Another redirect victim...

Add me to the list of those with redirect issues. I click on link results from a Google search, and if it doesn’t go to the right place it’s either a redirect or an avast site block alert, which I now assume means that avast is blocking the redirect site rather than the site I was trying to go to.

Attached are the results from my aswMBR scan.

A couple of stupid questions. I see this is being called by some a “Google” redirect issue. By that one would assume you could use other search engines and not have the problem, or is this a case of using google generically to mean all search engines? And I’m guessing this is across all browsers?

Also, is it just when clicking a link from a search or have people found it an issue when going to normal sites they always visit (typing in a url, clicking a bookmark, etc.) or clicking links in a forum, say like from avast?

Thank you!

Log doesn’t show any MBR infection.
So it is worth obtaining and attaching OTS logs by following essexboy’s guide:
http://forum.avast.com/index.php?topic=53253.0

What is OTS? This is just a scan, right? It doesn’t make any changes or anything and won’t cause any system crashes? I’ve read several threads on here where people have run into system problems trying to run some things. That may be because of other issues they have on their computer, though. My computer is my job, so partner that with my lack of computer knowledge and I tend to be more paranoid about trying things than I probably should be.

Thanks!

I just finished a MBAM quick scan and I’m now running a full scan.

UPDATE: MBAM full scan showed no issues.

SECOND UPDATE: Probably wasn’t necessary but I uploaded the .dat file created by aswMBR to VirusTotal and nothing showed up: 0/43. Saw this suggested to others a few times so I thought, why not.

Yes, it is the scanner (OldTimer’s Scan-It!). It makes a log with detailed info about your system; this log can be read by a malware-removal specialist (essexboy, probably :). This scanner can also apply custom fixes, but those fixes must be written specifically for your system. And it is necessary to look at this kind of log to understand where the problem can be.

OldTimer’s Scan-It. Never in a million years would I have guessed that one! ;) Thanks, psw! I have some client work I have to get done, and since the scan may take a while and the instructions say not to do anything else on the computer while the scan is running, I’ll have to do it later today. I’ll post the results.

Thanks!

Thought I’d add this quickly. When the avast malicious site blocker comes up it has this:

64 dot 111 dot 211 dot 172

Also, does it affect the Startpage search engine? Since it doesn’t happen with every link I click on, I can’t tell. It does happen with Bing, Google, Yahoo, and Dogpile.

Probably a small redirect malware somewhere.

The IP address 64.111.211.172 is for ISPrime, a slightly different IP than the previous ones seen in the forums.

Try forum search for ISPrime to get an idea of what was happening for those people.

This one, for instance: http://forum.avast.com/index.php?topic=81132.msg663487#msg663487. So you are going to need to run OTS, as you have already been asked to do.
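The symptom the thread keeps coming back to is a clicked search result that bounces through an ISPrime address before landing somewhere. The example below, added here and not taken from the avast forum, OTS or avast, shows how to confirm that mechanically: follow the click's redirect chain hop by hop, resolve each hop's hostname, and flag any hop whose IP is on a blocklist. The only value taken from the thread is the IP avast blocked, 64.111.211.172. Every URL, hostname, HTTP response and DNS answer in the block is constructed so it runs offline; the real mechanism on the poster's machine (which the later OTS fix traces to Firefox settings and an extension folder, not to the network) is not modelled here.

```python
"""
Follow a search-result click through its redirect chain offline and flag
hops that land on a blocklisted address.

Added example for the thread above; not code from the avast forum, OTS or
avast. The fake web, fake DNS table and all hostnames/URLs are constructed.
The only value taken from the thread is the IP avast blocked.
"""
from urllib.parse import urljoin, urlparse

# The address avast's malicious-site blocker reported in the thread.
BLOCKED_IPS = {"64.111.211.172"}

# Constructed stand-in for DNS: hostname -> resolved IP (not real records).
FAKE_DNS = {
    "www.example-result.invalid": "203.0.113.10",
    "go.bad-intermediary.invalid": "64.111.211.172",
    "www.legit-destination.invalid": "198.51.100.20",
}

# Constructed stand-in for the web: URL -> (status, Location header or None).
# A hijacked click bounces through the blocked intermediary before reaching
# the site the user actually clicked; a clean click goes straight there.
FAKE_WEB = {
    "http://www.example-result.invalid/page": (302, "http://go.bad-intermediary.invalid/r?x=1"),
    "http://go.bad-intermediary.invalid/r?x=1": (302, "http://www.legit-destination.invalid/"),
    "http://www.legit-destination.invalid/": (200, None),
    "http://www.example-result.invalid/direct": (200, None),
    "http://www.example-result.invalid/loop": (301, "/loop"),   # redirects to itself
}

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def follow_chain(url, web=FAKE_WEB, dns=FAKE_DNS, max_hops=MAX_HOPS):
    """Return the hops [(url, resolved_ip, status), ...] for one click.

    Stops on a non-redirect status, a missing Location header, an unknown
    URL, or after max_hops (which also catches redirect loops).
    """
    hops = []
    current = url
    for _ in range(max_hops):
        host = urlparse(current).hostname
        ip = dns.get(host, "unresolved")
        status, location = web.get(current, (None, None))
        hops.append((current, ip, status))
        if status not in REDIRECT_STATUSES or location is None:
            break
        # Location may be relative; resolve it against the current URL.
        current = urljoin(current, location)
    return hops


def flagged_hops(hops, blocked=BLOCKED_IPS):
    """The hops whose resolved IP is on the blocklist."""
    return [h for h in hops if h[1] in blocked]


def is_hijacked(url, **kw):
    """True if any hop of the click's redirect chain hits a blocked IP."""
    return bool(flagged_hops(follow_chain(url, **kw)))


if __name__ == "__main__":
    for u in ("http://www.example-result.invalid/page",
              "http://www.example-result.invalid/direct"):
        chain = follow_chain(u)
        print(u)
        for hop_url, ip, status in chain:
            print(f"  {status} {hop_url} [{ip}]")
        print("  -> hijacked" if flagged_hops(chain) else "  -> clean")
```

To use this against a live machine, replace the FAKE_WEB lookup with a request that does not auto-follow redirects (so each Location header is seen) and FAKE_DNS with a real resolver call on the affected host; if the chain looks clean from a known-good machine but dirty from the infected one, the problem is on the client, which is what the OTS logs in this thread are for.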

Wow, David, that person is having a major computer breakdown from trying that ComboFix thing.

Anyway, instructions say don’t use the computer while OTS is running, so should I shut down avast while it’s running? Disconnect from the Internet?

The ComboFix thing in the other thread is, I believe, because of the new variant of the malware doing the rounds. However, he is the only one (to my knowledge) that has experienced it. Since then we have learnt more about this variant and will be taking a different approach. Actually, you can use the system whilst OTS is running, but it will be a little slow while it does its data gathering thing.

Avast is recommending I run OTS in the sandbox. Do I?

No, have it run normally.

Okay, that was fast!

I have attached the OTS file.

OK, this may take a bit longer as your temporary folders are pretty full and I will be emptying them. On completion, let me know if the redirects persist.

Start OTS. Copy/paste the information in the quote box below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Pam\Application Data\Mozilla\FireFox\Profiles\35637qgf.default\prefs.js
YN -> browser.search.selectedEngine -> "Startpage"
< FireFox SearchPlugins [User Folders] > -> 
YY ->  startpage.xml -> C:\Documents and Settings\Pam\Application Data\Mozilla\Firefox\Profiles\35637qgf.default\searchplugins\startpage.xml
< FireFox Extensions [Program Folders] > -> 
YY -> XULRunner -> C:\DOCUMENTS AND SETTINGS\PAM\LOCAL SETTINGS\APPLICATION DATA\{0BFF04C7-69BF-43A1-86E7-5795D83E2FE3}
[Files/Folders - Modified Within 30 Days]
NY ->  xmlserver.xml -> C:\xmlserver.xml
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Received an error message, and so the fix did not continue. Also ended up with a kind of grayed-out thumbs.db icon on my desktop after I restarted. Do you know what that is from? I started to delete it, but then it said it was a system file so I didn’t. It wasn’t there before I tried to run the fix.

Held my breath that the icons and such would come back after I restarted since the program didn’t finish.

Here’s the message:

“Access violation at address 00402993 in module OTS.exe Read of address 01712000.”

The system files will be revealed whilst OTS does its work, and it will kill all processes so that it can run uninterrupted. We will hide the files once you are clean.

Could you re-run a quick OTS scan please (no scripts required) to see if it removed the miscreant?

Also, are the redirects still occurring?

Clicked on OTS to run, and after avast recommended I open it in the sandbox and I chose to open it normally, this popped up in a Notepad window:

Files\Folders moved on Reboot…
File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_960.dat not found!

Registry entries deleted on Reboot…

Also, what does running without a script mean? Running it without the added things in the Custom Scan box and Additional Scans?

So far it’s not happening but it didn’t happen all the time before so…

FORGOT TO ADD THIS: the name of the file with the message above is 07152011_163825.log.

Do I try it again? (I realize you guys might be headed off to bed soon.)

“Also, what does running without a script mean? Running it without the added things in the Custom Scan box and Additional Scans?”

That’s right, just press the quick scan and nothing else. I feel that OTS has killed the bad boy.

This “File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.” refers to an avast file, and as such, whilst you have a browser open, it will be present and protected. So it isn’t an issue if it is removed on boot; it will be recreated when required.

I had put my best guesses down, as I thought essexboy would be tucked up in bed by now ;D

Thanks, David! :)

And the latest is attached…

So far so good on having no further issues. Hope it continues!