Keep getting redirected

This started a few days ago and comes and goes. It happens when I do a Google search from my browser (FF). Malwarebytes blocks it most of the time.

Here's the info I have right now.

Redirect to, find-fast-answers.com
IP, 67.29.139.153
Type, outgoing
Port, 52309
Process, avastsvc.exe

I ran a boot time scan a few days ago and it showed nothing, but I will do it again now. MB found a few things a few days ago and removed them, but now shows nothing. Here's what was found a few days ago.

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7286

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/26/2011 4:24:55 PM
mbam-log-2011-07-26 (16-24-55).txt

Scan type: Quick scan
Objects scanned: 175048
Time elapsed: 1 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAb} (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) → Quarantined and deleted successfully.

Going to run boot time and MB again and report back.

Boot time showed nothing.

You mean this?

Redirect to, find-fast-answers.com IP, 67.29.139.153 Type, outgoing Port, 52309 Process, avastsvc.exe

That is from Avast… unless fake… why does the MBAM protection module detect this???

Full MB scan showed nothing

Give me a sec and I'll see if the warning is the same.

Found out why ;D

This is quite normal. The reason it is showing Avast! instead of your internet browser is that Avast!, like many antivirus products, hooks into your browsers to scan internet traffic for infections and to block malicious websites as well. The same thing happens with Kaspersky: if Kaspersky is installed and the user browses to a website on Malwarebytes' Anti-Malware's block list, it will show that AVP.exe is being blocked instead of the user's internet browser.

Your system isn't compromised and you don't need to take any additional action.

http://forums.malwarebytes.org/index.php?showtopic=72258

It isn’t the process (the web shield) but the IP that MBAM is blocking.

Why it is blocking that IP is beyond me, but a search for find-fast-answers.com seems to indicate a malware infection: http://answers.yahoo.com/question/index?qid=20110726003222AAOzHKn. It doesn't have a particularly good reputation, http://www.mywot.com/en/scorecard/find-fast-answers.com, but WOT isn't a great tool in this regard, so just use it for guidance only.

So should I run OTS?

What happened after running MBAM and removing those files and registry entries? E.g. do those files come back?

It won’t hurt to do an OTS scan:

Note: this says to attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.

What happened after running MBAM and removing those files and registry entries? E.g. do those files come back?

Everything was fine for a few hours, then the redirect started again. Haven't found any new files at all.

Also, I want to add that whenever I do a scan, whether it's boot time or MB, I don't get the redirect afterwards until after maybe 20 Google searches, then it starts again. The redirect isn't all the time either, maybe one in three searches.

I'll do the OTS and report.

Mediafire link to OTS: http://www.mediafire.com/?j7rd41rj5485528

OK, essexboy who is the malware removal specialist will be in bed now, 3:10am in the UK.

He is usually on-line around 7pm UK time.

No problem ;D I'll be stopping back to get this fixed and then ask some questions on how to keep this from happening again :wink:

Hi there. I can only stop this at the moment for the main user. Could you run OTS again and select all users please, after this fix has run.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}
YY -> ShopToWin13   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:REG
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=- 
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
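An added illustration (not from this thread, OTS or MBAM) of what the custom registry item in that fix is removing: the 16 bytes stored in XMLHTTP_UUID_Default are a GUID in the mixed-endian layout Windows uses for REG_BINARY GUIDs, and they decode to the same CLSID {0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} that MBAM quarantined as the Trojan.Tracur BHO. The log excerpts below are constructed from lines in this thread plus one made-up clean value; the function names are mine.

```python
import re
import uuid

# Constructed excerpt modelled on the MBAM log posted in this thread.
MBAM_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
"""

# Constructed OTS "Internet Explorer Settings" lines: two from the thread, and a
# third with made-up bytes standing in for a value that does not match anything.
OTS_LINES = [
    r'YN -> HKEY_CURRENT_USER\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]',
    r'YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]',
    r'YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF  [binary data]',
]

GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
OTS_VALUE_RE = re.compile(
    r'-> (\S+): \S+"XMLHTTP_UUID_Default" -> ((?:[0-9A-F]{2} ){15}[0-9A-F]{2})'
)


def guid_from_registry_bytes(hex_dump):
    """Turn a 16-byte REG_BINARY hex dump into the {GUID} string seen in CLSID keys.
    Windows stores the first three GUID fields little-endian, which is exactly
    what uuid.UUID's bytes_le constructor expects."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


def detected_clsids(mbam_log):
    """Collect every {GUID} MBAM listed under its infected registry keys."""
    return {"{" + m.group(1).upper() + "}" for m in GUID_RE.finditer(mbam_log)}


def leftover_references(ots_lines, known_clsids):
    """Return (hive, GUID) for each XMLHTTP_UUID_Default value whose bytes decode
    to a CLSID MBAM already quarantined, i.e. a stale pointer to the removed BHO
    that a file/CLSID scan alone would not flag."""
    hits = []
    for line in ots_lines:
        m = OTS_VALUE_RE.search(line)
        if not m:
            continue
        guid = guid_from_registry_bytes(m.group(2))
        if guid in known_clsids:
            hits.append((m.group(1).rstrip("\\"), guid))
    return hits


if __name__ == "__main__":
    for hive, guid in leftover_references(OTS_LINES, detected_clsids(MBAM_LOG)):
        print(f"{hive}: XMLHTTP_UUID_Default still points at quarantined CLSID {guid}")
```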

Sorry about that. Forgot to select all users

Mediafire link to OTS report: http://www.mediafire.com/?fsybp106q25cn4u

Will run fix now and then MBAM and report back.

OTS fix report

All Processes Killed
[Registry - Safe List]
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}\defaults\preferences folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}\defaults folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}\chrome folder moved successfully.
Folder move failed. C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9} scheduled to be moved on reboot.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome\skin folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome\content\locale folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome\content folder moved successfully.
Folder move failed. C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0} scheduled to be moved on reboot.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\SysWow64\573779942 moved successfully.
[Custom Items]
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default deleted successfully.
[Empty Temp Folders]

User: All Users

User: Chris
->Temp folder emptied: 2491781 bytes
->Temporary Internet Files folder emptied: 15332070 bytes
->Java cache emptied: 91269788 bytes
->FireFox cache emptied: 993852820 bytes
->Google Chrome cache emptied: 8980035 bytes
->Flash cache emptied: 3734413 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 839933 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 136282 bytes
RecycleBin emptied: 110130376 bytes

Total Files Cleaned = 1,170.00 mb

[EMPTYFLASH]

User: All Users

User: Chris
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07292011_143309

Files\Folders moved on Reboot…
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9} folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0} folder moved successfully.
C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

Now for the other users - could you check for alerts/redirects on completion, please?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> 
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> 
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > -> 
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: URLSearchHooks\\"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" [HKLM] -> C:\Program Files (x86)\uTorrentBar\tbuTo1.dll [uTorrentBar Toolbar]
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: "ProxyEnable" -> 0
< FireFox Settings [Prefs.js] > -> C:\Users\Chris\AppData\Roaming\Mozilla\FireFox\Profiles\nr8zccsm.default\prefs.js
YN -> browser.search.defaultengine -> "Ask.com"
< FireFox Extensions [User Folders] > -> 
YY -> ShopToWin13   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:reg
[ HKEY_USERS\S-1-5-19-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[ HKEY_USERS\S-1-5-20-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[ HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

MBAM report

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7313

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/29/2011 3:21:25 PM
mbam-log-2011-07-29 (15-21-25).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 365634
Time elapsed: 36 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Will rerun OTS now.

Once done, let me know if that cleared it.

OTS report

All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry value HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable deleted successfully.
Prefs.js: “Ask.com” removed from browser.search.defaultengine
File C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0} not found.
Registry value HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
[Files/Folders - Modified Within 30 Days]
File C:\Windows\SysWow64\573779942 not found!
[Custom Items]
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\S-1-5-19-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry key HKEY_LOCAL_MACHINE\S-1-5-20-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry key HKEY_LOCAL_MACHINE\S-1-5-21-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.
[Empty Temp Folders]

User: All Users

User: Chris
->Temp folder emptied: 149228 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 88302490 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1536 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 84.00 mb

[EMPTYFLASH]

User: All Users

User: Chris
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07292011_175326

Files\Folders moved on Reboot…
C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

Thanks again, and after I test a little I'll let you know what happens.

For now, is there anything I should do to help stop this? Avast is up to date, as well as MBAM. Is there something else I should be running?