Malicious URL Blocked, just like a lot of others!

Hi,
I read a lot of the other threads relating to my matter.
Like this : http://forum.avast.com/index.php?topic=80917.0
I also went through Essexboy’s prelim scans and have the logs ready at hand.

Here’s when it first started :
I remember reading manga (clean, I’m not that kind of person) and all of a sudden, msiexec.exe asks to be run. I keep on clicking no and exiting it, but it keeps on popping up.
I check up the program and google says it’s safe, needed for installation and uninstallations.
I clicked yes, then my Avast pops up, prompting that there’s a virus.

I’ve scanned with Avast and MBAM, finding 1 and 6 threats respectively. I thought I removed the rootkit/browser hijacker but it came back recently.

I reran the full system scans with Avast and MBAM and found nothing this time.

Hope my problem is an easy fix!

Ps. The MBAM scan logs are dated 7-2-2011 and 7-4-2011, showing the first and second scan respectively :slight_smile:

Pss. OTS log is too big, will try to use MediaFire for it.

Edit : Edited to say that the threat is always coming from “64.111.211.158” when being redirected.

Here is the OTS log via MediaFire :slight_smile:

http://www.mediafire.com/?h6hc03p44ew39lb

:slight_smile:

I have a similar issue where iexplorer.exe starts up without user input and the shield pops up saying URL blocked 64.111.211.158. I have used MBAM, ComboFix, GMER and RootkitRevealer and still can’t stop this. When the browser is opened it redirects, as I would expect. Would be delighted if someone can help with a fix for this.

Charlie

Please stick with your own topic you created and post the full information on the detection in that, http://forum.avast.com/index.php?topic=81078.0.

On completion of this run can you let me know if the problem persists?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3530662894-1663572426-3511026779-1000\] > -> HKEY_USERS\S-1-5-21-3530662894-1663572426-3511026779-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{32099AAC-C132-4136-9E9A-4E364A424E17}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  2aecf431 -> C:\ProgramData\2aecf431
NY ->  12772417 -> C:\Windows\SysWow64\12772417
[Files - No Company Name]
NY ->  2aecf431 -> C:\ProgramData\2aecf431
NY ->  12772417 -> C:\Windows\SysWow64\12772417
NY ->  AML Free Registry Cleaner.lnk -> C:\Users\Win7\Desktop\AML Free Registry Cleaner.lnk
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

I just Completed the Fix you told me to Essexboy.
Thank you so much!

I am interested in how you find which Registries/Files/Processes are to be NY’d !
Thank you for your help again!
I will reply again if the problem occurs :slight_smile:

Ps. I attached the after log when the computer rebooted.

Apparently… I spoke too soon…

I went to browse on Google, using Firefox.
The links I click on still redirects me to another search engine.
Same with the youtube links I click on.

Am I not done yet Essexboy? :frowning:

Edit : Avast doesn’t pop up anymore for “Malicious URL Detected” even though I still get redirected to another page.

OK, that would suggest it is in an area that I cannot see with OTS - so let’s up the ante.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I read your posts here and other threads
and I gotta say I like your sense of humor Essexboy ;D

Let’s up the ante indeed.

I ran ComboFix while shutting off my AV, and internet connection (just in case).

This is the log it produced.

I am also very interested in how you look at the OTS / ComboFix files.
How do you know which files/registries/processes are bad and not needed?

Thank you for all the help so far!

Yep, it was hiding in Firefox.

I am also very interested in how you look at the OTS / ComboFix files. How do you know which files/registries/processes are bad and not needed?
Experience and training are the short answer really, plus having a good feel for what does not look right ;D

Any more alerts/redirects ?

Ahh, experience is what I want haha
I wish I could be as good as you and get to your level (in reading OTS/CF logs).

There seems to be no more redirects at the moment!
I am very happy to report that!

Did the ComboFix run help fix the malware hidden in Firefox?

Ps. All this time I had a feeling that you were feeding the logs into a self-programmed software that reads what’s bad in the logs. ;D

Well… right when I started reading Manga again…
Another alert pops up.
This time it says it’s a Trojan Horse.
It blocked it…
Not sure if anything got into my computer again.
Maybe I should stop reading Manga…

As they say, if it hurts when you do it, stop doing it.

In all seriousness, it would appear that that site (there appear to be lots of different manga sites) has been hacked and the web shield is blocking something malicious. The JS: (JavaScript) ScriptIP-inf is usually an indication that a malicious script tag has been inserted into a page and that script tag is trying to run a script from another site/page.

The idea of the web shield alert is to ‘block’ (abort connection of) the download and running of whatever is on that remote site/page. So it shouldn’t get into your browser cache and either be displayed or run in your browser/system.

So although nothing should have been downloaded to your system, clear your browser cache and monitor your system for any symptoms you might have had previously.
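A defender-side check in the spirit of the alert described above, added here as an example and not part of the thread or of Avast’s own detection logic: it parses a page’s HTML and flags script tags whose src points at a raw IP address or at a host other than the page’s own, for review. The sample HTML, the example-manga.test hostnames and the 198.51.100.23 address are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate script tags and one injected tag that
# pulls JavaScript from a raw IP address (the pattern behind a ScriptIP alert).
SAMPLE_HTML = """<html><head>
<script src="/static/reader.js"></script>
<script src="https://cdn.example-manga.test/lib.js"></script>
<script src="http://198.51.100.23/x.js"></script>
</head><body>chapter 12</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def is_ip_host(host):
    """True if host is a literal IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_scripts(html, page_host):
    """Return (src, reason) pairs for script tags that deserve a closer look."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for a relative path such as /static/x.js
        if host is None:
            continue  # same-origin relative reference, nothing to flag
        if is_ip_host(host):
            findings.append((src, "script loaded from a raw IP address"))
        elif host.lower() != page_host.lower():
            findings.append((src, "script loaded from an off-site host"))
    return findings
```

Running `suspicious_scripts(SAMPLE_HTML, "www.example-manga.test")` reports the CDN script as off-site and the raw-IP script as the high-priority finding; the relative path is ignored.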

Yep, CF removed the miscreants within FF and, alas, there is no automated tool that can replace the human eye, which can spot apparently unrelated files.

Once you are really happy after your latest alarm I will remove my tools.

Alright, sounds good Essexboy!

It’s been 1-2 days since I’ve been using Google search engine, and every link directs me to the correct link ;D

Thank you for all your work!
I’m happy for your guidance and help for others too!

Thank you other mods too (like DavidR)!

As they say if it hurts when you do it stop doing it.
Haha I fully agree David, I already stopped using the site.

I’m ready for the cleanup and the goodbye :cry:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Uninstall ComboFix

Remove Combofix now that we’re done with it.

[*]Please press the Windows Key and R on your keyboard. This will bring up the Run… command.
[*]Now copy/paste this: ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /Uninstall, it needs to be there.
[indent]
http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/CFuninstall.gif
[/indent]
[*]Please follow the prompts to uninstall Combofix.
[*]This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
[*]You will then receive a message saying Combofix was uninstalled successfully once it’s done uninstalling itself.

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All programs > Accessories > System Tools
[*]Right click Disk Cleanup and select Run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: