Win32 Malware-gen

Hello,

I just started getting an Avast warning for C:\Windows\assembly\tmp\U\80000cb.@ and I am hoping someone can help me get rid of it. I have been looking at other threads and hope I have included everything needed.

Thank you for your time and effort!!

C:\Windows\assembly\tmp\U\80000cb.@
Try cleaning your temp files

Temp File Cleaner by OldTimer will clean all temp files
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Did it work?

This is a new one - so far only detected by Ad-Aware and Avast. TFC does not go into the assembly folders, as there are not supposed to be temps there.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> 
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> 44 0A 20 0F 78 A3 6C 42 B6 01 5B 1F 0D 83 76 59  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> 
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 44 0A 20 0F 78 A3 6C 42 B6 01 5B 1F 0D 83 76 59  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1373814762-3253322592-2547707874-1001\] > -> 
YN -> HKEY_USERS\S-1-5-21-1373814762-3253322592-2547707874-1001\: Main\\"XMLHTTP_UUID_Default" -> 44 0A 20 0F 78 A3 6C 42 B6 01 5B 1F 0D 83 76 59  [binary data]
[Files/Folders - Unicode - All]
YY -> C:\Users\Bill\Documents\?icrosoft.NET -> C:\Users\Bill\Documents\?icrosoft.NET
YY -> C:\Users\Bill\Documents\?icrosoft.NET -> C:\Users\Bill\Documents\?icrosoft.NET
[Custom Items]
:Files
C:\Windows\assembly\tmp
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Thank you for the quick reply and help!!! Attached is the new log that was created after running the fix in OTS.

How is it now, any problems?

Avast is no longer reporting that there is a Win32Malware-gen threat. Thank you very much for your help. ;D ;D ;D

Much Appreciated,
Bill

I do however have a redirect issue when using Google but have only started reading the forums about it and will open a new thread if needed.

Are the redirects in Firefox, IE or both?

I never use Explorer anymore, so as far as I know just in FireFox.

Essexboy,

I have to head out for a few hours, helping a buddy move today but I will check back when I get home.

Thank you again,

For sure - when you get back try this

Is it only Firefox?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

[*]Ensure all Firefox windows are closed.
[*]To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
[*]When prompted to run the scan, click Yes.
[*]GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Here is the log and I tried a couple different searches with no redirects. ;D :smiley: ;D

Outstanding help!!

Essexboy,

I do not know what happened, everything looked like it was going to be fine. Then a crazy program I never installed or have ever seen popped up. The name is Security Protection; it appears or has the look of a virus scanner and starts blowing up with what it is saying are infections on my computer. I cannot take any actions for what it is saying are infections; it is requiring registration and a registration key.

I stopped it and had to reboot in safe mode because when it was up it wouldn’t allow internet access.

Below is what I got when I looked at its properties (hoping it helps):

File Location
defender.exe

File Description
Nxvbelazraamwqabdzycyoayg

File Version
6.1.7600.16385

Product Name
Copyright IWPUZN Software

Size
871kb

Date Modified
9/4/2011 5:45pm

Language
English United States

Original File Name
Two.exe
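
For readers who want to see what is actually in C:\Windows\assembly\tmp before an OTS fix deletes it, and to check a suspicious executable's properties the way Bill did by hand (defender.exe reporting OriginalFilename Two.exe, a random FileDescription and a Windows 7 RTM version stamp), here is an added triage script. It is not from the original thread and is not part of Avast, OTS, OTL or TFC. It assumes an elevated PowerShell 5.1 or newer prompt; the only path it knows is the one named in the thread, so the rogue's file or folder (which the thread never locates) has to be passed in by the caller. Every flag it raises is a heuristic, not a verdict.

```powershell
# Added triage script for this thread. It is not part of the original posts and
# is not an Avast, OTS, OTL or TFC component. Assumptions: it runs in an
# elevated PowerShell 5.1 (or newer) prompt, and the only default path is the
# folder the thread's detection sits in; the rogue's defender.exe is passed by
# the caller because the thread never states which folder it lives in.
param(
    [string[]]$Paths = @('C:\Windows\assembly\tmp')
)

function Test-IsPe {
    # True when the file starts with the "MZ" DOS header every PE image carries,
    # regardless of its extension (the thread's sample is named 80000cb.@).
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 2
            return ($fs.Read($buf, 0, 2) -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally {
            $fs.Dispose()
        }
    } catch {
        return $false
    }
}

function Get-FileTriage {
    # Collects what a helper would want before deleting a file: hash, size,
    # timestamps, attributes, Authenticode status and (for PE files) the
    # version resource. Each entry in Reasons is a heuristic that fired; none
    # of them alone proves the file is malicious.
    param([System.IO.FileInfo]$File)

    $reasons = New-Object System.Collections.Generic.List[string]
    $isPe = Test-IsPe -Path $File.FullName
    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName -ErrorAction SilentlyContinue
    $vi   = $File.VersionInfo

    if ($isPe -and $File.Extension -notin @('.exe', '.dll', '.sys')) {
        $reasons.Add('PE image with a non-executable extension')
    }
    if ($isPe -and $sig.Status -ne 'Valid') {
        $reasons.Add("not validly signed ($($sig.Status))")
    }
    if ($isPe -and $vi.OriginalFilename -and $vi.OriginalFilename -ne $File.Name) {
        # The thread's rogue showed as defender.exe but carried OriginalFilename Two.exe.
        $reasons.Add("OriginalFilename '$($vi.OriginalFilename)' differs from file name")
    }
    if ($isPe -and $vi.FileDescription -and $vi.FileDescription -notmatch '\s' -and
        $vi.FileDescription.Length -gt 12) {
        # A long single "word" such as Nxvbelazraamwqabdzycyoayg is typical of a
        # generated resource; real descriptions are short phrases.
        $reasons.Add('random-looking FileDescription')
    }
    if ($isPe -and $vi.FileVersion -like '6.1.7600.*' -and
        $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        # 6.1.7600.16385 is the Windows 7 RTM build stamp; a binary borrowing it
        # without a Microsoft signature is impersonating a system file.
        $reasons.Add('claims a Windows 7 RTM version but is not Microsoft-signed')
    }

    [pscustomobject]@{
        Path         = $File.FullName
        Size         = $File.Length
        LastWrite    = $File.LastWriteTime
        Attributes   = $File.Attributes
        SHA256       = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        IsPE         = $isPe
        SigStatus    = $sig.Status
        OriginalName = $vi.OriginalFilename
        Description  = $vi.FileDescription
        Reasons      = ($reasons -join '; ')
        Suspicious   = ($reasons.Count -gt 0)
    }
}

$results = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "$p does not exist on this machine"
        continue
    }
    # -Force includes hidden and system files, which is where such droppers sit.
    Get-ChildItem -LiteralPath $p -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileTriage -File $_ }
}

$results | Sort-Object Suspicious -Descending |
    Format-Table Path, Size, LastWrite, SigStatus, OriginalName, Reasons -AutoSize -Wrap
```

Run it as `.\Triage.ps1` to inspect the assembly\tmp folder alone, or `.\Triage.ps1 -Paths 'C:\Windows\assembly\tmp', 'C:\path\to\defender.exe'` to add the rogue once you know where it lives. Keep the SHA256 column from the output: it is what you would quote to a helper or submit to a multi-engine scanner, and it still identifies the file after the fix has deleted it.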

essexboy usually logs off around midnight, so I guess he is not back until tomorrow. You may try this or wait until essexboy is back?

Read it all before you start.

Remove Security Protection (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-security-protection

Absolutely, thank you. I will read it right now and post back.

Thanks,

Thank you Pondus, everything seems to be good. I have tried some searches with no redirects and Security Protection has not popped up.

You guys are great and truly have my appreciation!!!

I will give it a couple days and post back.

Thanks Again,
Bill

The rogue you had is a tricky one; it comes bundled with a TDSS rootkit.
So I recommend you run OTL again and attach a new log so essexboy can see if it is all gone…

Pondus,

Thank you again… when you say run OTL is that the same as OTS and would I run it with the same “custom” scans I used originally?

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

As always, thank you for your time and effort!!

Just follow essexboy's guide here; you only do the OTL stuff :wink:

If he needs more he will tell you… he will be back here in 2-3 hours.

http://forum.avast.com/index.php?topic=53253.0

I am pretty sure this is the log needed… lol

Thank you,

Can you remember what site you were on when it popped up ?

Might be worth running a fresh OTL log, as MBAM does not always get it all.