Another Google Re-Direct. 64.111.211.158

I have attached the OTS Scan. Thanks in advance

Essexboy is notified…

Once this fix has run could you let me know if the alerts have ceased

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5643
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5643
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "incognito" -> [C:\WINDOWS\system32\incognito.exe]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-639830881-344247752-21642521-1106\] > -> HKEY_USERS\S-1-5-21-639830881-344247752-21642521-1106\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
[File - Lop Check]
NY ->  inetxfer.job -> C:\WINDOWS\Tasks\inetxfer.job
[Custom Scans]
YY ->  sta.exe -> C:\sta.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Purity]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Still getting the errors, i have attached the ots log after running, also i have attached a aswmbr log from scanning to. Its showing 2 files

Looks TDL3 ish

Now to use my new piccies after their diet (cheers David ;D)

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerCompleted.png

[*]If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Unfortunately TDSKiller wont run, already tried to run it myself before posting. Even if its renamed to a .pif or .com file extension just flashes up for a second then dissapears. Any other ideas ??

Yep this is a new variant of which - at the moment we have little data

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.

As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

[*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

[*]Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here is the combofix log, Still showing the same 64.111.211.158 avast warning. Also re-directing all searches

Definitely something new on the streets now

Download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

[QUOTE]Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

If it finds something i am assuming i choose options 2 to restore standard boot code ??

No each MBR has a different code

Here is the mbr log, definately something there

Run MBRCheck.exe once again.

You will be presented with the following dialog:

[QUOTE]Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Enter Y and press Enter.

The following dialog will be presented:

[QUOTE]Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
[/quote]
Enter 2 and press Enter

The following dialog will be presented:

[QUOTE]Enter the physical disk number to fix (0-99, -1 to cancel):
[/quote]
Enter >>0<< and press Enter

The following dialog will be presented:

Enter >>1<< and press Enter

The following dialog will be presented:

[QUOTE]Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue:
[/quote]
Type YES and press Enter (Must type the full word, YES). You will be inform if successfully wrote a new MBR code!

And last the following dialog will be presented:

[QUOTE]Done! Press ENTER to exit…
[/quote]
Press Enter. A report will be produced on the desktop. Post that report in your next reply.

Here is the Log after writing new mbr, still showing same symptoms. Sorry had wrong mbr text

Could you now reboot

Still the same, looks like mbr fake entry is still there

Hmm two of you with the same problem

Reboot the computer and press F8 to get to the safe mode menu
Once there select recovery console
At the command prompt type

FIXMBR

Accept the warning and then type Exit

Reboot to normal windows and run mbrcheck again please

I am getting the same Google redirect. I downloaded OTS, but I am not sure if I should use the same fix that you (Essexboy) recommended. I downloaded TDSSKiller and ran the scan as directed, and no threats were found. I am also downloading Avast as we speak (I had nothing for a while then AVG for a couple of days). What do you recommend?

No, Fixes are unique to the system they are created for.

Create a new topic and attach the OTS log there please