Google redirect to 64.111.211.158 SORRY

I have followed the steps found in other topics and scanned with OTS.
Here is the link to the TXT file: http://www.megaupload.com/?d=5GG1Z45H

this is what i keep getting after clicking on links in google hxxp://64.111.211.158/c.php?s=eNpVkMmO2kAYhB_IkvV3270d5mAYiDG2AwzB4EvUK9tYYTEYo374MJNTVCrVoVQq6Tt4DCLCHvli_vbmIQRM8FfE-NUgBAwEYIgh8ubH7qT7wZd3qiF3W33e6u41MgbxyCFFEVbYCYolQVYDZ7GwPHb2d0RiQmMHAJI4qwWikglNWOykjSVwz17_tvxj9sdRvj0km3kalLegaZbtYmvyNOlAj9LzVJ3XxeXEVFnfGc3SPe-CIpOBfn9cKdkWt4cwQa7GNGDXrq8GBRx5Plto2M1aqXtIq7aZfZQH6Hv4ifNhRtJhqmRVbcYmi0euuaRXd5pyIzDV7GNRDmX9aNL9L7YKhvsktW2XrdWh3qwu4-NkchCubbrkenfHVZFMx3IonbvUk_Oq3qfL9z4R_PL83HrBQ4RxiCISIsS8FyTECIUIIGQv1N5jr3F5N-vJbYNFmz9Hz2I5uq_-4c5eHvyHG77lI7-pHleNx01dPU46mn-vPdFOUuYsjTjGWlvEDaKOY2UdIcRKT5XWjmoZCSYJxEooUCYC41xsGXLwFzQYp7Y

I really hope someone can help me… Thank you for your time

Please edit your post and change the http in the link you posted to hxxp so it is not clickable.

Essexboy is notified…
he is usually in here at 08:00pm - 11:59pm UK time

thank you very much

Sorry, I have a fix I made for you. Can I give it to you, or would you like to wait for Essexboy to arrive?

I can try your fix…

Here you go:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
YN-> C:\Windows\SysWOW64\blank.htm ->
HKEY_USERS\S-1-5-21-3727838005-863367943-902948553-1001\: Main\\"Start Page" -> http://search.conduit.com?SearchSource=10&ctid=CT1098640 -> 
YN->HKEY_USERS\S-1-5-21-3727838005-863367943-902948553-1001\: Main\\"Start Page Redirect Cache" -> http://www.msn.com/ -> 
YN->HKEY_USERS\S-1-5-21-3727838005-863367943-902948553-1001\: Main\\"Start Page Redirect Cache AcceptLangs" -> en-us -> 
YN->HKEY_USERS\S-1-5-21-3727838005-863367943-902948553-1001\: Main\\"Start Page Redirect Cache_TIMESTAMP" -> 3A D2 B9 A9 35 DB CB 01  [binary data] -> 
[Files/Folders - Created Within 30 Days]
NY-> C:\ProgramData\boost_interprocess
NY-> C:\Users\LordFenix\AppData\Roaming\Audacity
NY-> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\x264vfw64
NY-> C:\Users\LordFenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\x264vfw64
NY-> C:\Program Files\x264vfw64
NY-> C:\Users\LordFenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\x264vfw
NY-> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\x264vfw
NY-> C:\Program Files (x86)\x264vfw
NY-> C:\Program Files (x86)\Yontoo Layers Runtime
NY-> C:\ProgramData\Tarma Installer
[Files/Folders - Modified Within 30 Days]
NY-> C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
NY-> C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
NY-> C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
NY-> C:\Users\LordFenix\Documents\bookmarks-2011-07-09.json
NY-> C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3727838005-863367943-902948553-1001Core.job
NY-> C:\Windows\bootstat.dat
NY-> C:\hiberfil.sys
NY-> C:\Windows\SysNative\FNTCACHE.DAT
NY-> C:\Users\LordFenix\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY-> C:\Users\LordFenix\Documents\ax_files.xml
NY-> C:\Windows\SysNative\SELECT
NY-> C:\Windows\SysNative\list
NY-> C:\Windows\SysNative\PerfStringBackup.INI
NY-> C:\Windows\SysNative\perfh009.dat
NY-> C:\Windows\SysNative\perfc009.dat
NY-> C:\Users\Public\Desktop\Alcohol 120%.lnk 
NY-> C:\Users\Public\Desktop\GamersFirst LIVE!.lnk
NY-> C:\Windows\SysWow64\config.nt
NY-> C:\Windows\7Loader.TAG
NY-> C:\Windows\SysWow64\PnkBstrB.xtr
NY-> C:\Windows\SysWow64\PnkBstrB.ex0
[Files - No Company Name]
NY-> C:\Users\LordFenix\Documents\bookmarks-2011-07-09.json
NY-> C:\Windows\SysWow64\AVerIO.dll
NY-> C:\Windows\SysWow64\AVerIO.sys
NY-> C:\Windows\SysWow64\sptlib21.dll
NY-> C:\Windows\SysNative\SELECT
NY-> C:\Windows\SysWow64\sptlib01.dll
NY-> C:\Windows\SysWow64\sptlib22.dll
NY-> C:\Windows\SysWow64\sptlib11.dll
NY-> C:\Windows\SysWow64\sptlib03.dll
NY-> C:\Windows\SysWow64\sptlib02.dll
NY-> C:\Windows\SysWow64\sptlib12.dll
NY-> C:\Windows\SysNative\list
NY-> C:\Windows\SysNative\slmgr.vbs
NY-> C:\Windows\7Loader.TAG
NY-> C:\Windows\qawin32.INI
NY-> C:\Windows\SysWow64\ieuinit.inf
NY-> C:\Windows\SysWow64\tcpbidi.xml
NY-> C:\Users\LordFenix\AppData\Roaming\winscp.rnd 
NY-> C:\ProgramData\.zreglib
NY-> C:\Users\LordFenix\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 
NY-> C:\Windows\EReg072.dat
NY-> C:\Windows\SysWow64\PnkBstrB.exe
NY-> C:\Windows\SysWow64\PnkBstrA.exe
NY-> C:\Users\LordFenix\AppData\Local\Ygobulejacoyu.dat
NY-> C:\Users\LordFenix\AppData\Local\Unikiredoxiraki.bin
NY-> C:\Users\LordFenix\AppData\Roaming\vso_ts_preview.xml
NY-> C:\Users\LordFenix\AppData\Roaming\inst.exe
NY-> C:\Users\LordFenix\AppData\Local\fusioncache.dat
NY-> C:\Users\LordFenix\AppData\Roaming\pcouffin.cat
NY-> C:\Windows\SysWow64\xfcodec.dll
NY-> C:\Windows\SysWow64\NOISE.DAT
NY-> C:\Windows\bootstat.dat
NY-> C:\Windows\SysWow64\dssec.dat
NY-> C:\Windows\mib.bin
NY-> C:\Windows\SysWow64\msjetoledb40.dll
NY-> C:\Windows\SysWow64\bdmpegv.dll
NY-> C:\Windows\SysWow64\libfftw3f-3.dll
NY-> C:\Windows\SysWow64\mlang.dat
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in. Tell me whether this was helpful or not in terminating the problem.

I messed with Google again and it still redirects me… so I guess it didn't work…

I attached my log file.

I recommend NOT running the fix made by com155, as he is not trained in using this program, so he can mess it all up.

Wait for Essexboy, who is a trained and certified malware remover.

Oh okay, I will wait for him.

I did a little more Google work and found out that what could be causing it is a fake extension, XULRunner 1.9.1. I'm running Firefox 5, so I know that is way out of date if it was real… If that is the problem I still need help removing it… but I did disable it through Firefox… and it seems to have stopped the redirecting issue…

Is this Google redirection only in Firefox?
If so, try running Firefox without add-ons, e.g. Mozilla Firefox (Safe Mode) from the Start, Programs, Mozilla Firefox menu; this runs Firefox without add-ons.

Try some Google searches and see if you get the redirects.
If not, check your add-ons: do you have this add-on installed, LeechBlock Version 0.5.2?

Uninstalling this in another case stopped the malicious URL redirect alerts, but that was on Firefox 3.6.17, so I don’t know if the add-on is even compatible with FF5.

Yes, it is the XULRunner within Firefox plus a few other elements.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [Program Folders] > -> 
YY -> XULRunner -> C:\USERS\LORDFENIX\APPDATA\LOCAL\{6EA668FA-A72A-4932-A63C-A66060202031}
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> [AVG Safe Search]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> MRI_DISABLED [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-3727838005-863367943-902948553-1001\] > -> HKEY_USERS\S-1-5-21-3727838005-863367943-902948553-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "AdobeBridge" -> []
YN -> "Hulu Downloader" -> [C:\Program Files (x86)\Hulu Downloader\Hulu Downloader.exe -autorun ]
YN -> "svchost.exe" -> [C:\Users\LordFenix\AppData\Roaming\Microsoft\svchost.exe]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {AEA3991E-3109-4C98-989E-33994FEB1A91} [HKLM] -> Reg Error: Value error. [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} [HKLM] -> Reg Error: Value error. [Java Plug-in 1.6.0_25]
[Files/Folders - Created Within 30 Days]
NY ->  boost_interprocess -> C:\ProgramData\boost_interprocess
[Alternate Data Streams]
NY -> @Alternate Data Stream - 1376 bytes -> C:\Users\LordFenix\AppData\Local\Temp:aMJdd8p6PJCO7RZmfadWwAY7cou
[Custom Items]
:Files
C:\Users\LordFenix\AppData\Roaming\Microsoft\svchost.exe
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
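
Added example, not part of the original thread and not OTS code: the fix above removes a Run entry named "svchost.exe" whose file sits in the user profile instead of a Windows system directory. The Python below applies that check to OTS-style Run lines; the lists of system binary names and trusted directories are assumptions, and the last sample line is constructed.

```python
import ntpath
import re

# Windows binary names commonly imitated (illustrative list, an assumption).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
# Directories where those binaries are expected (assumption, lower-case).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# OTS-style autorun line as shown in the thread: YN -> "name" -> [command line]
ENTRY_RE = re.compile(
    r'^\s*[YN]{2}\s*->\s*"(?P<name>[^"]*)"\s*->\s*\[(?P<cmd>.*)\]\s*$')

def executable_path(cmd):
    """Return the executable part of a Run command line ('' if empty)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path followed by arguments
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(?i)(.*?\.(?:exe|com|bat|cmd|scr))(?:\s|$)', cmd)
    return m.group(1) if m else cmd

def find_masquerading(log_text):
    """List (value name, path) for entries named like a system binary
    but stored outside the trusted Windows directories."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        if not path:
            continue                   # empty entry such as "AdobeBridge" -> []
        directory, filename = ntpath.split(path)
        if (filename.lower() in SYSTEM_BINARIES
                and directory.lower().rstrip("\\") not in TRUSTED_DIRS):
            findings.append((m.group("name"), path))
    return findings

# First three lines are from the fix in this thread; the last is constructed.
SAMPLE = r'''
YN -> "AdobeBridge" -> []
YN -> "Hulu Downloader" -> [C:\Program Files (x86)\Hulu Downloader\Hulu Downloader.exe -autorun ]
YN -> "svchost.exe" -> [C:\Users\LordFenix\AppData\Roaming\Microsoft\svchost.exe]
YN -> "ConstructedEntry" -> [C:\Windows\System32\svchost.exe -k netsvcs]
'''

if __name__ == "__main__":
    for name, path in find_masquerading(SAMPLE):
        print(f"suspicious Run entry {name!r}: {path}")
```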

thank you very much

I managed to find the Firefox issue… and your fix found everything else…

You guys are the greatest