I've been struggling away at this one after being infected yesterday. So far these are some things I've noticed (for me anyway):
The redirect isn't hard-coded in the way they usually are; it's a soft redirect (i.e. it only redirects once you arrive at a site, in the same way that typing a new address in the address bar would redirect you), is easily bypassed by pressing back, and only ever redirects once.
This virus/malware runs Internet Explorer invisibly (not visible in any task manager I can find).
It then downloads movies from 10-15 sites at once (mainly ads), easily maxing my downstream speed.
I've disabled Flash in IE; this seems to have stopped the heavy downloading.
It seems to be installed as a service, as svchost.exe is where all the downloading is initiating.
I've noticed at times the memory used by one particular svchost swells dramatically, sometimes reaching 1.5 GB.
I thought I had narrowed down which service was tainted to COM+ Event System, but now I'm not so sure; it may be a hidden service.
I've tried stopping services with the same PID one by one when it's downloading. In the end, killing the task from Task Manager is the only thing that stops it, but it restarts itself soon after.
I've been looking through the various other 64.111.211.158 redirect threads (there seem to be a lot in the last 2 days) and haven't seen any resolved; I thought this may help narrow down the problem area.
Also, I've run a multitude of programs; most are now saying I have no malware (except the cookies from the pages that it continually runs in IE).
At this stage I don't think my logs are going to be useful, as they're probably full of the 100 different programs I've tried in the last 2 days.
Anyway, I'm more than willing to go through any steps people have; so sick of having to kill svchost.
TIA
Hello, you may have been infected by TDSS.
Please download aswMBR from here: http://public.avast.com/~gmerek/aswMBR.htm
1) Double-click aswMBR.exe to run it
2) Click the [Scan] button to start the scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply
Make sure to post your log in your next reply.
If this doesn't help, I will PM Essexbot to help you.
Looks like he will be super busy today with all those Google redirects, haha ;D.
I may be talking too soon, but aswMBR seems to have killed the beast!!!
I ran the scan, saved the log and clicked FixMBR. Then I rebooted, and I have no more redirections from Firefox, Chrome started to work again and IE is not being spawned anymore. I will keep you posted if it comes back.
Here is the aswMBR log:
aswMBR version 0.9.7.705 Copyright(c) 2011 AVAST Software
Run date: 2011-07-11 08:52:27
08:52:27.244 OS Version: Windows 6.1.7601 Service Pack 1
08:52:27.244 Number of processors: 2 586 0x1706
08:52:27.246 ComputerName: DSI-HA UserName:
08:52:28.636 Initialize success
08:53:19.792 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
08:53:19.798 Disk 0 Vendor: ST912082 3.AD Size: 114473MB BusType: 3
08:53:19.811 Disk 0 MBR read successfully
08:53:19.819 Disk 0 MBR scan
08:53:19.825 Disk 0 Windows 7 default MBR code found via API
08:53:19.829 Disk 0 unknown MBR code
08:53:19.834 Disk 0 MBR hidden
08:53:19.844 Disk 0 scanning sectors +234438656
08:53:19.881 Disk 0 scanning C:\Windows\system32\drivers
08:53:34.303 Service scanning
08:53:35.425 Disk 0 trace - called modules:
08:53:35.476 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8783cf16]<<
08:53:35.480 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x87826030]
08:53:35.484 3 CLASSPNP.SYS[8d27259e] → nt!IofCallDriver → [0x878259c0]
08:53:35.830 \Driver\PCTCore[0x8617d680] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x8783cf16
08:53:35.845 Scan finished successfully
08:53:53.344 Disk 0 MBR has been saved successfully to “C:\Users\haubuchon.DSICONSEIL\Desktop\av\MBR.dat”
08:53:53.350 The log file has been saved successfully to “C:\Users\haubuchon.DSICONSEIL\Desktop\av\aswMBR.txt”
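The aswMBR log above reports three things at once: the stock Windows 7 MBR code when read through the API, unknown code on the direct read, and "MBR hidden", plus a trace entry ending in a module aswMBR could not name. As an added triage example (my code, not aswMBR's or anyone's in this thread), here is a small Python parser for that log format that pulls those indicators out of an excerpt of the log posted above; the regexes and the "suspect" rule are my assumptions about the format, not something aswMBR documents.

```python
import re

# Excerpt of the aswMBR log posted in this thread (only the MBR-related lines).
SAMPLE_LOG = """\
08:53:19.811 Disk 0 MBR read successfully
08:53:19.819 Disk 0 MBR scan
08:53:19.825 Disk 0 Windows 7 default MBR code found via API
08:53:19.829 Disk 0 unknown MBR code
08:53:19.834 Disk 0 MBR hidden
08:53:35.425 Disk 0 trace - called modules:
08:53:35.476 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8783cf16]<<
08:53:35.830 \\Driver\\PCTCore[0x8617d680] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x8783cf16
08:53:35.845 Scan finished successfully
"""

# Assumed line shape: "HH:MM:SS.mmm <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
# Trace entries that end in an address aswMBR could not map to a module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# Driver dispatch lines: "\Driver\Name[addr] ... <final target address>".
DISPATCH_RE = re.compile(r"^(\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\].*?(0x[0-9a-fA-F]+)$")


def parse_aswmbr(text):
    """Yield (timestamp, message) for every well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage_aswmbr(text):
    """Summarise the MBR-related findings of an aswMBR log as a dict."""
    lines = [msg for _ts, msg in parse_aswmbr(text)]
    unknown = [addr for msg in lines for addr in UNKNOWN_RE.findall(msg)]
    findings = {
        "api_default_mbr": any("default MBR code found via API" in m for m in lines),
        "unknown_mbr_code": any(m.endswith("unknown MBR code") for m in lines),
        "mbr_hidden": any(m.endswith("MBR hidden") for m in lines),
        "unknown_modules": unknown,
        # Drivers whose IRP dispatch ends at one of those unmapped addresses.
        "dispatch_to_unknown": [
            m.group(1) for m in map(DISPATCH_RE.match, lines) if m and m.group(2) in unknown],
    }
    # The API reporting the stock MBR while the raw read sees unknown code is the
    # disagreement a rootkit filtering disk I/O produces; treat either sign as suspect.
    findings["suspect"] = findings["mbr_hidden"] or (
        findings["api_default_mbr"] and findings["unknown_mbr_code"])
    return findings
```

A clean log, where the API view and the direct read agree and no trace entry ends in UNKNOWN, yields `suspect: False`.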
Hi, I would like an OTS log please, to see if there are any remnants.
To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.
1) Close ALL OTHER PROGRAMS.
2) Double-click on OTS.exe to start the program.
3) Check the box that says Scan All Users.
4) Under Additional Scans check the following:
5) Now click the Run Scan button on the toolbar.
6) Let it run unhindered until it finishes.
7) When the scan is complete, Notepad will open with the report file loaded in it.
8) Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.