Tried everything, still Google redirect 64.111.211.158, please help!

I have done the OTS and here are my results: http://www.megaupload.com/?d=10QB8N8I Thanks, and I hope this will help.

Hi burnsmonkey

Start OTS. Copy/paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the RUN FIX button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-257084619-3419657708-3484036997-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-257084619-3419657708-3484036997-1000\: "ProxyServer" -> http=127.0.0.1:6522
< FireFox Extensions [Program Folders] > -> 
YN -> No name found -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "hpqSRMon" -> []
YN -> "SunJavaUpdateSched" -> ["C:\Program Files\Java\jre6\bin\jusched.exe"]
< Run [HKEY_USERS\S-1-5-21-257084619-3419657708-3484036997-1000\] > -> HKEY_USERS\S-1-5-21-257084619-3419657708-3484036997-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Aim6" -> []
[Files/Folders - Modified Within 30 Days]
NY ->  7q4da2444o4nswy -> C:\ProgramData\7q4da2444o4nswy
NY ->  7q4da2444o4nswy -> C:\Users\Owner\AppData\Local\7q4da2444o4nswy
NY ->  4 C:\Users\Owner\AppData\Local\Temp\*.tmp files -> C:\Users\Owner\AppData\Local\Temp\*.tmp
NY ->  3 C:\Users\Owner\Documents\*.tmp files -> C:\Users\Owner\Documents\*.tmp
NY ->  1 C:\Windows\*.tmp files -> C:\Windows\*.tmp
[Files - No Company Name]
NY ->  7q4da2444o4nswy -> C:\Users\Owner\AppData\Local\7q4da2444o4nswy
NY ->  7q4da2444o4nswy -> C:\ProgramData\7q4da2444o4nswy
NY ->  6fq6p8858ae86mofmhwa61ow7l2sl4 -> C:\ProgramData\6fq6p8858ae86mofmhwa61ow7l2sl4
NY ->  6fq6p8858ae86mofmhwa61ow7l2sl4 -> C:\Users\Owner\AppData\Local\6fq6p8858ae86mofmhwa61ow7l2sl4
NY ->  82n6u1y5v2x4155u05qfmjh637ph4uoluj8 -> C:\Users\Owner\AppData\Local\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
NY ->  82n6u1y5v2x4155u05qfmjh637ph4uoluj8 -> C:\ProgramData\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
NY ->  Qfipig.bin -> C:\Users\Owner\AppData\Local\Qfipig.bin
NY ->  Obaziqatariveh.dat -> C:\Users\Owner\AppData\Local\Obaziqatariveh.dat
[Alternate Data Streams]
NY -> @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:206E2596
NY -> @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:4911317F
NY -> @Alternate Data Stream - 140 bytes -> C:\ProgramData\TEMP:4EFDF5FB
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]

The fix should only take a very short time. After reboot, please post the following report/log into your next reply.

2. Download ComboFix from here and save it to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
- Temporarily disable your AntiVirus/Antispyware program.
- Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Post the log report (ComboFix.txt) back to the topic.

total,
Where did you get your training and what are your qualifications???

To those being helped:
Without training, receiving specific advice using the tools he is using can do serious harm to your computer…

@burnsmonkey Essexboy has been notified, so wait for his advice…

Thank you.

Yep, this is definitely the flavour of the month, but each one is different, which is a bit of a nightmare.

Start OTS. Copy/paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-257084619-3419657708-3484036997-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-257084619-3419657708-3484036997-1000\: "ProxyServer" -> http=127.0.0.1:6522
< FireFox Settings [Prefs.js] > -> C:\Users\Owner\AppData\Roaming\Mozilla\FireFox\Profiles\h4plac8p.default\prefs.js
YN -> browser.search.selectedEngine -> "Search the Web"
YN -> extensions.enabledItems -> {59025C97-AA1C-4299-A1F3-96708152E9BC}:1.9.1
< FireFox SearchPlugins [User Folders] > -> 
YY ->  search-the-web.xml -> C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\h4plac8p.default\searchplugins\search-the-web.xml
< FireFox Extensions [Program Folders] > -> 
YY -> XULRunner -> C:\USERS\OWNER\APPDATA\LOCAL\{59025C97-AA1C-4299-A1F3-96708152E9BC}
< HOSTS File > ([2011/07/08 17:53:44 | 000,000,789 | ---- | M] - 22 lines) -> C:\Windows\System32\drivers\etc\hosts
YN -> 74.208.10.249 gs.apple.com -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{6e91ea6f-267f-11de-9ba2-001f164d5632} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6e91ea6f-267f-11de-9ba2-001f164d5632}\shell\AutoRun\command -> 
YN -> \{6e91ea6f-267f-11de-9ba2-001f164d5632}\shell\AutoRun\command\\"" -> [G:\winlog.exe]
[Files/Folders - Created Within 30 Days]
NY ->  Catalina Marketing Corp -> C:\Users\Owner\AppData\Roaming\Catalina Marketing Corp
NY ->  Catalina Marketing Corp -> C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp
[Files/Folders - Modified Within 30 Days]
NY ->  7q4da2444o4nswy -> C:\ProgramData\7q4da2444o4nswy
NY ->  7q4da2444o4nswy -> C:\Users\Owner\AppData\Local\7q4da2444o4nswy
[Files - No Company Name]
NY ->  7q4da2444o4nswy -> C:\Users\Owner\AppData\Local\7q4da2444o4nswy
NY ->  7q4da2444o4nswy -> C:\ProgramData\7q4da2444o4nswy
NY ->  6fq6p8858ae86mofmhwa61ow7l2sl4 -> C:\ProgramData\6fq6p8858ae86mofmhwa61ow7l2sl4
NY ->  6fq6p8858ae86mofmhwa61ow7l2sl4 -> C:\Users\Owner\AppData\Local\6fq6p8858ae86mofmhwa61ow7l2sl4
NY ->  82n6u1y5v2x4155u05qfmjh637ph4uoluj8 -> C:\Users\Owner\AppData\Local\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
NY ->  82n6u1y5v2x4155u05qfmjh637ph4uoluj8 -> C:\ProgramData\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
NY ->  Qfipig.bin -> C:\Users\Owner\AppData\Local\Qfipig.bin
NY ->  Obaziqatariveh.dat -> C:\Users\Owner\AppData\Local\Obaziqatariveh.dat
[File - Lop Check]
NY ->  Catalina Marketing Corp -> C:\Users\Owner\AppData\Roaming\Catalina Marketing Corp
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
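Added example (not from this thread, OTS or ComboFix): a read-only PowerShell audit for the four indicator classes the two fixes above act on, the loopback IE proxy (http=127.0.0.1:6522), non-loopback hosts entries, MountPoints2 AutoRun commands, and alternate data streams on C:\ProgramData\TEMP. It assumes Windows PowerShell 3.0 or later in an elevated prompt and changes nothing; it only reports what it finds.

```powershell
# Example audit code, not part of the original thread. Read-only: reports, never removes.
function Get-RedirectIndicators {
    $findings = @()

    # 1. WinINet proxy pointed at the local machine. Both OTS fixes removed
    #    ProxyServer = http=127.0.0.1:6522 from the user's Internet Settings.
    $inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = (Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue).ProxyServer
    if ($proxy -and $proxy -match '127\.0\.0\.1|localhost') {
        $findings += "Local proxy configured: $proxy"
    }

    # 2. Non-loopback hosts entries (the second fix removed a gs.apple.com line).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*\d+\.\d+\.\d+\.\d+\s+\S' -and
                       $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
        ForEach-Object { $findings += "hosts entry: $($_.Trim())" }

    # 3. MountPoints2 AutoRun commands (the fix removed one launching G:\winlog.exe).
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\\shell\\AutoRun\\command$' } |
        ForEach-Object {
            $cmd = $_.GetValue('')          # default value holds the command line
            if ($cmd) { $findings += "MountPoints2 AutoRun: $cmd" }
        }

    # 4. Alternate data streams on the C:\ProgramData\TEMP directory. 'dir /R' prints
    #    '<size> TEMP:<name>:$DATA' under the directory entry, so list the parent folder.
    cmd.exe /c dir /R /A C:\ProgramData 2>$null |
        ForEach-Object {
            if ($_ -match '^\s*(\d[\d,]*)\s+(TEMP:[^:]+):\$DATA\s*$') {
                $findings += "ADS C:\ProgramData\$($Matches[2]) ($($Matches[1]) bytes)"
            }
        }

    return $findings
}

$hits = Get-RedirectIndicators
if ($hits.Count -eq 0) { 'No indicators of this redirect family found.' } else { $hits }
```

A clean machine prints the single "No indicators" line; anything else is a lead to hand to a helper, not something to delete by hand.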

A dialog box has popped open asking me to create a folder that doesn't exist, and it seems that it found 2177 files that will ask me the same thing. It is a JScript Script File.

OK, that does not sound right. Could you get a screenshot for me or give me the name of the folder to create?

I have been a malware hunter for more than ten years.
I am familiar with OTL, OTS, OTM, DDS, ComboFix, GMER, MBRCheck, AVZ, AVP, etc.
I know what I am doing :slight_smile:

What are your qualifications???

Hi, I am an instructor at GeekU. On the fix you missed the XULRunner and the job which would have respawned the malware. Where did you train to get access to OTA?

Here is the screenshot: http://www.megaupload.com/?d=MX19VDUG

Select No and tick “Do this for all following”. It is being generated by the malware we are removing.

Sorry, I had to run to the ER, but I'm back. I selected Cancel since I didn't have a No option, and I will post after it's done.

OK it just asked me to restart and no log came up, is that correct?

Still getting the redirect, and even TDSSKiller found nothing.

OK, next phase then, as it appears it is fighting back.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*] Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*] Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is the ComboFix log. Again it wanted to make sure I wanted to delete a file, and I did.

http://www.megaupload.com/?d=9QQP0PXG Thanks

That looks OK. What are your current problems?

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*] Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*] If an update is found, it will download and install the latest version.
[*] Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*] The scan may take some time to finish, so please be patient.
[*] When the scan is complete, click OK, then Show Results to view the results.
[*] Make sure that everything is checked, and click Remove Selected.
[*] When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*] The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*] Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

All is well. I believe ComboFix did the trick, MBAM found nothing and I am not getting any redirects at all. Thanks essexboy!

OK, once you are happy let me know and I will remove my tools.