Website Redirect to 64.111.211.158

I want a reply ASAP, so I have my OTS Report (TPS report ;]) attached with whatever specialist magic I had read in this thread to fix my problem.

http://www.mediafire.com/?7a784ssubw57l38

That’s the download to my OTS, following those instructions.

Please download aswMBR from here: http://public.avast.com/~gmerek/aswMBR.htm
1) Double click the aswMBR.exe to run it
2) Click the [Scan] button to start the scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply

I have to go, sorry. Hope someone else will continue helping you. Sorry again.

Saw the OTS log; looks like an MBR or TDSS rootkit.

I can use that aswMBR to fix the problem right?

Yes, go ahead.

I’m not as computer savvy as I thought! Thank you a lot for your help, and fast response. It’s too early to be putting things off!

Obviously TDSS since he’s experiencing redirection problems.

Still getting the problems. I've scanned twice and it's the same exact log both times, even after 'fixing'.

Here is the log to the aswMBR.

http://www.mediafire.com/?ha8rg5fokpqg80t

Irony: I got redirected trying to click on my own thread link :stuck_out_tongue_winking_eye:

@Riffy

Start OTS. Copy/paste the information in the quote box below into the panel where it says "Paste fix here" and then click the RUN FIX button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1124350335-3646014730-853149843-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-1124350335-3646014730-853149843-1000\: "ProxyServer" -> http=127.0.0.1:60101
< FireFox Settings [Prefs.js] > -> C:\Users\Dicks\AppData\Roaming\Mozilla\FireFox\Profiles\v64r0iaq.default\prefs.js
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 60101
YN -> network.proxy.type -> 0
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  444 C:\Users\Dicks\AppData\Local\Temp\*.tmp files -> C:\Users\Dicks\AppData\Local\Temp\*.tmp
NY ->  444 C:\Users\Dicks\AppData\Local\Temp\*.tmp files -> C:\Users\Dicks\AppData\Local\Temp\*.tmp
NY ->  444 C:\Users\Dicks\AppData\Local\Temp\*.tmp files -> C:\Users\Dicks\AppData\Local\Temp\*.tmp
NY ->  24 C:\Windows\Temp\*.tmp files -> C:\Windows\Temp\*.tmp
NY ->  2 C:\Windows\*.tmp files -> C:\Windows\*.tmp
NY ->  1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp
NY ->  1 C:\Users\Dicks\Documents\*.tmp files -> C:\Users\Dicks\Documents\*.tmp
[Files - No Company Name]
NY ->  719384801 -> C:\Windows\SysWow64\719384801
NY ->  624E.38B -> C:\Users\Dicks\AppData\Roaming\624E.38B
NY ->  ativpsrm.bin -> C:\Windows\ativpsrm.bin
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]

The fix should only take a very short time. After the reboot, please post the following report/log in your next reply.

2. Download ComboFix from here and save it to your Desktop.
http://www.forospyware.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-Temporarily disable your AntiVirus/Antispyware program.
-Run ComboFix
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Post the log report (ComboFix.txt) back to the topic.

I followed the instructions for both of them.

http://www.mediafire.com/?mmwcumawnsj2j0d

http://www.mediafire.com/?ezbcackslfwu413

Still getting the problems?

Start Malwarebytes, click on the Update tab, update the program and perform a full scan. Post the log in your next reply.

Why a full scan?

And how did you make the OTS fix posted above?

I actually am not having any more problems! I really appreciate the help.

I recommend you do not run the OTS fix posted by "total", as I suspect it is just a copy and paste from somewhere.

Every fix is unique for every case, so until Essexboy has confirmed, do not run it.

OK, now you must uninstall ComboFix:

Start > Search: into the empty search field, copy combofix /uninstall and press Enter.
Start OTS and click Clean Up.

I made the OTS fix from here: http://www.mediafire.com/?7a784ssubw57l38

example:

HKEY_USERS\S-1-5-21-1124350335-3646014730-853149843-1000\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-21-1124350335-3646014730-853149843-1000\: "ProxyOverride" -> *.local -> 
HKEY_USERS\S-1-5-21-1124350335-3646014730-853149843-1000\: "ProxyServer" -> http=127.0.0.1:60101 -> 

or:

network.proxy.http -> "127.0.0.1" ->
network.proxy.http_port -> 60101 ->
network.proxy.type -> 0 ->

And as you see:

 444 C:\Users\Dicks\AppData\Local\Temp\*.tmp files -> C:\Users\Dicks\AppData\Local\Temp\*.tmp -> 
 444 C:\Users\Dicks\AppData\Local\Temp\*.tmp files -> C:\Users\Dicks\AppData\Local\Temp\*.tmp -> 
 444 C:\Users\Dicks\AppData\Local\Temp\*.tmp files -> C:\Users\Dicks\AppData\Local\Temp\*.tmp -> 
 24 C:\Windows\Temp\*.tmp files -> C:\Windows\Temp\*.tmp -> 
 2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> 
 1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> 
 1 C:\Users\Dicks\Documents\*.tmp files -> C:\Users\Dicks\Documents\*.tmp -> 

You're right only about this:

every fix is unique for every case

Sorry for my bad English :slight_smile:
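Added here as an editor's example, not code from the thread or from OTS: a small checker for the two redirect indicators quoted above, a Firefox prefs.js pointing network.proxy.http at 127.0.0.1 and an IE ProxyServer value of http=127.0.0.1:60101. The prefs.js sample is constructed, and the list of loopback prefixes treated as suspicious is my assumption.

```python
import re

# Constructed prefs.js sample mirroring the values quoted in the OTS log.
# network.proxy.type is set to 1 here (manual proxy active); the log showed 0,
# but a loopback host/port that persists is worth flagging either way.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 60101);
user_pref("network.proxy.type", 1);
'''

# user_pref("name", value);  value is a quoted string, an integer or true/false
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(-?\d+)|(true|false))\);')

# Assumption: a proxy on the local machine is what a browser hijacker installs
LOOPBACK_PREFIXES = ("127.", "localhost", "::1")


def parse_prefs(text):
    """Parse prefs.js text into a dict, keeping Firefox's value types."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        key, s, n, b = m.groups()
        prefs[key] = s if s is not None else int(n) if n is not None else (b == "true")
    return prefs


def firefox_loopback_proxy(prefs):
    """Return (host, port, active) if HTTP is routed to a proxy on this host, else None.
    active is True only when network.proxy.type == 1 (manual proxy in use)."""
    host = prefs.get("network.proxy.http")
    if not host or not str(host).startswith(LOOPBACK_PREFIXES):
        return None
    return (host, prefs.get("network.proxy.http_port"), prefs.get("network.proxy.type") == 1)


def parse_ie_proxyserver(value):
    """Parse the IE ProxyServer registry value: 'host:port' (all protocols)
    or 'http=host:port;https=host:port' (per protocol)."""
    proxies = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        scheme, _, hostport = entry.rpartition("=")   # no '=' -> scheme == ""
        host, _, port = hostport.rpartition(":")
        proxies[scheme or "all"] = (host, int(port) if port.isdigit() else None)
    return proxies


def ie_loopback_proxies(value):
    """Only the ProxyServer entries that point at this machine."""
    return {s: hp for s, hp in parse_ie_proxyserver(value).items()
            if hp[0].startswith(LOOPBACK_PREFIXES)}
```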

Did you not want to remove the worm as well?
C:\Users\Dicks\Desktop\WindowsActivator.exe

WindowsActivator.exe isn't on my desktop, and when I search for it, it comes up empty.

OK, can you confirm that you can see hidden files?

Yes sir. I can see hidden files and I'm logged in as administrator.