Author Topic: Struggling with the 64.111.211.158 Redirect  (Read 2956 times)


Psiman

  • Guest
Struggling with the 64.111.211.158 Redirect
« on: July 11, 2011, 02:23:29 AM »
I've been struggling away at this one after being infected yesterday; so far these are some things I've noticed (for me anyway):
The redirect isn't hard-coded in the way they usually are; it's a soft redirect (i.e. it only redirects once you arrive at a site, in the same way that typing a new address in the address bar would redirect you) and is easily bypassed by pressing Back, and it only ever redirects once.

This virus/malware runs Internet Explorer invisibly (not visible in any task manager I can find).
It then downloads movies from 10-15 sites at once (mainly ads), easily maxing my downstream speed.

I've disabled Flash in IE; this seems to have stopped the heavy downloading.

It seems to be installed as a service, as svchost.exe is where all the downloading is initiating.
I've noticed at times the memory used by one particular svchost swells dramatically, sometimes reaching 1.5 GB.

I thought I had narrowed down which service was tainted to COM+ Event System, but now I'm not so sure; it may be a hidden service.

I've tried stopping the services with the same PID one by one when it's downloading; in the end, killing the task from Task Manager is the only thing that stops it, but it restarts itself soon after.

I've been looking through the various other 64.111.211.158 redirect threads (there seem to be a lot in the last 2 days) and haven't seen any resolved; I thought this may help narrow down the problem area.
Also, I've run a multitude of programs; most are now saying I have no malware (except the cookies from the pages that it continually runs in IE).
At this stage I don't think my logs are going to be useful, as they're probably full of the 100 different programs I've tried in the last 2 days :)

Anyway, more than willing to go through any steps people have; so sick of having to kill svchost.
TIA :)

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Struggling with the 64.111.211.158 Redirect
« Reply #1 on: July 11, 2011, 11:33:44 AM »
Hello, you may have been infected by TDSS.
Please download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
1)Double click the aswMBR.exe to run it
2)Click the [Scan] button to start scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply

Make sure to post your log in your next reply.

If this doesn't help, I will PM Essexbot to help you.
Looks like he will be super busy today with all those Google redirects, haha ;D.
« Last Edit: July 11, 2011, 11:35:53 AM by Left123 »
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

haubuchon

  • Guest
Re: Struggling with the 64.111.211.158 Redirect
« Reply #2 on: July 11, 2011, 02:51:51 PM »
I made the same observations as Psiman.

While using Process Explorer (sysinternals), I could see that IE processes were spawned from this process/service:

C:\Windows\system32\svchost.exe -k DcomLaunch.

Maybe it can help...
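Added example (my own PowerShell, not code from any poster in this thread): the checks Psiman describes doing by hand (which services share the swollen svchost PID, who owns the download traffic, whether a service is hidden) and haubuchon's Process Explorer observation (iexplore.exe spawned from svchost -k DcomLaunch), scripted so the same evidence comes out in one pass. It assumes a Windows 7 box with PowerShell 2.0 and an elevated prompt, and only reads; it stops and deletes nothing.

```powershell
# Added example, not from the thread: map every svchost.exe to the services it hosts,
# show the parent chain of any iexplore.exe, attribute ESTABLISHED TCP connections to
# their owning PID, and look for service keys the SCM does not report. WMI and netstat
# are used so it runs on Windows 7 / PowerShell 2.0. Run from an elevated prompt.

$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# 1. svchost.exe -> hosted services. The "-k" group in the command line is what
#    haubuchon saw (DcomLaunch); the service names are what you need before stopping
#    anything, since several services share one PID and one working set.
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }
foreach ($h in ($procs | Where-Object { $_.Name -eq 'svchost.exe' } | Sort-Object ProcessId)) {
    $hosted = ($services | Where-Object { $_.ProcessId -eq $h.ProcessId } |
               ForEach-Object { $_.Name }) -join ', '
    "svchost PID {0,-6} {1,6} MB  {2}" -f $h.ProcessId, [math]::Round($h.WorkingSetSize / 1MB), $h.CommandLine
    "    services: $hosted"
}

# 2. Window-less iexplore.exe: walk ParentProcessId upward so a chain like
#    iexplore.exe <- svchost.exe (-k DcomLaunch) is visible. If WMI shows no
#    iexplore.exe while the IE traffic continues, the process list is being filtered.
foreach ($ie in ($procs | Where-Object { $_.Name -eq 'iexplore.exe' })) {
    $chain = @(); $cur = $ie
    while ($cur -and $chain.Count -lt 10) {
        $chain += ('{0}[{1}]' -f $cur.Name, $cur.ProcessId)
        $cur = $byPid[[int]$cur.ParentProcessId]
    }
    "iexplore PID {0}: {1}" -f $ie.ProcessId, ($chain -join ' <- ')
    "    cmdline: $($ie.CommandLine)"
}

# 3. Network attribution. netstat -ano prints the owning PID in the last column;
#    grouping by PID shows which process holds the 10-15 download streams.
#    (The state word is localised on non-English Windows; adjust 'ESTABLISHED'.)
$conns = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)\s*$') {
        New-Object PSObject -Property @{ OwnerPid = [int]$matches[3]; Remote = "$($matches[1]):$($matches[2])" }
    }
}
$conns | Group-Object OwnerPid | Sort-Object Count -Descending | ForEach-Object {
    $owner = $byPid[[int]$_.Name]
    $name  = if ($owner) { $owner.Name } else { '(no such process: filtered?)' }
    "PID {0,-6} {1,-28} {2,3} connections" -f $_.Name, $name, $_.Count
    $_.Group | Select-Object -First 5 | ForEach-Object { "    -> $($_.Remote)" }
}

# 4. Psiman's "hidden service" suspicion: a Win32 service key (Type 0x10/0x20) present
#    in the registry but absent from what the SCM reports (services.msc, Win32_Service)
#    is hidden from the SCM API. A hit deserves a look, not an automatic verdict; and a
#    rootkit that also filters registry enumeration will not show up here at all.
$scm = @{}
foreach ($s in (Get-WmiObject Win32_Service)) { $scm[$s.Name.ToLower()] = $true }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $type = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Type
    if (($type -band 0x30) -and -not $scm.ContainsKey($_.PSChildName.ToLower())) {
        "HIDDEN?  service key {0} (Type=0x{1:x}) not reported by the SCM" -f $_.PSChildName, $type
    }
}
```

Run it while the downloads are in progress: the svchost PID owning most ESTABLISHED connections comes out next to the list of services hosted in that PID, which is the information needed before deciding which service, if any, to stop (`tasklist /svc /fi "PID eq N"` gives the same mapping at a cmd prompt). A PID in the netstat output that no longer appears in the process list, or IE traffic with no iexplore.exe process, means the process listing itself is being filtered, which is what the MBR scan in the later replies is for.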


Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Struggling with the 64.111.211.158 Redirect
« Reply #3 on: July 11, 2011, 02:54:38 PM »
Quote from: haubuchon on July 11, 2011, 02:51:51 PM
I made the same observations as Psiman.

While using Process Explorer (sysinternals), I could see that IE processes were spawned from this process/service:

C:\Windows\system32\svchost.exe -k DcomLaunch.

Maybe it can help...


Can you post the aswMBR log?

haubuchon

  • Guest
Re: Struggling with the 64.111.211.158 Redirect
« Reply #4 on: July 11, 2011, 03:08:08 PM »
I may be talking too soon, but aswMBR seems to have killed the beast!!!

I ran the scan, saved the log and clicked FixMBR. Then I rebooted, and I have no more redirections from Firefox, Chrome started to work again and IE is not being spawned anymore. I will keep you posted if it comes back.

Here is the aswMBR log:

------
aswMBR version 0.9.7.705 Copyright(c) 2011 AVAST Software
Run date: 2011-07-11 08:52:27
-----------------------------
08:52:27.244    OS Version: Windows 6.1.7601 Service Pack 1
08:52:27.244    Number of processors: 2 586 0x1706
08:52:27.246    ComputerName: DSI-HA  UserName:
08:52:28.636    Initialize success
08:53:19.792    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:53:19.798    Disk 0 Vendor: ST912082 3.AD Size: 114473MB BusType: 3
08:53:19.811    Disk 0 MBR read successfully
08:53:19.819    Disk 0 MBR scan
08:53:19.825    Disk 0 Windows 7 default MBR code found via API
08:53:19.829    Disk 0 unknown MBR code
08:53:19.834    Disk 0 MBR hidden
08:53:19.844    Disk 0 scanning sectors +234438656
08:53:19.881    Disk 0 scanning C:\Windows\system32\drivers
08:53:34.303    Service scanning
08:53:35.425    Disk 0 trace - called modules:
08:53:35.476    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8783cf16]<<
08:53:35.480    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87826030]
08:53:35.484    3 CLASSPNP.SYS[8d27259e] -> nt!IofCallDriver -> [0x878259c0]
08:53:35.830    \Driver\PCTCore[0x8617d680] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8783cf16
08:53:35.845    Scan finished successfully
08:53:53.344    Disk 0 MBR has been saved successfully to "C:\Users\haubuchon.DSICONSEIL\Desktop\av\MBR.dat"
08:53:53.350    The log file has been saved successfully to "C:\Users\haubuchon.DSICONSEIL\Desktop\av\aswMBR.txt"
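Added example (mine, not from the thread and not AVAST's code): a small parser that turns an aswMBR log into a list of findings, using the disk-scan lines from haubuchon's log above as its sample input. The severities and the wording of the notes are my own reading of the tool's output format; the one piece of logic beyond pattern matching is correlating the address aswMBR could not attribute to any module (the `>>UNKNOWN [...]<<` line) with the target address of the named driver's dispatch entry.

```powershell
# Added example, not part of the thread: triage an aswMBR log. The sample is the
# disk-scan part of haubuchon's log; severities and notes are mine.
# aswMBR reports the MBR code as the OS shows it ("found via API") and as its own
# read finds it ("unknown MBR code"); "MBR hidden" is its verdict that the two differ.

$sampleLog = @'
08:53:19.811    Disk 0 MBR read successfully
08:53:19.819    Disk 0 MBR scan
08:53:19.825    Disk 0 Windows 7 default MBR code found via API
08:53:19.829    Disk 0 unknown MBR code
08:53:19.834    Disk 0 MBR hidden
08:53:35.425    Disk 0 trace - called modules:
08:53:35.476    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8783cf16]<<
08:53:35.480    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87826030]
08:53:35.830    \Driver\PCTCore[0x8617d680] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8783cf16
08:53:35.845    Scan finished successfully
'@

function New-Finding([string]$Severity, [string]$Line, [string]$Note) {
    New-Object PSObject -Property @{ Severity = $Severity; Line = $Line; Note = $Note }
}

function Get-AswMbrIndicators([string[]]$Lines) {
    # Pass 1: addresses aswMBR could not attribute to any loaded module.
    $unknown = @{}
    foreach ($l in $Lines) {
        if ($l -match '>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<') { $unknown[$matches[1].ToLower()] = $true }
    }
    # Pass 2: one finding per interesting line.
    $findings = @()
    foreach ($l in $Lines) {
        $t = $l.Trim()
        if ($t -match 'Disk \d+ (.+) MBR code found via API$') {
            $findings += New-Finding 'Info' $t ("OS-visible MBR code: " + $matches[1])
        }
        elseif ($t -match 'Disk \d+ unknown MBR code$') {
            $findings += New-Finding 'High' $t 'direct read of sector 0 is not a known boot loader'
        }
        elseif ($t -match 'Disk \d+ MBR hidden$') {
            $findings += New-Finding 'High' $t 'what the OS shows as the MBR is not what is on the disk'
        }
        elseif ($t -match '>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<') {
            $findings += New-Finding 'High' $t ("disk I/O path ends in unattributed code at " + $matches[1])
        }
        elseif ($t -match '\\Driver\\(\S+?)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)') {
            $drv = $matches[1]; $irp = $matches[2]; $target = $matches[3].ToLower()
            if ($unknown.ContainsKey($target)) {
                $findings += New-Finding 'High' $t ("$irp entry of driver $drv forwards into the unattributed code at $target")
            } else {
                $findings += New-Finding 'Info' $t ("driver $drv is in the disk I/O path; confirm it belongs to installed software")
            }
        }
    }
    $findings
}

$findings = Get-AswMbrIndicators ($sampleLog -split "`r?`n")
$findings | ForEach-Object { "[{0,-4}] {1}`n        {2}" -f $_.Severity, $_.Note, $_.Line }
$high = @($findings | Where-Object { $_.Severity -eq 'High' }).Count
if ($high -gt 0) {
    "`nVERDICT: $high high-severity indicators; the MBR is not what the OS reports. Re-run aswMBR after FixMBR and a reboot: a clean run has no 'MBR hidden' and no '>>UNKNOWN' line."
} else {
    "`nVERDICT: no MBR indicators in this log."
}
```

On this log the high-severity lines are the ones that matter: the OS reports the standard Windows 7 boot code, the tool's own read finds code it does not recognise, and the trace of the disk I/O path ends at an address that belongs to no loaded module, with the named driver's IRP_MJ_INTERNAL_DEVICE_CONTROL entry forwarding to that same address. The correlation says the disk read path is hooked; it does not say whether the named driver is the rootkit or a legitimate driver whose dispatch entry was overwritten, so the driver file itself still needs checking (signature, location, vendor), which is what the OTS log in the next reply is for. The MBR.dat the tool saves is the evidence copy of the infected sector; keep it before clicking FixMBR.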




Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Struggling with the 64.111.211.158 Redirect
« Reply #5 on: July 11, 2011, 08:28:05 PM »
Hi, I would like an OTS log please, to see if there are any remnants.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
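Added example (mine, not OTS's code): the custom-scan directives essexboy lists, done in PowerShell 2.0 on a Windows 7 machine that has no OTS, so the same evidence can be collected by hand. The paths are the Windows defaults and the script only reads; `Get-Md5Hex` is my own helper, since Get-FileHash does not exist in PowerShell 2.0.

```powershell
# Added example, not OTS's code: the custom-scan directives from the post above,
# done with PowerShell 2.0 on Windows 7. Read-only; run elevated so the system
# files and HKLM keys are readable.

$sysRoot  = $env:SystemRoot      # usually C:\Windows
$sysDrive = $env:SystemDrive     # usually C:

function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($md5.ComputeHash($fs)).Replace('-', '').ToLower() }
    finally { $fs.Close() }
}

# /md5start ... /md5stop : hash the binaries OTS names. A hash only means something
# next to a reference: the same file at the same patch level on a clean machine, or
# the copy under %SystemRoot%\winsxs.
$targets = @(
    "$sysRoot\System32\drivers\volsnap.sys",
    "$sysRoot\explorer.exe",
    "$sysRoot\System32\winlogon.exe",
    "$sysRoot\System32\userinit.exe",
    "$sysRoot\System32\svchost.exe"
)
foreach ($t in $targets) {
    if (-not (Test-Path $t)) { "MISSING  $t"; continue }
    $f   = Get-Item $t
    $sig = Get-AuthenticodeSignature $t
    # Windows 7 system files are catalog-signed, so Status is NotSigned here and that
    # alone means nothing. HashMismatch, or a signer other than Microsoft, is a finding.
    "{0,-14} {1,8} bytes  md5={2}  sig={3}" -f $f.Name, $f.Length, (Get-Md5Hex $t), $sig.Status
}

# %SYSTEMDRIVE%\*.exe : executables in the root of the system drive (an odd place for one).
Get-ChildItem "$sysDrive\" -Filter *.exe -Force -ErrorAction SilentlyContinue | ForEach-Object {
    "ROOT EXE {0}  {1} bytes  modified {2}" -f $_.FullName, $_.Length, $_.LastWriteTime
}

# hklm\software\clients\startmenuinternet|command /rs : the command each registered
# browser runs. A hijack points an entry at another binary or appends arguments.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = (Get-ItemProperty "Registry::$($_.Name)\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    "BROWSER {0,-16} -> {1}" -f $_.PSChildName, $cmd
}

# Reg - NetSvcs : the netsvcs svchost group. Names with no service key are legacy
# entries and normal on Windows 7; a ServiceDll outside %SystemRoot%, or missing on
# disk, is what to look at.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($n in (Get-ItemProperty $svchostKey).netsvcs) {
    $params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$n\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }
    $dll  = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $flag = if (($dll -notlike "$sysRoot\*") -or -not (Test-Path $dll)) { 'CHECK' } else { 'ok' }
    "NETSVCS {0,-5} {1,-22} {2}" -f $flag, $n, $params.ServiceDll
}
```

The hashes are the part that needs a second machine: the same binary at the same Windows patch level is the only reference an MD5 can be compared against, so record the file version too. The remaining OTS items essexboy asks for (Drivers32, SafeBoot Minimal, Shell Spawning, the Lop check and the event log errors) are plain registry and event-log reads and can be added in the same style, but the OTS log itself is what he will want to read.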