BleepingComputer.com: 100ksearches.com redirection

hello, since a few days whenever i search something on google and clicking the search results am getting redirected to 100ksearches.com or some page with a code appears which asks me to confirm the code which am not doing.

since yesterday's avira anti-virus update, avira has found some virus in windows/assembly/gac_32 something but says it cannot remove it and eversince then it's real time guard got disabled and also anti virus programs give me this message - Malware blocked! Object: c:\windows\assembly\tmp\u\800000cb.@ - Process: c:\windows\system32\csrss.exe i don't know how to get rid of this virus, pls help, thanks.

all the scan logs am posting below are full scans and not quick scans.

 DDS.txt (10.31K)
Number of downloads: 3
 Attach.txt (9.08K)
Number of downloads: 1
--
 aswMBR.txt (1.53K)
Number of downloads: 1
--
 TDSSKiller.2.5.15.0_13.08.2011_13.10.45_log.txt (62.49K)
Number of downloads: 1
--
 OTL.Txt (53.21K)
Number of downloads: 1
 Extras.Txt (31.85K)
Number of downloads: 0
--
 mbam-log-2011-08-13 (13-44-53).txt (895bytes)
Number of downloads: 2
--
 hijackthis.log (7.25K)
Number of downloads: 1

This post has been edited by Gamernes: 13 August 2011 - 03:28 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

Hi,

Please do the following

Refer to the ComboFix User's Guide

• Download ComboFix from one of these locations:
  
  Link 1
  Link 2
  
  * IMPORTANT !!! Place ComboFix.exe on your Desktop
  
  
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  
  
  You can get help on disabling your protection programs here
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  
  
• When finished, it shall produce a log for you. Post that log in your next reply
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  
  ---------------------------------------------------------------------------------------------
  
  
• Ensure your AntiVirus and AntiSpyware applications are re-enabled.
  
  ---------------------------------------------------------------------------------------------

CatByte, on 13 August 2011 - 07:20 AM, said:

 ComboFix.txt (13.87K)
Number of downloads: 1

Hello, thanks for replying. I did as u said i had avast installed so i disabled its real time protection before running combofix and for some reason combofix wasnt progressing past completed stage 50 mark for over an hour so i tried to launch firefox and get here to ask for advice on what to do but my firefox or internet explorer wasnt working! i mean it was acting as if theres no internet connection. so with whatever knowledge i had i restarted the system, hit f8 and restored it. and then i uninstalled avast completely, by the way even after restoring my firefox or ie wasnt recognizing my connection so after uninstalling avast i ran combofix and it finished in about 10 mins and this is the report i got + now my firefox recognizes my internet. weird. am attaching the file thanks

Hi,

Yes, most likely it was Avast interfering, there should be the first log located at C:\qoobox\combofix2.txt if you could please post it,


NEXT


Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activeX control to install
  
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  
• Click Scan
  
• Wait for the scan to finish
  
• When the scan completes, press the LIST OF THREATS FOUND button
  
• Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  
• Include the contents of this report in your next reply.
  
• Press the BACK button.
  
• Press Finish

CatByte, on 13 August 2011 - 12:04 PM, said:

theres only combofix-quarantined.txt so am attaching that. by the way, just in case ur wondering all my probs are gone.. no redirections + when my pc got infected my firewall was disabled by the virus but now its back to normal everythings back to normal but just in case to be sure ill send u whatever files u need..

all those tests have made a lot of folders in my c drive.. otl, combofix and all that

 ComboFix-quarantined-files.txt (620bytes)
Number of downloads: 1

i scanned with eset like u asked and it found no threats

This post has been edited by Gamernes: 13 August 2011 - 04:10 PM

Hi

Just some housekeeping to do now, this will clean up all those tools and logs.

Please do the following:

P2P - I see you have P2P software utorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall this/these now. You can do so via Control Panel >> Add or Remove Programs.



NEXT


Your Java is out of date.
Java™ 6 Update 24 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.

• On the General tab, under Temporary Internet Files, click the Settings button.
  
• Next, click on the Delete Files button
  
• There are two options in the window to clear the cache - Leave BOTH Checked
  
  Applications and Applets
  Trace and Log Files
  
  
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  
• Click OK to leave the Temporary Files Window
  
• Click OK to leave the Java Control Panel.

NEXT


You can delete the TDSSKiller, DDS and aswMBR logs and programs from your desktop.


NEXT

Follow these steps to uninstall Combofix

• Make sure your security programs are totally disabled.
  
• Click START then RUN
  
• Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

NEXT


Clean up with OTL:

• Double-click OTL.exe to start the program.
  
• Close all other programs apart from OTL as this step will require a reboot
  
• On the OTL main screen, press the CLEANUP button
  
• Say Yes to the prompt and then allow the program to reboot your computer.

If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

• It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
  Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  
  
  
• Keep Windows updated by regularly checking their website at :
  http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
  
  
• Make Internet Explorer more secure
  
  • Click Start > Run
    
  • Type Inetcpl.cpl & click OK
    
  • Click on the Security tab
    
  • Click Reset all zones to default level
    
  • Make sure the Internet Zone is selected & Click Custom level
    
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  
  
  
  
• Download TFC to your desktop
  
  • Close any open windows.
    
  • Double click the TFC icon to run the program
    
  • TFC will close all open programs itself in order to run,
    
  • Click the Start button to begin the process.
    
  • Allow TFC to run uninterrupted.
    
  • The program should not take long to finish it's job
    
  • Once its finished it should automatically reboot your machine,
    
  • if it doesn't, manually reboot to ensure a complete clean
  
  It's normal after running TFC cleaner that the PC will be slower to boot the first time.
  
  
  
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
    
  • Yellow for caution
    
  • Red to stop
  WOT has an addon available for both Firefox and IE
  
  
  
• Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  
  
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  
  
  
• In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
  PC Safety and Security--What Do I Need?.

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

CatByte, on 14 August 2011 - 07:41 AM, said:

hello i have down all that and now all the folders created during tests in c:\ are gone except for two folders config.msi and recovery.. recovery folder is empty and config.msi has two files in it. they are e8a46e.rbf and e8a472.rbf. i use utorrent to download videogames like league of legends cus their direct downloads are downloading by pando media booster which i dont like to install so i use utorrent to download thru their torrent links thanks

besides this my computer is working like a new copy of os has just been installed on it thanks

those folders are microsoft folders, so i would leave them alone,

good to hear things are working well

stay safe

~CB

This post has been edited by CatByte: 15 August 2011 - 08:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.