WiredWX Hobby Weather ToolsLog in

 


description100ksearches.com Empty100ksearches.com

more_horiz
Hello!

Today my computer has been infected: my browsing redirects via 100ksearches.com, my AVG has been neutered, and it really didn't want me to run OTL (it force closes and then locks the program, claiming I don't have permission to run it.)

Obviously with OTL closing before it can do anything, I can't add OTL logs here. I have run aswMBR and Security Check with no problems, however, and the logs are here:

aswMBR.txt
aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-25 15:42:13
-----------------------------
15:42:13.989 OS Version: Windows 6.1.7600
15:42:13.990 Number of processors: 2 586 0x170A
15:42:13.991 ComputerName: LAPTOP-THE-3RD UserName: Jamie
15:42:15.318 Initialize success
15:44:48.443 AVAST engine defs: 11072500
15:45:19.005 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:45:19.010 Disk 0 Vendor: ST9160827AS 3.ADB Size: 152627MB BusType: 11
15:45:19.026 Disk 0 MBR read successfully
15:45:19.029 Disk 0 MBR scan
15:45:19.036 Disk 0 Windows 7 default MBR code
15:45:19.042 Disk 0 scanning sectors +312579760
15:45:19.126 Disk 0 scanning C:\Windows\system32\drivers
15:45:22.428 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-F [Drp]
15:45:35.304 Service scanning
15:45:36.962 Modules scanning
15:45:42.021 Module: C:\Windows\System32\Drivers\dfsc.sys **SUSPICIOUS**
15:45:47.266 Disk 0 trace - called modules:
15:45:47.284 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xaddd1f00]<<
15:45:47.621 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8635b2e0]
15:45:47.627 3 CLASSPNP.SYS[8b5c459e] -> nt!IofCallDriver -> [0x85cc7ef8]
15:45:47.635 \Driver\02633880[0x85b85888] -> IRP_MJ_CREATE -> 0xaddd1f00
15:45:48.739 AVAST engine scan C:\Windows
15:45:51.943 AVAST engine scan C:\Windows\system32
15:48:42.235 AVAST engine scan C:\Windows\system32\drivers
15:48:45.294 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-F [Drp]
15:48:58.731 AVAST engine scan C:\Users\Jamie
16:04:42.546 AVAST engine scan C:\ProgramData
16:08:22.627 Scan finished successfully
16:08:49.269 Disk 0 MBR has been saved successfully to "C:\Users\Jamie\Desktop\MBR.dat"
16:08:49.278 The log file has been saved successfully to "C:\Users\Jamie\Desktop\aswMBR.txt"

checkup.txt
Results of screen317's Security Check version 0.99.17
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG 2011
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

SpyNoMore 2.98
Java(TM) 6 Update 26
Java(TM) SE Development Kit 6 Update 26
Java DB 10.6.2.1
Adobe Flash Player 10.3.181.26
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


Any assistance would be very gratefully recieved. Smile...

Thanks in advance!

Jamie

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Thanks for the reply! Here is the ComboFix log.

I had disabled my AVG, but ComboFix claimed otherwise. I ran the scan anyway.

(Doesn't want to let me post due to links/emails. Log is attached.)

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Scan for malware

100ksearches.com Bf_new Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
OK, done. It didn't find anything. Here is the log:

Malwarebytes' Anti-Malware 1.51.1.1800
www malwarebytes org

Database version: 7286

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

26/07/2011 20:57:55
mbam-log-2011-07-26 (20-57-55).txt

Scan type: Quick scan
Objects scanned: 172425
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Done. Log is here:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=362c0a0f03d5fc42b576e8dfe2f4c39c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-27 08:59:40
# local_time=2011-07-27 09:59:40 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=1032 16777213 100 95 35891 55082770 0 0
# compatibility_mode=5893 16776574 66 94 23996398 64258769 0 0
# compatibility_mode=8192 67108863 100 0 204 204 0 0
# scanned=195281
# found=1
# cleaned=1
# scan_time=8003
C:\Users\Jamie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\57aad6f4-4c43f149 Java/TrojanDownloader.Agent.NCP trojan (cleaned by deleting - quarantined)

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Please re-run aswMBR and post a log...

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
OK, here you go:

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-28 20:32:24
-----------------------------
20:32:24.417 OS Version: Windows 6.1.7600
20:32:24.417 Number of processors: 2 586 0x170A
20:32:24.418 ComputerName: LAPTOP-THE-3RD UserName: Jamie
20:32:25.219 Initialize success
20:33:46.026 AVAST engine defs: 11072800
20:33:53.467 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:33:53.473 Disk 0 Vendor: ST9160827AS 3.ADB Size: 152627MB BusType: 11
20:33:53.487 Disk 0 MBR read successfully
20:33:53.493 Disk 0 MBR scan
20:33:53.504 Disk 0 Windows 7 default MBR code
20:33:53.521 Disk 0 scanning sectors +312579760
20:33:53.611 Disk 0 scanning C:\Windows\system32\drivers
20:34:15.700 Service scanning
20:34:17.602 Modules scanning
20:34:28.334 Disk 0 trace - called modules:
20:34:28.362 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
20:34:28.378 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86359030]
20:34:28.384 3 CLASSPNP.SYS[8b5bc59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85e85030]
20:34:29.498 AVAST engine scan C:\Windows
20:34:35.497 AVAST engine scan C:\Windows\system32
20:38:26.089 AVAST engine scan C:\Windows\system32\drivers
20:38:45.963 AVAST engine scan C:\Users\Jamie
20:45:42.947 AVAST engine scan C:\ProgramData
20:49:10.078 Scan finished successfully
20:51:32.717 Disk 0 MBR has been saved successfully to "C:\Users\Jamie\Desktop\MBR.dat"
20:51:32.729 The log file has been saved successfully to "C:\Users\Jamie\Desktop\aswMBR.txt"

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
As far as I'm aware, my computer is functioning normally now - all my prior symptoms have gone, and it's all working fine (and thank you for that!).

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Hiya! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start
    button to begin the process. Depending on how often you clean temp
    files, execution time should be anywhere from a few seconds to a minute
    or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Sorry to keep you waiting!

Ok, I have followed all of those steps, and here is the Security Check log.

Results of screen317's Security Check version 0.99.18
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 26
Java(TM) SE Development Kit 6 Update 26
Java DB 10.6.2.1
Adobe Flash Player 10.3.181.26
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

Everything seems to be running fine, as far as I can tell. Smile...

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

  • Firefox may be downloaded from here: http://www.getfirefox.com
  • Opera is available here: http://www.opera.com/download/


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

description100ksearches.com EmptyRe: 100ksearches.com

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum