Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

A problem with automated queries to search engines [Solved]

Started by Dilettante , Jul 02 2014 11:16 PM

This topic is locked

#16
Naathim

Posted 15 July 2014 - 06:02 AM

GeekU Minion

Expert
4,568 posts

Hello Vlad

Your machine is pretty clean - tell me after this steps are you able to search without being banned?

Also I need to tell you that I'll be present less often for the next 2-3 days, as my machine serves now as a testing lab for the new infection we have discovered lately (not connected with your case). But I will try to be at least twice per day, early afternoon and evening.

Let's proceed

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Press the + R on your keyboard at the same time. Type Notepad and click OK.

Copy the entire content of the codebox below and paste into the Notepad document:

start
HKLM\...\Run: [InstallerLauncher] => "C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\setuplauncher.exe" /run:"C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\Installer.exe"
C:\Program Files\Common Files\Bitdefender
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3403200650-3170960564-2564201062-1000\...\Run: [AdobeBridge] => [X]
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
Hosts: 127.0.0.1 activate.adobe.com
AlternateDataStreams: C:\Temp:atYxz5bW8isrhZBnx1
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\91654085.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\91654085.sys => ""="Driver"
end

Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Right-click on icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
Press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

Clean Temporary Files with TFC

Please download TFC by OldTimer and save it to your desktop.

Right-click on icon and select Run as Administrator to start the tool.
Close any open programs and save your current work.
Click the Start button to begin. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a couple of minutes.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

This tool doesn't generate any report. Instead I recommend to keep it for good maintenance of your machine.

Cheers,
Naat

#17
Dilettante

Posted 15 July 2014 - 06:51 AM

Member

Topic Starter
Member
21 posts

Hello Naat. I'm happy to hear that my PC looks clean.

I'm actually quite lucky in this (because I'm pretty careful), and in 20 years I think I was infected only 3 times, including 1 case of Virus.Win9x.CIH case bake in the 99, I think, when many people had their Flash BIOS wiped (I was saved by Cheyenne Antivirus back then), 1 case of incredibly stupid launching of unknown .exe in the mail (still can't quite explain my actions), and 1 case of spyware which stole my WoW account repeatedly until was found by Kaspersky Antivirus. Maybe something else eludes me now.

Back to the topic.

I've ran a fix with FRST, and I must say I took a liberty on removing "hosts" line, I know why Adobe is blocked, that's because I have legit CC version, yet in the same time I need older versions for some jobs, and the only way I managed to do this was, actually, to use an unregistered older versions together with CC. This sounds stupid, but that's the only way I see now given an unflexible Adobe policies. I know this is wrong, but at the same time maybe not quite.

So, blocked Adobe is okay, I know about this, that's fine, I need to keep it.

Here's the log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-07-2014
Ran by User at 2014-07-15 15:42:05 Run:1
Running from C:\Users\User\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM\...\Run: [InstallerLauncher] => "C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\setuplauncher.exe" /run:"C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\Installer.exe"
C:\Program Files\Common Files\Bitdefender
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3403200650-3170960564-2564201062-1000\...\Run: [AdobeBridge] => [X]
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
AlternateDataStreams: C:\Temp:atYxz5bW8isrhZBnx1
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\91654085.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\91654085.sys => ""="Driver"
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\InstallerLauncher => value deleted successfully.
"C:\Program Files\Common Files\Bitdefender" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-3403200650-3170960564-2564201062-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}'=> Key not found.
C:\Temp => ":atYxz5bW8isrhZBnx1" ADS removed successfully.
'HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\91654085.sys' => Key deleted successfully.
'HKLM\System\CurrentControlSet\Control\SafeBoot\Network\91654085.sys' => Key deleted successfully.

==== End of Fixlog ====

#18
Naathim

Posted 15 July 2014 - 07:01 AM

GeekU Minion

Expert
4,568 posts

OK, please run your machine for a day or so and tell me if your issue still occurs. If not, I will sweep out my toys and send you on your merry way, giving you some advice

Don't forget to update me!

Cheers,
Naat

#19
Dilettante

Posted 15 July 2014 - 07:03 AM

Member

Topic Starter
Member
21 posts

Cleaning temporary files also went smoothly.

I have a question about this. Is using this tool any different from manually cleaning the Firefox and IE cache and deleting files from Temp directory?

As you might (or might not) have seen from the scans, I've re-wrote temp variables in Windows to point at C:\Temp and I manually clean it on a semi-unregular basis.

Does the TFC provide any advantages over this?

About the problem. It's been now about 4 days without any issues with search engines. As I mentioned before, those problems are not persistent or regular, yet I haven't had a 4 day streak yet.

Which might mean we accidentally found and killed something, or might mean that the problem indeed was in the ISP or some other user I might share a dynamic IP with.

Again, as I mentioned before, I had a similar problems in a different city with my netbook, and I'm totally sure I did nothing to it that could have cured it, neither was found and cured by it's Antivirus.

So, I'm really not sure.

At least, currently I can work with search without any issues, but of course I would be much happier if I actually understood what was the source of problems.

Is there any way I can do a similar scans on my other PC and netbook? I mean, without bothering you? I understand like maybe 50 to 70% of logs (depending on the depth of scan), so I might be able to educated at where to look and such. Maybe.

#20
Naathim

Posted 15 July 2014 - 07:19 AM

GeekU Minion

Expert
4,568 posts

Cleaning temporary files also went smoothly.
I have a question about this. Is using this tool any different from manually cleaning the Firefox and IE cache and deleting files from Temp directory?
As you might (or might not) have seen from the scans, I've re-wrote temp variables in Windows to point at C:\Temp and I manually clean it on a semi-unregular basis.
Does the TFC provide any advantages over this?

TFC cleans temporary files & cache. It's just a standalone tool to maintain your machine, nothing more. If you do clean it your way - it's ok. I saw that your settings are altered. Nothing harmful, just remember to do it from time to time.

About the problem. It's been now about 4 days without any issues with search engines. As I mentioned before, those problems are not persistent or regular, yet I haven't had a 4 day streak yet.
Which might mean we accidentally found and killed something, or might mean that the problem indeed was in the ISP or some other user I might share a dynamic IP with.

I have a suspect, tbh. There were some strange FireFox extension that ZOEK removed (or at least looks like it's removed from latest FRST logfile).

Again, as I mentioned before, I had a similar problems in a different city with my netbook, and I'm totally sure I did nothing to it that could have cured it, neither was found and cured by it's Antivirus.
So, I'm really not sure.
At least, currently I can work with search without any issues, but of course I would be much happier if I actually understood what was the source of problems.

We'll dig deeper if the problem persist. However, if issues occur even from another computer and in another network, that may mean two things:
- issue is totally separated from your network/system
- there has got to be something in common on both machines (rather than networks).

Is there any way I can do a similar scans on my other PC and netbook? I mean, without bothering you? I understand like maybe 50 to 70% of logs (depending on the depth of scan), so I might be able to educated at where to look and such. Maybe.

I'd say that better way would be to post your logs from each of your systems here for me to analyze. Maybe you do understand the meaning of logs (and that would be great, if so you could even join our GeekU training program if interested), but do you know how to handle it if something more nasty will be found?

#21
Dilettante

Posted 15 July 2014 - 07:34 AM

Member

Topic Starter
Member
21 posts

I have a suspect, tbh. There were some strange FireFox extension that ZOEK removed (or at least looks like it's removed from latest FRST logfile).

I've juggled a little with Firefox extensions, because of my suspicions onto image search addon. I've changed it from 3rd party for the one by Google, I believe.

But I think it was before we got into fight, somewhere soon after my first post. I was trying to not change anything in my system while we're scanning it to not confuse things even more.

Could you maybe point me the ones you suspect? Just in case that was something I actually installed and should not do this again?

Is there any way I can do a similar scans on my other PC and netbook? I mean, without bothering you? I understand like maybe 50 to 70% of logs (depending on the depth of scan), so I might be able to educated at where to look and such. Maybe.

I'd say that better way would be to post your logs from each of your systems here for me to analyze. Maybe you do understand the meaning of logs (and that would be great, if so you could even join our GeekU training program if interested), but do you know how to handle it if something more nasty will be found?

No, I don't know. I was thinking about crying for help when/if I see something weird.

Let me monitor my system for a few days and see how it will behave. I will come back to you if problems will return, or if I will think the issue is gone. Does Friday sound good?

Thank you a lot for your time and help, and I hope this hunt though fruitless have had a little bit of fun for you.

Edited by Dilettante, 15 July 2014 - 07:35 AM.

#22
Naathim

Posted 15 July 2014 - 08:36 AM

GeekU Minion

Expert
4,568 posts

Could you maybe point me the ones you suspect? Just in case that was something I actually installed and should not do this again?

I don't know how much it will tell you, but it's this one:

"РЇРЅРґРµРєСЃ.РЎР»РѕРІР°СЂРё. РџРµСЂРµРІРѕРґ"

Shouldn't be set as default search engine, I think.

No, I don't know. I was thinking about crying for help when/if I see something weird.

Big boys don't cry Better post your logs here, I will do the work for you

Let me monitor my system for a few days and see how it will behave. I will come back to you if problems will return, or if I will think the issue is gone. Does Friday sound good?

Friday is perfectly fine for me. In the meantime I'll try to help someone else and/or fight the infection I've currently got on my machine :lol:

Thank you a lot for your time and help, and I hope this hunt though fruitless have had a little bit of fun for you.

Vlad, you're speaking with a guy who fights malware, reads logs and infects himself for fun. How can you call it fruitless? :lol:

Levity aside, you are always welcome

Cheers,
Naat

#23
Dilettante

Posted 15 July 2014 - 09:43 AM

Member

Topic Starter
Member
21 posts

Could you maybe point me the ones you suspect? Just in case that was something I actually installed and should not do this again?

I don't know how much it will tell you, but it's this one:
"РЇРЅРґРµРєСЃ.РЎР»РѕРІР°СЂРё. РџРµСЂРµРІРѕРґ"
Shouldn't be set as default search engine, I think.

Ah, that's easy. Let me enlighten you where I can :spoton:

That's a search engine for Yandex' Online Dictionaries. This one: http://slovari.yandex.ru/

It's name went a little crazy because it's in cyrillic, but when converted back from UTF-8 it says Яндекс.Словари. Перевод, which stands for Yandex.Dictionaries.Translation

I use it all the time to look up the words missing from my active English vocabulary.

Hope this will be useful for you some other time.

#24
Naathim

Posted 15 July 2014 - 09:50 AM

GeekU Minion

Expert
4,568 posts

Surely Much appreciated.

Now please remember to report here on Friday, because I will need to sweep away my toys. And do the rest of the stuff

#25
Dilettante

Posted 18 July 2014 - 10:40 AM

Member

Topic Starter
Member
21 posts

Hello Naat.

No signs of problem whatsoever.

I guess, you can sweep away your toys, yet better carefully put them in order for easy access, because you will need them soon enough with someone else.

Thanks a lot for your help. I'm slightly sorry we didn't discovered any interesting infection on my PC.

#26
Naathim

Posted 19 July 2014 - 07:59 AM

GeekU Minion

Expert
4,568 posts

Hi Vlad

As I told you earlier, we're nearly finished. Please do these steps for me, as a conclusion.

51a46ae42d560-malwarebytes_anti_malware. Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

Install the progam and select update.
Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
Click the Scan tab, choose Threat Scan is checked and click Scan Now.
If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the History tab.
Click Application Logs and double-click the Scan Log.
At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

Right-click on icon and select Run as Administrator to start the tool.
Follow onscreen instructions inside the black box. This scan won't take long.
Soon a notepad document called checkup.txt will open automaticaly.

Please include the content of that document.

Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

Right-click on icon and select Run as Administrator to start the tool.
Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
Push Run.
When finished, it will display a notepad report.

Include it for my review.

#27
Dilettante

Posted 19 July 2014 - 02:40 PM

Member

Topic Starter
Member
21 posts

And so we meet again!

Here's a log from Malwarebytes.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 19.07.2014
Scan Time: 23:28:26
Logfile: Malwarebutes Log.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.19.08
Rootkit Database: v2014.07.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 290269
Time Elapsed: 6 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

---

Currently I cannot download SecurityCheck, my browser says "The connection has timed out" again and again.

I will try again later.

P. S. It appears, Anti-Malware changes it's interface since you've wrote the instructions, and there are minor differences. It's not a problem for such an experienced user as me but maybe you should double-check it for future use.

#28
Dilettante

Posted 20 July 2014 - 07:27 AM

Member

Topic Starter
Member
21 posts

Right now I cannot see the page 2 of the thread, whenever I press the button 2, or button Next, or even when I manually enter address http://www.geekstogo...-engines/page-2 , whatever I do, I still see the page 1. Is this even normal? :-? Does it happen to you Naat?

Nevermind, it works now. Not sure what was that though.

Still no luck with downloading SecurityCheck. Is there any alternate link I could use?

Edited by Dilettante, 20 July 2014 - 08:14 PM.

#29
Naathim

Posted 21 July 2014 - 07:12 AM

GeekU Minion

Expert
4,568 posts

Hi Vlad

I am sorry for the delay, but the bug you've mentioned prevented me from replying yesterday. Fortunately it is fixed now, so I am able to finish my work here.

Try downloading Security Check from HERE - I have downloaded a fresh copy and hosted it on my OneDrive for you.
It will come as a zipped file, so you will have to extract it before proceeding. You may do it by right-clicking and choosing Extract All option.

#30
Dilettante

Posted 21 July 2014 - 10:53 AM

Member

Topic Starter
Member
21 posts

Hello Naat, and thank you for the alternate link. Not sure why I cannot reach the original domain.

Here's the log of SecurityCheck, however laconic it is.

Results of screen317's Security Check version 0.99.86
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 14.0.0.125
Mozilla Firefox (30.0)
Mozilla Thunderbird (24.6.0)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 5%
````````````````````End of Log``````````````````````