Avast WEBforum

Other => Viruses and worms => Topic started by: paulp-nevada on October 09, 2014, 08:08:29 AM

Title: Idle Crawler driving me nuts (logs attached), please help
Post by: paulp-nevada on October 09, 2014, 08:08:29 AM
Reading the descriptions in these forums it appears I have picked up an idle crawler, Avast is constantly blocking my IE attempting to go to a whole list of sites in the background.  The sites I have noted include go.wvydeo.com, xmlka.com, crazy.wleaderswest.stalowa-wola.pl, 199.115.116.237, and 162.144.88.48/indexron.html.

I have run the scans/tools and attached the logs as instructed in forum.avast.com/index.php?topic=53253.0.

None of my go-to bag of tricks seems capable of ridding me of this program and the delays and lagging it is causing is making my laptop unusable.  Any help is appreciated.

I am off for bed in a bit and I will check these forums in the morning.  Thank you in advance for any help.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: Michael (alan1998) on October 09, 2014, 09:11:15 PM
Thank you. I will notify a remover too assist you as soon as possible.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: Eddy on October 09, 2014, 09:29:40 PM
1]
Remove Ad-Aware

2]
- Open notepad
- Copy/paste the underneath code in it
- Safe the file as fixlist.txt in the same folder as where you have Farbar
- Start Farbar
- Click the Fix button
- Reboot
- Run a new scan with Farbar and attach the new logs.
- Let us know how the system is behaving.

Code: [Select]
start
HKU\S-1-5-21-2824904820-3854576067-2522612532-1001\...\MountPoints2: {7276c880-a2bc-11e1-943e-685d4311f0e9} - F:\AutoRun.exe
HKU\S-1-5-21-2824904820-3854576067-2522612532-1001\...\MountPoints2: {ccef3ac1-2cd8-11e2-898a-8c89a500ba86} - F:\iLinker.exe
HKU\S-1-5-21-2824904820-3854576067-2522612532-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
SearchScopes: HKCU - {47E3371C-22A2-48CF-B832-C23C6B8785E5} URL =
C:\ProgramData\dpmmsrm.dll
C:\ProgramData\jvnjmue.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
end
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: paulp-nevada on October 10, 2014, 04:52:26 PM
I did as you instructed.  The new logs are attached. 

Avast now reports blocked attempts by a process called C:\windows\SysWow64\svchost.exe to go to 5.45.73.129/aa and /ledoborota.com/aa/ (it looks like only those two sites).

What is my next step?

Thank you again for your help.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: paulp-nevada on October 10, 2014, 05:07:54 PM
Here is the Fixlog.txt file from running FRST with the fixlist file.  I wasn't sure if you wanted that, too.  It appears to have removed everything listed.

Thank you.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: PCC Support on October 25, 2014, 11:51:56 PM
I have a customer getting this exact same results.  Has there been any progress on this.
Nothing I've used to scan the system seems to detect it.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: essexboy on October 25, 2014, 11:55:45 PM
Hi this is relatively new and uses two dlls and a task to activate, an FRST log will show what files they are
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: PCC Support on October 28, 2014, 07:27:34 PM
Here are the two log files from FRST64 you asked me to send you.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: essexboy on October 28, 2014, 07:39:50 PM
Could you manually delete this folder as my tools cannot handle the coding  C:\Users\ExploreTheRanch\AppData\Roaming\麽鎒駓覜

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKU\S-1-5-21-603739272-268466164-1662215265-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
BHO: No Name -> {4F524A2D-5354-2D53-5045-7A786E7484D7} ->  No File
BHO: No Name -> {4F524A2D-5637-4300-76A7-7A786E7484D7} ->  No File
BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} ->  No File
BHO-x32: No Name -> {4F524A2D-5354-2D53-5045-7A786E7484D7} ->  No File
BHO-x32: No Name -> {4F524A2D-5637-4300-76A7-7A786E7484D7} ->  No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {4F524A2D-5637-4300-76A7-7A786E7484D7} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKLM-x32 - No Name - {4F524A2D-5637-4300-76A7-7A786E7484D7} -  No File
Toolbar: HKLM-x32 - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
2014-10-22 12:59 - 2014-10-22 12:59 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-10-22 10:31 - 2014-10-22 10:31 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-22 10:31 - 2014-10-22 10:31 - 00000944 ____H () C:\ProgramData\@system2.att
CustomCLSID: HKU\S-1-5-21-603739272-268466164-1662215265-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: PCC Support on October 31, 2014, 09:50:42 PM
Here is the fixlog.txt file.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: essexboy on October 31, 2014, 09:51:44 PM
Did you manage to delete that folder ?

How is the system running now ?
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: PCC Support on October 31, 2014, 09:59:45 PM
i didn't delete any folders. Which one was I supposed to remove?   I noticed that your tool removed some registry entries. I will restart the PC and see if the problem is gone, will let you know.

Also I'm reattaching the fixlog.txt file, apparently it wasn't done before I attached the file here.
FRST64 seems to be stuck in a loop that says "fixing, please wait..."  I had to manually end the process.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: essexboy on October 31, 2014, 11:08:31 PM
This folder :

 C:\Users\ExploreTheRanch\AppData\Roaming\麽鎒駓覜

As my tools have problems with that coding

How is the computer behaving now
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: idlecrawlersup on November 21, 2014, 06:35:30 AM
Idle Crawler is not a virus, neither a PUP. It is a very sophisticated marketing tool for SEO. Idle Crawler is installed in your computer because it came with a fellow program which the agreement clearly have mentioned. However to improve Idle Crawler for those who are in need of it, we are looking forward to hear your complaints and compliments to make Idle Crawler a better program
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: Michael (alan1998) on November 21, 2014, 01:34:17 PM
Again, a month old...

Regardless, there are people who hate Idle crawler. You mention it's not a PUP.

BY the definition of the name "Potentially UNWANTED Program". it is a PUP, because it's installed with other programs. I agree, IC isn't a virus as it doesn't self replicate.

Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: idlecrawlersup on November 24, 2014, 06:32:22 AM
Idle crawler does get installed with other programs when the user himself accepts the agreement to install Idle Crawler along with other program. However Idle Crawler has been useful and shows the potential of a  great marketing tool, therefore it is not fair to treat it as a PUP by the users who don't use it. Our point is to listen to people and make idle crawler a better place through compliments and complaints.
Title: Re: Idle Crawler driving me nuts (logs attached), please help
Post by: Michael (alan1998) on November 24, 2014, 02:12:35 PM
Well, right now. The people here, do not care for Idle Crawler.

It can as useful as food, or as poop. Doesn't make a difference.

You of all people should know (As a marketer), very few actually read the EULA. Is there ANY option at all to have a "Don't Install Idle Crawler" button?

Can you post me an active download of a program with Idle Crawler so I may check it out?

Edit: Why would a google search, show all Idle results as either, PUP, Adware or a threat?

https://www.google.ca/webhp?sourceid=chrome-instant&rlz=1C1CHWA_enCA606CA606&ion=1&espv=2&ie=UTF-8#q=idle+crawler+GigaClicks