Author Topic: Idle Crawler driving me nuts (logs attached), please help  (Read 7263 times)


REDACTED

  • Guest
Idle Crawler driving me nuts (logs attached), please help
« on: October 09, 2014, 08:08:29 AM »
Reading the descriptions in these forums it appears I have picked up an idle crawler, Avast is constantly blocking my IE attempting to go to a whole list of sites in the background.  The sites I have noted include go.wvydeo.com, xmlka.com, crazy.wleaderswest.stalowa-wola.pl, 199.115.116.237, and 162.144.88.48/indexron.html.

I have run the scans/tools and attached the logs as instructed in forum.avast.com/index.php?topic=53253.0.

None of my go-to bag of tricks seems capable of ridding me of this program and the delays and lagging it is causing is making my laptop unusable.  Any help is appreciated.

I am off for bed in a bit and I will check these forums in the morning.  Thank you in advance for any help.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #1 on: October 09, 2014, 09:11:15 PM »
Thank you. I will notify a remover to assist you as soon as possible.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #2 on: October 09, 2014, 09:29:40 PM »
1]
Remove Ad-Aware

2]
- Open notepad
- Copy/paste the code below into it
- Save the file as fixlist.txt in the same folder as where you have Farbar
- Start Farbar
- Click the Fix button
- Reboot
- Run a new scan with Farbar and attach the new logs.
- Let us know how the system is behaving.

Code:
start
HKU\S-1-5-21-2824904820-3854576067-2522612532-1001\...\MountPoints2: {7276c880-a2bc-11e1-943e-685d4311f0e9} - F:\AutoRun.exe
HKU\S-1-5-21-2824904820-3854576067-2522612532-1001\...\MountPoints2: {ccef3ac1-2cd8-11e2-898a-8c89a500ba86} - F:\iLinker.exe
HKU\S-1-5-21-2824904820-3854576067-2522612532-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
SearchScopes: HKCU - {47E3371C-22A2-48CF-B832-C23C6B8785E5} URL =
C:\ProgramData\dpmmsrm.dll
C:\ProgramData\jvnjmue.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
end
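
The CLSID entry marked "Poweliks!" in the fixlist above is the interesting line for anyone triaging an FRST log: a per-user COM LocalServer32 value that launches rundll32.exe with a javascript: URL, and an eval() argument that is readable once every character is shifted back by one code point (the quoted fragment "epdvnfou/xsjuf)(..." becomes "document.write('<script..."). The following is an added example, not Farbar's code and not part of this thread's fix: a small Python triage helper that scans FRST-style lines for that pattern and decodes the fragment for the analyst. The two suspect lines are copied from this thread; the benign third line, the regexes and the function names are constructed assumptions for the example.

```python
"""Added example: flag the Poweliks-style CLSID\LocalServer32 persistence
entry seen in FRST logs and decode its character-shifted eval() fragment.
Not Farbar's code; sample lines 1 and 2 are quoted from the forum thread,
line 3 is a constructed benign entry used as a negative case."""

import re

# Constructed sample input: two lines quoted from the thread, one benign line.
SAMPLE_LINES = [
    r"HKU\S-1-5-21-2824904820-3854576067-2522612532-1001\...A8F59079A8D5}\localserver32: "
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r"CustomCLSID: HKU\S-1-5-21-603739272-268466164-1662215265-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> "
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    # Constructed benign entry: a normal LocalServer32 pointing at an executable.
    r"CustomCLSID: HKU\S-1-5-21-...\CLSID\{00000000-0000-0000-0000-000000000000}\localserver32 -> C:\Program Files\Vendor\app.exe",
]

# Assumed detection pattern: a LocalServer32 value whose server is rundll32.exe
# given a javascript: URL instead of a DLL.  Legitimate COM servers do not do this.
SUSPECT = re.compile(r"localserver32.*rundll32\.exe\s+javascript:", re.IGNORECASE)

# Assumed extractor for the first eval("...") argument on the line.
EVAL_ARG = re.compile(r'eval\("([^"]+)')


def shift_decode(text: str, shift: int = 1) -> str:
    """Undo the per-character offset used in the stored value: every character
    was stored one code point higher than the original, so subtract the shift."""
    return "".join(chr(ord(c) - shift) for c in text)


def find_poweliks_entries(lines):
    """Return a list of (line, decoded_fragment) for each suspicious entry.
    decoded_fragment is None when the line has no eval("...") argument."""
    hits = []
    for line in lines:
        if not SUSPECT.search(line):
            continue
        match = EVAL_ARG.search(line)
        decoded = shift_decode(match.group(1)) if match else None
        hits.append((line, decoded))
    return hits


if __name__ == "__main__":
    for line, decoded in find_poweliks_entries(SAMPLE_LINES):
        print("SUSPECT:", line[:90], "...")
        print("  decoded eval() fragment:", decoded)
```

Run it as-is to see both quoted entries flagged and decoded; feed it the lines of an FRST Addition/FRST log (one string per line) to triage a real report. The benign third entry is not flagged because the server path is an executable, not rundll32.exe with a script URL.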

REDACTED

  • Guest
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #3 on: October 10, 2014, 04:52:26 PM »
I did as you instructed.  The new logs are attached. 

Avast now reports blocked attempts by a process called C:\windows\SysWow64\svchost.exe to go to 5.45.73.129/aa and /ledoborota.com/aa/ (it looks like only those two sites).

What is my next step?

Thank you again for your help.

REDACTED

  • Guest
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #4 on: October 10, 2014, 05:07:54 PM »
Here is the Fixlog.txt file from running FRST with the fixlist file.  I wasn't sure if you wanted that, too.  It appears to have removed everything listed.

Thank you.

REDACTED

  • Guest
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #5 on: October 25, 2014, 11:51:56 PM »
I have a customer getting these exact same results. Has there been any progress on this?
Nothing I've used to scan the system seems to detect it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #6 on: October 25, 2014, 11:55:45 PM »
Hi, this is relatively new and uses two DLLs and a task to activate; an FRST log will show what files they are.

REDACTED

  • Guest
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #7 on: October 28, 2014, 07:27:34 PM »
Here are the two log files from FRST64 you asked me to send you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #8 on: October 28, 2014, 07:39:50 PM »
Could you manually delete this folder, as my tools cannot handle the coding: C:\Users\ExploreTheRanch\AppData\Roaming\麽鎒駓覜

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
Quote:
HKU\S-1-5-21-603739272-268466164-1662215265-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
BHO: No Name -> {4F524A2D-5354-2D53-5045-7A786E7484D7} ->  No File
BHO: No Name -> {4F524A2D-5637-4300-76A7-7A786E7484D7} ->  No File
BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} ->  No File
BHO-x32: No Name -> {4F524A2D-5354-2D53-5045-7A786E7484D7} ->  No File
BHO-x32: No Name -> {4F524A2D-5637-4300-76A7-7A786E7484D7} ->  No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {4F524A2D-5637-4300-76A7-7A786E7484D7} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKLM-x32 - No Name - {4F524A2D-5637-4300-76A7-7A786E7484D7} -  No File
Toolbar: HKLM-x32 - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
2014-10-22 12:59 - 2014-10-22 12:59 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-10-22 10:31 - 2014-10-22 10:31 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-22 10:31 - 2014-10-22 10:31 - 00000944 ____H () C:\ProgramData\@system2.att
CustomCLSID: HKU\S-1-5-21-603739272-268466164-1662215265-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #9 on: October 31, 2014, 09:50:42 PM »
Here is the fixlog.txt file.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #10 on: October 31, 2014, 09:51:44 PM »
Did you manage to delete that folder?

How is the system running now?

REDACTED

  • Guest
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #11 on: October 31, 2014, 09:59:45 PM »
I didn't delete any folders. Which one was I supposed to remove? I noticed that your tool removed some registry entries. I will restart the PC and see if the problem is gone, will let you know.

Also I'm reattaching the fixlog.txt file, apparently it wasn't done before I attached the file here.
FRST64 seems to be stuck in a loop that says "fixing, please wait..."  I had to manually end the process.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #12 on: October 31, 2014, 11:08:31 PM »
This folder:

 C:\Users\ExploreTheRanch\AppData\Roaming\麽鎒駓覜

As my tools have problems with that coding.

How is the computer behaving now?

REDACTED

  • Guest
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #13 on: November 21, 2014, 06:35:30 AM »
Idle Crawler is not a virus, nor a PUP. It is a very sophisticated marketing tool for SEO. Idle Crawler is installed on your computer because it came with a fellow program, which the agreement clearly mentioned. However, to improve Idle Crawler for those who are in need of it, we are looking forward to hearing your complaints and compliments to make Idle Crawler a better program.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Idle Crawler driving me nuts (logs attached), please help
« Reply #14 on: November 21, 2014, 01:34:17 PM »
Again, a month old...

Regardless, there are people who hate Idle crawler. You mention it's not a PUP.

By the definition of the name "Potentially UNWANTED Program", it is a PUP, because it's installed with other programs. I agree, IC isn't a virus as it doesn't self replicate.
