Idle Crawler Fix needed

Hello, after reading this post https://forum.avast.com/index.php?topic=154473.0 I believe I have the same issue of Idle Crawler which causes Avast to continuously give audible warning ‘threat has been detected’. Something keeps trying to access go.wvydeo.com/xxx … xxx and Avast keeps blocking it and says it’s URL:Mal. I have run Avast and a boot scan, plus updated scans from Malwarebytes and Superantispyware and cleaned up everything it found, yet this is still popping up many times per day. I would appreciate help in fixing this. There are also many popups from http://cella.dealersolutions.com.au/ xxxxx xxxxxxx (with a date and a series of numbers and letters) on my desktop as a file to download of music, videos and whatever else. I’m hoping that it’s also a byproduct of this idle crawler and that it will also disappear once this is fixed. Thank you.

https://forum.avast.com/index.php?topic=53253.0

Logs as requested and one more to come in next post

Last one

Let me know if this cures it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-808636108-839306178-3023647654-1000\...\Run: [Eqpvtion Update] => regsvr32.exe C:\Users\petra\AppData\Local\Eqpvtion\pnctrlAgent.dll
HKU\S-1-5-21-808636108-839306178-3023647654-1000\...\Run: [Owcgics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\petra\AppData\Local\YsqtPack\ToshibaUI.dll
HKU\S-1-5-21-808636108-839306178-3023647654-1000\...\Run: [Eqpvtion Update] => regsvr32.exe C:\Users\petra\AppData\Local\Eqpvtion\pnctrlAgent.dll
Startup: C:\Users\petra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help.lnk
ShortcutTarget: help.lnk -> C:\Users\petra\AppData\Roaming\Microsoft\Windows\IEUpdate\help.exe (No File)
Startup: C:\Users\petra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iscsicli.lnk
ShortcutTarget: iscsicli.lnk -> C:\Users\petra\AppData\Roaming\Microsoft\Windows\IEUpdate\iscsicli.exe (No File)
Startup: C:\Users\petra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serviio.lnk
ShortcutTarget: Serviio.lnk -> C:\Program Files\Serviio\bin\ServiioConsole.exe ()
Startup: C:\Users\petra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shrpubw.lnk
ShortcutTarget: shrpubw.lnk -> C:\Users\petra\AppData\Roaming\Microsoft\Windows\IEUpdate\shrpubw.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-10-15 17:20 - 2014-10-22 13:01 - 00000000 ____D () C:\Users\petra\AppData\Local\Eqpvtion
2014-10-15 17:19 - 2014-10-16 08:15 - 00000000 ____D () C:\Users\petra\AppData\Local\YsqtPack
C:\Users\petra\AppData\Local\Eqpvtion
C:\ProgramData\Microsoft\Secure
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
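
The fixlist above targets two kinds of autostart entry: Run values that call regsvr32 on a DLL under the user's AppData, and Startup shortcuts whose target is reported as "(No File)". The following is an added example, not part of the original post and not FRST's own logic, that triages log lines in that format; the regular expressions, the reading of "(No File)" as a missing target, and the ExampleApp entry are assumptions made for the illustration.

```python
import re

# Lines copied from the fixlist quoted above, plus one constructed benign
# entry (ExampleApp is a made-up name) for contrast.
SAMPLE_LOG = r"""
HKU\S-1-5-21-808636108-839306178-3023647654-1000\...\Run: [Eqpvtion Update] => regsvr32.exe C:\Users\petra\AppData\Local\Eqpvtion\pnctrlAgent.dll
HKU\S-1-5-21-808636108-839306178-3023647654-1000\...\Run: [Owcgics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\petra\AppData\Local\YsqtPack\ToshibaUI.dll
HKLM\...\Run: [ExampleApp] => C:\Program Files\ExampleApp\app.exe
ShortcutTarget: help.lnk -> C:\Users\petra\AppData\Roaming\Microsoft\Windows\IEUpdate\help.exe (No File)
ShortcutTarget: Serviio.lnk -> C:\Program Files\Serviio\bin\ServiioConsole.exe ()
"""

RUN_RE = re.compile(r"^HK\w+\\.*?\\Run(?:Once)?: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
LNK_RE = re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<target>.+?) \((?P<note>[^)]*)\)$")
REGSVR32 = re.compile(r"(?:^|\\)regsvr32(?:\.exe)?\s", re.I)
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def triage(log_text):
    """Return (entry name, [reasons]) for autostart lines worth a manual look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        reasons = []
        run, lnk = RUN_RE.match(line), LNK_RE.match(line)
        if run and REGSVR32.search(run["cmd"]):
            # A Run value that registers a DLL at every logon is unusual.
            reasons.append("Run key invokes regsvr32")
            if USER_PROFILE.search(run["cmd"]):
                reasons.append("DLL under user-writable AppData")
        elif lnk and lnk["note"] == "No File":
            # Assumption: FRST's "(No File)" marks a target that no longer exists.
            reasons.append("Startup shortcut target is missing")
            if USER_PROFILE.search(lnk["target"]):
                reasons.append("target under user-writable AppData")
        if reasons:
            findings.append(((run or lnk)["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```

The flagged entries are leads for manual review rather than verdicts; the Serviio shortcut and the constructed ExampleApp entry pass through unflagged.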

Thank you. Here is the adw log and attached the FRST log

AdwCleaner v4.002 - Report created 29/10/2014 at 08:51:40

DB v2014-10-26.6

Updated 27/10/2014 by Xplode

Operating System : Windows 7 Professional Service Pack 1 (64 bits)

Username : petra - PETRA-PC

Running from : C:\Users\petra\Desktop\AdwCleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\petra\AppData\Local\apn
Folder Deleted : C:\Users\petra\Documents\Tutorials
Folder Deleted : C:\ProgramData\AlawarEntertainment
Folder Deleted : C:\Users\petra\AppData\Roaming\AlawarEntertainment
Folder Deleted : C:\ProgramData\AlawarWrapper
Folder Deleted : C:\Users\petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Folder Deleted : C:\Users\petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
File Deleted : C:\Users\petra\AppData\Roaming\Mozilla\Firefox\Profiles\rgg3lsvj.default\user.js

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Myfree Codec
Key Deleted : HKLM\SOFTWARE\ImInstaller
Key Deleted : HKLM\SOFTWARE\Myfree Codec
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe

***** [ Browsers ] *****

-\ Internet Explorer v10.0.9200.16750

-\ Mozilla Firefox v32.0.3 (x86 en-US)

-\ Google Chrome v38.0.2125.104


AdwCleaner[R0].txt - [4706 octets] - [29/10/2014 08:49:23]
AdwCleaner[S0].txt - [4294 octets] - [29/10/2014 08:51:40]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4354 octets] ##########

Are you still getting the alerts ?

Haven’t had any alerts in 24 hours now. I think this might be fixed, thank you so much for your help. Do my logs look clear now?

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix


: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware


Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Thank you. I have run Delfix and disabled Java, have also installed CryptoPrevent. I already have Malwarebytes (plus Superantispyware) and use both regularly. I did have an incident yesterday though. As I was browsing, a download box appeared and started on its own… Regcure Pro…I thought I had managed to stop/cancel the download in time. However, when I started my computer this morning, Regcure had installed itself and popped up claiming there were over 300 registry issues and to scan now etc etc. I didn’t touch the screens but went straight through and uninstalled the program then rebooted. I hope that was enough? It’s gone from my programs list now.

Run adwcleaner to remove all traces… Also install unchecky, details at the end

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

UNCHECKY

A small tool that may help when you download programmes

http://unchecky.com/

Click on the link above to be taken to Unchecky.com
Click the very large Download button.
Click Save
Click Open folder

Right click on the Unchecky_setup or folder and choose to Run as Administrator

Once open click the Install button.


Then click on Finish


Unchecky is now installed and will help you keep unwanted check boxes unchecked :wink:

Thank you. Have installed Unchecky (what a great little program!) and here is the adw log:

AdwCleaner v4.002 - Report created 01/11/2014 at 08:51:52

DB v2014-10-26.6

Updated 27/10/2014 by Xplode

Operating System : Windows 7 Professional Service Pack 1 (64 bits)

Username : petra - PETRA-PC

Running from : C:\Users\petra\Desktop\New folder\AdwCleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\petra\AppData\Roaming\DriverCure
Folder Deleted : C:\ProgramData\ParetoLogic
Folder Deleted : C:\Users\petra\AppData\Roaming\ParetoLogic

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

  • Not Deleted : HKCU\Software\IM
    Key Deleted : HKCU\Software\ParetoLogic
    Key Deleted : HKLM\SOFTWARE\ParetoLogic

  • Not Deleted : [x64] HKCU\Software\IM
    Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

***** [ Browsers ] *****

-\ Internet Explorer v10.0.9200.16750

-\ Mozilla Firefox v33.0.2 (x86 en-US)

-\ Google Chrome v38.0.2125.111


AdwCleaner[R0].txt - [1283 octets] - [01/11/2014 08:49:16]
AdwCleaner[S0].txt - [1168 octets] - [01/11/2014 08:51:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1228 octets] ##########

How is the computer behaving now ?

It seems fine right now, has only been about an hour since I ran Adw so will monitor for 24 hours or so and reply back then. Thank you so much.

It’s been a couple of days now and all seems well. Thanks again for helping to fix this issue.

My pleasure :slight_smile:

If it is Idle Crawler that you are trying to remove from your PC, it can be easily removed from Programs/Features in your control panel. Idle Crawler is helpful for people who want to use it as an SEO tool. However, in this case you might have installed it mistakenly on your computer.