serious malware running around


Hey all, thought I would share this with you. A few days ago one of my sites reported they were having issues with the site showing "domain expired", so I checked, and it was fine. Then a day later two more sites said the same thing; I checked again, all fine (meaning I checked the registrar and also pulled up the sites).

Today I got hit with it. It was like a time bomb: all of a sudden all my sites on the host showed the same, domain expired. This image here.

[image: wtheck.jpg]

So I began to panic a bit: did someone hack my server or what the heck... After checking intodns (I didn't want to log into my WHM for fear of a virus) all seemed OK, and when I accessed the site using an anonymous proxy it showed fine. So I figured it was something local.

Actually it's something worldwide. But if you run Malwarebytes (free trial) it will find it and you can kill it..

Here is my scan and now all is well. Hope this helps someone to not have a heart attack like I did lol.. :)

 


Malwarebytes Anti-Malware
[url]www.malwarebytes.org[/url]

Scan Date: 6/29/2014
Scan Time: 4:36:18 PM
Logfile: scanlog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.29.09
Rootkit Database: v2014.06.23.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: xxxxxxxx

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316457
Time Elapsed: 4 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a], 
PUP.Optional.DefaultTab.A, HKU\S-1-5-21-2476543464-4118117661-2746257878-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DefaultTab, Quarantined, [e855acd2750612243b9534a0b54dd729], 

Registry Values: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [6cd185f9f18ae3535c44c344ab595da3]
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT|InstallDir, C:\PROGRA~2\SearchProtect, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a]

Registry Data: 0
(No malicious items detected)

Folders: 7
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 

Files: 4
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\Cvc.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e], 

Physical Sectors: 0
(No malicious items detected)


(end)

 

- - - Updated - - -

Never mind, it's back, just like that it's all back again.. I guess I'll have to zap all my browsers and reinstall to kill this thing maybe.

- - - Updated - - -

http://www.malwareremovalguides.info/pup-optional-searchprotect-a-removal-guide/ I guess it's OK, I don't know. Some days I really really really really hate this business and computers...


OK folks, looks like I got it... I decided to do a search for new files created today. I found a folder with a bunch of language files in it, all for different countries; it was called "language", so I deleted it, but not out of my bin, and I got sidetracked and forgot it was there. I just tried and all is well, but sadly I zapped the bin, so I can't share what I found.

But you'll know, because the folder called "language" is in an odd place and you'll be like, why are there lang files here, there is no software here.. and that's it.. Delete it to your bin, try your sites and all should work, then delete it from the bin....

How I got this I don't know. I never ever click on any links I don't know for sure, I know.


Update on the domain issue folks: I had those lang files (I found them again) but they were in the right place this time. I had them checked and they are fine; somehow they got misdirected from Malwarebytes and ended up in the wrong place by themselves. It was just a coincidence that the deal happened to go away when I removed them, just my luck huh.... So we are back to square one; I am looking into some stuff with my host, I will get back with you all.. Sorry about that, but sometimes troubleshooting sucks and takes you in the wrong direction.

I'm actually using Google proxy now because my sites are not available. And what is strange is that it only affects my domains that are with my reseller account; none of the other web is affected. My host is working on it but so far they are not able to duplicate the issue like you all were able to do here.

So back to square one, sorry about the wild goose chase about the lang files; you try to be quick and get the word out and try to save someone a hassle and it ends up getting egg on your face, ya know...

Somewhere in the DNS chain someone is playing games, I'm sure of it. People from my gaming community in Poland and the UK and Canada are having the same issue but not all the time; sometimes it works, then in 5 min it goes away. I did figure out that a proxy works; I'm on Google proxy now and sites are accessible, so it's not the sites, nothing is wrong with them at all. It's in the DNS structure somewhere.

Called my ISP and got their default DNS, and yep, when I change to that I can't access the sites. However Poland and Canada don't have my ISP, so it's not the ISP. So it must be somewhere up the chain, possibly a regional DNS server maybe. What is strange also is that it only affects the sites I have on the reseller account; no other web is affected. Strange strange. If I find out that someone is doing this on purpose with some kind of hack you can bet money I'm reporting it to the authorities.

My ISP has no issue pulling up the sites and they are on the same DNS, however I can't, but it's not my local machine because it's happening all over.

Edited by durangod
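The check described in the post above (the same domain answered differently by the ISP's resolver than by a proxy or by friends in other countries) can be done in one go by sending the identical A query to several resolvers and diffing the answers. The script below is an added example, not something posted in this thread and not from Malwarebytes or any host; it uses only the Python standard library. The domain `example.com` and the resolver addresses (including the ISP placeholder `192.0.2.53`) are assumptions to substitute for the affected domain and your own ISP's DNS.

```python
"""Compare A-record answers for one domain across several DNS resolvers.

Added example (not from the forum thread). A stdlib-only DNS client sends the
same query to each resolver and reports which resolvers disagree with the
majority answer. The domain and resolver addresses below are assumptions.
"""
import random
import socket
import struct
from collections import Counter


def build_query(name: str, qtype: int = 1) -> tuple[bytes, int]:
    """Build a recursive (RD=1) DNS query for `name`; returns (packet, txid)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1), txid


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes, txid: int) -> set[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: response is not for our query")
    rcode = flags & 0x0F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> set[str]:
    """Send one UDP query to `resolver_ip` and return the A addresses it gives."""
    packet, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_divergent(answers: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return the resolvers whose answer set differs from the majority answer."""
    if not answers:
        return {}
    majority = Counter(frozenset(a) for a in answers.values()).most_common(1)[0][0]
    return {r: a for r, a in answers.items() if frozenset(a) != majority}


if __name__ == "__main__":
    DOMAIN = "example.com"  # assumption: substitute the affected domain
    RESOLVERS = {           # assumption: the ISP address is a placeholder
        "public-8.8.8.8": "8.8.8.8",
        "public-1.1.1.1": "1.1.1.1",
        "isp-default": "192.0.2.53",
    }
    results: dict[str, set[str]] = {}
    for label, ip in RESOLVERS.items():
        try:
            results[label] = query_resolver(ip, DOMAIN)
        except (OSError, ValueError) as exc:
            results[label] = set()
            print(f"{label}: error: {exc}")
    for label, addrs in results.items():
        print(f"{label}: {sorted(addrs) or '(no A records)'}")
    divergent = find_divergent(results)
    print("divergent resolvers:", sorted(divergent) if divergent else "none")
```

If the ISP resolver is the only one returning a different address (a parking or "domain expired" page host, say), the problem is in that resolver's view of the zone rather than in the site, which is the same conclusion the proxy test gives but with the actual addresses in hand to send to the host or registrar.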