durangod Posted June 29, 2014

Hey all, thought I would share this with you. A few days ago one of my sites reported they were having issues with the site showing domain expired, so I checked, it was fine. Then a day later two more sites said the same thing, I checked again, all fine (meaning I checked the registrar and also pulled up the sites). Today I got hit with it. It was like a time bomb, all of a sudden all my sites on the host showed the same, domain expired. This image here. So I began to panic a bit, did someone hack my server or wtheck... After checking intodns (I didn't want to log into my whm for fear of a virus) all seems ok and when I accessed the site using anon proxy it showed fine. So I figured it was something local. Actually it's something worldwide. But if you run malwarebytes (free trial) it will find it and you can kill it.. Here is my scan and now all is well. Hope this helps someone to not have a heart attack like I did lol..

Malwarebytes Anti-Malware
[url]www.malwarebytes.org[/url]

Scan Date: 6/29/2014
Scan Time: 4:36:18 PM
Logfile: scanlog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.29.09
Rootkit Database: v2014.06.23.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: xxxxxxxx

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316457
Time Elapsed: 4 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a],
PUP.Optional.DefaultTab.A, HKU\S-1-5-21-2476543464-4118117661-2746257878-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DefaultTab, Quarantined, [e855acd2750612243b9534a0b54dd729],

Registry Values: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [6cd185f9f18ae3535c44c344ab595da3]
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT|InstallDir, C:\PROGRA~2\SearchProtect, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a]

Registry Data: 0
(No malicious items detected)

Folders: 7
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],

Files: 4
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\Cvc.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],

Physical Sectors: 0
(No malicious items detected)

(end)

- - - Updated - - -

Nevermind, it's back, just like that it's all back again.. I guess I'll have to zap all my browsers and reinstall to kill this thing maybe

- - - Updated - - -

http://www.malwareremovalguides.info/pup-optional-searchprotect-a-removal-guide/

I guess it's ok, I don't know. Some days I really really really really hate this business and computers...

durangod Posted June 30, 2014

Ok folks, looks like I got it... I decided to do a search for new files created today.. I found a folder with a bunch of language files in it all for different countries, it was called language, so I deleted it but not out of my bin and I got sidetracked and forgot it was there. I just tried and all is well, but sadly I zapped the bin.. so I can't share what I found. But you'll know because the folder called language is in an odd place and you'll be like, why are there lang files here, there is no software here.. and that's it.. del it to your bin, try your sites and all should work, then del it from bin.... How I got this I don't know, I never ever click on any links I don't know for sure I know.

durangod Posted July 2, 2014

Update on the domain issue folks, I had those lang files (I found them again) but they were in the right place this time, I had them checked and they are fine, somehow they got misdirected from malwarebytes and ended up in the wrong place by themselves. It was just a coincidence that the deal happened to go away when I removed them, just my luck huh.... So we are back to square one, I am looking into some stuff with my host, I will get back with you all.. Sorry about that but sometimes troubleshooting sucks and takes you in the wrong direction.

I'm actually using google proxy now because my sites are not available. And what is strange is that it only affects my domains that are with my reseller account, none of the other web is affected. My host is working on it but so far they are not able to duplicate the issue like you all were able to do here. So back to square one, sorry about the wild goose chase about the lang files, you try to be quick and get the word out and try to save someone a hassle and it ends up getting egg on your face ya know...

Somewhere in the dns chain someone is playing games, I'm sure of it. People from my gaming community in Poland and UK and Canada are having the same issue but not all the time, sometimes it works then in 5 min it goes away. I did figure out that a proxy works, I'm on google proxy now and sites are accessible, so it's not the sites, nothing is wrong with them at all. It's in the dns structure somewhere. Called my ISP and got their default dns and yep, when I change to that I can't access the sites. However Poland and Canada don't have my ISP so it's not the ISP. So it must be somewhere up the chain, possibly a regional DNS server maybe. What is strange also is that it only affects the sites I have on the reseller account, no other web is affected. Strange strange.

If I find out that someone is doing this on purpose with some kind of hack you can bet money I'm reporting it to the authorities. My ISP has no issue pulling up the sites and they are on the same dns, however I can't, but it's not my local machine because it's happening all over.

Edited July 2, 2014 by durangod
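
The scoping reasoning in the post above (proxy works, ISP resolver fails, users on other ISPs fail intermittently) can be written down as a comparison of answers per resolver. This is an added example, not part of the original post; the addresses, vantage-point and resolver names are constructed, and the decision rule in `fault_scope` is a simplified assumption.

```python
from collections import defaultdict

# Constructed sample data. 203.0.113.10 stands in for the real web server and
# 198.51.100.7 for the "domain expired" page; all names are hypothetical.
EXPECTED = frozenset({"203.0.113.10"})
OBSERVATIONS = [  # (vantage point, resolver used, addresses returned)
    ("home-pc", "isp-default", {"198.51.100.7"}),
    ("home-pc", "proxy-resolver", {"203.0.113.10"}),
    ("poland-user", "pl-isp", {"198.51.100.7"}),
    ("poland-user", "pl-isp", {"203.0.113.10"}),
    ("canada-user", "ca-isp", {"198.51.100.7"}),
    ("uk-user", "uk-isp", {"203.0.113.10"}),
]

def summarize(observations, expected):
    """Count lookups and wrong answers per resolver."""
    stats = defaultdict(lambda: {"total": 0, "bad": 0})
    for _vantage, resolver, answer in observations:
        stats[resolver]["total"] += 1
        stats[resolver]["bad"] += set(answer) != set(expected)
    return dict(stats)

def flapping(observations, expected):
    """Resolvers that returned both right and wrong answers (intermittent)."""
    return sorted(r for r, s in summarize(observations, expected).items()
                  if 0 < s["bad"] < s["total"])

def fault_scope(observations, expected):
    """Simplified decision rule (an assumption of this example)."""
    bad = [(v, r) for v, r, a in observations if set(a) != set(expected)]
    if not bad:
        return "no fault observed"
    bad_vantages = {v for v, _ in bad}
    bad_resolvers = {r for _, r in bad}
    if len(bad_vantages) == 1:
        (vantage,) = bad_vantages
        used = {r for v, r, _ in observations if v == vantage}
        # Wrong through every resolver tried from one machine: look at that machine.
        if used == bad_resolvers and len(used) > 1:
            return "local machine"
        return "single resolver"
    if len(bad_resolvers) == 1:
        return "single resolver"
    # Unrelated resolvers in different networks return the wrong answer.
    return "upstream of the resolvers"

if __name__ == "__main__":
    print(fault_scope(OBSERVATIONS, EXPECTED), flapping(OBSERVATIONS, EXPECTED))
```
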

durangod Posted July 8, 2014

http://forum.whmcs.com/showthread.php?90807-i-need-help-badly-Moved

This has been resolved, it was a host issue after all, not a virus or an attack. See the link above.