Google telling me my "computer or network may be sending automated queries"

Discussion in 'Malware Help (A Specialist Will Reply)' started by KrypticMind, Apr 17, 2010.

  1. KrypticMind

    KrypticMind Private E-2

    The first problems I noticed were that Avira was not running properly, and I couldn't get into the task manager. These have since been resolved by following the Windows XP Cleaning Procedure and running Malwarebytes.

    I still have another problem where every time I try to go to www.google.com, they tell me "We're sorry... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now," and I have to type in random characters to prove "I'm human." Besides that, I think my internet might be a tad slower, but otherwise, I don't notice anything else. I'm sure it's some kind of malware, but I don't know how to remove it. Thanks for any help! :)
     


  2. KrypticMind

    KrypticMind Private E-2

    Logs uploaded.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your computer was very badly infected. Just to be on the safe side, please run Malwarebytes one more time and attach another new log. Then continue on with the below.


    Please put your PC into normal startup mode with MSconfig as requested in the READ & RUN ME.

    Also see step 6 and Disable Disk Emulation since you have Daemon Tools installed. This must be done before continuing.


    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Uninstall the below software as requested in the READ & RUN ME:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 11
    Viewpoint Media Player


    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now please run the below procedure and attach the GMER log:

    GMER - running with a random name


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • the log from GMER
    • C:\MGlogs.zip
     
  4. KrypticMind

    KrypticMind Private E-2

    I ran Malwarebytes again, and I did not get anything.

    I tried running HostsXpert, but I got the following error when I tried to Restore MS's Hosts Files.
    "ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts"

    Despite the error, I continued to follow the rest of your instructions, and I've attached the desired log files. Thanks!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you Click the Make Writeable? button as requested?

    Locate the below file in Windows Explorer:

    C:\WINDOWS\system32\drivers\etc\hosts

    Then right click on it and select Properties. Uncheck the Read-only and Hidden attributes if they are checked and then click Apply. Tell me what happens.

    Now see if you can right click the file and select Rename. Rename it to hosts.old

    Were you able to rename it?
     
  6. KrypticMind

    KrypticMind Private E-2

    I did click the Make Writeable.

    When I tried to uncheck Read-only and clicked Apply, it gave me an error:

    "An error occurred applying attributes to the file:

    C:\WINDOWS\system32\drivers\etc\hosts

    Access is denied."
     
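The fix in this thread centres on the Windows hosts file: the malware had rewritten it and then locked it so that neither HostsXpert nor the Properties dialog could touch it. Before restoring a hosts file it is worth knowing what was put in it, because hijacked entries are the indicator of what the infection was doing. The script below is an added example, not something posted in the thread or shipped with HostsXpert. It parses a hosts file in the Microsoft format (comments after `#`, one address followed by one or more names per line), then reports two kinds of entry: names sent to any address other than this machine (a redirect, the pattern behind search hijacks) and watchlisted names pinned to loopback (the pattern used to block AV vendors and update servers). The sample file, the watchlist and the 203.0.113.7 address are constructed for the example; they are not indicators taken from the poster's logs.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in the style of a hijacked Windows XP hosts file.
# 203.0.113.7 is from the TEST-NET-3 documentation range and stands in
# for whatever address a hijacker would use; it is not from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed redirect
203.0.113.7     www.bing.com
127.0.0.1       www.avira.com               # constructed block of an AV vendor
127.0.0.1       ads.example                 # harmless ad-blocking style entry
this is not a valid line
"""

# Names worth a look even when they point at loopback, because pinning an
# AV or update server to 127.0.0.1 cuts the machine off from help.
# Illustrative list for this example, not taken from the thread.
WATCHLIST = {
    "google.com", "www.google.com", "www.bing.com", "search.yahoo.com",
    "www.avira.com", "www.malwarebytes.org", "update.microsoft.com",
}


@dataclass
class Finding:
    line_no: int
    kind: str                     # "redirect", "block" or "unparseable"
    ip: str
    names: list = field(default_factory=list)


def parse_hosts(text):
    """Yield (line_no, ip, names) per entry; ip is None for a malformed line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # accepts IPv4 and IPv6
        except ValueError:
            yield line_no, None, [line]
            continue
        yield line_no, ip, [n.lower() for n in parts[1:]]


def audit_hosts(text, watchlist=WATCHLIST):
    """Return the entries a responder should look at, in file order."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append(Finding(line_no, "unparseable", "", names))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            # Any name resolved to a remote address is a redirect; the
            # default Microsoft file contains nothing but localhost.
            findings.append(Finding(line_no, "redirect", str(ip), names))
            continue
        watched = [n for n in names if n in watchlist]
        if watched:
            findings.append(Finding(line_no, "block", str(ip), watched))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.kind:11} {f.ip:15} {' '.join(f.names)}")
```

On a real machine the input is the contents of `C:\WINDOWS\system32\drivers\etc\hosts`; on XP the clean default is the comment header plus the single `127.0.0.1 localhost` line, so every other entry needs an explanation. The "Access is denied" the poster got when clearing the Read-only attribute is a permissions problem rather than an attribute problem, and on XP `cacls` on that path shows the DACL that is in the way.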
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below folder and file on your Desktop are?
    Code:
    "C:\Documents and Settings\Longphi\desktop\"
    1             Apr 17 2010              "1"
    106sx5o9.exe  Apr 17 2010      293376  "106sx5o9.exe"
    Do you know what the below file is? It was previously loading at startup. Do you use any kind of Xerox copiers, scanners or printers?
    Code:
    c:\windows\system32\LMSXXD.exe


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. KrypticMind

    KrypticMind Private E-2

    The folder is where I'm throwing all of these log files, haha, and the weird-named file is GMER. For the Xerox question... Yes, I am using a Xerox printer.

    As for problems, the only one remaining seems to be that Windows Security is telling me that Avira is turned off, but when I check Avira, it's turned on.

    The previous instructions you've given me have fixed my Google problem and another problem where when I searched for something with Google but it would send me to some random page. Thank you for helping me fix the problems. :)

    Looking at the log files, is there anything else wrong with my system?
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to save them anywhere. They are already saved here in your thread. And saving them in any place but the default locations will make our automatic cleanup processes fail.


    Okay then look in the below folder:

    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\

    Do you see a file named: LMSXXD.exe.vir

    This unsigned file may be related to your printer and you will need to get a copy back to your Windows\system32 folder named correctly as LMSXXD.exe.

    Uninstall Avira, reboot, and then reinstall. Make sure that you have the current version to reinstall. See: AntiVir Personal Edition
     
