Searching blocked by Google

First topic message reminder :

Over the last week I have been getting repeated requests from Google for captchas to verify I am not a robot. Today, for the first time Google blocked me, with this message:
We're sorry...but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.
Yesterday I downloaded the new version of Malwarebytes, updated and scanned my entire computer. It found nothing. I regularly update daily my Avira. I am stumped and I have no idea what to do next. Any suggestions?

As far as we know here, your computer is indeed clean, bu let's do a couple of other checks:

Please download aswMBR from here

• Save aswMBR.exe to your Desktop
  
• Double click aswMBR.exe to run it
  
• Click the Scan button to start the scan as illustrated below
  

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

• Once the scan finishes click Save log to save the log to your Desktop
  
  
  
• Copy and paste the contents of aswMBR.txt back here for review
  

awembr log file. It sat on the last line related to documents and settings for a very long time with no activity, and finally I clicked on save log. I assume it was finished but it never did say it was complete

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-09 19:56:15
-----------------------------
19:56:15.562 OS Version: Windows 5.1.2600 Service Pack 3
19:56:15.562 Number of processors: 2 586 0x170A
19:56:15.562 ComputerName: PRISS UserName:
19:56:16.031 Initialize success
20:08:07.125 AVAST engine defs: 12050900
20:08:18.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:08:18.187 Disk 0 Vendor: ST9250315AS 0002SDM1 Size: 238475MB BusType: 3
20:08:18.203 Disk 0 MBR read successfully
20:08:18.218 Disk 0 MBR scan
20:08:18.265 Disk 0 Windows XP default MBR code
20:08:18.265 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63
20:08:18.281 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310
20:08:18.296 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373
20:08:18.312 Disk 0 scanning sectors +488376000
20:08:18.421 Disk 0 scanning C:\WINDOWS\system32\drivers
20:08:31.031 Service scanning
20:08:32.609 Service ASUSProcObsrv E:\I386\AsProcOb.sys **LOCKED** 21
20:08:44.421 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:08:48.046 Modules scanning
20:08:56.281 Disk 0 trace - called modules:
20:08:56.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
20:08:56.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad25ab8]
20:08:56.343 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000087[0x8ad59f18]
20:08:56.359 5 ACPI.sys[b9e54620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad81d98]
20:08:56.781 AVAST engine scan C:\WINDOWS
20:09:07.281 AVAST engine scan C:\WINDOWS\system32
20:11:58.750 AVAST engine scan C:\WINDOWS\system32\drivers
20:12:15.703 AVAST engine scan C:\Documents and Settings\Carolyn Blake
20:13:20.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\MBR.dat"
20:13:20.343 The log file has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\aswMBR.txt"

Please disregard the previous asw scan, it was incomplete

Correct ASW scan log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-09 20:19:35
-----------------------------
20:19:35.265 OS Version: Windows 5.1.2600 Service Pack 3
20:19:35.265 Number of processors: 2 586 0x170A
20:19:35.265 ComputerName: PRISS UserName:
20:19:35.937 Initialize success
20:19:41.515 AVAST engine defs: 12050900
20:20:00.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:20:00.296 Disk 0 Vendor: ST9250315AS 0002SDM1 Size: 238475MB BusType: 3
20:20:00.312 Disk 0 MBR read successfully
20:20:00.328 Disk 0 MBR scan
20:20:00.359 Disk 0 Windows XP default MBR code
20:20:00.375 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63
20:20:00.375 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310
20:20:00.406 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373
20:20:00.421 Disk 0 scanning sectors +488376000
20:20:00.531 Disk 0 scanning C:\WINDOWS\system32\drivers
20:20:16.953 Service scanning
20:20:18.500 Service ASUSProcObsrv E:\I386\AsProcOb.sys **LOCKED** 21
20:20:30.187 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:20:33.750 Modules scanning
20:20:50.265 Disk 0 trace - called modules:
20:20:50.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
20:20:50.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad25ab8]
20:20:50.343 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000087[0x8ad59f18]
20:20:50.359 5 ACPI.sys[b9e54620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad81d98]
20:20:50.812 AVAST engine scan C:\WINDOWS
20:21:03.484 AVAST engine scan C:\WINDOWS\system32
20:24:44.187 AVAST engine scan C:\WINDOWS\system32\drivers
20:25:08.171 AVAST engine scan C:\Documents and Settings\Carolyn Blake
20:49:00.265 AVAST engine scan C:\Documents and Settings\All Users
20:55:33.000 Scan finished successfully
20:57:01.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\MBR.dat"
20:57:01.468 The log file has been saved successfully to "C:\Documents and Settings\Carolyn Blake\Desktop\aswMBR.txt"

Your IP address is likely banned.

Call your ISP to get a new IP address assigned. This is best to be able to access Google again.

Thank you Jay for all your help. I am in Turkey and things are difficult here for getting things like that accomplished. I am leaving in 3 weeks so my problem may be solved then. I have only had this IP address for 3 weeks, having picked up this new service then. I wonder if there could be someone on my network who is doing something to cause this. I deeply appreciate your help and how you stuck with me through this. If I have the same problem when I move to Romania, I will be back to address it again.

It might have actually been malware. ComboFix reported deletions of two of the latest infections, reported in [You must be registered and logged in to see this link.]:

c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Carolyn Blake\g2mdlhlpx.exe IDENTIFIED as Trojan:fake-GoToMeeting Application
c:\documents and settings\Carolyn Blake\new.txt
c:\windows\~INSX362.EXE Commonly a Trojan paired with redirect malware
c:\windows\system32\drivers\etc\hosts.ics Static HOSTS file (modified by malware)
c:\windows\system32\roboot.exe Possibly related to Trojan.ZeroAccess

EXPLAINED:

Google takes these actions prevent DDoS, which is Distributed Denial of Service. When it detects potential suspicious behavior from an IP address, the IP address is put on a temporary or permanent ban list.

Problem is, the malware you had, had the ability to control your computer and send anonymous requests to unknown/known servers, such as Google.

Only way to solve this issue the hard way is to remove the malware first, and then wait it out.

The easy way is to change your IP address after the malware is removed.


Just curious...run this scan real quick:

1. Download Win32kDiag from any of the following locations and save it to your Desktop.
   
   
   
   • Download Win32kDiag (Win32kDiag.exe) - #1
     
   • Download Win32kDiag (Win32kDiag.exe) - #2
     
   • Download Win32kDiag (Win32kDiag.exe) - #3
     

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.

When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.

Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Ok, I'm on it...back as soon as it's done. I just tried to use Google again and it instantly asked me for a captcha, because of "unusual activity," so I closed it and went back to bing. BRB...

Running from: C:\Documents and Settings\Carolyn Blake\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Carolyn Blake\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

I just now filled out a form to join an online class...first time and only time, and I got this message (not from Google- I accessed the link from my email, and in Firefox)
Security Image Verification

We have received repeated subscriptions from your computer. To prevent automated signups we verify that it is a person signing up, and not an automated script.

Type the characters below, exactly as shown, into the box provided without spaces. The letters are case sensitive.

We monitor our system very closely to prevent the use of harmful programs to submit large numbers of signups, which may cause problems for other users, and generate undue Spam complaints.

Please open Notepad and enter in the following:

@echo off
echo DNS renewal >log.txt
echo %date% >>log.txt
ipconfig /flushdns >>log.txt
pause
ipconfig /release >>log.txt
pause
ipconfig /renew >>log.txt
pause
ipconfig /all >>log.txt
pause
start log.txt
exit

Then, click File > Save as...
Save as dns.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on dns.bat, and it will finish quickly and launch a log.

Please post that in your next reply.

I had to "press any key" several times to get it to run, after the cmd window opened, but here it is.

DNS renewal
Thu 05/10/2012


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.



Windows IP Configuration



No operation can be performed on Local Area Connection while it has its media disconnected.

No operation can be performed on Local Area Connection 4 while it has its media disconnected.

IP Address for adapter Wireless Network Connection has already been released.



Windows IP Configuration



No operation can be performed on Local Area Connection while it has its media disconnected.

No operation can be performed on Local Area Connection 4 while it has its media disconnected.

An error occurred while renewing interface Wireless Network Connection : The DHCP client has obtained an IP address that is already in use on the network. The local interface will be disabled until the DHCP client can obtain a new address.





Windows IP Configuration



Host Name . . . . . . . . . . . . : PRISS

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller

Physical Address. . . . . . . . . : 90-E6-BA-94-B4-30



Ethernet adapter Local Area Connection 4:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : TAP-Win32 Adapter V9

Physical Address. . . . . . . . . : 00-FF-E9-44-45-15



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter

Physical Address. . . . . . . . . : 00-25-D3-BF-53-68

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 0.0.0.0

Subnet Mask . . . . . . . . . . . : 0.0.0.0

Default Gateway . . . . . . . . . :

DHCP Server . . . . . . . . . . . : 255.255.255.255

You were not connected to the network when these operations were run?

Try the sign up process again for that one thing...

Also, if you do connect to the network, re-run the batch file as above (purposely has the pauses to press any key).

I am not sure about this. I was online through my regular service. What could this mean?
I have seen that "media disconnected" message many times during all these attempts to clean up my system. Yes I am online.

What current firewalls do you have? Do you have one on a router? One on the computer(s)?

First, before I answer your question, what does "media disconnected" indicate is going on?

I use the Windows XP native firewall, set to default. My router is an Airties RT-206v4...European I suppose, and its firewall is on, and this is the description:

Firewall protects your computers and your network aganist harmful attacks from the Internet. Your modem's firewall has Stateful Packet Inspection (SPI) feature that will inspect every packet coming from the Internet to your modem and will not allow any that is not authorized to pass through. Using the Firewall menu, you can also define advanced rules to allow or prohibit local users in your network to access the Internet, to open certain ports that allow packets to reach applications running on local clients, and to forward all incoming traffic to a certain computer.

Media disconnected means the network adapter or LAN adapter or ethernet hub is not connected to the internet.

Go to Start > Run, type in cmd and hit OK.

Type this in to the black box:

ping [You must be registered and logged in to see this link.] > log.txt && log.txt

and hit enter...

post the log back to me please.

I did get a report, and I am assuming I entered the syntax correctly as per spaces.


Pinging phx1-rb-gtm3-tron-xw-lb.cnet.com [64.30.224.82] with 32 bytes of data:



Reply from 64.30.224.82: bytes=32 time=242ms TTL=238

Reply from 64.30.224.82: bytes=32 time=245ms TTL=238

Reply from 64.30.224.82: bytes=32 time=243ms TTL=238

Reply from 64.30.224.82: bytes=32 time=241ms TTL=238



Ping statistics for 64.30.224.82:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 241ms, Maximum = 245ms, Average = 242ms

I did it again, using a copy/paste and got a different response:



Pinging phx1-rb-gtm3-tron-xw-lb.cnet.com [64.30.224.82] with 32 bytes of data:



Reply from 64.30.224.82: bytes=32 time=239ms TTL=238

Reply from 64.30.224.82: bytes=32 time=238ms TTL=238

Reply from 64.30.224.82: bytes=32 time=240ms TTL=238

Reply from 64.30.224.82: bytes=32 time=241ms TTL=238



Ping statistics for 64.30.224.82:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 238ms, Maximum = 241ms, Average = 239ms

Okay...I need a closer test to your country... run this command please, the same way:

ping [You must be registered and logged in to see this link.] > log.txt && log.txt

Post the log when done, please.

Pinging [You must be registered and logged in to see this link.] [85.111.19.108] with 32 bytes of data:



Reply from 85.111.19.108: bytes=32 time=30ms TTL=55

Reply from 85.111.19.108: bytes=32 time=30ms TTL=55

Reply from 85.111.19.108: bytes=32 time=30ms TTL=55

Reply from 85.111.19.108: bytes=32 time=26ms TTL=55



Ping statistics for 85.111.19.108:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 26ms, Maximum = 30ms, Average = 29ms

Very good. Now, I'm curious...which Google are you using? Standard .com or other TLD (top level domain such as .co.uk or .it, etc.)?

Most of the time .com but sometimes my vpn is off and I might end up with .uk, .ro, .md, or .tr. I always make an effort to use US google, but sometimes I use my vpn and go thru UK or Romania or Moldova. I am in Turkey now.

I'm sticking to my previous opinion: [You must be registered and logged in to see this link.]

Thank you Jay for all your help. If your final advice is to get my provider to assign me a new IP address, I can try but I seriously doubt that I will have any success with that. In any case I leave Turkey in 2 weeks on May 28, to go to Romania, and if the problem is local it will be solved then. If I have the same issue, I will let you know.

I don't know if this is pertinent, but there is another user in my household who connects wirelessly as I do to the same router and she has never had this problem. In her case, she only does email and research for her writing, not the heavy usage I do.

You're saying the other user can connect and use Google.com in the same house?

Are your IP addresses similar or different?