Solved

Google search results re-directed to another search page

Posted on 2006-11-01
23
572 Views
Last Modified: 2013-11-16
Hi,
I've got a problem with my Google search results being re-directed to other search sites. I tried SpyBot and it did find pipas.A. I had SpyBot delete it but it came back. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:28 AM, on 11/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Atievxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\MS\SMS\CORE\BIN\Launch32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\calhounj\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Office Startup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe


Thanks For Your Help
0
Comment
Question by:mberman1012
  • 7
  • 6
  • 4
  • +5
23 Comments
 
LVL 11

Expert Comment

by:Paul S
ID: 17852595
I think the problem is the DNS servers

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225

change these values.

use something else

4.2.2.4 always works for me.
0
 

Author Comment

by:mberman1012
ID: 17852846
Still no good.  By the way it's not just Google. I ran a IE search and the same thing happened
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17856151
check your hosts file
c:\windows\system32\drivers\etc\hosts
other than the dns I can't see any processes which would affect it.
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 17857711
Disable all non-Microsoft non-verified Add-ibs in IE!
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 17858258
Boot into safe mode (press F8 prior to Windows splash screen)
Run Spybot S&D again
Should be good to go.
0
 

Author Comment

by:mberman1012
ID: 17859111
1. I checked the hosts file - no additions
2. I'll try disablingnon-Microsoft non-verified Add-ins in IE - I'm not in the office today.
3. I already ran Spybot S&D from safe mode still getting re-directed
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 17860390
It sounds like you need to install Wireshark (www.wireshark.org) and run a packet sniff to see where your DNS traffic is going and to verify that it is coming back to you.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 125 total points
ID: 17871084
Hi,
What you have there is wareout infection!

Please do this:
Uninstall UnSpyPC or KillAndClean from Add/Remove Programs if listed:

You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.

If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt)
0
 
LVL 5

Expert Comment

by:cjtraman
ID: 17880221
see adaware application can be of any help.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17892785
mberman1012,
Are you saying that Adaware removes wareout?
Can you please give me some proof that it did???

I have proof that you have wareout infection, and if adaware removes it then I would like to know because my info says it doesn't.



0
 

Author Comment

by:mberman1012
ID: 17895472
I have to apologize I hit accept on the wrong answer. rpggamergirl you posted the correct fix. I ran Fixwareout and it worked. I'll post the Fixwareout and HijackThis logs tomorrow when I'm back at work.

Sorry about that.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 5

Expert Comment

by:cjtraman
ID: 17895700
rpggamergirl,
>>I have proof that you have wareout infection, and if adaware removes it then I would like to know because my info says it doesn't.

Could you please tell us how to check the machine having wareout infection?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17897141
mberman1012,
That's okay, I'll change it then, thanks.


cjtraman,
>>>Could you please tell us how to check the machine having wareout infection?<<<

Which do you want to know? the symptoms when a pc has wareout? Or how to recognize wareout by looking at a hijackthis log? Or do you want to know all the telltale signs of wareout infection?
0
 
LVL 5

Expert Comment

by:cjtraman
ID: 17897187
>>I have proof that you have wareout infection, and if adaware removes it then I would like to know because my info says it doesn't

I would like to know the proof that the machine has wareout infection. may be share with us regarding symptoms of wareout infection
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17897329
There are many proof and telltale signs of wareout but different in every case.

In this question, the proof of wareout are:
Symptoms:
*Google search results being re-directed to other search sites
*Spybot's detection of Pipas.A

And confirmed by the entries in his HJT log:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225

Note: Hijackthis can not remove wareout, removing entries does nothing while wareout is active.
The fixwareout tool must be run to remove the infection.

There are many other symptoms or signs when a pc has wareout, but not all of the symptoms nor the hijackthis entries will be there. There are other entries to look out for but I'm just talking about this very question.
0
 
LVL 5

Expert Comment

by:cjtraman
ID: 17897463
ok..thanks :-)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17897558
No problem.

The most common symptom is the search redirection, and the most common entries showing in hijackthis are the 017 entries.

If you want all the telltale signs and symptoms, I'll post them here.
0
 

Author Comment

by:mberman1012
ID: 17905865
First chance I had to post the logs.

--------------------Fixwareout Log------------------

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB24155B0244-BBF8-5074-AE19-58D2BFCC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wurmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmruw.exe"=-
...
 
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Searching by size/names...
 
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSIWP.EXE       51,748 2006-09-26      
C:\WINNT\SYSTEM32\DMRUW.EXE       60,503 2004-08-03
 
Other suspects.
Directory of C:\WINNT\system32
 
»»»»» Misc files.
 
»»»»» Checking for older varients covered by the Rem3 tool.


--------------------HijackThis Log After Fixwareout -------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:49:03 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Atievxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\MS\SMS\CORE\BIN\Launch32.exe
C:\Documents and Settings\calhounj\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Office Startup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

Thanks for your help.

0
 
LVL 5

Expert Comment

by:cjtraman
ID: 17907673
Yes, Can you share those information as well?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17911028
mberman1012,
Thanks for the logs, your hijackthis log is okay!

C:\WINNT\SYSTEM32\CSIWP.EXE <-- this file is part of wareout and needs to be deleted.  
 
C:\WINNT\SYSTEM32\DMRUW.EXE <-- this one looks like a wareout file BUT this was created 2 years ago so we can't assume that it is, best for you to have it submitted to jotti.org for an online check if it's bad or not.
http://virusscan.jotti.org/    
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17911074
>>Yes, Can you share those information as well?<<

Sure.


Telltale signs of Wareout infection:

Symptoms:(either one of following)
* User complaints of popups mentioning WareOut
* Google search redirection, bogus search results
* the identification of "Downloader.Agent.uj".
* Spybot detects Pipas.A Trojan
* Pest Patrol reports of QHosts.DF
* "UnSpyPC" or "KillAndClean" in add/remove programs list
* If it's the variant QHosts.DF most scanners run on the infected pc will crashed.


Common "wareout" entries that might appear in logs:

There might be 2 HijackThis entries present or none.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O1 - Hosts: localhost 127.0.0.1 <-- sometimes this entry can be the only visible line

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE <-- rarely visible
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [KillAndClean] "D:\Program Files\KillAndClean\KillAndClean.exe"

One or two random O4s, usually not visible, such as:
O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System32\dmcup.exe
O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
O4 - HKLM\..\Run: [dmgow.exe] C:\WINDOWS\system32\dmgow.exe
O4 - HKLM\..\Run: [hgmos.exe] C:\Windows\System32\hgmos.exe

The entry may not be exactly as the one above.
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
Note: * = a randomly generated letter.

Also entries that looks like these:
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
O4 - HKLM\..\Run: [exe.zpomd] C:\WINDOWS\system32\dmopz.exe
O4 - HKLM\..\Run: [exe.jlamd] C:\WINDOWS\system32\dmalj.exe
O4 - HKLM\..\Run: [exe.uqhmd] C:\WINDOWS\system32\dmhqu.exe
O4 - HKLM\..\Run: [exe.somgh] C:\WINDOWS\system32\hgmos.exe
The name after "exe." is the filename reversed; it usually begins with the letters "dm, cs, hg" , as above.


Usually there'll be 017 entries showing in hijackthis log with the following IP Addresses:
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFF8F98-69BE-40ED-A311-2965DB08F05D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{24945E12-5B0C-4B95-841C-56FBF0A6DAC0}: NameServer = 195.95.218.1,85.255.112.7
or any O17 with a similar IP resolving to Atrivotechnologies, EstHost hosting company, Tartu Peapostkontor, pk. 12, Estonia, InterCage, or to inhoster, Ukraine.


And here are the most common 017 wareout entries that usually present in hijackthis logs: these entries are almost always present, it's rare not to see them in the log with wareout infection.
O17 - HKLM\System\CS2\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.113.139,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{829B2203-98D9-493A-B9C9-0CBFE371CDBE}: NameServer = 85.255.115.38,85.255.112.103


*Ewido's log shows the following entries:
[176] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning
[196] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning


*SilentRunners' log will show a five-letter exe usually starting with 'cs', 'dm', 'df', is a sure sign of WareOut:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cspxq.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csott.exe" [null data]


*BlackLight will also detects some of the files:
01/21/06 10:00:04 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\cspxq.exe
01/21/06 10:00:05 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\dmbsx.exe
The file names will be random, but the exes are five-letter names beginning with 'cs', 'dm' or 'df'.


Have fun 'wareout' hunting! :)
0
 
LVL 5

Expert Comment

by:cjtraman
ID: 17912156
oops...bigger tale....nice info...thanks...:-)
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now