Google search results re-directed to another search page

Hi,
I've got a problem with my Google search results being re-directed to other search sites. I tried SpyBot and it did find pipas.A. I had SpyBot delete it but it came back. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:28 AM, on 11/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Atievxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\MS\SMS\CORE\BIN\Launch32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\calhounj\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Office Startup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe


Thanks For Your Help
mberman1012Asked:
rpggamergirlCommented:
Hi,
What you have there is wareout infection!

Please do this:
Uninstall UnSpyPC or KillAndClean from Add/Remove Programs if listed:

You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.

If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt)
0
 
Paul SDesktop Support Manager / Network AdministratorCommented:
I think the problem is the DNS servers

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225

change these values.

use something else

4.2.2.4 always works for me.
0
 
mberman1012Author Commented:
Still no good.  By the way it's not just Google. I ran an IE search and the same thing happened
0
 
Machin__ShinCommented:
check your hosts file
c:\windows\system32\drivers\etc\hosts
other than the dns I can't see any processes which would affect it.
0
 
Redwulf__53Commented:
Disable all non-Microsoft non-verified Add-ins in IE!
0
 
RPPreacherCommented:
Boot into safe mode (press F8 prior to Windows splash screen)
Run Spybot S&D again
Should be good to go.
0
 
mberman1012Author Commented:
1. I checked the hosts file - no additions
2. I'll try disabling non-Microsoft non-verified Add-ins in IE - I'm not in the office today.
3. I already ran Spybot S&D from safe mode still getting re-directed
0
 
batry_boyCommented:
It sounds like you need to install Wireshark (www.wireshark.org) and run a packet sniff to see where your DNS traffic is going and to verify that it is coming back to you.
0
 
cjtramanCommented:
See if the Adaware application can be of any help.
0
 
rpggamergirlCommented:
mberman1012,
Are you saying that Adaware removes wareout?
Can you please give me some proof that it did???

I have proof that you have wareout infection, and if adaware removes it then I would like to know because my info says it doesn't.



0
 
mberman1012Author Commented:
I have to apologize I hit accept on the wrong answer. rpggamergirl you posted the correct fix. I ran Fixwareout and it worked. I'll post the Fixwareout and HijackThis logs tomorrow when I'm back at work.

Sorry about that.
0
 
cjtramanCommented:
rpggamergirl,
>>I have proof that you have wareout infection, and if adaware removes it then I would like to know because my info says it doesn't.

Could you please tell us how to check the machine having wareout infection?
0
 
rpggamergirlCommented:
mberman1012,
That's okay, I'll change it then, thanks.


cjtraman,
>>>Could you please tell us how to check the machine having wareout infection?<<<

Which do you want to know? the symptoms when a pc has wareout? Or how to recognize wareout by looking at a hijackthis log? Or do you want to know all the telltale signs of wareout infection?
0
 
cjtramanCommented:
>>I have proof that you have wareout infection, and if adaware removes it then I would like to know because my info says it doesn't

I would like to know the proof that the machine has wareout infection. Maybe share with us regarding symptoms of wareout infection.
0
 
rpggamergirlCommented:
There are many proofs and telltale signs of wareout but they differ in every case.

In this question, the proofs of wareout are:
Symptoms:
*Google search results being re-directed to other search sites
*Spybot's detection of Pipas.A

And confirmed by the entries in his HJT log:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225

Note: Hijackthis cannot remove wareout; removing entries does nothing while wareout is active.
The fixwareout tool must be run to remove the infection.

There are many other symptoms or signs when a pc has wareout, but not all of the symptoms nor the hijackthis entries will be there. There are other entries to look out for but I'm just talking about this very question.
0
 
cjtramanCommented:
ok..thanks :-)
0
 
rpggamergirlCommented:
No problem.

The most common symptom is the search redirection, and the most common entries showing in hijackthis are the 017 entries.

If you want all the telltale signs and symptoms, I'll post them here.
0
 
mberman1012Author Commented:
First chance I had to post the logs.

--------------------Fixwareout Log------------------

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB24155B0244-BBF8-5074-AE19-58D2BFCC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wurmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmruw.exe"=-
...
 
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Searching by size/names...
 
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSIWP.EXE       51,748 2006-09-26      
C:\WINNT\SYSTEM32\DMRUW.EXE       60,503 2004-08-03
 
Other suspects.
Directory of C:\WINNT\system32
 
»»»»» Misc files.
 
»»»»» Checking for older varients covered by the Rem3 tool.


--------------------HijackThis Log After Fixwareout -------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:49:03 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Atievxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\MS\SMS\CORE\BIN\Launch32.exe
C:\Documents and Settings\calhounj\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Office Startup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

Thanks for your help.

0
 
cjtramanCommented:
Yes, can you share that information as well?
0
 
rpggamergirlCommented:
mberman1012,
Thanks for the logs, your hijackthis log is okay!

C:\WINNT\SYSTEM32\CSIWP.EXE <-- this file is part of wareout and needs to be deleted.  
 
C:\WINNT\SYSTEM32\DMRUW.EXE <-- this one looks like a wareout file BUT this was created 2 years ago so we can't assume that it is, best for you to have it submitted to jotti.org for an online check if it's bad or not.
http://virusscan.jotti.org/   
0
 
rpggamergirlCommented:
>>Yes, Can you share those information as well?<<

Sure.


Telltale signs of Wareout infection:

Symptoms:(either one of following)
* User complaints of popups mentioning WareOut
* Google search redirection, bogus search results
* the identification of "Downloader.Agent.uj".
* Spybot detects Pipas.A Trojan
* Pest Patrol reports of QHosts.DF
* "UnSpyPC" or "KillAndClean" in add/remove programs list
* If it's the variant QHosts.DF, most scanners run on the infected pc will crash.


Common "wareout" entries that might appear in logs:

There might be 2 HijackThis entries present or none.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O1 - Hosts: localhost 127.0.0.1 <-- sometimes this entry can be the only visible line

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE <-- rarely visible
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [KillAndClean] "D:\Program Files\KillAndClean\KillAndClean.exe"

One or two random O4s, usually not visible, such as:
O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System32\dmcup.exe
O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
O4 - HKLM\..\Run: [dmgow.exe] C:\WINDOWS\system32\dmgow.exe
O4 - HKLM\..\Run: [hgmos.exe] C:\Windows\System32\hgmos.exe

The entry may not be exactly as the one above.
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
Note: * = a randomly generated letter.

Also entries that look like these:
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
O4 - HKLM\..\Run: [exe.zpomd] C:\WINDOWS\system32\dmopz.exe
O4 - HKLM\..\Run: [exe.jlamd] C:\WINDOWS\system32\dmalj.exe
O4 - HKLM\..\Run: [exe.uqhmd] C:\WINDOWS\system32\dmhqu.exe
O4 - HKLM\..\Run: [exe.somgh] C:\WINDOWS\system32\hgmos.exe
The name after "exe." is the filename reversed; it usually begins with the letters "dm, cs, hg" , as above.


Usually there'll be 017 entries showing in hijackthis log with the following IP Addresses:
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFF8F98-69BE-40ED-A311-2965DB08F05D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{24945E12-5B0C-4B95-841C-56FBF0A6DAC0}: NameServer = 195.95.218.1,85.255.112.7
or any O17 with a similar IP resolving to Atrivotechnologies, EstHost hosting company, Tartu Peapostkontor, pk. 12, Estonia, InterCage, or to inhoster, Ukraine.


And here are the most common 017 wareout entries that are usually present in hijackthis logs: these entries are almost always present; it's rare not to see them in the log with wareout infection.
O17 - HKLM\System\CS2\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.113.139,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{829B2203-98D9-493A-B9C9-0CBFE371CDBE}: NameServer = 85.255.115.38,85.255.112.103


*Ewido's log shows the following entries:
[176] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning
[196] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning


*SilentRunners' log will show a five-letter exe usually starting with 'cs', 'dm', 'df', which is a sure sign of WareOut:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cspxq.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csott.exe" [null data]


*BlackLight will also detect some of the files:
01/21/06 10:00:04 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\cspxq.exe
01/21/06 10:00:05 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\dmbsx.exe
The file names will be random, but the exes are five-letter names beginning with 'cs', 'dm' or 'df'.


Have fun 'wareout' hunting! :)
0
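The indicators rpggamergirl lists above (O17 NameServer entries pointing at the 85.255.112-115 resolvers or the other quoted addresses, the reversed "exe.xxxxx" Run values, the five-letter dm/cs/hg/df executables, and the back-to-front hosts entry) can be turned into a small triage check over a HijackThis log. This is an added example, not code from the thread or from any of the tools it mentions; the 85.255.112.0/22 block is my own grouping of the addresses quoted in the thread, and the sample log lines are constructed.

```python
"""Triage a HijackThis log for the Wareout indicators described in the thread."""
import ipaddress
import re
from typing import List, Tuple

# Resolver addresses quoted in the thread. All the 85.255.x.x ones fall inside
# 85.255.112.0/22 (assumption: treated as a single block here); the rest are
# kept as individual addresses.
ROGUE_DNS_NET = ipaddress.ip_network("85.255.112.0/22")
ROGUE_DNS_HOSTS = {"69.50.184.84", "195.225.176.37", "195.95.218.1"}

O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O4_RE = re.compile(r"^O4 - .*\\Run: \[([^\]]+)\] (.*)$")
# Five-letter exe beginning with dm/cs/hg/df; the thread warns this also
# matches legitimate files, so treat it as a lead, not a verdict.
FIVE_LETTER_RE = re.compile(r"^(dm|cs|hg|df)[a-z]{3}\.exe$")
HOSTS_RE = re.compile(r"^O1 - Hosts: localhost 127\.0\.0\.1")


def _exe_name(value: str) -> str:
    """Basename of the first .exe in a Run value, ignoring quotes and arguments."""
    m = re.search(r'([^\\\s"]+\.exe)', value, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_rogue_dns(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip in ROGUE_DNS_NET or addr in ROGUE_DNS_HOSTS


def scan_hjt_log(text: str) -> List[Tuple[str, str]]:
    """Return (indicator, log line) pairs for every Wareout-style line found."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O17 - "):
            m = O17_RE.match(line)
            if m:
                servers = re.split(r"[,\s]+", m.group(1).strip())
                bad = [a for a in servers if _is_rogue_dns(a)]
                if bad:
                    findings.append(("rogue_dns:" + ",".join(bad), line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup entries and the like
            key, exe = m.group(1).lower(), _exe_name(m.group(2))
            if key.startswith("exe.") and key[4:] == exe[:-4][::-1]:
                findings.append(("reversed_run_name", line))
            elif FIVE_LETTER_RE.match(exe):
                findings.append(("five_letter_exe", line))
        elif HOSTS_RE.match(line):
            findings.append(("hosts_reversed_entry", line))
    return findings


# Constructed sample: legitimate lines from the thread mixed with the patterns
# rpggamergirl describes, plus one clean O17 entry.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
O4 - HKLM\..\Run: [hgmos.exe] C:\Windows\System32\hgmos.exe
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFF8F98-69BE-40ED-A311-2965DB08F05D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 4.2.2.4
"""

if __name__ == "__main__":
    for indicator, line in scan_hjt_log(SAMPLE_LOG):
        print(f"{indicator:45} {line}")
```

Pass any saved HijackThis log through `scan_hjt_log`; the `five_letter_exe` hits are the ones to submit to an online scanner, as the thread advises, before deleting anything.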
 
cjtramanCommented:
oops...bigger tale....nice info...thanks...:-)
0