Google search redirects me to other search sites

When I search in google and click on one of the suggested sites, it often takes me to other search sites - usually nothing to do with the original search.
I have run SmitFraudFix.exe and it tells me I am the victim of a DNS hijack and fixes the problem, but when I reboot the problem has returned.
I have seen problems similar to mine being answered with a suggestion to run HijackThis, but I don't know what to do with the output....

Post the output of the HijackThis log here, and we can take a look. Post it in the attach file window.
marshdocsAuthor Commented:
Hi, Attached is the HijackThis Log.
It's a Wareout infection. Unfortunately I don't think Fixwareout works on Vista. And on second look it doesn't look like the tool is available any more.

I believe we can get this with combofix.

Please download ComboFix from either of these links to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.


marshdocsAuthor Commented:
Hi, I ran ComboFix (log attached) and I also attach a new HijackThis log.

Vista doesn't use the winlogon system value, so just fixing these entries in HijackThis should fix the Wareout redirects. I haven't looked at the CF log to see if there are other nasties present, though.

Run Hijackthis and checkmark these entries and while all browsers and other windows are closed except hijackthis, click "Fix checked":
O2 - BHO: (no name) - {CEB57193-6088-475D-B489-F8C76AD12A28} - C:\Windows\system32\adtschem.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer =;
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCF1BA46-C97C-47C0-BD47-B0EF33D2F346}: NameServer =;
O17 - HKLM\System\CS1\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer =;

C:\Windows\system32\adtschem.dll <-- HijackThis usually deletes this file, but just check to make sure it's gone after fixing the entry in HijackThis.
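The two things the fix above targets can be checked and cleared from an elevated PowerShell prompt instead of the HijackThis GUI. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It assumes PowerShell 2.0 or later with the registry provider, and that the "-Fix" switch is used only from a session started with "Run as administrator" (HKLM writes fail without it, which is the same reason HijackThis has to be run elevated). The registry paths are the standard Windows locations behind the O17 and O2 lines; the "SUSPECT" logic is this example's own heuristic.

```powershell
# Added example (not part of the original thread): audit the per-interface
# DNS servers HijackThis reports as O17 lines and the BHO it reports as an
# O2 line, and clear suspect DNS entries when run with -Fix.
# Assumption: PowerShell 2.0+; -Fix requires an elevated session.
param([switch]$Fix)

$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

function Get-StaticNameServers {
    # HijackThis shortens these to HKLM\System\CCS\... and HKLM\System\CS1\...
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
             'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters'
    foreach ($root in $roots) {
        # the global value plus one key per adapter GUID
        $keys = @(Get-Item $root) + @(Get-ChildItem "$root\Interfaces" -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $p = Get-ItemProperty -Path $k.PSPath
            if (-not $p.NameServer) { continue }   # empty: normal for a DHCP client
            New-Object PSObject -Property @{
                Key     = $k.PSPath -replace '^.*::'
                Static  = [string]$p.NameServer
                Dhcp    = [string]$p.DhcpNameServer
                # Heuristic (this example's own): a static server that differs from
                # the DHCP-assigned one is the hijack signature. On an adapter you
                # configured by hand it will flag your own servers too.
                Suspect = ([string]$p.NameServer -ne [string]$p.DhcpNameServer)
            }
        }
    }
}

foreach ($e in Get-StaticNameServers) {
    "{0}`n  NameServer={1}  DhcpNameServer={2}  {3}" -f $e.Key, $e.Static, $e.Dhcp,
        $(if ($e.Suspect) { 'SUSPECT' } else { 'ok' })
    if ($Fix -and $e.Suspect) {
        if (-not $isAdmin) { Write-Warning "not elevated, cannot write $($e.Key)"; continue }
        Set-ItemProperty -Path ('Registry::' + $e.Key) -Name NameServer -Value ''
        '  cleared'
    }
}
if ($Fix) { ipconfig /flushdns | Out-Null }   # drop cached answers from the rogue resolver

# O2: HijackThis prints the BHO CLSID; the DLL it loads is the InprocServer32
# default value under HKLM\SOFTWARE\Classes\CLSID\{CLSID}.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($b in Get-ChildItem $bhoRoot -ErrorAction SilentlyContinue) {
    $clsid = $b.PSChildName
    $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
    $dll   = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    $exists = $(if ($dll) { Test-Path $dll } else { $false })
    # A BHO with no readable name whose DLL has already been deleted is a dangling
    # entry; one whose DLL still exists in system32 is the one to look at.
    "BHO {0}  name='{1}'  dll={2}  exists={3}" -f $clsid, $name, $dll, $exists
}
```

Run it once without "-Fix" to see what is set, then with "-Fix" from an elevated prompt. Before clearing anything, note the values: in this thread the O17 lines' NameServer values are not shown, and the only way to tell a rogue resolver from a legitimate static one is to know what address the adapter should be using.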
Agree with rpg. Just fix the O17s.
You can also remove this task file if still present:
C:\Windows\Tasks\Antispyware Scheduled Scan.job

Looks like that rogue was on there at one time but gone now.

You should also avoid playing around with cracks as they will keep getting you infected.

marshdocsAuthor Commented:
Hi both, Thanks for your input.
I ran HijackThis, selected the O17 entries and clicked 'Fix checked', but when I do another scan the entries are still there... (all browsers closed etc.)
Should I manually edit the registry to remove these entries??
I attach another HijackThis.log.
I have removed the Antispyware Scheduled Scan.job entry but don't find C:\Windows\system32\adtschem.dll, although there is a C:\Windows\system32\adtschema.dll (with an 'a' before the '.dll').
This PC is my sons so he must have downloaded the offending software...
I've been banging my head against the wall on this....wish I knew exactly how the fixwareout tool worked. There is another file(s) that we cannot see. Likely looks something like....

The file name is random but they all begin with dm...

Have you tried a system restore? I've seen a couple of threads where this solved a stubborn Wareout infection on a Vista machine.

Worth a try.....restore back to a date prior to when problems started.

I'll keep looking into a fix.

Ahhh.....I bet this is why. When you ran HijackThis to fix the O17s, did you run it as an Admin?
You need to do that.

When running HJT, right click and select "Run as administrator". Then clear the O17s, reboot, and see if that helps.
I don't think there is a hidden Wareout stealth file in Vista, not that I know of, but in XP yes there would be.

You would need to disable/stop this service --> "Windows Tribute Service"
C:\Windows\system32\kdhvd.exe <-- and delete this file, this would be the culprit, that's a wareout file.
disable and stop the service either via Start > Run > type in


And disable it from there.

OR: stop and delete that service using sc.exe
Go to Start Menu > Run > type


Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop "Windows Tribute Service"
sc delete "Windows Tribute Service"


And fix those O17 entries again.
>>>but don't find C:\Windows\system32\adtschem.dll <<<
I expected HijackThis to have deleted the file, as it should when it fixes the O2 line, but sometimes some nasties are hard to get rid of and HijackThis can't delete the file; that's why I asked you to make sure it's gone.

>>>although there is an C:\Windows\system32\adtschema.dll (with an 'a' before the '.dll')<<<
that file is a legit file please do not remove it.

>>>There is another file(s) that we cannot see. Likely looks something like....

Indi, you are right that some Wareout files start with "dm***.exe".
The Wareout infection uses five-letter EXE file names beginning with 'cs', 'dm', 'df', 'jb' or 'kd'.
They are not hidden in Vista though, as Vista doesn't make use of the winlogon system value.
But in my searches, I did notice in Vista logs that I've seen they use a service instead, as this log also shows.
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe <-- a five letter .exe that starts with "kd".
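The naming pattern rpg describes is narrow enough to hunt for directly, and the removal can be scripted the same way as the sc.exe commands above. The script below is an added example, not code from the thread or from any Wareout removal tool; the prefix list is the one given in this thread and is not claimed to be a complete indicator set. It assumes an elevated PowerShell 2.0 or later session on Vista or newer, and it uses the service's key name from WMI (what sc.exe needs) rather than the display name HijackThis prints on an O23 line, since the two are not always the same.

```powershell
# Added example (not part of the original thread): find services and files
# that fit the Wareout naming pattern described here (five-letter .exe in
# system32 starting with cs/dm/df/jb/kd) and, with -Remove, stop and delete
# the service and its binary. Assumption: elevated PowerShell 2.0+.
param([switch]$Remove)

$pattern = '^(cs|dm|df|jb|kd)[a-z]{3}\.exe$'
$sys32   = Join-Path $env:SystemRoot 'system32'

function Test-MicrosoftSigned([string]$Path) {
    # Legitimate system files can fit the pattern (csrss.exe does), so skip
    # binaries carrying a valid Microsoft Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft')
}

# 1. Services whose binary matches. Win32_Service.Name is the key name sc.exe
#    needs; DisplayName is what the HijackThis O23 line shows.
$suspect = @()
foreach ($svc in Get-WmiObject Win32_Service) {
    # PathName may be quoted and may carry arguments; take the .exe path only
    if (-not ($svc.PathName -match '^\s*"?(?<exe>[^"]+?\.exe)')) { continue }
    $exe = $Matches['exe']
    if ([IO.Path]::GetFileName($exe) -notmatch $pattern) { continue }
    if ((Test-Path $exe) -and (Test-MicrosoftSigned $exe)) { continue }
    $suspect += New-Object PSObject -Property @{
        Name = $svc.Name; Display = $svc.DisplayName; State = $svc.State; Exe = $exe
    }
}
foreach ($s in $suspect) {
    "service  Name='{0}'  DisplayName='{1}'  State={2}`n         {3}" -f $s.Name, $s.Display, $s.State, $s.Exe
}

# 2. Loose files with the same naming pattern, reported for manual review only.
$loose = Get-ChildItem $sys32 -Filter '*.exe' | Where-Object {
    $_.Name -match $pattern -and -not (Test-MicrosoftSigned $_.FullName)
}
foreach ($f in $loose) { "file     {0}  modified {1}" -f $f.FullName, $f.LastWriteTime }

if (-not $Remove) { return }

# 3. Same sequence as the thread: stop, delete the service entry, then the file.
#    Only binaries a suspect service points at are touched.
foreach ($s in $suspect) {
    & sc.exe stop   $s.Name | Out-Null
    & sc.exe delete $s.Name
    if (Test-Path $s.Exe) {
        # a still-running copy keeps the file locked; end it first
        Get-Process | Where-Object { try { $_.Path -eq $s.Exe } catch { $false } } | Stop-Process -Force
        Remove-Item $s.Exe -Force
        "deleted  {0}" -f $s.Exe
    }
}
```

Run it without "-Remove" first and read the output. Two caveats: on Vista-era systems many Microsoft binaries are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature of that era reports them as NotSigned, so the loose-file list will contain legitimate files and must be checked by hand (never delete a running system binary such as csrss.exe); and "-Remove" acts only on services whose binary matched, which is the Windows Tribute Service / kdhvd.exe case in this thread. After the service is gone, fix the O17 lines again and they should stay fixed.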
Good stuff rpg. That's interesting. I have found out that the developer of the Wareoutfix tool (Lonny) has pulled the tool, so it's not available any more.

I have not seen many or worked on any Vista machines with Wareout. I've been told by some other experts and you have confirmed this rpg that all we should need to do is fix the 017's, so hopefully that will do it here. There shouldn't be any rootkit present. I guess if just fixing the 017's does not work we could use one of the rootkit scanners to see what's found.


marshdocsAuthor Commented:
Hi Guys,
I have deleted the O17 lines - it took about 4 times. I would check the O17 line, click fix and then run another scan, and they would still be there. Then I would do it again and they were still there, then again, still there, and after the 4th time they have disappeared and stayed gone...
So hopefully all is fixed...
Really loads of thanks for your help.

>>> I have deleted the O17 lines - it took about 4 times <<<

Wareout in Vista is usually just a matter of fixing the entries.
What did you do with the O23 entry? That could be why the O17 entries didn't come off easily, as Wareout still also has a service running.
Did you fix the O23 entry as well, or did you use another scanner?

You may not think so, but the below entry belongs to Wareout.
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe