

Google search redirects me to other search sites

Posted on 2008-10-25
Medium Priority
Last Modified: 2013-12-09
When I search in Google and click on one of the suggested sites, it often takes me to other search sites - usually nothing to do with the original search.
I have run SmitFraudFix.exe and it tells me I am the victim of a DNS hijack and fixes the problem, but when I reboot the problem has returned.
I have seen problems similar to mine being answered with a suggestion to run HijackThis, but I don't know what to do with the output....
Question by: marshdocs
LVL 20

Expert Comment

ID: 22803964
Post the output of the HijackThis log here, and we can take a look. Post it in the attach file window.

Author Comment

ID: 22804160
Hi, Attached is the HijackThis Log.
LVL 20

Expert Comment

ID: 22804336
It's a Wareout infection. Unfortunately I don't think Fixwareout works on Vista. And on second look it doesn't look like the tool is available any more.

I believe we can get this with combofix.

Please download ComboFix from either of these links to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.


Author Comment

ID: 22804937
Hi, I ran ComboFix (log attached) and I also attach a new HijackThis log.
LVL 47

Expert Comment

ID: 22805309

Vista doesn't use winlogon system value so just fixing these entries in hijackthis should fix the wareout redirects. I haven't looked at the CF log if there are other nasties present though.

Run Hijackthis and checkmark these entries and while all browsers and other windows are closed except hijackthis, click "Fix checked":
O2 - BHO: (no name) - {CEB57193-6088-475D-B489-F8C76AD12A28} - C:\Windows\system32\adtschem.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer =;
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCF1BA46-C97C-47C0-BD47-B0EF33D2F346}: NameServer =;
O17 - HKLM\System\CS1\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer =;

C:\Windows\system32\adtschem.dll <-- HijackThis usually deletes this file, but just check to make sure it's gone after fixing the entry in HijackThis.
LVL 20

Expert Comment

ID: 22805552
Agree with rpg. Just fix the 017's.
You can also remove this task file if still present:
C:\Windows\Tasks\Antispyware Scheduled Scan.job

Looks like that rogue was on there at one time but gone now.

You should also avoid playing around with cracks as they will keep getting you infected.


Author Comment

ID: 22806500
Hi both, Thanks for your input.
I run HiJackThis and select the O17 entries and 'Fix Check' but when I do another scan the entries are still there...(all browsers closed etc.)
Should I manually edit the registry to remove these entries??
I attach another HiJackThis.log.
I have removed the Antispyware Scheduled Scan.job entry but don't find C:\Windows\system32\adtschem.dll, although there is a C:\Windows\system32\adtschema.dll (with an 'a' before the '.dll').
This PC is my son's, so he must have downloaded the offending software...
LVL 20

Expert Comment

ID: 22807130
I've been banging my head against the wall on this....wish I knew exactly how the fixwareout tool worked. There is another file(s) that we cannot see. Likely looks something like....

The file name is random but they all begin with dm...

Have you tried a system restore? I've seen a couple of threads where this solved a stubborn Wareout infection on a Vista machine.

Worth a try.....restore back to a date prior to when problems started.

I'll keep looking into a fix.

LVL 20

Expert Comment

ID: 22807282
Ahhh.....I bet this is why. When you ran HijackThis to fix the 017's, did you run it as an Admin?
You need to do that.

When running HJT right click and select "Run as administrator". Then clear the 017's, reboot, and see if that helps.
LVL 47

Expert Comment

ID: 22811070
I don't think there is a hidden Wareout stealth file in Vista, not that I know of, but in XP yes, there would be.

You would need to disable/stop this service --> "Windows Tribute Service"
C:\Windows\system32\kdhvd.exe <-- and delete this file, this would be the culprit, that's a wareout file.
disable and stop the service either via Start > Run > type in


And disable it from there.

OR: stop and delete that service using sc.exe
Go to Start Menu > Run > type


Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop "Windows Tribute Service"
sc delete "Windows Tribute Service"


And fix those 017 entries again.
LVL 47

Expert Comment

ID: 22811100
>>>but don't find C:\Windows\system32\adtschem.dll <<<
I expected HijackThis had deleted the file, as it should when it fixes the O2 line, but sometimes some nasties are hard to get rid of and HijackThis can't delete the file; that's why I asked to make sure it's gone.

>>>although there is an C:\Windows\system32\adtschema.dll (with an 'a' before the '.dll')<<<
that file is a legit file please do not remove it.
LVL 47

Expert Comment

ID: 22811577

>>>There is another file(s) that we cannot see. Likely looks something like....

Indi, you are right that some Wareout files start with "dm***.exe".
Wareout infection uses five-letter EXE file names beginning with 'cs', 'dm', 'df', 'jb' or 'kd'.
They are not hidden in Vista though, as Vista doesn't make use of the winlogon system value.
But in my searches, I did notice in the Vista logs that I've seen that they use a service instead, as this log also shows:
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe <-- a five-letter .exe that starts with "kd".
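As an added example (not code from this thread or from the HijackThis project), here is a small Python triage script that applies the rules given in the two comments above to HijackThis log lines: it flags O2 BHOs with no name, O17 NameServer values that are not on a trusted list, and O23 services whose binary is a five-letter .exe beginning with cs, dm, df, jb or kd. The sample log lines are constructed, and the 192.0.2.x DNS addresses are documentation placeholders, not real servers.

```python
import re

# Five-letter executable names of the form described in the thread (e.g. kdhvd.exe).
WAREOUT_EXE = re.compile(r"^(cs|dm|df|jb|kd)[a-z]{3}\.exe$", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", re.IGNORECASE)
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = ?(?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample lines modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CEB57193-6088-475D-B489-F8C76AD12A28} - C:\Windows\system32\adtschem.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer = 192.0.2.1,192.0.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer =;
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def triage(log_text, trusted_dns=()):
    """Return (section, reason) tuples for suspicious HijackThis lines.

    trusted_dns: the DNS servers you expect on this machine (ISP or router);
    any other NameServer value in an O17 line is reported.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append(("O2", "BHO with no name: " + m.group("path")))
            continue
        m = O17_RE.match(line)
        if m:
            # A trailing ';' or empty value means no hard-coded server on that interface.
            servers = [s.strip() for s in m.group("servers").rstrip(";").split(",") if s.strip()]
            rogue = [s for s in servers if s not in trusted_dns]
            if rogue:
                findings.append(("O17", "NameServer not in trusted list: " + ",".join(rogue)))
            continue
        m = O23_RE.match(line)
        if m:
            exe = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1]
            if WAREOUT_EXE.match(exe):
                findings.append(("O23", f"service '{m.group('name')}' runs {exe} (Wareout-style name)"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, reason)
```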
LVL 20

Accepted Solution

IndiGenus earned 1000 total points
ID: 22811838
Good stuff rpg. That's interesting. I have found out that the developer of the Wareoutfix tool (Lonny) has pulled the tool, so it's not available any more.

I have not seen many or worked on any Vista machines with Wareout. I've been told by some other experts and you have confirmed this rpg that all we should need to do is fix the 017's, so hopefully that will do it here. There shouldn't be any rootkit present. I guess if just fixing the 017's does not work we could use one of the rootkit scanners to see what's found.


Author Comment

ID: 22811880
Hi Guys,
I have deleted the O17 lines - it took about 4 times, I would check the O17 line click fix and then another scan and they would still be there. Then would do it again and still there, then again, still there and after the 4th time they have disappeared and stayed gone...
So hopefully all is fixed...
Really loads of thanks for your help.

LVL 47

Expert Comment

ID: 22883949
>>> I have deleted the O17 lines - it took about 4 times <<<

Wareout in Vista is usually just a matter of fixing the entries.
What did you do with the O23 entry? That could be why the O17 entries didn't come off easily, as Wareout still also has a service running.
Did you fix the O23 entry as well, or did you use another scanner?

You may not think so but the below entry belongs to wareout.
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe
