Solved

Google search redirects me to other search sites

Posted on 2008-10-25
954 Views
Last Modified: 2013-12-09
When I search in Google and click on one of the suggested sites, it often takes me to other search sites, usually nothing to do with the original search.
I have run SmitFraudFix.exe and it tells me I am the victim of a DNS hijack and fixes the problem, but when I reboot the problem has returned.
I have seen problems similar to mine being answered with a suggestion to run HijackThis, but I don't know what to do with the output...
Thanks
Keith
Question by:marshdocs
15 Comments
 
LVL 20

Expert Comment

by:IndiGenus
Hi,
Post the output of the HijackThis log here, and we can take a look. Post it in the attach file window.
 

Author Comment

by:marshdocs
Hi, Attached is the HijackThis Log.
Thanks
hijackthis.log
 
LVL 20

Expert Comment

by:IndiGenus
It's a Wareout infection. Unfortunately I don't think Fixwareout works on Vista. And on second look it doesn't look like the tool is available any more.

I believe we can get this with combofix.

Please download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

 

Author Comment

by:marshdocs
Hi, I ran ComboFix (log attached) and I also attach a new HijackThis log.
Thanks
ComboFix.txt
hijackthis2.log
 
LVL 47

Expert Comment

by:rpggamergirl

Vista doesn't use the winlogon system value, so just fixing these entries in HijackThis should fix the Wareout redirects. I haven't looked at the CF log to see if there are other nasties present, though.

Run HijackThis, check these entries and, with all browsers and other windows closed except HijackThis, click "Fix checked":
O2 - BHO: (no name) - {CEB57193-6088-475D-B489-F8C76AD12A28} - C:\Windows\system32\adtschem.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer = 85.255.112.132;85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCF1BA46-C97C-47C0-BD47-B0EF33D2F346}: NameServer = 85.255.112.132;85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer = 85.255.112.132;85.255.112.12

C:\Windows\system32\adtschem.dll <-- HijackThis usually deletes this file, but just check to make sure it's gone after fixing the entry in HijackThis.
 
LVL 20

Expert Comment

by:IndiGenus
Agree with rpg. Just fix the O17s.
You can also remove this task file if still present:
C:\Windows\Tasks\Antispyware Scheduled Scan.job

Looks like that rogue was on there at one time but gone now.

You should also avoid playing around with cracks as they will keep getting you infected.

C:\temp\OmniPage.Professional.v15.Multilingual.CRACK.ONLY-iND
 

Author Comment

by:marshdocs
Hi both, Thanks for your input.
I ran HijackThis, selected the O17 entries and clicked 'Fix Check', but when I do another scan the entries are still there... (all browsers closed etc.)
Should I manually edit the registry to remove these entries??
I attach another HiJackThis.log.
I have removed the Antispyware Scheduled Scan.job entry but don't find C:\Windows\system32\adtschem.dll, although there is a C:\Windows\system32\adtschema.dll (with an 'a' before the '.dll').
This PC is my son's, so he must have downloaded the offending software...
hijackthis3.log
 
LVL 20

Expert Comment

by:IndiGenus
Hi,
I've been banging my head against the wall on this... wish I knew exactly how the Fixwareout tool worked. There is another file (or files) that we cannot see. It likely looks something like...
C:\Windows\system32\dmwsh.exe

The file name is random but they all begin with dm...

Have you tried a system restore? I've seen a couple of threads where this solved a stubborn Wareout infection on a Vista machine.

Worth a try.....restore back to a date prior to when problems started.

I'll keep looking into a fix.

 
LVL 20

Expert Comment

by:IndiGenus
Ahhh... I bet this is why. When you ran HijackThis to fix the O17s, did you run it as an Admin?
You need to do that.

When running HJT, right-click and select "Run as administrator". Then clear the O17s, reboot, and see if that helps.
 
LVL 47

Expert Comment

by:rpggamergirl
I don't think there is a hidden Wareout stealth file in Vista, not that I know of, but in XP yes there would be.


You would need to disable/stop this service --> "Windows Tribute Service"
C:\Windows\system32\kdhvd.exe <-- and delete this file; this would be the culprit, that's a Wareout file.
Disable and stop the service either via Start > Run > type in

Services.msc

And disable it from there.

OR: stop and delete that service using sc.exe
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop "Windows Tribute Service"
sc delete "Windows Tribute Service"

exit

And fix those O17 entries again.
 
LVL 47

Expert Comment

by:rpggamergirl
>>>but don't find C:\Windows\system32\adtschem.dll <<<
I expected HijackThis had deleted the file, as it should when it fixes the O2 line, but sometimes some nasties are hard to get rid of and HijackThis can't delete the file; that's why I asked to make sure it's gone.

>>>although there is an C:\Windows\system32\adtschema.dll (with an 'a' before the '.dll')<<<
That file is a legit file; please do not remove it.
 
LVL 47

Expert Comment

by:rpggamergirl

>>>There is another file(s) that we cannot see. Likely looks something like....
C:\Windows\system32\dmwsh.exe
<<<

Indi, you are right that some Wareout files start with "dm***.exe".
A Wareout infection uses five-letter EXE file names beginning with 'cs', 'dm', 'df', 'jb' or 'kd'.
They are not hidden in Vista though, as Vista doesn't make use of the winlogon system value.
But in my searches I did notice, in the Vista logs that I've seen, that they use a service instead, as this log also shows.
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe <-- a five letter .exe that starts with "kd".
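The two indicators the experts keep returning to in this thread are the O17 NameServer entries (the resolver addresses written into the Tcpip interface keys) and the O23 service whose five-letter EXE name in system32 starts with one of the Wareout prefixes. The following is an added example for triaging a HijackThis log against exactly those two patterns, plus the unnamed O2 BHO quoted earlier in the thread. It is not code from this thread and has nothing to do with HijackThis itself; the sample log lines are constructed from the entries quoted above (with two ordinary entries, a placeholder CLSID and a router address, added for contrast), the `EXPECTED_RESOLVERS` allowlist is an assumption standing in for whatever the ISP or router actually hands out, and the prefix regex encodes rpggamergirl's description of the naming scheme as a heuristic, not proof of infection.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log style. The O2/O17/O23 entries with the
# adtschem.dll, 85.255.112.x and kdhvd.exe values are copied from this thread;
# the "Example Vendor Helper", 192.168.1.1 and svchost.exe lines are made up
# benign entries (placeholder CLSID) so the checks have something to pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CEB57193-6088-475D-B489-F8C76AD12A28} - C:\Windows\system32\adtschem.dll
O2 - BHO: Example Vendor Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0035FA7D-4703-4190-9078-F7E6963CA9EF}: NameServer = 85.255.112.132;85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Windows\system32\svchost.exe
"""

# Assumption: the resolvers this machine is *supposed* to use (router/ISP).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# The hijacked resolver values quoted in this thread, kept as "seen in this
# case" rather than as a general blocklist.
THREAD_HIJACK_RESOLVERS = {"85.255.112.132", "85.255.112.12"}

# Five-letter EXE beginning with cs/dm/df/jb/kd, per the description above.
SUSPECT_EXE_NAME = re.compile(r"^(cs|dm|df|jb|kd)[a-z]{3}\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O17"
    reason: str    # human-readable explanation
    line: str      # the log line that triggered it


def parse_nameservers(line: str) -> list[str]:
    """Return the resolver list from an O17 'NameServer = a;b' line."""
    m = re.search(r"NameServer\s*=\s*(.+)$", line)
    if not m:
        return []
    return [s.strip() for s in re.split(r"[;,\s]+", m.group(1)) if s.strip()]


def check_o17(line: str) -> list[Finding]:
    """Flag any resolver that is not one we expect to be configured."""
    findings = []
    for ns in parse_nameservers(line):
        if ns in EXPECTED_RESOLVERS:
            continue
        try:
            ip = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(Finding("O17", f"unparseable resolver {ns!r}", line))
            continue
        if ns in THREAD_HIJACK_RESOLVERS:
            reason = f"resolver {ns} matches the hijacked values reported in this thread"
        elif ip.is_global:
            reason = f"unexpected public resolver {ns}"
        else:
            reason = f"unexpected private resolver {ns}"
        findings.append(Finding("O17", reason, line))
    return findings


def check_o23(line: str) -> list[Finding]:
    """Flag services whose binary is a system32 EXE with a Wareout-style name."""
    m = re.search(r"O23 - Service: (.+?) - (.+?) - (.+)$", line)
    if not m:
        return []
    name, _owner, path = m.groups()
    exe = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "system32" in path.lower() and SUSPECT_EXE_NAME.match(exe):
        return [Finding("O23", f"service {name!r} runs {exe}, a five-letter "
                               f"system32 EXE with a Wareout-style prefix", line)]
    return []


def check_o2(line: str) -> list[Finding]:
    """Flag browser helper objects that register without a name."""
    m = re.search(r"O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$", line)
    if not m:
        return []
    name, clsid, path = m.groups()
    if name.strip().lower() == "(no name)":
        return [Finding("O2", f"unnamed BHO {clsid} loading {path}; verify the DLL", line)]
    return []


def triage(log_text: str) -> list[Finding]:
    """Run the section-specific checks over every line of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O17 "):
            findings.extend(check_o17(line))
        elif line.startswith("O23 "):
            findings.extend(check_o23(line))
        elif line.startswith("O2 "):
            findings.extend(check_o2(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as-is and it reports the unnamed BHO, both hijacked resolvers and the "Windows Tribute Service" binary while staying silent on the router resolver and svchost.exe. The allowlist approach matters more than the thread's specific 85.255.112.x values: a different hijack would write different addresses, and the question a defender actually needs answered is "is this the resolver I configured?", which the O17 check answers regardless of which addresses appear.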
 
LVL 20

Accepted Solution

by:
IndiGenus earned 250 total points
Good stuff rpg. That's interesting. I have found out that the developer of the Wareoutfix tool (Lonny) has pulled the tool, so it's not available any more.

I have not seen many or worked on any Vista machines with Wareout. I've been told by some other experts, and you have confirmed this rpg, that all we should need to do is fix the O17s, so hopefully that will do it here. There shouldn't be any rootkit present. I guess if just fixing the O17s does not work we could use one of the rootkit scanners to see what's found.

 

Author Comment

by:marshdocs
Hi Guys,
I have deleted the O17 lines - it took about 4 times. I would check the O17 line, click fix and then do another scan, and they would still be there. Then I would do it again and they were still there, then again, still there, and after the 4th time they disappeared and stayed gone...
So hopefully all is fixed...
Really loads of thanks for your help.

 
LVL 47

Expert Comment

by:rpggamergirl
>>> I have deleted the O17 lines - it took about 4 times <<<

Wareout in Vista is usually just a matter of fixing the entries.
What did you do with the O23 entry? That could be why the O17 entries didn't come off easily, as Wareout still also has a service running.
Did you fix the O23 entry as well, or did you use another scanner?

You may not think so, but the below entry belongs to Wareout.
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdhvd.exe