Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Web browser being redirected to search sites

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Web browser being redirected to search sites

Unread postby paul.lambert » November 12th, 2006, 12:33 pm

Hi MR experts.

I have a problem with adware/spyware as follows:

I open IE6 with Google as the home page.
I do a search and obtain the normal list of results.

However when I then click on the link I am redirected to random search sites, forums, online stores.

I have tried the following to remove the pest:

Started Windows in Safe Mode.
Run scans with AVG, Adaware, Spybot and A Squared.
The programs do detect viruses and other malware.
The infected files are apparently cleaned and deleted according to the reports.

I then reboot the pc and I am still getting redirected.

If anyone can help me to find the culprit I would be very grateful.
Otherwise I am prepared to reformat and start from scratch.

My Hijackthis log is as follows:


Logfile of HijackThis v1.99.1
Scan saved at 16:21:37, on 12/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0E79192A-C52C-4260-920F-639AC2296203} - http://scripts.downloadv3.com/binaries/ ... _EN_XP.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2054580437
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downloads ... ofupld.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downloadv3.com/binaries/ ... _EN_XP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/ ... 068_XP.cab
O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/ ... 069_XP.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DEE1D07-4183-4026-9440-2FF0E9AE87EC}: NameServer = 85.255.115.52,85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B02E37-B9AC-4DFE-9924-C43CDC9EED94}: NameServer = 85.255.115.52,85.255.112.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



Thanks experts!

Paul
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm
Advertisement
Register to Remove

Unread postby Vino Rosso » November 12th, 2006, 1:43 pm

Hi Paul and welcome to the Malware Removal forums.
My name is Vino Rosso - if it helps, you can call me Vino for short. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a little time to research and, while I complete my training, all my recommended fixes will be checked by an expert.

Please be patient and I'd be grateful if you would note the following:
  • I will working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Finally, please reply to this thread. Do not start a new topic.
I'm working through your log and will be back soon.

Thanks
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby paul.lambert » November 12th, 2006, 2:13 pm

Hi Vino,

Thanks for replying so quickly.

I am new to this forum which has been recommended as THE place to come to talk to those that know how to get rid of those really stubborn paininthejacksywares!

Look forward to working with you to sort this out.

Paul
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm

Unread postby Vino Rosso » November 13th, 2006, 11:40 am

Hi Paul

This may take a few posts to get rid of so let's get started...

1 - Firewall
I have looked through your HijackThis log and cannot see any sign that you are using a firewall. Have you got Windows XP firewall running? If not, please turn it on via Start > Control Panel > Security Center > Windows Firewall. This is better than nothing but it only protects against incoming traffic. It doesn't protect you against outgoing baddies trying to "phone home". I strongly recommend that you install a firewall that monitors traffic in both directions. Please have a look at this article >here< which provides good information and links to free firewalls.
Note: It's possible that your computer's infection will not allow your to access sites where you can download a firewall in which case please ensure you switch on the Windows XP firewall. You can install a firewall once we get rid of your computer's infection.

2 - FixWareout
Please download to your Desktop FixWareout from either >here< or >here<

Double-click Fixwareout.exe to run the program.
Click Next then Install then make sure Run fixit is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Can you please post the contents of the logfile C:\fixwareout\report.txt with your next reply.

3 - Run HJT Scan
Run a scan with HijackThis and tick the following entries, if present:
O16 - DPF: {0E79192A-C52C-4260-920F-639AC2296203} - http://scripts.downloadv3.com/binaries/ ... _EN_XP.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downloadv3.com/binaries/ ... _EN_XP.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/ ... 068_XP.cab
O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/ ... 069_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DEE1D07-4183-4026-9440-2FF0E9AE87EC}: NameServer = 85.255.115.52,85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B02E37-B9AC-4DFE-9924-C43CDC9EED94}: NameServer = 85.255.115.52,85.255.112.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85


Close all windows except HijackThis
Select Fix Checked in HijackThis.

4 - Network Settings
Now click on Start > Run and type cmd and click on OK
Type ipconfig /flushdns (note the space after ipconfig and before the /)
Press Enter, type exit at the command prompt, then press Enter
The command window will close.

(2000/XP) Only
In the windows control panel (Start > Control Panel), if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Right-click on your default connection, usually local area connection for cable and dsl, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot your PC if asked.

5 - Check on status
After you have completed the above, please reboot and provide:
  • the C:\fixWareout\report.txt
  • a new HijackThis log
Remember, if you can, it's worth printing these instructions out before you start.

Good Luck
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby paul.lambert » November 13th, 2006, 6:33 pm

Hi Vino,

Firstly I'm afraid I am unable to work on the infected pc this week as I am away on business at the moment.
I shall of course follow your instructions as soon as I return.

I can however confirm the following points:

1) The pc is connected to the internet via ADSL using a Netgear firewall router with all inbound ports closed. I have run GRC Shields UP test to confirm the integrity of the firewall. The XP firewall is therefore turned off as I found that running the s/w and h/w firewalls together can interfere with the running of the email client MS Outlook.

2) The pc IP and DNS were originally set manually with BT nameservers. They now obtain automatically and the router is also set to update its DNS automatically from BT. I forgot to flush the DNS cache though so will do this as you suggest.

I shall post the rest of the results as soon as I can.


Thanks Vino
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm

Unread postby Vino Rosso » November 13th, 2006, 7:56 pm

Hi Paul

Paul wrote:Firstly I'm afraid I am unable to work on the infected pc this week as I am away on business at the moment.
No problem, I know the feeling!
Should anyone else have access to your computer while you are away, you should inform them not to connect to the internet. We don't want you returning to more problems!

Paul wrote:1) The pc is connected to the internet via ADSL using a Netgear firewall router with all inbound ports closed. I have run GRC Shields UP test to confirm the integrity of the firewall.
OK, this sounds like my set up - isn't it satisfying to get an all-clear from the Shields Up test :) - however I still run Zone Alarm's firewall to protect against any outbound problems.

Paul wrote:2) The pc IP and DNS were originally set manually with BT nameservers. They now obtain automatically and the router is also set to update its DNS automatically from BT. I forgot to flush the DNS cache though so will do this as you suggest.
It is important that the steps of the fix are followed sequentially to give the best chance of getting rid of the WareOut infection. You can reset the DNS servers back to BT's once you are clean. Oh yes, your current DNS servers are in Ukraine ;)

Cheers
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby paul.lambert » November 14th, 2006, 11:07 am

Hi Vino,

Just checked in and found your reply - thanks for that :)

I use Sygate Personal Firewall on my laptop to check outbound - just haven't got round to putting it on the home one yet.

Re. the DNS servers - Oh yes, so they are!! :oops:
I guess this is all part of WareOut?

Talk again soon

Paul
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm

Unread postby Vino Rosso » November 15th, 2006, 4:55 am

Hi Paul

Paul wrote:Re. the DNS servers - Oh yes, so they are!! Embarassed
I guess this is all part of WareOut?

Yes, and we'll get rid of it once you're back from your trip :)
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby Vino Rosso » November 25th, 2006, 8:32 pm

Hi Paul

It's been quite a while since I've heard from you and, while I appreciate your work may keep you very busy, the type of infection your PC has is such that we must work through fixes in a timely manner otherwise the infection will simply dig in and prove more subborn to remove.

Can you please reply and let me know whether you would still like me to help you and that you will be available to see things through.

Thanks
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby paul.lambert » November 26th, 2006, 4:00 pm

Hi Vino,

Yes work has got in the way and I do apologise very much.
I am going to start working on the fixes tomorrow night (Monday) after work.

Your input and support is valued and I certainly don't want to let you down on this one.

Paul
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm

Unread postby paul.lambert » November 27th, 2006, 3:52 pm

Hi Vino,

I have completed the steps you asked for with the following results.

Interestingly enough I couldn't use your links to the Fixwareout.exe file on this pc as all I got was a 'Server not found' message.
This critter really doesn't want to go without a fight!
So I downloaded it onto another pc and copied onto this one.

When I ran Fixwareout.exe I wasn't asked to reboot but the following report was generated:

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
C:\WINDOWS\repair\autoexec.nt not there
C:\WINDOWS\repair\Config.nt not present
.....
End check for missing files
.....
please post this at the forum


Then I fixed the errors suggested in the Hijackthis log, rebooted and rescanned.
The new Highjackthis log after reboot is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 19:45:15, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Suzette7\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333- CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F- 0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2- BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... x86/client /muweb_site.cab?1162054580437
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downloads ... ofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11 \Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

I then flushed the DNS and checked the LAN card is set to DHCP

I hoe this is looking good and we are on the way to getting rid of Wareout.

Regards

Paul
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm

Unread postby Vino Rosso » November 27th, 2006, 7:52 pm

Hi Paul

FixWareout reported that certain files were missing and therefore could not run properly so we have to restore the missing files.

1 - Replace Missing Files
If you have XP home download this file to your Desktop:
http://homepage.ntlworld.com/spencer.gr ... eFiles.exe

If you have XP Professional download this file to your Desktop:
http://homepage.ntlworld.com/spencer.gr ... ofiles.exe

Go to your Desktop, double-click the downloaded file, and follow the instructions.
Reboot afterwards.

2 - WareOut Fix
Use Windows Explorer to find and double-click on C:\fixwareout\fix-it.bat
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Can you please post the contents of the logfile C:\fixwareout\report.txt

3 - Network Settings
Now click on Start > Run and type cmd and click on OK
Type ipconfig /flushdns (note the space after ipconfig and before the /)
Press Enter, type exit at the command prompt, then press Enter
The command window will close.

(2000/XP) Only
In the windows control panel (Start > Control Panel), if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Right-click on your default connection, usually local area connection for cable and dsl, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot your PC if asked.

4 - Check on status
After you have completed the above, please reboot and provide:
  • the C:\fixWareout\report.txt
  • a new HijackThis log
  • and can you please confirm that you switched on the firewall
Remember, if you can, it's worth printing these instructions out before you start.

Good Luck
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby paul.lambert » November 28th, 2006, 10:42 am

Hi Vino,

OK, I have completed the tasks as requested.

The fixwareout report is as follows


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}00D0791B88C2-0A89-2084-6A48-BC426A64{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rkhmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmhkr.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSIRZ.EXE 51,800 2006-10-26
C:\WINDOWS\SYSTEM32\DMHKR.EXE 61,027 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


The new HijackThis report is:

Logfile of HijackThis v1.99.1
Scan saved at 14:36:33, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Suzette7\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2054580437
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downloads ... ofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


I can also confirm that I have turned on the Windows firewall.

Look forward to your reply

Thanks and regards

Paul
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm

Unread postby paul.lambert » November 28th, 2006, 11:01 am

Hi Vino,

Just a note to say I think I turned on the firewall after running HijackThis. :?

So it might appear its not on in the log.

Regards

Paul
paul.lambert
Regular Member
 
Posts: 20
Joined: November 11th, 2006, 3:30 pm

Unread postby Vino Rosso » November 28th, 2006, 7:58 pm

Hi Paul

OK, Fixwareout ran properly this time.

I note that HijackThis seems to have moved... it was here C:\hijackthis\HijackThis.exe but now is here C:\Documents and Settings\Suzette7\Desktop\HijackThis.exe. It's important that HijackThis is in a folder of its own so the first step will be to move it. We'll then download a couple of programs to prepare for the fix; delete a couple of files; and then run the cleaning programs before an online scan check.

You should consider printing these instructions for reference before proceding.

1 - Move HijackThis
The first thing is we need to move HijackThis into its own folder, away from any Temp folder or directly on the Desktop, as this will allow the program to backup any deletions we make with HijackThis to a safer area.
Go to your Desktop, right-click and select New > Folder > and name it HJT
Drag and drop HijackThis.exe from its current location on to the folder you just created HJT

2 - Program Download
Please download to your Desktop ATF Cleaner by Atribune from >here<. This program is for XP and Windows 2000 only. It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and greys out the other(s).
We will use this program later.

3 - AVG Anti-Spyware Preparation
Download the trial version of AVG anti-spyware from >here< and save it to your Desktop. If you already have AVG Anti-Spyware installed, please launch the program and follow the instructions below from the third bullet point "On the main screen..."
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this.)
    • Wait until you see the Update Successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Do not run the program yet!

If you are having problems with the updater, you can use this link to manually update AVG >AVG Anti-Spyware manual updates<.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

4 - Delete On Reboot With HijackThis
Run HijackThis and click on Open the Misc Tools section
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

C:\WINDOWS\SYSTEM32\CSIRZ.EXE

When you are asked "Do you want to restart your computer now?", click NO.

Repeat the above steps for the following file:

C:\WINDOWS\SYSTEM32\DMHKR.EXE

This time when you are asked "Do you want to restart your computer now?", click YES.

Your PC MUST reboot to delete the files!

5 - Delete Temporary Files
Double-click ATF-Cleaner.exe to run the program.
Under Select Files To Delete choose: Select All
If you rely on system remembered passwords, you should UNcheck Cookies.
Important Do not uncheck anything else!
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
Click the Empty Selected button.
NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

6 - Scan With AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Re-boot into Normal Mode.

7 - Kaspersky Online Scan
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
8 - Check on status
After you have completed the above, please reboot and provide:
  • the AVG Anti-Spyware report
  • the Kaspersky Scan report
  • a new HijackThis log
  • and a description of how your PC is behaving - what problems are you experiencing?
Remember, if you can, it's worth printing these instructions out before you start.

Good Luck
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 27 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware