Google search infected?

[FreewheelinFrank]

Your log confirms you do have the DNS hijack. You will either need to follow the removal instructions on the following page, or risk using the company's own uninstaller, as I described in my previous post:

http://www.domainserror.com/remove.php

Before you do that, run HijackThis! again, tick the following items then click 'fix' and reboot:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

O9 - Extra button: Ãâ·Ñ¾«²ÊÊÓƵ³¬Á÷³©ÔÚÏß¹Û¿´ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)

O9 - Extra 'Tools' menuitem: ²¥°ÔµçÊÓ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} (pCastPanel Class) - http://ps.itv.mop.com/dn/files/pCastCtl-1.0.0.94_signed.cab

O18 - Filter: text/html - (no CLSID) - (no file)

Check your internet connection at IE>tools>internet options>connections tab>settings. The 'Use Proxy' box should be unchecked.

Good luck

[basilbrush]

Thanks as always Frank. Thing is I'm not the best when it comes to fixing computer problems. So what you will hav to do is make a nice little list of steps for me to follow 'cos I don't quite understand it at the mo.
The first thing I am about to do is fix the problems you mentioned above in HijackThis.

[SNOWHITE]

Hi FreewheelinFrank
Why are you asking the user to fix with HiJackThis the 09 entries?

9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

They are legitimate, so i just want to know if you have any particular reason for fixing them

[FreewheelinFrank]

Hi SNOWHITE,

The (file missing) tag usually means- in the case of a legitimate application- that the user has uninstalled the application leaving a orphaned entry. These can be removed as a tidy-up operation.

There do seem to be exceptions- as for example in the case of avast! services, where HijackThis! cannot see the file even though the service is running.

The tag can also indicate that a malware file has been deleted by an anti-malware program, again leaving an orphaned entry. These can cause 'file not found' error messages and need fixing.

Hope this helps. 

FwF

[S_A_M.1990]

Yea i had that problem befor but i can't remember how i fixed it sorry.

[SNOWHITE]

Thats what i thought, i would suggest to you in future not to list the legitimate entries for fixing with HJT, as you can only trust that the file is missing only in 02, and probably 03 entries, and NOT on others.

There do seem to be exceptions- as for example in the case of avast! services, where HijackThis! cannot see the file even though the service is running.

That is not just for avast! it is also for other services too.
You are doing nice job and i see you really want to help people with their problems, but today many things are rapidly changing in malware fighting, malwares are becoming more and more difficult to detect and delete, the tools that we are using are also changing... I just want to encourage you to sign up in some of the online schools like the school in Geeks to Go, with your knowledge and ability to do the searches, i think that you will fast finish the school and of course you will have open doors to many interesting and helpful tutorials that are not opened in public. And it would be great to have another avast user and malware fighter there, think on many new things that you can learn there, that can help you in furder helping and fight malwares I will post you the link from Geeks to go, in any case that you decide to join the school, it would be great if you decide to join, there are not many avast users only few of us http://www.geekstogo.com/forum/forums.html
ps: I hope that i didn't offended you in any way, because that is not my intension

[essexboy]

If I may just butt in the 85.255.115.118 85.255.112.199
entry suggests a wareout infection which is now starting to come downloaded with a rootkit element.  There are a few ways to fix this depending on whether or not the rootkit element is present.  The one I would initially recommend is combofix
from here http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe

1. Download ComboFix.exe
2. Reboot into safe mode
3. Double click on combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

The unusual characters also indicate a possible chinese infection and again Combofix should work on these

[FreewheelinFrank]

Well, the three people with the problem here have complained of a Google Hijack: they haven't mentioned anything about scam anti-spyware warnings, which is what Wareout seems to be. The IP addresses seem to be a DNS hijack- something I suspect Zlob is beginning to do. For Naimryu  the advice I posted seems to have worked, and I have no reason to believe it won't for hoogan & basilbrush too.

What's the reason for suspecting Wareout? Could you post some links with details? If I'm missing something here, please let me in on the secret. Thanks.

[FreewheelinFrank]

User complaints of popups mentioning WareOut

No they don't.

Some visable lines:

Quote:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O1 - Hosts: localhost 127.0.0.1 This may be the only line visible

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE rarely visible

EDIT: Forgot link: http://temerc.com/phpBB2/viewtopic.php?t=1287&

None of these is visible.

Most common indication is 017 related line in HJT, pointing to one of several known malware hosting IPs.

IP points to a questionable domains error site whose installer is flagged as malware by some scanners but who claim not to be involved in spyware- not convinced.

I think raman was dead right to spot this as a DNS hijack, but wrong to suggest wareout- at least as far as I can see from the evidence. I'm waiting to be convinced.

[SNOWHITE]

  The IP address is one of the addresses that wareout is using, very persistent 017 lines too. New variants are using rootkit so they are hiding and you cant see them in a log.
Here is one similar address  85.255.115.27,85.255.112.181 and another 85.255.114.74 85.255.112.61

[FreewheelinFrank]

The IP address is one of the addresses that wareout is using

Please post a link.

[SNOWHITE]

The IP address is one of the addresses that wareout is using

Please post a link.

Sorry, that is not possible because its in hidden forum in the Geeks To Go school, you can have access there only if you are in training in upperclassmen Its in the forum for  Spyware Fixes (Special Cases)

[FreewheelinFrank]

Any advice I give here I back up with a source for the information I give, so that others can see why I gave that advice and tell me if I'm wrong or learn something if I was right. I have learnt a lot from the advice of others in this way myself.

If you are going to ask me to take what you say on faith then I'm afraid I cannot do that. I believe this should be a forum of equals, not a forum with an elite few whose advice cannot be questioned because their sources are hidden from those not a member of their elite.

If you are going to give advice on this basis, then I am going to stop helping people on this forum and leave you to it.

Good luck.

[SNOWHITE]

Hi FreewheelinFrank

Any advice I give here I back up with a source for the information I give, so that others can see why I gave that advice and tell me if I'm wrong or learn something if I was right. I have learnt a lot from the advice of others in this way myself.

Sometimes you can not give the back up, because the source is not available for public and its something that a lot of experts are working on. As i said in the post right before Essexboy posted, if you read it carefully you will understand why i posted that for you, it's not because i don't trust you, its because i trust you and i like the way your searching and providing the informations, and most important you have a wish to help people. But sometimes this is not enough, it needs higher level of knowledge and that is why this schools are meant to be.

If you are going to ask me to take what you say on faith then I'm afraid I cannot do that. I believe this should be a forum of equals, not a forum with an elite few whose advice cannot be questioned because their sources are hidden from those not a member of their elite.

This is a forum of equals, and if some of us are sacrificing days in learning the fight with malwares that doesn't make us  "an elite few" just because i don't want to brake the rules in my schools, to provide you information on something that is working on. By the way i don't make the rules in schools,  if something is hidden then there is a reason why it is. If you want to have more opened doors to information then consider to join at least one of the schools, Bleeping and G2G are very similar, SWI is another school where i am too, the only cost that you have to pay is learning.

If you are going to give advice on this basis, then I am going to stop helping people on this forum and leave you to it.

Stoping or not, is your choice, actually you have many choices...

[DavidR]

I'm afraid I have to agree with Frank when it comes to freely offering advice that isn't available to all it seems like some 'black art.' I know and appreciate why you are doing it, but I don't feel it is the way we have worked in the avast forums for some considerable time, advice backed up by links if needed or asked for.

That can really only work in the restricted forums where you and others are either under training or have completed it and have access to that information, but not to my mind the open forums of avast. This is not to dissimilar to a statement previously made that 'someone' would only give advice it the recipient ignored all other advice.

I mean what is so secret about information pertaining to certain IPs being used by Wareout ?