Topic: Google search infected?

SNOWHITE
« Reply #45 on: December 05, 2006, 05:46:03 PM »
David,
Quote
I mean what is so secret about information pertaining to certain IPs being used by Wareout?
There is nothing secret about this; it's just that I don't want to provide information on something that is not open to the public. As I said, I don't make the rules. I will try to get some information for FreewheelinFrank about the Wareout infection, but maybe I will not be able to do that every time there is a new infection or an infection that is evolving. I will post you the link, but I am afraid you will not have access: http://www.geekstogo.com/forum/index.php?showtopic=37616&st=30
When I have more time I will post some more info on Wareout, maybe today, maybe tomorrow, but you have to bear in mind that this information is changing, as the infections are changing too ::)

BTW, I worked hard to gain access to that information.

raman
« Reply #46 on: December 05, 2006, 06:01:34 PM »
There is no need for that information. Google gives you everything you need. To see if it is a Wareout infection or not is easy: check the IP in the "O17" entry. If it is imhoster.com, it is Wareout.
Wareout, because in the beginning the DNSChanger (and downloader) downloaded and installed Wareout (a fake anti-spyware program). You can easily confirm that by using a rootkit scanner like BlackLight or GMER. The advantage of FixWareout is that it cleans the infection and gives a reliable logfile.
MfG Ralf

basilbrush
« Reply #47 on: December 05, 2006, 06:59:11 PM »
??? Will someone please help me? This seems to have turned into a debate. FwF, I asked if you could give me advice as a list of steps to follow so I can get rid of this problem. I posted the HJT log and then got it to fix the things you said.

What next?

raman
« Reply #48 on: December 05, 2006, 07:04:09 PM »
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

[Credit to: LonnyRJones, Swandog46, and AutoDad.]
MfG Ralf

basilbrush
« Reply #49 on: December 05, 2006, 07:07:49 PM »
Thanks raman, much appreciated. Please stay online, I might need you (if this thing works, that is).

basilbrush
« Reply #50 on: December 05, 2006, 07:18:02 PM »
Right, the computer is still working, thankfully.

Here is the 'report' from fixwareout:

 
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
 
Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
 
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Searching by size/names...
 
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
 
Other suspects.
Directory of C:\WINDOWS\system32
 
»»»»» Misc files.
 
»»»»» Checking for older varients covered by the Rem3 tool.


Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:15, on 06-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125504601536
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134202248265
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F59F332-A6E3-4E60-8E27-9FBFD6F6BDC4}: NameServer = 85.255.115.118,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


raman
« Reply #51 on: December 05, 2006, 07:25:05 PM »
You can use the posting of pskelly from here:
http://forums.spybot.info/archive/index.php/t-6966.html
(the rest from 1)) You can also use the ATF Cleaner, if you want. Please post a new HijackThis log after this, to see if the "O17" entries changed.
MfG Ralf

basilbrush
« Reply #52 on: December 05, 2006, 07:35:43 PM »
Sorry, what do you mean by 'the rest from 1'?

raman
« Reply #53 on: December 05, 2006, 07:36:31 PM »
I mean this! :)

---cut---
Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS server address automatically".
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit, hit Enter.
(That space between g and / is needed.)
---cut---
MfG Ralf
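Raman's test in reply #46 (look at the resolvers in the "O17" lines) and his request in replies #51 and #53 (post a fresh log after the fix to see whether the O17 entries changed) can both be done mechanically on the HijackThis text. The script below is an added example, not part of this thread or of HijackThis or FixWareout. It parses the O17 lines exactly as HijackThis v1.99.1 prints them, flags resolvers that match a watchlist, and reports which keys still point at a non-private resolver after remediation. Assumptions: the watchlist is simply the two addresses seen in basilbrush's log (the thread identifies them via the imhoster.com reverse lookup, which this offline script does not perform), the "after" log is a constructed post-fix state, and 192.168.1.1 is a made-up router address.

```python
import ipaddress
import re

# Constructed sample logs for this example. The O17 lines in the "before" log are the ones
# HijackThis v1.99.1 printed in basilbrush's log above; the "after" log is an assumed
# post-fix state in which the adapter has gone back to a DHCP-assigned router resolver
# (192.168.1.1 is made up for the example).
SAMPLE_LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F59F332-A6E3-4E60-8E27-9FBFD6F6BDC4}: NameServer = 85.255.115.118,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

SAMPLE_LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F59F332-A6E3-4E60-8E27-9FBFD6F6BDC4}: NameServer = 192.168.1.1
"""

# Watchlist of rogue resolvers. Assumption for this example: just the two addresses that
# appear in the log in this thread. Raman's real test (reverse lookup resolving to
# imhoster.com) is not performed here because the script runs offline.
WATCHLIST = frozenset(ipaddress.ip_address(a) for a in ("85.255.115.118", "85.255.112.199"))

# O17 line shape: "O17 - <registry key>: NameServer = <one or more IPs>"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [IPv4Address, ...]), ...] for every O17 line.

    HijackThis separates several resolvers with a comma on the per-interface key and
    with a space on the Tcpip Parameters keys, so both separators are accepted.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for tok in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                servers.append(ipaddress.ip_address(tok))
            except ValueError:
                continue  # not an IP literal; ignore it
        entries.append((m.group("key"), servers))
    return entries


def classify(entries, watchlist=WATCHLIST):
    """Attach a verdict to each O17 entry.

    'watchlist': a resolver matches a known-bad address.
    'public':    a resolver is a routable address. Not proof of infection (a statically
                 configured ISP or public resolver also shows up as O17), but on a home
                 connection that is supposed to use DHCP it deserves a look.
    'private':   every resolver is RFC 1918 / link-local, e.g. the router itself.
    """
    result = []
    for key, servers in entries:
        if any(ip in watchlist for ip in servers):
            verdict = "watchlist"
        elif any(not ip.is_private for ip in servers):
            verdict = "public"
        else:
            verdict = "private"
        result.append((key, servers, verdict))
    return result


def remaining_suspicious(log_text, watchlist=WATCHLIST):
    """Keys whose resolvers are still not private. Run this on the fresh HJT log taken
    after the reboot: an empty list means the O17 entries have actually changed."""
    return [(key, verdict) for key, _, verdict in classify(parse_o17(log_text), watchlist)
            if verdict != "private"]


if __name__ == "__main__":
    for key, servers, verdict in classify(parse_o17(SAMPLE_LOG_BEFORE)):
        print(f"{verdict:9} {key}: {', '.join(map(str, servers))}")
    print("still suspicious after fix:", remaining_suspicious(SAMPLE_LOG_AFTER))
```

The 'public' verdict is deliberately weaker than 'watchlist': FixWareout's own report warns that legitimate entries will be listed, and a hand-configured ISP resolver produces an O17 line just as the DNSChanger does. Only a resolver that is both public and unexplained (or one that matches a known-bad address) should be treated as the infection.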

raman
« Reply #54 on: December 05, 2006, 07:43:41 PM »
Hm, an

ipconfig /renew  [press Enter]
and an
ipconfig /flushdns [press Enter]

in the DOS box (cmd) should do the job too.....


[edit: Removed "all" from ipconfig /renewall]
MfG Ralf

basilbrush
« Reply #55 on: December 05, 2006, 08:08:19 PM »
I can't find the 'Networking' tab, goddammit!

raman
« Reply #56 on: December 05, 2006, 08:10:26 PM »
No problem. Try
ipconfig /renew [press Enter]
and an
ipconfig /flushdns [press Enter]

in the DOS box, restart and post a new HijackThis log.
MfG Ralf

basilbrush
« Reply #57 on: December 05, 2006, 08:11:48 PM »
Wait, I found TCP/IP and double-clicked as said. I ticked "Obtain DNS server address automatically". It didn't ask me to reboot, though....

raman
« Reply #58 on: December 05, 2006, 08:15:13 PM »
Please reboot to see if the trojan is still active, and post a new HJT log.
MfG Ralf

basilbrush
« Reply #59 on: December 05, 2006, 08:16:50 PM »
I did Run > cmd > ipconfig /flushdns > exit.

Nothing spectacular happened.
Now I am about to reboot and run HJT. I'll post it here.
I really appreciate you helping me. This problem has happened to me for the first time and has driven me nuts!