Author Topic: Google search infected?  (Read 54167 times)


basilbrush

  • Guest
Re: Google search infected?
« Reply #90 on: December 05, 2006, 10:10:40 PM »
Gosh, I don't know how you figured out that Avast or Spybot did it already.

I'm running the gmer scan now and after that I'll probably have dinner. I'm absolutely starving! I'll post the gmer log in a minute when it's done. I'm only scanning the C drive.

basilbrush

  • Guest
Re: Google search infected?
« Reply #91 on: December 05, 2006, 10:13:54 PM »
The scan has finished, though it didn't give any message or anything to suggest it. There's loads of tabs and each one has a lot of stuff under it. What do I do?

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: Google search infected?
« Reply #92 on: December 05, 2006, 10:16:53 PM »
You said that Spybot found something and you let it fix it. Spybot reports some of these Wareouts as Pipa.a. If you are able to find the Spybot report you could take a look at it, or look under "recovery" to see what it fixed.
« Last Edit: December 05, 2006, 10:18:30 PM by raman »
MfG Ralf

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: Google search infected?
« Reply #93 on: December 05, 2006, 10:17:41 PM »
If gmer says nothing, it found nothing. That's okay, you can simply close it.
And I will leave for today!
MfG Ralf

basilbrush

  • Guest
Re: Google search infected?
« Reply #94 on: December 05, 2006, 10:19:37 PM »
gmer says lots of things though, under the different tabs. I don't know if they are threats or what.

basilbrush

  • Guest
Re: Google search infected?
« Reply #95 on: December 05, 2006, 10:20:45 PM »
There's a whole bunch of things under 'processes' and 'modules', and all my internet favourites appear under 'rootkits' for some reason.

basilbrush

  • Guest
Re: Google search infected?
« Reply #96 on: December 05, 2006, 10:21:45 PM »
raman I cannot thank you enough for the help today. Thank God good people still exist in this goddamned world!

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: Google search infected?
« Reply #97 on: December 05, 2006, 10:24:19 PM »
If gmer found something in "Rootkit" (only rootkit is interesting here), please go to "rootkit", press copy and paste it here.
MfG Ralf

basilbrush

  • Guest
Re: Google search infected?
« Reply #98 on: December 05, 2006, 10:28:39 PM »
Here they are. They are just web pages I have put as favourites on the net. There's also something to do with Windows Media Player.

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-05 21:25:48
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.12 ----

Reg  \Registry\MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2\Extensions\.wvx@?????                   

---- Files - GMER 1.0.12 ----
Reg  \Registry\MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2\Extensions\.wvx@?????
ADS  C:\Documents and Settings\Siddiqi\Favorites\About a Ball  Football Stars.url:favicon             
ADS  C:\Documents and Settings\Siddiqi\Favorites\Video Forum - RedCafe.net.url:favicon                 
ADS  C:\Documents and Settings\Siddiqi\Favorites\WebCT 4.1 at Imperial College.url:favicon       


---- EOF - GMER 1.0.12 ----

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: Google search infected?
« Reply #99 on: December 05, 2006, 10:31:11 PM »
I do not know why gmer reports this, but it is not dangerous. I will ask gmer why it reports this.
MfG Ralf

basilbrush

  • Guest
Re: Google search infected?
« Reply #100 on: December 05, 2006, 10:32:33 PM »
Wow thanks. Ok so am I in the clear? If yes then thanks again and all the best.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Google search infected?
« Reply #101 on: December 06, 2006, 10:43:47 AM »
I would like to point out something here: not only have I been undermined by people claiming that I have missed something while helping people on this thread because I do not have access to secret information, but this claim itself has, as far as I can see, proved to be wrong.

I asked why it was suggested that this might be Wareout, when nobody had complained of the pop-ups typical of Wareout, and was told that it was because of the 017 entries: information that I couldn't be given access to. My own research suggested this was a DNS hijack and my advice was to reset the DNS settings following the instructions on the site linked to in the 017 entries.

Quote
Check the IP in the "O17" entry. If it is imhoster.com, it is wareout.

I must be missing something here. The 017 entries point to domainserror.com. While I cannot know if, in some secret forum, this site is associated with Wareout, I suggest that it may simply be a DNS hijack operation operating, sometimes at least, with no association with Wareout.

I was told that Wareout uses a rootkit and cannot be seen. I posted a link that showed that some entries are evident even with a rootkit infection.

Well, where is this evidence of a rootkit infection? I believe WareoutFix is supposed to find a rootkit Wareout infection, but it seems to have found nothing, as did BlackLight and Gmer.

Quote
Gnarf, it seems that Avast or Spybot deleted the file already (possible?) and the "o17" was only the leftover from the infection.

Maybe there was no Wareout infection. Maybe it was just a DNS hijack like I originally suggested. Maybe some Trojan just reset the DNS server which is why you could fix it by removing the HijackThis! entries, or why the person I advised previously in the thread could fix it by following the instructions to reset the DNS settings in XP.

I don't mind when somebody with more experience than me comes along and offers help on this forum- raman's original help allowed me to spot the DNS hijack. But here three people have undermined the advice I gave and told a user they had an infection which there was really no indication of, and which proved not to be present.

A careful examination of the symptoms described, the HijackThis! log and the information on the web site linked to might have suggested this. If Geek-To-Go are going to jump in every time they see a juicy HijackThis! log, at least they could read the whole thread carefully without making an instant diagnosis on one 017 entry, undermining somebody who's spent a lot of time on the thread already, and claiming expert knowledge the rest of us don't have access to.

EDIT: Typo
« Last Edit: December 06, 2006, 09:08:42 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mauserme

  • Guest
Re: Google search infected?
« Reply #102 on: December 06, 2006, 09:04:42 PM »
It seemed that you were on the right track to me Frank.

And while it's finding a solution that matters in the end, I think an element of condescension entered into this thread that was completely out of place.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Google search infected?
« Reply #103 on: December 06, 2006, 09:06:57 PM »
Quote
If I may just butt in, the 85.255.115.118 85.255.112.199
entry suggests a Wareout infection, which is now starting to come downloaded with a rootkit element.

Confirmation that these 017 entries pointing to domainserror.com need not necessarily be anything to do with Wareout or a rootkit infection here:

Quote
Care needs to be taken when cleaning machines infected with this trojan because of the modifications made to the TCPIP interface settings. You need to go to the network settings on your machine (via Control Panel) and revert back to your old DNS settings. After doing the required changes, you will be prompted with a message box similar to the following:


Quote
When program is run (usually by user executing the file), the file would copy itself to:
%SYSTEMROOT%\SYSTEM32\HGQHP.EXE

and removes itself from the directory it originally existed in. The program would also do some modifications to the Windows Registry (changing DNS entries).

Quote
Symptoms:
Presence of the file:
%SYSTEMROOT%\SYSTEM32\HGQHP.EXE
Having DNS entries in any of your network adaptors with the values:
85.255.112.132
85.255.113.13

Quote
To do a complete recovery, some modifications are required to the Windows Registry, restoring the keys to their original values. The interface settings modified are within the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Tcpip\Parameters\Interfaces

All this is the result of a Trojan.

http://vil.nai.com/vil/content/v_136602.htm

The McAfee write up states that this DNSChanger Trojan may also download other malware, so it would be wise to suspect other malware might be present, even rootkits, but the presence of these 017 entries does not confirm that Wareout is present.

If there is no sign of the original Trojan, and no indication of a hidden infection (in the case of Wareout, popups and the presence of some HijackThis! entries not hidden by the rootkit, as described in my previous link) reverting to previous DNS settings may fix this, as Naimryu discovered.

Quote
Anyway,  after following your links FreewheelinFrank... I fixed the 017 - HKLM entries with Hijack This. This seems to have done the job!!!

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Google search infected?
« Reply #104 on: December 12, 2006, 02:38:07 PM »
I managed to track down some more information on this.

Quote
Comment from rpggamergirl
Date: 11/08/2006 04:18AM PST
   Comment    

There are many proofs and telltale signs of wareout, but different in every case.

In this question, the proofs of wareout are:
Symptoms:
*Google search results being re-directed to other search sites
*Spybot's detection of Pipas.A

And confirmed by the entries in his HJT log:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225

Note: HijackThis cannot remove wareout; removing entries does nothing while wareout is active.
The fixwareout tool must be run to remove the infection.

There are many other symptoms or signs when a pc has wareout, but not all of the symptoms nor the hijackthis entries will be there. There are other entries to look out for but I'm just talking about this very question.

Quote
Comment from rpggamergirl
Date: 11/08/2006 04:54AM PST
   Comment    

No problem.

The most common symptom is the search redirection, and the most common entries showing in hijackthis are the 017 entries.

If you want all the telltale signs and symptoms, I'll post them here.

Quote
Comment from rpggamergirl
Date: 11/09/2006 05:40PM PST
   Comment    

>>Yes, Can you share those information as well?<<

Sure.


Telltale signs of Wareout infection:

Symptoms:(either one of following)
* User complaints of popups mentioning WareOut
* Google search redirection, bogus search results
* the identification of "Downloader.Agent.uj".
* Spybot detects Pipas.A Trojan
* Pest Patrol reports of QHosts.DF
* "UnSpyPC" or "KillAndClean" in add/remove programs list
* If it's the variant QHosts.DF, most scanners run on the infected pc will crash.


Common "wareout" entries that might appear in logs:

There might be 2 HijackThis entries present or none.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O1 - Hosts: localhost 127.0.0.1 <-- sometimes this entry can be the only visible line

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE <-- rarely visible
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [KillAndClean] "D:\Program Files\KillAndClean\KillAndClean.exe"

One or two random O4s, usually not visible, such as:
O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System32\dmcup.exe
O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
O4 - HKLM\..\Run: [dmgow.exe] C:\WINDOWS\system32\dmgow.exe
O4 - HKLM\..\Run: [hgmos.exe] C:\Windows\System32\hgmos.exe

The entry may not be exactly as the one above.
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
Note: * = a randomly generated letter.

Also entries that looks like these:
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
O4 - HKLM\..\Run: [exe.zpomd] C:\WINDOWS\system32\dmopz.exe
O4 - HKLM\..\Run: [exe.jlamd] C:\WINDOWS\system32\dmalj.exe
O4 - HKLM\..\Run: [exe.uqhmd] C:\WINDOWS\system32\dmhqu.exe
O4 - HKLM\..\Run: [exe.somgh] C:\WINDOWS\system32\hgmos.exe
The name after "exe." is the filename reversed; it usually begins with the letters "dm, cs, hg" , as above.


Usually there'll be 017 entries showing in hijackthis log with the following IP Addresses:
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFF8F98-69BE-40ED-A311-2965DB08F05D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{24945E12-5B0C-4B95-841C-56FBF0A6DAC0}: NameServer = 195.95.218.1,85.255.112.7
or any O17 with a similar IP resolving to Atrivotechnologies, EstHost hosting company, Tartu Peapostkontor, pk. 12, Estonia, InterCage, or to inhoster, Ukraine.


And here are the most common 017 wareout entries that usually present in hijackthis logs: these entries are almost always present, it's rare not to see them in the log with wareout infection.
O17 - HKLM\System\CS2\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.113.139,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{829B2203-98D9-493A-B9C9-0CBFE371CDBE}: NameServer = 85.255.115.38,85.255.112.103


*Ewido's log shows the following entries:
[176] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning
[196] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning


*SilentRunners' log will show a five-letter exe usually starting with 'cs', 'dm' or 'df', which is a sure sign of WareOut:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cspxq.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csott.exe" [null data]


*BlackLight will also detect some of the files:
01/21/06 10:00:04 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\cspxq.exe
01/21/06 10:00:05 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\dmbsx.exe
The file names will be random, but the exes are five-letter names beginning with 'cs', 'dm' or 'df'.


Have fun 'wareout' hunting! :)

A big thanks to rpggamergirl for sharing this information on Experts' Exchange.

http://www.experts-exchange.com/Security/Q_22045521.html?qid=22045521

Some information on FixWareout from the author:

Quote from LonnyRJones:
Usually an accompanying fake antispyware gets installed along with a rootkit,
or to put it better, files that can stealth themselves.
Wareout, UnSpyPC etc. are the fake programs,
both of which will unkindly remove all my runs if I let them.

The stealth part of the infection normally runs from

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"
Its invisible and can rename the file at each PC restart
A run running from HKLM that also changes each time the pc is restarted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Usually the two start points above are present, but it is possible to have either and not the other.


These keys are also involved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls

http://forums.spybot.info/showthread.php?t=8243&highlight=fixwareout+description

The infection is known under various aliases/ variants. Spybot calls it Pipus.A:

http://forums.spybot.info/showthread.php?t=8243&highlight=fixwareout+description

Thanks LonnyRJones for this information.

Ewido calls it Trojan.downloader.uj; it will detect but not remove it. There is another removal tool, and a list of aliases, here:

http://blog.evilissimo.net/2006/08/07/how-to-remove-trojandownloaderuj/

avast! calls it Win32:Agent-IU.

In summary, detections by these programs of the following malware indicate a stealthed infection, requiring a specialist removal tool:

Spybot: Pipus.A
Ewido/AVG Anti-Spyware: Trojan.downloader.uj
avast!: Win32:Agent-IU

DNS settings must also be restored after clearing the infection.

That still leaves the mystery of why Naimryu and basilbrush were able to cure the Google hijack just by resetting DNS/deleting rogue 017 entries without seeing any signs of stealthed malware. Either anti-malware programs are now removing the stealth Trojan but leaving the 017 entries, or other malware is also installing the hijack. The fact that nobody in this thread has complained of Wareout pop-ups is also a mystery.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
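The two posts above (the McAfee note about reverting the per-interface DNS values under Tcpip\Parameters\Interfaces, and rpggamergirl's list of HijackThis O4/O17 indicators) together describe a triage that can be mechanised. The script below is an added example, not a tool from this thread or from any of the people quoted in it. It parses HijackThis-style lines for three things named above: O17 NameServer entries pointing at the rogue resolvers, O4 Run entries whose value name is the reversed filename (e.g. [exe.oqsmd] for dmsqo.exe), and five-letter dm/cs/hg/df executables or the fake antispyware programs; it then decides which TCP/IP interface keys have a static NameServer that should be cleared. Assumptions: the 85.255.112.0/22 range is my own summary of the 85.255.112.x to 85.255.115.x addresses quoted in the thread (the three single hosts come from the quoted O17 lines), the log lines and interface values are constructed sample input modelled on the ones quoted above, and nothing is read from a live registry.

```python
"""Triage HijackThis O4/O17 lines for the Wareout / DNS-changer indicators
described in this thread, and decide which TCP/IP interfaces need their
static DNS servers cleared.  Added example; not a tool from the thread."""
import ipaddress
import re

# Nameserver addresses the thread associates with the hijack.
# ASSUMPTION: 85.255.112.0/22 is my own summary of the 85.255.112.x-115.x
# addresses quoted above; the three single hosts are quoted verbatim there.
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/22")]
ROGUE_HOSTS = {ipaddress.ip_address(h)
               for h in ("69.50.184.84", "195.225.176.37", "195.95.218.1")}

# Fake "antispyware" executables named in the quoted posts.
ROGUE_PROGRAMS = {"wareout.exe", "unspypc.exe", "killandclean.exe", "hclean32.exe"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\.*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Five-letter executables starting dm/cs/hg/df (dmcup.exe, cspxq.exe, ...).
RANDOM_EXE_RE = re.compile(r"^(dm|cs|hg|df)[a-z]{3}\.exe$", re.IGNORECASE)


def is_rogue_ip(text):
    """True if the address is one of the thread's rogue resolvers."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip in ROGUE_HOSTS or any(ip in net for net in ROGUE_NETS)


def exe_name(cmd):
    """Basename of the command in an O4 entry, quoted or not."""
    cmd = cmd.strip()
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return path.rsplit("\\", 1)[-1]


def triage(log):
    """Return (entry type, reason, detail) tuples for suspicious lines."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            servers = re.split(r"[,\s]+", m.group("servers").strip())
            bad = [s for s in servers if is_rogue_ip(s)]
            if bad:
                findings.append(("O17", "rogue nameserver", ",".join(bad)))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, exe = m.group("name").lower(), exe_name(m.group("cmd"))
        if name.startswith("exe.") and name[::-1] == exe.lower():
            # value name is the reversed filename: [exe.oqsmd] -> dmsqo.exe
            findings.append(("O4", "reversed-name run entry", exe))
        elif RANDOM_EXE_RE.match(exe):
            findings.append(("O4", "random five-letter exe", exe))
        elif exe.lower() in ROGUE_PROGRAMS:
            findings.append(("O4", "rogue antispyware", exe))
    return findings


def interfaces_to_clear(interfaces):
    """Given the values read from each
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}
    key, return the GUIDs whose static NameServer points at a rogue resolver.
    Clearing that value puts the adapter back on its DhcpNameServer."""
    hits = []
    for guid, vals in interfaces.items():
        static = re.split(r"[,\s]+", vals.get("NameServer", "").strip())
        if any(is_rogue_ip(s) for s in static):
            hits.append(guid)
    return hits


# Constructed sample input, modelled on the log lines quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
O4 - HKLM\..\Run: [hgmos.exe] C:\Windows\System32\hgmos.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{829B2203-98D9-493A-B9C9-0CBFE371CDBE}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Constructed per-interface registry values (the second GUID is a placeholder).
SAMPLE_INTERFACES = {
    "{829B2203-98D9-493A-B9C9-0CBFE371CDBE}": {"NameServer": "85.255.115.38,85.255.112.103",
                                               "DhcpNameServer": "192.168.1.1"},
    "{00000000-0000-0000-0000-000000000001}": {"NameServer": "",
                                               "DhcpNameServer": "192.168.1.1"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("clear static NameServer on:", interfaces_to_clear(SAMPLE_INTERFACES))
```

Run against the constructed log it reports the reversed-name O4, the random hgmos.exe, the WareOut.exe run entry and the single O17 line with rogue resolvers, while the ctfmon.exe entry and the 192.168.1.1 interface pass. A clean O17 scan, as the thread keeps pointing out, says nothing about whether the stealthed loader is still present; the O4 checks and a rootkit scanner have to be read alongside it.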