Redirected to searchathand.com

Discussion in 'Malware Help (A Specialist Will Reply)' started by exitsfunnel, Jun 22, 2006.

  1. exitsfunnel

    exitsfunnel Private E-2

    Hello,

    I started having the following problem with my internet access this morning: I would enter valid URLs into my browser window but would be directed to a page telling me that the domain was invalid and offering the option to do a search instead. The page included the text 'searchathand.com'. Obviously, this is some sort of virus or trojan or something.

    So, I followed all of the steps in the 'Read and Run Me First' post with one exception. I was unable to run the pandasoftware stuff in safe mode because I couldn't load the page due to the redirects mentioned above. I don't know why I *was* able to load bitdefender, but I was. In any event, I was able to run the panda stuff after I booted into normal mode, so I do have the log, but I figured that I should still mention the deviation from the instructions. I should also mention that I do now seem able to access sites (i.e., www.yahoo.com) which I couldn't this morning, but I notice that if I enter a URL which is actually invalid I'm still redirected to the 'searchathand' page, so I assume I've still got a problem. I've attached the logs; if someone could take a look at them, I'd really appreciate it. The OS is Win2000 - let me know if I can provide any further information.

    -exits
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Did you set your start pages to about:blank on purpose?

    Let's start by downloading HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    You have a Wareout infection!

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A2226C6-469F-48AF-AA8C-6A473732D41D}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A0A7CA88-7E1D-4E79-B036-A5A77A01023C}: NameServer = 85.255.116.174,85.255.112.82


    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    c:\winnt\system32\dgprpsetup.exe
    C:\WINNT\SmFzb24\mAIWvZb.vbs
    C:\WINNT\system32\howiper.exe
    C:\Program Files\UnSpyPC <--- delete the whole folder if found

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log. And tell me how things are working now!!
     
  3. exitsfunnel

    exitsfunnel Private E-2

    Hi Chaslang,

    Thanks for taking the time to help. I'm afraid I'm having *real*
    problems. I'll describe as carefully as I can what I did and what the
    unfortunate results seem to have been.

     

    Attached Files:

  4. exitsfunnel

    exitsfunnel Private E-2

    Clarification and another question

    Regarding the trouble restarting: I've played around quite a bit and the situation seems to be that if I restart it and leave my hands off, it will boot back up, though very, very slowly. If, however, I try to boot into safe mode by pressing F8 at the 'Starting Windows' screen, then it just hangs. I've left it for more than half an hour and it never progresses beyond that screen if I've tried to boot into safe mode. This behavior is obviously related to either having run FixWareout or having deleted those two files using HijackThis. In either event, is there any way to undo what I've done?

    On a (probably) unrelated note, I have two more questions regarding IE. I'm running IE 6.0.2800.1106 and I'm having some trouble with a Pop-Up Blocker. It's blocking pop-ups on certain sites for which I'd like it not to. I'm sure that there is some way to disable the blocker per site, but I can't find out where to do it. I'm not even sure if the blocker is part of IE or something external, though I'm pretty sure it's the latter. How can I find out so that I can change the settings? One last IE question: before I started trying to solve my malware problems, the behavior of IE with respect to IE was to open up links in an expanded window; now it seems to open them in just a small window which I then have to manually resize. Does anyone know how to change this? Sorry for rambling, but if anyone could provide any insight on any of these issues I'd greatly appreciate it.

    -exits
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Clarification and another question

    You did not delete any files with HijackThis. You just removed registry keys that were causing you to be hijacked to Russian webservers by WareOut.


    Based on what I saw in your log, you are not running any popup blocker. What is the name of the popup blocker you think you have installed?

    Open up ONE (and only one) IE browser window. Expand it to the size you want. Now click on the X at the top right of the window to exit the browser. Now reopen a new browser. Is the size OK now? This is not normally malware. It is normally just a last save setting in your system.

    We have some more to fix!

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.
    Now look for the below file with Windows Explorer and delete it if found.

    C:\WINNT\SYSTEM32\CSVDE.EXE

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
