Jim Lawrence
accessd at shaw.ca
Sat Aug 7 13:08:19 CDT 2010
Hi Tina:

It looks like it is going to take some personal intervention to remove this virus. With IE, it takes its cues from a registry location where the default or home page is stored, so IE itself is probably not infected. What is happening is that a process is being run that pushes a new location into the registry, and that is the same with the 'blocked the access' to certain web locations.

Run Regedit and navigate to somewhere like this: hkey_current_user\software\microsoft\internet explorer\... (from memory, so check). In this location are all the settings that control IE. A dozen weird hacks can be pushed into this location. I would check "Main". In there are stored all the search/default/load locations. These are most likely changed. Changing these will not give long-term relief, as the virus will do another update and you are back where you started from.

Now you have to find the program that is doing the work. A sophisticated virus usually has a number of layers, like an onion, so removing it is not easy. Just finding and removing the working virus usually does not work, as yet another segment of the program just replaces it, and the app that does the replacement very likely also has an auto-restarting backup. First look at the list of startup locations given to you by Hack-This. There are only so many locations where apps will be automatically started. Check out each of the auto-boot files. Rest assured one of your villains will be there. It is carefully named so it sounds like a legitimate file, but it is not, i.e. named winex... sounds legit but it is fake. It may actually be correctly named but will be placed in a wrong directory. When you find the culprit file and location you can delete it, but that will not solve your problem, as the virus will just rewrite itself at the next cycle or reboot. I have found a little trick for stopping the file from coming back.

Go into Notepad and save a file with the same name and to the same location as the one you just deleted, then within File Explorer find the file you just created and flag it read-only. This process of discovery and removal will be a bit trial and error, as the virus is not going to be simple to remove... after all, it has defeated all virus protection already. A tough virus usually has at least 3 to 5 locations where it reboots from.

After finishing, you can go to the IE registry on the offending computer, bring up the IE registry settings as previously mentioned and do the same on your laptop... cross-reference and fix anything that seems out of place.

If you have not already done so, run a rootkit checker. Here is a good location for getting information and possible rootkit virus tools... http://www.pchell.com/support/rootkitremovaltools.shtml These are real tough nuts and they are not always successfully removed. If you have one and it cannot be removed, re-installation is the only solution.

Another method for fixing Windows is to rebuild the OS, which will set everything back to initial install settings, but all the data and info files will be in place and still there. When rebooting with the original CD, do not select the '...Recovery Console...' option; continue and select the repair option "R". Note that any missing SPs or updates will have to be reinstalled.

You can send me the Hack-This startup list and log files if you feel two sets of eyes would be better than one.

HTH
Jim

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Tina Norris Fields
Sent: Saturday, August 07, 2010 6:16 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Svchost.exe error - Update 2

Back again,

After looking at the huge number of dlls and other processes that appeared to be connected to dwwin.exe, I opted for a different approach.

Acting on Rusty's comment, I used the Vipre rescue and had it run a deep scan. It found and cleaned 4 threat traces in the Registry. IE7 would still not allow access to Windows update - I could get to lots of Internet places, including microsoft.com, but anything that got close to updating Windows resulted in the notice that IE could not display that page, that I might not be connected to the Internet, etc. - not the common page I usually see when IE really can't reach the Internet, but one with messages in red font and enclosed in black-bordered boxes. Also, the errant redirect continued to happen - there are about three different ones that I saw more than once:

- one looked like a local news page, but it is not something Brad chose (http://www.news9today.net/money-news/latest-news.php?ex=002&tid=AOXUS1). I've followed up on that one now, myself - it is an advertisement entry point; if you try to select news, or politics, or anything from its navigation bar, you are sent to a page to sign up for making lots of money (http://www.quickcashkit.net/index2/?hop=inet2aff2&ex=002).
- one is a 'find single mates' invitation (http://matelocal.com/2273/?subid=directcpv-preferred-1&affid=7167)
- one was an urgent notice that the PC is infected, click here to fix it (looked very similar to the AntivirXP2009 that got my Dad's computer a couple years ago).

Attempting to reach the Internet Options still yielded the message that that operation was "canceled due to security restrictions on this computer, please contact your system administrator." Persuaded that something was hijacking Brad's IE7, I downloaded HiJackThis and ran that - I am not experienced at reading that log, but I really didn't spot the culprit. If one of you is knowledgeable about analyzing that log, and would be willing to look it over, please let me know and I will pass it along to you.

Since I could get to the Internet, I went to mozilla.com and downloaded the current Firefox, installed it and used it to get to microsoft.com where I downloaded IE8 for manual installation. Once IE8 was installed, we had access to the Tools > Internet Options dialog box. Yay! But, we still could not get to Windows update! And, the redirect still popped up. His OS was WinXP SP2, whose support ended July 13, 2010 - so, I searched for how to get SP3 when I couldn't get to Windows update. I did finally find a way to download that for manual installation. SP3 was successfully installed yesterday after supper. But, guess what - this morning, the redirect is still there, and IE cannot get to Windows update, and, of course, the old bugaboo "generic service host error" is still popping up.

This syndrome has to be an infection of some kind, I'm thinking. Unless, as Jim suggested, the corruption is in a location that cannot be substituted and the only real solution is to get a new hard drive. Or, perhaps this is a combination of things: 1) a corruption at the boot tracks, and 2) a hijacker of some sort. I'm ready to start pricing good SATA hard drives for Brad's computer. He has to have a functional and reliable computer for his business (don't we all?). But, it's very difficult for me to let go of a mystery like this - I really want to solve it.

Do you wizards have any more good thoughts for me? What is redirecting Brad's IE browser? What is preventing IE from getting to Windows update? What is calling the svchost.exe error?

Thanks again,
T
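The cross-referencing Jim recommends (dump the IE "Main" values and the autostart entries on the suspect PC, compare them with a clean machine, and note binaries that carry a familiar name but live in the wrong directory) can be scripted so nothing is missed. The PowerShell below is an added example for this thread, not something either list member posted. It assumes a Windows box with PowerShell; the registry paths are the standard IE and Run/RunOnce keys, while the function names, the `$trustedRoots` heuristic (a binary outside the Windows and Program Files trees is flagged) and the `New-ReadOnlyPlaceholder` helper, which implements Jim's read-only placeholder trick, are this example's own choices.

```powershell
# Added example (not from the thread): inventory the IE settings and autostart
# locations discussed above so they can be diffed against a known-clean machine.
# Run in an elevated prompt. Keys that do not exist on a given PC are skipped.

$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic (this example's assumption): legitimately installed autostart
# binaries normally live under one of these roots.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-IEMainSettings {
    # The values IE reads for its home, default and search pages.
    $names = 'Start Page', 'Default_Page_URL', 'Search Page', 'Local Page'
    if (-not (Test-Path $ieMain)) { return @() }
    $props = Get-ItemProperty -Path $ieMain
    foreach ($n in $names) {
        [pscustomobject]@{ Key = $ieMain; Name = $n; Value = $props.$n }
    }
}

function Test-TrustedLocation([string]$Exe) {
    foreach ($root in $trustedRoots) {
        if ($Exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-AutostartEntries {
    # Each value under a Run/RunOnce key is a command line; pull out the exe path.
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
            $cmd = [string]$p.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Exe        = $exe
                Exists     = $exists
                Suspicious = (-not $exists) -or (-not (Test-TrustedLocation $exe))
            }
        }
    }
    # The per-user and all-users Startup folders are autostart locations too.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                [pscustomobject]@{
                    Key = $dir; Name = $_.Name; Command = $_.FullName
                    Exe = $_.FullName; Exists = $true; Suspicious = $false
                }
            }
    }
}

function New-ReadOnlyPlaceholder {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Jim's trick: after deleting the dropped file, occupy its name with an empty
    # read-only file. Refuses to touch an existing file so a real binary is never
    # clobbered by mistake.
    if (Test-Path -LiteralPath $Path) { throw "Refusing to overwrite existing file: $Path" }
    $f = New-Item -ItemType File -Path $Path
    $f.IsReadOnly = $true
    return $f
}

# Usage: export on the suspect PC and on a clean one, then diff the two CSVs.
# $report = @(Get-IEMainSettings) + @(Get-AutostartEntries)
# $report | Export-Csv -Path "$env:COMPUTERNAME-inventory.csv" -NoTypeInformation
# $report | Where-Object Suspicious | Format-Table Key, Name, Exe
# Compare-Object (Import-Csv clean.csv) (Import-Csv suspect.csv) -Property Key, Name, Value, Command
```

Treat the `Suspicious` column as a starting point for the manual review Jim describes, not a verdict: legitimate software does sometimes start from a user profile directory, and a dropped binary can just as easily sit inside `%SystemRoot%` under a look-alike name. The read-only placeholder is likewise a diagnostic aid rather than a fix; anything running with the same privileges can clear the attribute, so if the placeholder is replaced on the next reboot that is itself evidence that another autostart component is still live.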