[dba-Tech] Svchost.exe error - Update 2

Jim Lawrence accessd at shaw.ca
Sat Aug 7 13:08:19 CDT 2010


Hi Tina:

It looks like it is going to take some personal intervention to remove this
virus. With IE, it takes its cues from a registry location where the
default or home page is stored, so IE itself is probably not infected.

What is happening is that a process is being run that pushes a new location
into the registry, and the same goes for the 'blocked access' to certain web
locations. Run Regedit and navigate to somewhere like this:
hkey_current_user\software\microsoft\internet explorer\... (from memory, so
check). In this location are all the settings that control IE. A dozen weird
hacks can be pushed into this location. I would check "Main". In there are
stored all the search/default/load locations. These are most likely changed.
Changing these will not give long-term relief, as the virus will do another
update and you are back where you started from. Now you have to find the
program that is doing the work.

A sophisticated virus usually has a number of layers, like an onion, so
removing it is not easy. Just finding and removing the working virus usually
does not work, as yet another segment of the program just replaces it, and the
app that does the replacement very likely also has an auto-restarting backup.

First look at the list of startup locations given to you by HijackThis. There
are only so many locations from which apps will be automatically started. Check
out each of the auto-boot files. Rest assured one of your villains will be
there. It is carefully named so it sounds like a legitimate file, but it is
not; e.g. named winex... sounds legit, but it is fake. It may actually be
correctly named but placed in the wrong directory.

When you find the culprit file and location you can delete it, but that will
not solve your problem, as the virus will just rewrite itself at the next cycle
or reboot. I have found a little trick for stopping the file from coming back.

Go into Notepad and save a file with the same name and to the same location
as the one you just deleted, then within the file explorer find the file you
just created and flag it read-only.

This process of discovery and removal will be a bit of trial and error, as the
virus is not going to be simple to remove... after all, it has defeated all
virus protection already. A tough virus usually has at least 3 to 5
locations that it reboots from.

After finishing you can go to the IE registry on the offending computer, bring
up the IE registry settings as previously mentioned, and do the same on your
laptop... cross-reference and fix anything that seems out of place.

If you have not already done so, run a rootkit checker. Here is a good
location for getting information and possible rootkit virus...

http://www.pchell.com/support/rootkitremovaltools.shtml

These are real tough nuts and they are not always successfully removed. If you
have one and it cannot be removed, re-installation is the only solution.

Another method for fixing Windows is to rebuild the OS, which will set
everything back to initial install settings, but all the data and info files
will be in place and still there. When rebooting with the original CD, do
not select the "...Recovery Console..." option; continue and select the
repair option "R". Note that any missing SPs or updates will have to be
reinstalled.

You can send me the HijackThis startup list and log files if you feel two
sets of eyes would be better than one.

HTH
Jim  



-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Tina Norris
Fields
Sent: Saturday, August 07, 2010 6:16 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Svchost.exe error - Update 2

Back again,

After looking at the huge number of dlls and other processes that 
appeared to be connected to dwwin.exe, I opted for a different approach.

Acting on Rusty's comment, I used the Vipre rescue and had it run a deep 
scan.  It found and cleaned 4 threat traces in the Registry.
IE7 would still not allow access to Windows update - I could get to lots 
of Internet places, including microsoft.com, but anything that got close 
to updating Windows resulted in the notice that IE could not display 
that page, that I might not be connected to the Internet, etc. - not the 
common page I usually see when IE really can't reach the Internet, but 
one with messages in red font and enclosed in black-bordered boxes.  
Also, the errant redirect continued to happen - there are about three 
different ones that I saw more than once
- one looked like a local news page, but it is not something Brad chose 
(http://www.news9today.net/money-news/latest-news.php?ex=002&tid=AOXUS1) 
I've followed up on that one now, myself - it is an advertisement entry 
point; if you try to select news, or politics, or anything from its 
navigation bar, you are sent to a page to sign up for making lots of 
money (http://www.quickcashkit.net/index2/?hop=inet2aff2&ex=002).
- one is a 'find single mates' invitation 
(http://matelocal.com/2273/?subid=directcpv-preferred-1&affid=7167)
- one was an urgent notice that the PC is infected, click here to fix it 
(looked very similar to the AntivirXP2009 that got my Dad's computer a 
couple years ago). 
Attempting to reach the Internet Options still yielded the message that 
that operation was "canceled due to security restrictions on this 
computer, please contact your system administrator."

Persuaded that something was hijacking Brad's IE7, I downloaded 
HiJackThis and ran that - I am not experienced at reading that log, but 
I really didn't spot the culprit.  If one of you is knowledgeable about 
analyzing that log, and would be willing to look it over, please let me 
know and I will pass it along to you.

Since I could get to the Internet, I went to mozilla.com and downloaded 
the current Firefox, installed it and used it to get to microsoft.com 
where I downloaded IE8 for manual installation.  Once IE8 was installed, 
we had access to the Tools > Internet Options dialog box.  Yay!  But, we 
still could not get to Windows update!  And, the redirect still popped up. 

His OS was WinXP SP2, whose support ended July 13, 2010 - so, I searched 
for how to get SP3 when I couldn't get to Windows update.  I did finally 
find a way to download that for manual installation.  SP3 was 
successfully installed yesterday after supper.  But, guess what - this 
morning, the redirect is still there, and IE cannot get to Windows 
update, and, of course the old bugaboo "generic service host error" is 
still popping up. 

This syndrome has to be an infection of some kind I'm thinking.  Unless, 
as Jim suggested, the corruption is in a location that cannot be 
substituted and the only real solution is to get a new hard drive.  Or, 
perhaps this is a combination of things 1) a corruption at the boot 
tracks, and 2) a hijacker of some sort.

I'm ready to start pricing good SATA hard drives for Brad's computer.  
He has to have a functional and reliable computer for his business 
(don't we all?).  But, it's very difficult for me to let go of a mystery 
like this - I really want to solve it.  Do you wizards have any more 
good thoughts for me?  What is redirecting Brad's IE browser?  What is 
preventing IE from getting to Windows update?  What is calling the 
svchost.exe error?

Thanks again,
T
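Neither message includes Brad's actual HijackThis log, so what follows is an added example (my own code, not from the thread, from HijackThis, or from any tool named in it) that applies Jim's checks to a constructed log excerpt written in HijackThis's line format: the R0/R1 lines stand in for the Internet Explorer "Main" start/search/default page values, the O4 lines for the Run-key autostart entries he says to inspect, and the O1 lines for a hosts-file entry that would explain why Windows Update alone is unreachable while other sites load. The sample entries, the trusted-host list, and the "clean laptop" baseline of Run-key names are all assumptions made up for illustration.

```python
"""Triage a HijackThis-style log for the symptoms described in the thread.

Added example. Everything below (log lines, host lists, baseline) is
constructed for illustration; none of it is Brad's real log.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Constructed sample in HijackThis line format (not real log data).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://redirect.example.net/latest-news.php?ex=002
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.google.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 127.0.0.1 update.microsoft.com
O1 - Hosts: 127.0.0.1 www.windowsupdate.com
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [svchost] C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
O4 - HKCU\\..\\Run: [svchost] C:\\Documents and Settings\\Brad\\Local Settings\\Temp\\svchost.exe
O4 - HKCU\\..\\Run: [winex] C:\\WINDOWS\\system32\\winex.exe
"""

# Run-key names exported from a known-clean machine (assumed stand-in for
# the laptop Jim suggests cross-referencing against).
CLEAN_RUN_NAMES = {"SoundMan"}

# Hosts a start/search/default page may legitimately point at (assumption).
TRUSTED_PAGE_HOSTS = ("microsoft.com", "msn.com", "live.com", "google.com")
# Hosts file overrides for these suffixes break Windows Update specifically.
UPDATE_HOST_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Core Windows processes are started by the service control manager or
# Winlogon, never from a Run key, so a Run entry using their name is suspect.
CORE_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Path fragments that mean "user-writable", where a legitimate autostart
# program on XP would not normally live.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\application data\\")

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.*)$")
O1_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    section: str      # HijackThis section code, e.g. "R0", "O1", "O4"
    item: str         # the raw log line
    reasons: List[str]


def matches_suffix(host: str, suffixes: Iterable[str]) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def check_page(value: str, url: str) -> List[str]:
    """R0/R1: flag start/search/default pages pointing outside trusted hosts."""
    if url.lower().startswith("about:"):
        return []
    host = urlparse(url).hostname or ""
    if not matches_suffix(host, TRUSTED_PAGE_HOSTS):
        return [f"IE {value.strip()} points at untrusted host '{host}'"]
    return []


def check_hosts(ip: str, host: str) -> List[str]:
    """O1: flag hosts-file entries that override Microsoft/Windows Update hosts."""
    if matches_suffix(host, UPDATE_HOST_SUFFIXES):
        return [f"hosts file maps {host} to {ip}; Windows Update fails while other sites load"]
    return []


def check_run(name: str, cmd: str, clean_names: Iterable[str]) -> List[str]:
    """O4: Jim's three checks on an autostart entry."""
    reasons: List[str] = []
    m = EXE_PATH.match(cmd)
    path = m.group("path") if m else cmd
    low = path.lower()
    base = ntpath.basename(low)
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"runs from a user-writable location: {path}")
    if base in CORE_PROCESS_NAMES:
        where = "in" if ntpath.dirname(low).endswith("\\system32") else "outside"
        reasons.append(f"'{base}' is a core Windows process name never launched from a Run key ({where} system32)")
    if name not in clean_names:
        reasons.append(f"Run entry [{name}] is absent from the clean baseline")
    return reasons


def triage(log_text: str, clean_run_names: Iterable[str] = CLEAN_RUN_NAMES) -> List[Finding]:
    """Return one Finding per suspicious log line, with every reason it tripped."""
    clean = set(clean_run_names)
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.rstrip()
        reasons: List[str] = []
        if (m := R_LINE.match(line)):
            reasons = check_page(m.group("value"), m.group("url"))
        elif (m := O1_LINE.match(line)):
            reasons = check_hosts(m.group("ip"), m.group("host"))
        elif (m := O4_LINE.match(line)):
            reasons = check_run(m.group("name"), m.group("cmd"), clean)
        if reasons:
            findings.append(Finding(line_no, line.split(" - ", 1)[0], line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}] {f.item}")
        for r in f.reasons:
            print("    -", r)
```

Run as-is, it flags six of the nine constructed lines: the pushed start page, both hosts-file overrides, and three Run entries. The baseline comparison is what catches a convincingly named entry such as winex.exe, which no name-based rule would; the other two Run-key rules catch the svchost.exe lookalike whether it sits in Temp or was dropped into system32 with a legitimate name. One practical caveat on the read-only placeholder trick: the attribute only stops a process that respects it, since anything running as the same user can clear it before rewriting the file, so treat the placeholder as a speed bump and the baseline comparison as the real find.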



