Tina Norris Fields
tinanfields at torchlake.com
Sun Aug 8 06:21:39 CDT 2010
Hi Jim,

I've sent you the HiJackThis log from Brad's computer off-list. Thank you for looking it over for me.

T

Jim Lawrence wrote:
> Hi Tina:
>
> It looks like it is going to take some personal intervention to remove this
> virus. With IE, it takes its cues from a registry location where the
> default or home page is stored, so IE itself is probably not infected.
>
> What is happening is that a process is being run that pushes a new location
> into the registry, and that is the same with 'blocked the access' to certain web
> locations. Run Regedit and navigate to somewhere like this:
> hkey_current_user\software\microsoft\internet explorer\... (from memory, so
> check). In this location are all the settings that control IE. A dozen weird
> hacks can be pushed into this location. I would check "Main". In there are
> stored all the search/default/load locations. These are most likely changed.
> Changing these will not give long-term relief, as the virus will do another
> update and you are back where you started from. Now you have to find the
> program that is doing the work.
>
> A sophisticated virus usually has a number of layers like an onion, so
> removing it is not easy. Just finding and removing the working virus usually
> does not work, as yet another segment of the program just replaces it, and the
> app that does the replacement very likely also has an auto-restarting backup.
>
> First look at the list of startup locations given to you by HijackThis. There
> are only so many locations where apps will be automatically started. Check
> out each of the auto-boot files. Rest assured one of your villains will be
> there. It is carefully named so it sounds like a legitimate file, but it is
> not, e.g. named winex... sounds legit but it is fake. It may actually be
> correctly named but will be placed in a wrong directory.
>
> When you find the culprit file and location you can delete it, but that will
> not solve your problem, as the virus will just rewrite itself at the next cycle
> or reboot. I have found a little trick to stop the file from coming back.
>
> Go into Notepad and save a file with the same name and to the same location
> as the one you just deleted, then within File Explorer find the file you
> just created and flag it read-only.
>
> This process of discovery and removal will be a bit trial and error, as the
> virus is not going to be simple to remove... after all, it has defeated all
> virus protection already. A tough virus usually has at least 3 to 5
> locations where it reboots from.
>
> After finishing you can go to the IE registry on the offending computer, bring
> up the IE registry settings as previously mentioned and do the same on your
> laptop... cross-reference and fix anything that seems out of place.
>
> If you have not already done so, run a rootkit checker. Here is a good
> location for getting information and possible rootkit virus...
>
> http://www.pchell.com/support/rootkitremovaltools.shtml
>
> These are real tough nuts and they are not always successfully removed. If you
> have one and it cannot be removed, re-installation is the only solution.
>
> Another method for fixing Windows is to rebuild the OS, which will set
> everything back to initial install settings, but all the data and info files
> will be in place and still there. When rebooting with the original CD, do
> not select the "...Recovery Console..." option; continue and select the
> repair option "R". Note that any missing SPs or updates will have to be
> reinstalled.
>
> You can send me the HijackThis startup list and log files if you feel two
> sets of eyes would be better than one.
>
> HTH
> Jim
>
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Tina Norris Fields
> Sent: Saturday, August 07, 2010 6:16 AM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] Svchost.exe error - Update 2
>
> Back again,
>
> After looking at the huge number of dlls and other processes that
> appeared to be connected to dwwin.exe, I opted for a different approach.
>
> Acting on Rusty's comment, I used the Vipre rescue and had it run a deep
> scan. It found and cleaned 4 threat traces in the Registry.
> IE7 would still not allow access to Windows Update - I could get to lots
> of Internet places, including microsoft.com, but anything that got close
> to updating Windows resulted in the notice that IE could not display
> that page, that I might not be connected to the Internet, etc. - not the
> common page I usually see when IE really can't reach the Internet, but
> one with messages in red font and enclosed in black-bordered boxes.
> Also, the errant redirect continued to happen - there are about three
> different ones that I saw more than once:
> - one looked like a local news page, but it is not something Brad chose
> (http://www.news9today.net/money-news/latest-news.php?ex=002&tid=AOXUS1).
> I've followed up on that one now, myself - it is an advertisement entry
> point; if you try to select news, or politics, or anything from its
> navigation bar, you are sent to a page to sign up for making lots of
> money (a known bad URL was replaced by VIPRE).
> - one is a 'find single mates' invitation
> (http://matelocal.com/2273/?subid=directcpv-preferred-1&affid=7167)
> - one was an urgent notice that the PC is infected, click here to fix it
> (looked very similar to the AntivirXP2009 that got my Dad's computer a
> couple of years ago).
>
> Attempting to reach the Internet Options still yielded the message that
> that operation was "canceled due to security restrictions on this
> computer, please contact your system administrator."
>
> Persuaded that something was hijacking Brad's IE7, I downloaded
> HiJackThis and ran that - I am not experienced at reading that log, but
> I really didn't spot the culprit. If one of you is knowledgeable about
> analyzing that log, and would be willing to look it over, please let me
> know and I will pass it along to you.
>
> Since I could get to the Internet, I went to mozilla.com and downloaded
> the current Firefox, installed it and used it to get to microsoft.com,
> where I downloaded IE8 for manual installation. Once IE8 was installed,
> we had access to the Tools > Internet Options dialog box. Yay! But, we
> still could not get to Windows Update! And, the redirect still popped up.
>
> His OS was WinXP SP2, whose support ended July 13, 2010 - so, I searched
> for how to get SP3 when I couldn't get to Windows Update. I did finally
> find a way to download that for manual installation. SP3 was
> successfully installed yesterday after supper. But, guess what - this
> morning, the redirect is still there, and IE cannot get to Windows
> Update, and, of course, the old bugaboo "generic service host error" is
> still popping up.
>
> This syndrome has to be an infection of some kind, I'm thinking. Unless,
> as Jim suggested, the corruption is in a location that cannot be
> substituted and the only real solution is to get a new hard drive. Or,
> perhaps this is a combination of things: 1) a corruption at the boot
> tracks, and 2) a hijacker of some sort.
>
> I'm ready to start pricing good SATA hard drives for Brad's computer.
> He has to have a functional and reliable computer for his business
> (don't we all?). But, it's very difficult for me to let go of a mystery
> like this - I really want to solve it. Do you wizards have any more
> good thoughts for me? What is redirecting Brad's IE browser? What is
> preventing IE from getting to Windows Update? What is calling the
> svchost.exe error?
>
> Thanks again,
> T
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
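The manual procedure Jim lays out above (dump the IE "Main" settings, walk the autostart locations HijackThis lists, flag files that are misnamed or in the wrong directory, plant a read-only placeholder, then cross-reference the registry against a clean machine) can be scripted. The following is an added example written for this page; it is not code from Jim, Tina or the dba-Tech list. It assumes PowerShell 2.0 or later on the affected Windows machine, run as the user whose IE is hijacked (the HKCU keys are per-user), and the trusted roots, the list of system binary names and the sample path passed to Block-Path are assumptions. The Restrictions policy key is included because the "canceled due to security restrictions" message Tina quotes is the text IE shows when Internet Options are disabled by policy.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ on the infected
# Windows box, run as the affected user. Trusted roots, the system-binary name
# list and any sample paths below are assumptions for illustration.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles)                        # assumption
$systemNames  = @('svchost.exe', 'winlogon.exe', 'lsass.exe', 'explorer.exe')  # assumption
$system32     = Join-Path $env:SystemRoot 'System32'

# Print every value under a registry key, skipping PowerShell's own PS* properties.
function Show-RegValues([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    "== $Key"
    (Get-ItemProperty $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "   {0} = {1}" -f $_.Name, $_.Value }
}

# 1. The IE "Main" keys (Start Page, Search Page, Default_Page_URL, ...) plus the
#    Restrictions policy key that disables Internet Options (NoBrowserOptions).
@(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
) | ForEach-Object { Show-RegValues $_ }

# Pull the executable out of a Run-key command line: "C:\x y\a.exe" /q  or  a.exe /q
function Get-ExePath([string]$Cmd) {
    if ($Cmd -match '^\s*"([^"]+)"') { $p = $matches[1] } else { $p = ($Cmd.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($p)
}

# Flag an autostart entry on the two criteria from the thread: a path outside the
# trusted roots, or a system-binary name that lives somewhere other than System32.
function Test-Suspicious([string]$Exe) {
    if (-not $Exe) { return $true }
    $dir  = Split-Path $Exe -Parent
    $leaf = Split-Path $Exe -Leaf
    $inTrusted = $false
    foreach ($r in $trustedRoots) { if ($Exe -like "$r\*") { $inTrusted = $true } }
    if (-not $inTrusted) { return $true }
    if (($systemNames -contains $leaf.ToLower()) -and ($dir -ne $system32)) { return $true }
    return $false
}

# 2. Autostart locations (the HijackThis O4 entries): Run/RunOnce keys and the
#    per-user and all-users Startup folders (XP and Vista+ layouts both checked).
$runKeys = 'Run', 'RunOnce' | ForEach-Object {
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\$_"
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\$_"
}
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    "== $k"
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $exe  = Get-ExePath ([string]$_.Value)
            $mark = if (Test-Suspicious $exe) { '!!' } else { '  ' }
            "{0} {1,-24} {2}" -f $mark, $_.Name, $_.Value
        }
}
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($d in $startupDirs) {
    if ($d -and (Test-Path $d)) { "== $d"; Get-ChildItem $d | ForEach-Object { "   " + $_.Name } }
}

# 3. Jim's placeholder trick: after deleting the culprit, occupy its path with an
#    empty read-only file so a plain rewrite under the same name fails.
function Block-Path([string]$Path) {
    if (Test-Path $Path) { throw "Delete $Path first; refusing to overwrite it." }
    $f = New-Item -ItemType File -Path $Path
    $f.Attributes = [IO.FileAttributes]::ReadOnly
    Get-Item $Path
}
# Example call with an assumed path:  Block-Path 'C:\Windows\winex.exe'

# 4. Cross-reference against a clean machine, as Jim suggests: export on both,
#    copy one file over, and diff the two exports.
#    reg export "HKCU\Software\Microsoft\Internet Explorer\Main" ie-main-brad.reg
#    Compare-Object (Get-Content ie-main-brad.reg) (Get-Content ie-main-laptop.reg)
```

Two caveats a practitioner would add. The read-only placeholder only defeats a dropper that does a plain overwrite; anything running with the user's rights can clear the attribute first, so treat it as a tripwire (if the placeholder vanishes or changes, another component is still alive) rather than a fix. And because the script runs on the compromised machine, a rootkit can lie to it just as it lies to HijackThis; if the Run keys and Startup folders look clean yet the redirect persists, that is the point at which Jim's rootkit check and the rebuild-or-reimage options become the realistic path.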