[dba-Tech] Svchost.exe error - Update 2

Tina Norris Fields tinanfields at torchlake.com
Sun Aug 8 06:21:39 CDT 2010


Hi Jim,

I've sent you the HiJackThis log from Brad's computer off-list.  Thank 
you for looking it over for me.

T

Jim Lawrence wrote:
> Hi Tina:
>
> It looks like it is going to take some personal intervention to remove this
> virus. With IE, it takes its cues from a registry location where the
> default or home page is stored so IE itself is probably not infected.
>
> What is happening is that a process is being run that pushes a new location
> into the registry and that is the same with 'blocked the access' to certain web
> locations. Run Regedit and navigate to somewhere like this:
> hkey_current_user\software\microsoft\internet explorer\... (from memory so
> check). In this location are all the settings that control IE. A dozen weird
> hacks can be pushed into this location. I would check "Main". In there are
> stored all the search/default/load locations. These are most likely changed.
> Changing these will not give long term relief as the virus will do another
> update and you are back where you started from. Now you have to find the
> program that is doing the work.
>
> A sophisticated virus usually has a number of layers like an onion so
> removing it is not easy. Just finding and removing the working virus usually
> does not work as yet another segment of the program just replaces it and the
> app that does the replacement very likely also has an auto-restarting backup.
>
> First look at the list of startup locations given to you by HijackThis. There
> are only so many locations where apps will be automatically started. Check
> out each of the auto-boot files. Rest assured one of your villains will be
> there. It is carefully named so it sounds like a legitimate file but it is
> not, e.g., named winex... sounds legit but it is fake. It may actually be
> correctly named but will be placed in a wrong directory.
>
> When you find the culprit file and location you can delete it but that will
> not solve your problem as the virus will just rewrite itself at the next cycle
> or reboot. I have found a little trick to stop the file from coming back.
>
> Go into notepad and save a file with the same name and to the same location
> as the one you just deleted, then within file-explorer find the file you
> just created and flag it read-only.
>
> This process of discovery and removal will be a bit trial and error as the
> virus is not going to be simple to remove... after all it has defeated all
> virus protection already. A tough virus usually has at least 3 to 5
> locations where it reboots from.
>
> After finishing you can go to the IE registry on the offending computer, bring
> up the IE registry settings as previously mentioned and do the same on your
> laptop... cross-reference and fix anything that seems out of place.
>
> If you have not already done so run a rootkit checker. Here is a good
> location for getting information and possible Rootkit virus... 
>
> http://www.pchell.com/support/rootkitremovaltools.shtml
>
> These are real tough nuts and they are not always successfully removed. If you
> have one and it cannot be removed, re-installation is the only solution.
>
> Another method for fixing Windows is to rebuild the OS which will set
> everything back to initial install settings but all the data and info files
> will be in place and still there. When rebooting with the original CD, do
> not select the '...Recovery Console...' option, continue and select the
> repair option "R". Note that any missing SPs or updates will have to be
> reinstalled.
>
> You can send me the HijackThis startup list and log files if you feel two
> sets of eyes would be better than one.
>
> HTH
> Jim  
>
>
>
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Tina Norris
> Fields
> Sent: Saturday, August 07, 2010 6:16 AM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] Svchost.exe error - Update 2
>
> Back again,
>
> After looking at the huge number of dlls and other processes that 
> appeared to be connected to dwwin.exe, I opted for a different approach.
>
> Acting on Rusty's comment, I used the Vipre rescue and had it run a deep 
> scan.  It found and cleaned 4 threat traces in the Registry.
> IE7 would still not allow access to Windows update - I could get to lots 
> of Internet places, including microsoft.com, but anything that got close 
> to updating Windows resulted in the notice that IE could not display 
> that page, that I might not be connected to the Internet, etc. - not the 
> common page I usually see when IE really can't reach the Internet, but 
> one with messages in red font and enclosed in black-bordered boxes.  
> Also, the errant redirect continued to happen - there are about three 
> different ones that I saw more than once
> - one looked like a local news page, but it is not something Brad chose 
> (http://www.news9today.net/money-news/latest-news.php?ex=002&tid=AOXUS1) 
> I've followed up on that one now, myself - it is an advertisement entry 
> point, if you try to select news, or politics, or anything from its 
> navigation bar, you are sent to a page to sign up for making lots of 
> money (A known bad url was replaced by VIPRE).
> - one is a 'find single mates' invitation 
> (http://matelocal.com/2273/?subid=directcpv-preferred-1&affid=7167)
> - one was an urgent notice that the PC is infected, click here to fix it 
> (looked very similar to the AntivirXP2009 that got my Dad's computer a 
> couple years ago). 
> Attempting to reach the Internet Options still yielded the message that 
> that operation was "canceled due to security restrictions on this 
> computer, please contact your system administrator."
>
> Persuaded that something was hijacking Brad's IE7, I downloaded 
> HiJackThis and ran that - I am not experienced at reading that log, but 
> I really didn't spot the culprit.  If one of you is knowledgeable about 
> analyzing that log, and would be willing to look it over, please let me 
> know and I will pass it along to you.
>
> Since I could get to the Internet, I went to mozilla.com and downloaded 
> the current Firefox, installed it and used it to get to microsoft.com 
> where I downloaded IE8 for manual installation.  Once IE8 was installed, 
> we had access to the Tools > Internet Options dialog box.  Yay!  But, we 
> still could not get to Windows update!  And, the redirect still popped up. 
>
> His OS was WinXP SP2, whose support ended July 13, 2010 - so, I searched 
> for how to get SP3 when I couldn't get to Windows update.  I did finally 
> find a way to download that for manual installation.  SP3 was 
> successfully installed yesterday after supper.  But, guess what - this 
> morning, the redirect is still there, and IE cannot get to Windows 
> update, and, of course the old bugaboo "generic service host error" is 
> still popping up. 
>
> This syndrome has to be an infection of some kind I'm thinking.  Unless, 
> as Jim suggested, the corruption is in a location that cannot be 
> substituted and the only real solution is to get a new hard drive.  Or, 
> perhaps this is a combination of things 1) a corruption at the boot 
> tracks, and 2) a hijacker of some sort.
>
> I'm ready to start pricing good SATA hard drives for Brad's computer.  
> He has to have a functional and reliable computer for his business 
> (don't we all?).  But, it's very difficult for me to let go of a mystery 
> like this - I really want to solve it.  Do you wizards have any more 
> good thoughts for me?  What is redirecting Brad's IE browser?  What is 
> preventing IE from getting to Windows update?  What is calling the 
> svchost.exe error?
>
> Thanks again,
> T
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>