Tina Norris Fields
tinanfields at torchlake.com
Sun Aug 15 11:53:31 CDT 2010
Thanks Rusty, I will check that. There are still issues, but at least the
computer is functional and Brad is able to conduct his business. Jim gave an
analysis of the HiJackThis log I had, with detailed instructions on what I can
do to clean up that computer. Between Brad's schedule and mine, I have not yet
taken care of that little chore. Thanks for checking up on me. I do appreciate
it.

T

Rusty Hammond wrote:
> Tina,
>
> Are you still having issues? Since you can now get to Tools/Internet Options,
> have you gone to the Connections tab, then LAN Settings, and made sure there is
> not a proxy server set up? If so, delete the information and uncheck the "Use a
> proxy server ..." option. I've seen this as a leftover from viruses before, and
> the proxy server is doing the redirecting of sites.
>
> HTH
>
> Rusty
>
> ________________________________
> From: Tina Norris Fields <tinanfields at torchlake.com>
> To: Discussion of Hardware and Software issues <dba-tech at databaseadvisors.com>
> Sent: Sun, August 8, 2010 6:21:39 AM
> Subject: Re: [dba-Tech] Svchost.exe error - Update 2
>
> Hi Jim,
>
> I've sent you the HiJackThis log from Brad's computer off-list. Thank
> you for looking it over for me.
>
> T
>
> Jim Lawrence wrote:
>
>> Hi Tina:
>>
>> It looks like it is going to take some personal intervention to remove this
>> virus. With IE, it takes its cues from a registry location where the
>> default or home page is stored, so IE itself is probably not infected.
>>
>> What is happening is that a process is being run that pushes a new location
>> into the registry, and the same goes for the 'blocked the access' to certain web
>> locations. Run Regedit and navigate to somewhere like this:
>> hkey_current_user\software\microsoft\internet explorer\... (from memory, so
>> check). In this location are all the settings that control IE. A dozen weird
>> hacks can be pushed into this location. I would check "Main". In there are
>> stored all the search/default/load locations. These are most likely changed.
>> Changing these will not give long-term relief, as the virus will do another
>> update and you are back where you started from. Now you have to find the
>> program that is doing the work.
>>
>> A sophisticated virus usually has a number of layers, like an onion, so
>> removing it is not easy. Just finding and removing the working virus usually
>> does not work, as yet another segment of the program just replaces it, and the
>> app that does the replacement very likely also has an auto-restarting backup.
>>
>> First look at the list of startup locations given to you by Hack-This. There
>> are only so many locations where apps will be automatically started. Check
>> out each of the auto-boot files. Rest assured one of your villains will be
>> there. It is carefully named so it sounds like a legitimate file, but it is
>> not. I.e. named winex... sounds legit, but it is fake. It may actually be
>> correctly named but will be placed in a wrong directory.
>>
>> When you find the culprit file and location you can delete it, but that will
>> not solve your problem, as the virus will just rewrite itself at the next cycle
>> or reboot. I have found a little trick to stop the file from coming back.
>>
>> Go into Notepad and save a file with the same name and to the same location
>> as the one you just deleted, then within File Explorer find the file you
>> just created and flag it read-only.
>>
>> This process of discovery and removal will be a bit trial and error, as the
>> virus is not going to be simple to remove... after all, it has defeated all
>> virus protection already. A tough virus usually has at least 3 to 5
>> locations where it reboots from.
>>
>> After finishing you can go to the IE registry on the offending computer, bring
>> up the IE registry settings as previously mentioned, and do the same on your
>> laptop... cross-reference and fix anything that seems out of place.
>>
>> If you have not already done so, run a rootkit checker. Here is a good
>> location for getting information and possible rootkit virus...
>>
>> http://www.pchell.com/support/rootkitremovaltools.shtml
>>
>> These are real tough nuts and they are not always successfully removed. If you
>> have one and it cannot be removed, re-installation is the only solution.
>>
>> Another method for fixing Windows is to rebuild the OS, which will set
>> everything back to initial install settings, but all the data and info files
>> will be in place and still there. When rebooting with the original CD, do
>> not select the '...Recovery Console...' option; continue and select the
>> repair option "R". Note that any missing SPs or updates will have to be
>> reinstalled.
>>
>> You can send me the Hack-This startup list and log files if you feel two
>> sets of eyes would be better than one.
>>
>> HTH
>> Jim
>>
>> -----Original Message-----
>> From: dba-tech-bounces at databaseadvisors.com
>> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Tina Norris
>> Fields
>> Sent: Saturday, August 07, 2010 6:16 AM
>> To: Discussion of Hardware and Software issues
>> Subject: Re: [dba-Tech] Svchost.exe error - Update 2
>>
>> Back again,
>>
>> After looking at the huge number of DLLs and other processes that
>> appeared to be connected to dwwin.exe, I opted for a different approach.
>>
>> Acting on Rusty's comment, I used the Vipre rescue and had it run a deep
>> scan. It found and cleaned 4 threat traces in the Registry.
>> IE7 would still not allow access to Windows Update - I could get to lots
>> of Internet places, including microsoft.com, but anything that got close
>> to updating Windows resulted in the notice that IE could not display
>> that page, that I might not be connected to the Internet, etc. - not the
>> common page I usually see when IE really can't reach the Internet, but
>> one with messages in red font and enclosed in black-bordered boxes.
>> Also, the errant redirect continued to happen - there are about three
>> different ones that I saw more than once:
>> - one looked like a local news page, but it is not something Brad chose
>> (http://www.news9today.net/money-news/latest-news.php?ex=002&tid=AOXUS1).
>> I've followed up on that one now, myself - it is an advertisement entry
>> point; if you try to select news, or politics, or anything from its
>> navigation bar, you are sent to a page to sign up for making lots of
>> money (a known bad URL was replaced by VIPRE).
>> - one is a 'find single mates' invitation
>> (http://matelocal.com/2273/?subid=directcpv-preferred-1&affid=7167)
>> - one was an urgent notice that the PC is infected, click here to fix it
>> (looked very similar to the AntivirXP2009 that got my Dad's computer a
>> couple of years ago).
>> Attempting to reach the Internet Options still yielded the message that
>> that operation was "canceled due to security restrictions on this
>> computer, please contact your system administrator."
>>
>> Persuaded that something was hijacking Brad's IE7, I downloaded
>> HiJackThis and ran that - I am not experienced at reading that log, but
>> I really didn't spot the culprit. If one of you is knowledgeable about
>> analyzing that log, and would be willing to look it over, please let me
>> know and I will pass it along to you.
>>
>> Since I could get to the Internet, I went to mozilla.com and downloaded
>> the current Firefox, installed it and used it to get to microsoft.com,
>> where I downloaded IE8 for manual installation. Once IE8 was installed,
>> we had access to the Tools > Internet Options dialog box. Yay! But we
>> still could not get to Windows Update! And the redirect still popped up.
>>
>> His OS was WinXP SP2, whose support ended July 13, 2010 - so I searched
>> for how to get SP3 when I couldn't get to Windows Update. I did finally
>> find a way to download that for manual installation. SP3 was
>> successfully installed yesterday after supper. But, guess what - this
>> morning, the redirect is still there, and IE cannot get to Windows
>> Update, and, of course, the old bugaboo "generic service host error" is
>> still popping up.
>>
>> This syndrome has to be an infection of some kind, I'm thinking. Unless,
>> as Jim suggested, the corruption is in a location that cannot be
>> substituted and the only real solution is to get a new hard drive. Or
>> perhaps this is a combination of things: 1) a corruption at the boot
>> tracks, and 2) a hijacker of some sort.
>>
>> I'm ready to start pricing good SATA hard drives for Brad's computer.
>> He has to have a functional and reliable computer for his business
>> (don't we all?). But it's very difficult for me to let go of a mystery
>> like this - I really want to solve it. Do you wizards have any more
>> good thoughts for me? What is redirecting Brad's IE browser? What is
>> preventing IE from getting to Windows Update? What is calling the
>> svchost.exe error?
>>
>> Thanks again,
>> T
>>
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
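Rusty's proxy check and Jim's walk-through of the IE "Main" registry settings and the autostart locations, gathered into one read-only audit script. This is an added example, not code from the thread; it assumes PowerShell 3 or later, uses the standard IE/Windows registry paths, and the list of "expected" program directories used to flag autostart entries is an assumption.

```powershell
# Added audit script (not from the thread). Reads only; nothing is changed.
$ErrorActionPreference = 'SilentlyContinue'

# The proxy that Rusty suspects, plus the start/search/default pages Jim
# says live under Internet Explorer\Main.
function Get-IESettingsReport {
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $p = Get-ItemProperty -Path $inet
    $m = Get-ItemProperty -Path $main
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable     # 1 = "Use a proxy server" is ticked
        ProxyServer   = $p.ProxyServer     # host:port all browsing is routed through
        AutoConfigURL = $p.AutoConfigURL   # PAC script: another way to redirect sites
        StartPage     = $m.'Start Page'
        SearchPage    = $m.'Search Page'
        DefaultPage   = $m.Default_Page_URL
    }
}

# Autostart locations (Run/RunOnce in both hives). An entry is flagged when its
# executable is missing or lives outside the usual system/program directories,
# the "right name, wrong directory" pattern Jim describes. Directory list assumed.
function Get-AutostartReport {
    $keys = 'HKCU', 'HKLM' | ForEach-Object {
        "$($_):\Software\Microsoft\Windows\CurrentVersion\Run",
        "$($_):\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k
        if (-not $props) { continue }
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($n in $names) {
            $cmd = [string]$props.($n.Name)
            # Strip quotes and arguments to isolate the executable path.
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $inTrusted = $trusted | Where-Object { $exe -like "$_*" }
            [pscustomobject]@{
                Key = $k; Name = $n.Name; Command = $cmd
                Suspicious = (-not $inTrusted) -or (-not (Test-Path $exe))
            }
        }
    }
}

Get-IESettingsReport | Format-List
Get-AutostartReport  | Format-Table -AutoSize
```

Run the same script on a known-clean machine and compare the two reports, which is the cross-reference Jim suggests doing against the laptop.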