Re: Drive by virus help

NB: If you had no anti-virus application installed or the subscription had expired *when the machine first got infected* and/or your subscription has since expired and/or the machine's not been kept fully-patched at Windows Update, don't waste your time with any of the below: Format & reinstall Windows. A Repair Install will NOT help!

[LOOK!!! => Your headers (Microsoft Outlook Express 6.00.2900.2180; Microsoft MimeOLE V6.00.2900.3198) tell us that your WinXP computer is NOT fully patched!]

1. See if you can download/run the MSRT manually: http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the MSRT on a non-infected machine, then transfer MRT.EXE to the infected machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan (only!) in Safe Mode with Networking, if need be: http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in http://spywarehammer.com/simplemachinesforum/index.php?board=10.0, http://www.spywarewarrior.com/viewforum.php?f=5, http://www.dslreports.com/forum/cleanup, http://www.bluetack.co.uk/forums/index.php, http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

David wrote:
I got infected with a drive by download a couple of days ago and I have
almost cleaned it all up, but not sure. I just need a bit of help to finish
off.

Let me explain the situation if it helps...

It appears that a site I went to was infected. My history has gersoft.info
and a title of My computer Online Scan. This popped up various JS alerts and
opened some windows.

I then noticed my google links were going to other sites not relevant to
what I searched for. It had also changed my home page to google.com

I found an IE add on that I disabled and removed. The addon was
C:\WINDOWS\system32\advpac.dll
I also found msword98.exe in the system32 folder. It was running in task
manager.

I got rid of both files then went to regedit to check my run keys. I found 3
keys, one for msword98, another one I can't remember and a third one for
regedit, [Regedit32] C:\WINDOWS\system32\regedit.exe

I deleted all the keys (out of both user and machine) but the regedit one
kept coming back (sure sign of something not right).

I rebooted in safe mode, deleted the regedit key then back into normal
windows. Sure enough, it has come back.

I looked in task manager and sorted all processes by name. I have a number
of svchost.exe but two were noticeable as being run by SYSTEM where all the
others had no name.

I also noted one was using a LOT of memory. I terminated it and it came
back, which meant there was a watchdog service running somewhere.

So, it took me a while, but I managed to terminate both svchost.exe that
were being run by SYSTEM. They kept starting each other up.

Once I got that done, I checked registry and deleted the regedit key and it
stayed gone. So, something in these svchosts was doing it.

Now, I can't see any out of place services in my services except maybe
Office Source Engine, but that points to an MS signed file.

Here is my HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost...

bthsvcs BthSrv
DcomLaunch DcomLaunch TermService
HTTPFilter HTTPFilter
imgsvc StiSvc
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
netsvcs 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc
EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon
LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation
Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess
SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc
xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN
NetworkService DnsCache
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
rpcss RpcSs
termsvcs TermService

I am not sure what should be going here and what I can safely remove. Also,
I am not sure if anything here will automatically stop that service from
being hosted.

Any ideas on how I can fix this and stop it from running again. At the
moment, I don't know if I have caught everything and I don't want to sign on
to anything financial until I do.

Damn these drive by downloads. I have been hit 3 times within the past 10
months. One of them was just not going to go away and I had to restore from
a backup. (I gave it a week trying to resolve it and ended up abandoning
it.) Why don't website hosts look after their websites and close some of
these loopholes?

Oh, I have since run sysinternals RootkitRevealer and avg and they have
found nothing.

Any help would be appreciated.
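One way to answer "what should be going here" is to resolve every service named in the Svchost groups to the DLL it actually loads and check where that DLL lives and whether it is signed. The script below is an added example, not part of the original thread or any of the linked tools; it assumes a current Windows with PowerShell 3 or later (Get-AuthenticodeSignature is not available on the WinXP box in the post, although the two registry keys it reads are the same ones). The function name Get-SvchostServiceAudit and the status labels are my own.

```powershell
# Added example: audit the svchost service groups the poster pasted from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. For each service
# in each group, resolve Parameters\ServiceDll, then flag entries whose DLL is
# missing, lives outside %SystemRoot%\system32, or has no valid Authenticode
# signature. Requires PowerShell 3+; run from an elevated prompt.

function Get-SvchostServiceAudit {
    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $system32    = Join-Path $env:SystemRoot 'system32'

    $groups = Get-Item -Path $svchostKey
    foreach ($group in $groups.GetValueNames()) {
        # Each value is REG_MULTI_SZ: one service name per line, exactly the
        # "netsvcs 6to4 AppMgmt ..." shape shown in the listing above.
        foreach ($svc in $groups.GetValue($group)) {
            $svcKey = Join-Path $servicesKey $svc
            if (-not (Test-Path -Path $svcKey)) {
                # Named in a group but no service key: stale entry, or nothing to host.
                [pscustomobject]@{ Group = $group; Service = $svc; Dll = '(no service key)'; Status = 'NO-SERVICE-KEY' }
                continue
            }

            # Get-ItemProperty expands REG_EXPAND_SZ, so %SystemRoot% is already resolved;
            # ExpandEnvironmentVariables is a belt-and-braces step for odd values.
            $params = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue
            $dll = $params.ServiceDll
            if (-not $dll) {
                [pscustomobject]@{ Group = $group; Service = $svc; Dll = '(no ServiceDll)'; Status = 'NO-SERVICEDLL' }
                continue
            }
            $dll = [Environment]::ExpandEnvironmentVariables($dll)

            if (-not (Test-Path -Path $dll)) {
                $status = 'DLL-NOT-FOUND'
            }
            elseif (-not $dll.StartsWith($system32, 'OrdinalIgnoreCase')) {
                # A service DLL loaded from anywhere but system32 deserves a close look.
                $status = 'OUTSIDE-SYSTEM32'
            }
            else {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $status = if ($sig.Status -eq 'Valid') { 'OK' } else { "SIG-$($sig.Status)" }
            }
            [pscustomobject]@{ Group = $group; Service = $svc; Dll = $dll; Status = $status }
        }
    }
}

# Show only the entries that need a human decision; drop the filter to see everything.
Get-SvchostServiceAudit | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Read the output as a worklist, not a verdict: a service whose DLL sits outside system32 or fails signature validation is worth looking up, but a NotSigned result on an older OS can also mean the file is catalog-signed and the cmdlet could not confirm it, so compare the file against a known-good copy or an online hash lookup before deleting anything. Entries with no service key are the ones that can be removed from a group value without affecting a running service.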
