Re: Drive by virus help



Hi,

I am an experienced computer user. I used to do tech support up until about
10 years ago when I moved into programming.

I am pretty good at handling viruses and keeping my notebook clean. However,
this one appeared different.

I used onecare and it found two files (one I was aware of, that I had
renamed out of the way). Both were part of Trojan:Win32/Delf.gen!C

I have had problems with some of the Windows updates crashing my notebook
while installing, so I can't keep it up to date. Aside from that, some of my
software relies on specific versions of Windows applications and without a
thorough test of the updates, I can't just simply update everything.

However, even though your response helped me to resolve the issue, it didn't
really answer my question (though I admit I didn't ask the question
clearly): an answer that I could use for future reference and my knowledge.

That was:
How do I stop something being started up by svchost.exe? I can stop things
starting up from the Run key and from Startup quite easily, but I have no
clue about svchost, especially if I can't see the service in the Services
console.

Anyhow, thank you for your help. It is much appreciated.

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available
"PA Bear [MS MVP]" <PABearMVP@xxxxxxxxx> wrote in message
news:%23P%23lP%23RGKHA.4732@xxxxxxxxxxxxxxxxxxxxxxx
NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

[LOOK!!! => Your headers (Microsoft Outlook Express 6.00.2900.2180;
Microsoft MimeOLE V6.00.2900.3198) tell us that your WinXP computer is NOT
fully patched!]

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection'
scan (only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

David wrote:
I got infected with a drive-by download a couple of days ago and I have
almost cleaned it all up, but I'm not sure. I just need a bit of help to
finish off.

Let me explain the situation if it helps...

It appears that a site I went to was infected. My history has gersoft.info
and a title of "My computer Online Scan". This popped up various JS alerts
and opened some windows.

I then noticed my Google links were going to other sites not relevant to
what I searched for. It had also changed my home page to google.com.

I found an IE add-on that I disabled and removed. The add-on was
C:\WINDOWS\system32\advpac.dll
I also found msword98.exe in the system32 folder. It was running in Task
Manager.

I got rid of both files, then went to regedit to check my Run keys. I found
3 keys: one for msword98, another one I can't remember, and a third one for
regedit, [Regedit32] C:\WINDOWS\system32\regedit.exe

I deleted all the keys (out of both user and machine) but the regedit one
kept coming back (a sure sign of something not right).

I rebooted in Safe Mode, deleted the regedit key, then went back into normal
Windows. Sure enough, it has come back.

I looked in Task Manager and sorted all processes by name. I have a number
of svchost.exe but two were noticeable as being run by SYSTEM where all the
others had no name.

I also noted one was using a LOT of memory. I terminated it and it came
back, which meant there was a watchdog service running somewhere.

So, it took me a while, but I managed to terminate both svchost.exe that
were being run by SYSTEM. They kept starting each other up.

Once I got that done, I checked the registry and deleted the regedit key and
it stayed gone. So, something in these svchosts was doing it.

Now, I can't see any out-of-place services in my Services except maybe
Office Source Engine, but that points to an MS-signed file.

Here is my HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost...

bthsvcs BthSrv
DcomLaunch DcomLaunch TermService
HTTPFilter HTTPFilter
imgsvc StiSvc
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
netsvcs 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN
NetworkService DnsCache
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
rpcss RpcSs
termsvcs TermService

I am not sure what should be going here and what I can safely remove. Also,
I am not sure if anything here will automatically stop that service from
being hosted.

Any ideas on how I can fix this and stop it from running again? At the
moment, I don't know if I have caught everything and I don't want to sign on
to anything financial until I do.

Damn these drive-by downloads. I have been hit 3 times within the past 10
months. One of them was just not going to go away and I had to restore from
a backup. (I gave it a week trying to resolve it and ended up abandoning
it.) Why don't website hosts look after their websites and close some of
these loopholes?

Oh, I have since run Sysinternals RootkitRevealer and AVG and they have
found nothing.

Any help would be appreciated.
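Editor's added example (not part of the thread, and not code from any of its
posters): the question of how something gets "started by svchost.exe" comes
down to two registry locations. svchost.exe -k <group> reads the group's
member list from the svchost key David pasted above, and for each member it
loads the DLL named in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll.
A service that is not obvious in the Services console can still be found by
walking those two lists, and once it has a name it can be stopped and
disabled like any other service. The script below does that walk offline:
the group listing is abridged from the post, the ServiceDll table is
constructed to resemble typical XP entries, and EXAMPLE_SUSPECT with its
C:\WINDOWS\Temp path is a hypothetical placeholder standing in for a DLL
dropped outside system32.

```python
# Added example (not from the thread): audit which DLLs the svchost service
# groups would load, to locate a service that "starts from svchost.exe".
# Both inputs below are constructed for this example.

SYSTEM_ROOT = r"C:\WINDOWS"

# Constructed: the svchost group list, one group per line (group name first,
# then its member service names), abridged from the listing in the post.
# EXAMPLE_SUSPECT is a hypothetical placeholder, not a real service name.
SVCHOST_GROUPS_TEXT = """\
DcomLaunch DcomLaunch TermService
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
netsvcs 6to4 AppMgmt AudioSrv Browser CryptSvc Schedule wuauserv EXAMPLE_SUSPECT
NetworkService DnsCache
rpcss RpcSs
"""

# Constructed: service name -> ServiceDll value as "reg query" would show it
# under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.  Paths are
# written to resemble typical XP entries; the EXAMPLE_SUSPECT entry is a
# placeholder for a DLL living outside %SystemRoot%\system32.
SERVICE_DLLS = {
    "DcomLaunch": r"%SystemRoot%\system32\rpcss.dll",
    "TermService": r"%SystemRoot%\System32\termsrv.dll",
    "Alerter": r"%SystemRoot%\System32\alrsvc.dll",
    "WebClient": r"%SystemRoot%\System32\webclnt.dll",
    "LmHosts": r"%SystemRoot%\System32\lmhsvc.dll",
    "RemoteRegistry": r"%SystemRoot%\system32\regsvc.dll",
    "AudioSrv": r"%SystemRoot%\System32\audiosrv.dll",
    "Browser": r"%SystemRoot%\System32\browser.dll",
    "CryptSvc": r"%SystemRoot%\System32\cryptsvc.dll",
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuauserv.dll",
    "DnsCache": r"%SystemRoot%\System32\dnsrslvr.dll",
    "RpcSs": r"%SystemRoot%\system32\rpcss.dll",
    "EXAMPLE_SUSPECT": r"C:\WINDOWS\Temp\placeholder.dll",
}


def parse_groups(text):
    """Turn the svchost key listing into {group: [service, ...]}."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            groups[parts[0]] = parts[1:]
    return groups


def expand_system_root(path, system_root=SYSTEM_ROOT):
    """Expand a leading %SystemRoot% (case-insensitive) the way the SCM does."""
    token = "%systemroot%"
    if path.lower().startswith(token):
        return system_root + path[len(token):]
    return path


def in_system32(path, system_root=SYSTEM_ROOT):
    """True when the expanded path sits under %SystemRoot%\\system32."""
    norm = expand_system_root(path, system_root).lower()
    return norm.startswith(system_root.lower() + "\\system32\\")


def hosts_of(groups, service):
    """Return the svchost group(s) that would host the given service name."""
    return [g for g, members in groups.items() if service in members]


def audit(groups, service_dlls, system_root=SYSTEM_ROOT):
    """Return findings for group members whose ServiceDll is outside system32.

    Members with no ServiceDll are skipped on purpose: XP lists many optional
    services (6to4, AppMgmt, ...) in netsvcs that are simply not installed
    on a given machine, so a missing entry is normal, not suspicious.
    """
    findings = []
    for group, members in groups.items():
        for svc in members:
            dll = service_dlls.get(svc)
            if dll is None:
                continue
            if not in_system32(dll, system_root):
                findings.append({
                    "group": group,
                    "service": svc,
                    "dll": expand_system_root(dll, system_root),
                    "reason": "ServiceDll outside %SystemRoot%\\system32",
                })
    return findings


if __name__ == "__main__":
    groups = parse_groups(SVCHOST_GROUPS_TEXT)
    for f in audit(groups, SERVICE_DLLS):
        print(f"[{f['group']}] {f['service']}: {f['dll']} ({f['reason']})")
```

On a live XP box the same walk is done by hand: `tasklist /svc` shows which
service names each svchost.exe PID is hosting, `reg query
"HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters" /v ServiceDll`
shows the DLL behind each name, and once the offending name is known `sc
stop <name>` followed by `sc config <name> start= disabled` keeps svchost
from hosting it again. The path check here catches only a DLL dropped
outside system32; a service whose legitimate ServiceDll value has been
repointed at a file inside system32 needs the DLL itself checked (signature,
file version) rather than just its location.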
