David
Hi all,
I got infected with a drive-by download a couple of days ago and I have
almost cleaned it all up, but not sure. I just need a bit of help to finish
off.
Let me explain the situation if it helps...
It appears that a site I went to was infected. My history has gersoft.info
and a title of My computer Online Scan. This popped up various JS alerts and
opened some windows.
I then noticed my Google links were going to other sites not relevant to
what I searched for. It had also changed my home page to google.com.
I found an IE add-on that I disabled and removed. The add-on was
C:\WINDOWS\system32\advpac.dll
I also found msword98.exe in the system32 folder. It was running in task
manager.
I got rid of both files then went to regedit to check my run keys. I found 3
keys, one for msword98, another one I can't remember and a third one for
regedit, [Regedit32] C:\WINDOWS\system32\regedit.exe
I deleted all the keys (out of both user and machine) but the regedit one
kept coming back (sure sign of something not right).
I rebooted in safe mode, deleted the regedit key then back into normal
windows. Sure enough, it has come back.
I looked in task manager and sorted all processes by name. I have a number
of svchost.exe but two were noticeable as being run by SYSTEM where all the
others had no name.
I also noted one was using a LOT of memory. I terminated it and it came
back, which meant there was a watchdog service running somewhere.
So, it took me a while, but I managed to terminate both svchost.exe that
were being run by SYSTEM. They kept starting each other up.
Once I got that done, I checked registry and deleted the regedit key and it
stayed gone. So, something in these svchosts was doing it.
Now, I can't see any out of place services in my services except maybe
Office Source Engine, but that points to an MS signed file.
Here is my HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost...
bthsvcs BthSrv
DcomLaunch DcomLaunch TermService
HTTPFilter HTTPFilter
imgsvc StiSvc
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
netsvcs 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc
EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon
LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation
Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess
SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc
xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN
NetworkService DnsCache
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
rpcss RpcSs
termsvcs TermService
I am not sure what should be going here and what I can safely remove. Also,
I am not sure if anything here will automatically stop that service from
being hosted.
Any ideas on how I can fix this and stop it from running again? At the
moment, I don't know if I have caught everything and I don't want to sign on
to anything financial until I do.
Damn these drive-by downloads. I have been hit 3 times within the past 10
months. One of them was just not going to go away and I had to restore from
a backup. (I gave it a week trying to resolve it and ended up abandoning
it.) Why don't website hosts look after their websites and close some of
these loopholes?
Oh, I have since run Sysinternals RootkitRevealer and AVG and they have
found nothing.
Any help would be appreciated.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available
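The post above asks two practical questions: which services belong in each svchost group, and which Run entries keep coming back. The script below is an added example written for this page, not something posted by Dave or shipped by Microsoft. It reads the same HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost key he pasted, resolves every listed service to its registered ServiceDll (or ImagePath), checks the Authenticode signature of that DLL, and then dumps the HKLM and HKCU Run/RunOnce entries. It changes nothing; it only reports. The function names and the table columns are my own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Audits svchost groups and Run keys
# read-only so the findings can be reviewed before anything is deleted.

$SvchostGroupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostGroupAudit {
    # Each value under the Svchost key is a REG_MULTI_SZ naming the services
    # that share one svchost.exe process (the "netsvcs", "LocalService" ... groups).
    $groups = Get-Item -Path $SvchostGroupKey
    foreach ($group in $groups.GetValueNames()) {
        foreach ($svc in @($groups.GetValue($group))) {
            $svcPath = Join-Path $ServicesKey $svc
            if (-not (Test-Path $svcPath)) {
                # A group member with no service key is dead weight, not a threat,
                # but it is worth knowing about.
                [pscustomobject]@{ Group=$group; Service=$svc; Dll='<no service key>';
                                   Signature='n/a'; Note='listed in group but not installed' }
                continue
            }
            $dll = $null
            $paramsPath = Join-Path $svcPath 'Parameters'
            if (Test-Path $paramsPath) {
                $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
            }
            if (-not $dll) {
                # No ServiceDll means the service is not actually hosted by svchost;
                # report its ImagePath instead so it can be checked by hand.
                $image = (Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue).ImagePath
                [pscustomobject]@{ Group=$group; Service=$svc; Dll='<none>';
                                   Signature='n/a'; Note="no ServiceDll; ImagePath=$image" }
                continue
            }
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path -LiteralPath $dll)) {
                [pscustomobject]@{ Group=$group; Service=$svc; Dll=$dll;
                                   Signature='n/a'; Note='ServiceDll file is missing' }
                continue
            }
            $sig  = Get-AuthenticodeSignature -FilePath $dll
            $note = ''
            if ($sig.Status -ne 'Valid') { $note = 'signature not valid: review this DLL' }
            [pscustomobject]@{ Group=$group; Service=$svc; Dll=$dll;
                               Signature=$sig.Status; Note=$note }
        }
    }
}

function Get-RunKeyEntries {
    # The classic autostart locations the post was cleaning by hand.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key=$key; Name=$p.Name; Command=$p.Value }
        }
    }
}

"=== svchost group members (unsigned or missing DLLs sort to the top) ==="
Get-SvchostGroupAudit | Sort-Object Signature, Group | Format-Table -AutoSize

"=== Run / RunOnce entries ==="
Get-RunKeyEntries | Format-Table -AutoSize
```

Two caveats when reading the output. First, most Windows system DLLs are catalog-signed rather than carrying an embedded signature, and older PowerShell builds report those as NotSigned, so treat anything other than Valid as "look at this file" rather than as proof of infection; Sysinternals sigcheck verifies catalog signatures and is the better second opinion. Second, the group listing tells you which services a svchost instance may host, not which ones are running: a process that restarts its sibling, as described in the post, is still a service (or a pair of them) registered under the Services key, so the Dll column of a hosted service that you do not recognise is the lead to follow, and the Run-key table will show any entry that keeps reappearing together with the exact command it launches.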