Drive by virus help


David

Hi all,

I got infected with a drive by download a couple of days ago and I have
almost cleaned it all up, but not sure. I just need a bit of help to finish
off.

Let me explain the situation if it helps...

It appears that a site I went to was infected. My history has gersoft.info
and a title of My computer Online Scan. This popped up various JS alerts and
opened some windows.

I then noticed my google links were going to other sites not relevant to
what I searched for. It had also changed my home page to google.com

I found an IE add on that I disabled and removed. The addon was
C:\WINDOWS\system32\advpac.dll
I also found msword98.exe in the system32 folder. It was running in task
manager.

I got rid of both files then went to regedit to check my run keys. I found 3
keys, one for msword98, another one I can't remember and a third one for
regedit, [Regedit32] C:\WINDOWS\system32\regedit.exe

I deleted all the keys (out of both user and machine) but the regedit one
kept coming back (sure sign of something not right).

I rebooted in safe mode, deleted the regedit key then back into normal
windows. Sure enough, it has come back.

I looked in task manager and sorted all processes by name. I have a number
of svchost.exe but two were noticeable as being run by SYSTEM where all the
others had no name.

I also noted one was using a LOT of memory. I terminated it and it came
back, which meant there was a watchdog service running somewhere.

So, it took me a while, but I managed to terminate both svchost.exe that
were being run by SYSTEM. They kept starting each other up.

Once I got that done, I checked registry and deleted the regedit key and it
stayed gone. So, something in these svchosts was doing it.

Now, I can't see any out of place services in my services except maybe
Office Source Engine, but that points to an MS signed file.

Here is my HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost...

bthsvcs BthSrv
DcomLaunch DcomLaunch TermService
HTTPFilter HTTPFilter
imgsvc StiSvc
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
netsvcs 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc
EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon
LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation
Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess
SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc
xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN
NetworkService DnsCache
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
rpcss RpcSs
termsvcs TermService

I am not sure what should be going here and what I can safely remove. Also,
I am not sure if anything here will automatically stop that service from
being hosted.

Any ideas on how I can fix this and stop it from running again? At the
moment, I don't know if I have caught everything and I don't want to sign on
to anything financial until I do.

Damn these drive by downloads. I have been hit 3 times within the past 10
months. One of them was just not going to go away and I had to restore from
a backup. (I gave it a week trying to resolve it and ended up abandoning
it.) Why don't website hosts look after their websites and close some of
these loopholes?

Oh, I have since run sysinternals RootkitRevealer and avg and they have
found nothing.

Any help would be appreciated.

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available
 

PA Bear [MS MVP]

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

[LOOK!!! => Your headers (Microsoft Outlook Express 6.00.2900.2180;
Microsoft MimeOLE V6.00.2900.3198) tell us that your WinXP computer is NOT
fully patched!]

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

David

Hi,

I am an experienced computer user. I used to do tech support up until about
10 years ago when I moved into programming.

I am pretty good at handling virii and keeping my notebook clean. However,
this one appeared different.

I used onecare and it found two files (one I was aware of, that I had
renamed out of the way). Both were part of Trojan:Win32/Delf.gen!C

I have had problems with some of the windows updates crashing my notebook
while installing, so can't keep it up to date. Aside from that, some of my
software relies on specific versions of windows applications and without a
thorough test of the updates, I can't just simply update everything.

However, even though your response helped me to resolve the issue, it didn't
really answer my question (though I admit, I didn't ask the question
clearly). An answer that I could use for future reference and my knowledge.

That was:
How do I stop something being started up by svchost.exe. I can stop things
starting up from the Run key and from startup quite easily, but I have no
clue about svchost, especially if I can't see the service in the services
console.

Anyhow, thank you for your help. It is much appreciated.

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

Malke

David said:
I am an experienced computer user. I used to do tech support up until
about 10 years ago when I moved into programming.

Tech support 10 years ago was quite different than it is now. This is not to
disparage your Mad Skilz, just a comment.

(snippage)
I have had problems with some of the windows updates crashing my notebook
while installing, so can't keep it up to date. Aside from that, some of my
software relies on specific versions of windows applications and without a
thorough test of the updates, I can't just simply update everything.

Then use virtual machines instead of running an unpatched, compromised
system. This is what most developers/testers do. Find out why the updates
are "crashing" your notebook. Something is wrong because none of my Windows
machines and none of my clients' Windows machines "crash" with updates. One
of the first rules for good security is to keep your operating system
patched. This is not limited to Windows operating systems.
How do I stop something being started up by svchost.exe. I can stop things
starting up from the Run key and from startup quite easily, but I have no
clue about svchost, especially if I can't see the service in the services
console.

You don't. Lots of necessary things use svchost.exe. You keep your computer
clean, virus/malware-free, patched, and you practice Safe Hex. Then you
won't get infected.

Svchost.exe in Windows XP - http://support.microsoft.com/kb/314056/EN-US/
and http://windowsxp.mvps.org/svchost.htm

Malke
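One way to look at David's question from the defender's side, as an added example that is not part of this thread and not Malke's, Microsoft's or David's code: a read-only Windows PowerShell script (PowerShell is assumed to be installed, which on XP is a separate download, and the prompt is assumed to be elevated) that walks the same Svchost group key David pasted, resolves every hosted service name to the DLL it loads from its Parameters\ServiceDll value, and checks the file's Authenticode signature. It removes nothing; it narrows the list to the entries that deserve a closer look, and the rest can be compared against the KB article Malke linked.

```powershell
# Added example, not from the thread: list every service hosted by svchost.exe,
# according to the Svchost group key, with the DLL each service loads and whether
# that DLL carries a valid Authenticode signature. Read-only; run elevated.

function Get-SvchostHostedService {
    $groupKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Every value under the Svchost key is a group name (netsvcs, LocalService, ...)
    # whose REG_MULTI_SZ data lists the services that share one svchost.exe process.
    $groups = (Get-ItemProperty -Path $groupKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }

    foreach ($group in $groups) {
        foreach ($svcName in @($group.Value)) {
            $svcKey = Join-Path $servicesKey $svcName
            if (-not (Test-Path $svcKey)) {
                # Listed in a group but never registered as a service: nothing is
                # actually hosted under this name, so the entry is inert.
                New-Object PSObject -Property @{
                    Group = $group.Name; Service = $svcName; Start = 'n/a'
                    ImagePath = '(no service key)'; ServiceDll = ''; Signature = 'n/a'
                }
                continue
            }

            $svc    = Get-ItemProperty -Path $svcKey
            $params = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue
            $dll    = if ($params -and $params.ServiceDll) {
                          [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
                      } else { '' }

            # The signature check is what separates a genuine Microsoft DLL from a
            # look-alike dropped into system32: a real one reports 'Valid'.
            $sig = if ($dll -and (Test-Path $dll)) {
                       (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                   } elseif ($dll) { 'file missing' } else { 'no ServiceDll' }

            New-Object PSObject -Property @{
                Group      = $group.Name
                Service    = $svcName
                Start      = $svc.Start        # 2 = automatic, 3 = manual, 4 = disabled
                ImagePath  = $svc.ImagePath    # expected: ...\svchost.exe -k <Group>
                ServiceDll = $dll
                Signature  = $sig
            }
        }
    }
}

# Show only the entries worth a closer look: host DLL not validly signed or
# missing, or an ImagePath that does not name the group the service is listed in.
Get-SvchostHostedService |
    Where-Object { $_.Signature -ne 'Valid' -or $_.ImagePath -notmatch "svchost\.exe -k $($_.Group)" } |
    Select-Object Group, Service, Start, ImagePath, ServiceDll, Signature |
    Format-Table -AutoSize
```

The listing makes the point that svchost.exe is only a host: a service that turns up here with an unsigned or missing ServiceDll is the thing to investigate, and once its name is known it can be stopped and disabled like any other service (in the services console, or with `sc config <name> start= disabled`), after which the svchost.exe process that was carrying it simply no longer loads that DLL. A name that appears in a group but has no service key does nothing and can be ignored.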
 

David

Hi,

Yeah, I know the IT support world has moved on a lot since I did it. Still,
my general OS skills should still be good.

My current notebook is about 3 or 4 years old now. I will be getting a new
one soon and when that arrives, I will be using VMs on it as a lot of the
software I use doesn't work under vista and probably won't work under
Windows 7. I don't think my current machine has the power to handle another
VM as well as my main OS.

I am currently implementing other data security measures for my stuff. I am
trying to get my NTBackup working without failing out on volume shadow copy.
I will also be utilising my SVN to backup (and version) my developments.
(VSS is failing on MSDEWriter, which then knocks off VSS for all other files
in use as well)

Coming from a support background though, I have worked with many companies
that do not roll out any updates until they have been thoroughly tested in
their working scenario. This is because the updates can and do cause
problems.

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available
 

Twayne

It sounds like you could really benefit from using either Norton Ghost
or Acronis True Image; both are disk imaging programs.
I doubt very much that ntbackup will work across operating systems
like XP and Vista or 7. For whatever reason they never seem to be
backward compatible so keep the old system around until you're certain
the new setup is running perfectly. Historically though you may lose
backups prior to the new machine. I'm sure if I'm wrong someone will
step in and correct me but I'm pretty sure I'm right, just not positive.

Imaging programs don't have operating system ties and thus don't care
what the OS is as long as they can run on it. The two I mentioned seem
to be the best/most popular and should play nicely for you. Still:
Check their usability on your OS before purchasing, of course as one
should always do, just in case.
You'll appreciate the bells & whistles and easy use of either imaging
program. If you need to clone drives, I know Ghost can but not sure of
True Image - if it matters, you'd have to check on that. With two
external terabyte drives I find I can keep nearly a year's worth of
historical data at hand and periodically I make it permanent by copying
to DVDs that go off to my sister's for storage (we trade backups).

BootItNG is another imaging program that's decent as long as you are on
the techie side; not as user friendly but fully functional although I
haven't looked at it in years. It used to be free: Norton and Acronis
are not, but have trial periods.

HTH,

Twayne
 

PA Bear [MS MVP]

You're welcome & thanks for your feedback.

What Malke said. See these references in your efforts to avoid problems
like this in the future:

Protect Your PC!
http://www.microsoft.com/athome/security/computer/default.mspx

Steps To Help Prevent Spyware
http://www.microsoft.com/protect/computer/spyware/prevent.mspx

Steps to Help Prevent Computer Worms
http://www.microsoft.com/protect/computer/viruses/worms/prevent.mspx

Avoid Rogue Security Software!
http://www.microsoft.com/protect/computer/viruses/rogue.mspx

NB: No security software or built-in OS security (e.g., UAC; Protected Mode)
can protect your computer against your own, chosen actions (e.g., P2P
file-sharing; ignoring legitimate security warnings; failing to keep your
computer fully-patched).



David wrote:
How do I stop something being started up by svchost.exe. I can stop things
starting up from the Run key and from startup quite easily, but I have no
clue about svchost, especially if I can't see the service in the services
console.

Anyhow, thank you for your help. It is much appreciated.
<snip>
 
