
win32/heur hijacked my svhost [Moved]


23 replies to this topic

#1 raas311

  • Members
  • 11 posts

Posted 24 July 2009 - 10:05 PM

I have found viruses with AVG and AVG won't clean them because they are white-listed. The virus is win32/heur; it has attached itself to all my svhost files. There is another trojan and I believe the file it affects is c:\windows\system32\drivers\etc\host. There is a lot more going on.

I feel like I am being tricked into believing my system is safe. I have AVG antivirus only. My firewall is VISTA and I am convinced it is compromised. Can anyone please offer me some insight.

I cannot connect to any of the usual scanner sites. I always get a page with "diagnose with windows" or something like that, and when I press yes it always gives me an error message saying that Windows cannot solve this problem and I should contact my internet service provider. I have tried Kaspersky, Housecall (Trend Micro), PandaSoft, Norton (Symantec), and McAfee. I cannot connect to any of them online. But I get my Google home page. I can type in anything else and browse any other websites. I have DDS and HJT reports waiting and AVG reports. I will post them to anyone who would like to help.

I also have my web search trying to creep up in my start up. Also, recently a do_not_delete_file is in my start up, registry entries, and in the Windows system32 folder. AVG did not find these other problems and weird files; I have simply watched them pop up out of nowhere and see traces of them in the system event logs.
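Being unable to reach any scanner site while the rest of the web works is the classic symptom of a tampered hosts file, which the poster already suspects. The following is an added example, not code from the thread or from any tool named in it: it parses hosts-file text and flags mappings a responder should review. The sample hosts content and the vendor watchlist are constructed assumptions.

```python
# Added example (not from the thread): audit a hosts file for entries that
# block or redirect security-vendor sites, the symptom raas311 describes.
import ipaddress
import re

# Constructed sample in the layout of %SystemRoot%\System32\drivers\etc\hosts:
# the first two mappings are normal, the rest pin vendor sites to bogus addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
0.0.0.0         housecall.trendmicro.com
10.0.0.99       www.malwarebytes.org   # redirected to a constructed address
127.0.0.1       update.example-tool.invalid
"""

# Vendors the thread names as unreachable; this watchlist is an assumption.
VENDOR_DOMAINS = ("kaspersky", "trendmicro", "pandasecurity",
                  "symantec", "mcafee", "malwarebytes")

def parse_hosts(text):
    """Return (ip, hostname) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        entries.extend((ip, name.lower()) for name in names)
    return entries

def suspicious_entries(text):
    """Return (ip, hostname, reason) for every entry a responder should review."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        if name == "localhost" and sinkholed:
            continue  # the only mapping a stock Windows hosts file needs
        if any(vendor in name for vendor in VENDOR_DOMAINS):
            flagged.append((ip, name, "security vendor redirected"))
        elif sinkholed:
            flagged.append((ip, name, "site pinned to loopback/0.0.0.0"))
    return flagged
```

On a live machine, read the real file into `suspicious_entries` instead of `SAMPLE_HOSTS`; an empty result means the hosts file is not what is blocking the scanner sites and the cause lies elsewhere (proxy settings, DNS, or a filtering driver).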


#2 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 24 July 2009 - 10:38 PM

What you describe sounds like malware issues, so I am moving this topic to the Am I Infected forum.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 24 July 2009 - 11:44 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate Notification bullet and press Submit.



Let's take a look with Malwarebytes.

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double-click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#4 raas311

  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2009 - 11:58 AM

Hi Computer Pro,

Thank you for your time. I am attempting to link to the Malwarebytes site but to no avail. The same thing is happening when I go to Kaspersky, Housecall, Panda etc. I cannot link to any site that would give me any type of scanner! Very frustrating. I appreciate any feedback or advice you can give me.

Thanks again Raas311

#5 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 25 July 2009 - 12:06 PM

Is there a way that you could transfer the file from another computer via USB or CD?
Computer Pro

#6 snowdrop

  • Members
  • 513 posts

Posted 25 July 2009 - 12:27 PM

Could you please clarify...

my firewall is VISTA


Do you actually mean this is your Windows version and NOT your firewall/OR that your OS is Vista and you have ITS Firewall enabled?


What is your Installed Resident Antivirus program?

What other protection programs do you have ?

#7 raas311

  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2009 - 03:12 PM

is there a way that you could transfer the file from another computer via USB or CD?



Not today, but if you have a suggestion then please share it. I will try to get another computer here. Just tell me what to do.

#8 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 25 July 2009 - 03:17 PM

Maybe drop by a neighbor's house and ask for a favor to let you download something to your USB.
Computer Pro

#9 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 25 July 2009 - 03:23 PM

http://www.filehippo.com/download_malwarebytes_anti_malware/

See if you can access this download

When you hit save, you might rename it then

Try this to install MBAM

Try renaming the setup file to install.com

try installing in safe mode

Here's a random renamer for MBAM if you can get it installed

http://kixhelp.com/wr/files/mb/randmbam.exe

Here's a link for MBAM definition update

http://www.gt500.org/malwarebytes/database.jsp
Chewy

No. Try not. Do... or do not. There is no try.

#10 raas311

  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2009 - 03:25 PM

Could you please clarify...

my firewall is VISTA


Do you actually mean this is your Windows version and NOT your firewall/OR that your OS is Vista and you have ITS Firewall enabled?


What is your Installed Resident Antivirus program?

What other protection programs do you have ?



Hi snowdrop,

Sorry about the confusion. I was referring to my OS and I have Windows Firewall enabled. I am not running any other firewalls. My resident antivirus program is AVG Antivirus.

I have a number of programs; I will state a few here:

---AVG Antivirus
---Advanced System Care
---Advanced Uninstaller Pro
---NTI Backup Now
---IOBit Security 360
---Vuze

These are primarily programs that I frequently use. They deal mostly with program and system files.

#11 snowdrop

  • Members
  • 513 posts

Posted 25 July 2009 - 04:13 PM

My resident antivirus program is AVG Antivirus.


Is it this version, the full version of AVG?
http://www.avg.com/product-avg-internet-se...amp;cmpid=fs013

As, if so, you are actually running two firewalls :thumbsup:


Vuze


You may wish to reconsider this as it has the potential for P2P hazards.

http://www.vuze.com/app

secret sauce behind Vuze is peer-to-peer technology (often called P2P), and specifically, a protocol called bittorrent. So, what is P2P? What is bittorrent? How does it work and why should it matter to you? Learn more >

>>> http://www.vuze.com/corp/Technology.html

You may be sharing more than you know and receiving more than you wish to>>>>>>>>>>

I would politely suggest you may wish to uninstall that program :flowers:

Have you managed to follow DaChew's help to get the Malwarebytes program from a legit source onto the computer?

#12 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 25 July 2009 - 05:35 PM

We may be spinning our wheels here; Virut has gotten a new file update.

C:\WINDOWS\system32\do_not_delete.exe



Everything else points to that already.

You said you had do_not_delete_file, are you sure about the file part?
Chewy

No. Try not. Do... or do not. There is no try.

#13 raas311

  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2009 - 05:48 PM

My resident antivirus program is AVG Antivirus.


Is it this version, the full version of AVG?
http://www.avg.com/product-avg-internet-se...amp;cmpid=fs013

As, if so, you are actually running two firewalls :thumbsup:


Vuze


You may wish to reconsider this as it has the potential for P2P hazards.

http://www.vuze.com/app

secret sauce behind Vuze is peer-to-peer technology (often called P2P), and specifically, a protocol called bittorrent. So, what is P2P? What is bittorrent? How does it work and why should it matter to you? Learn more >

>>> http://www.vuze.com/corp/Technology.html

You may be sharing more than you know and receiving more than you wish to>>>>>>>>>>

I would politely suggest you may wish to uninstall that program :flowers:

Have you managed to follow DaChew's help to get the Malwarebytes program from a legit source onto the computer?



Ok well,

First off, I am using the supposed full version of AVG Antivirus 8.5. I have however seen another AVG 8.5 version called AVG Internet Security. In my version I have Antivirus, Web Shield, Resident Shield, Email Scanner, Anti-Spyware, Anti-RootKit, Link Scanner, and Update Manager. I have seen Firewall and a few other software on someone else's computer but theirs was AVG Internet Security, not AVG Antivirus. Apparently they both have version 8.5.

Second I did manage to install Malwarebytes and after a scan of only 250000 or so files it detected only one infection:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del

This might be the root cause of my "do_not_delete" in my start up.

Since then I have done nothing except post here.

Hope this helps.

P.S. I will uninstall vuze.

Edited by raas311, 25 July 2009 - 05:51 PM.


#14 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 25 July 2009 - 05:54 PM

Can you please post your Malwarebytes log?
Computer Pro

#15 raas311

  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2009 - 05:55 PM

http://www.filehippo.com/download_malwarebytes_anti_malware/

See if you can access this download

When you hit save, you might rename it then

Try this to install MBAM

Try renaming the setup file to install.com

try installing in safe mode

Here's a random renamer for MBAM if you can get it installed

http://kixhelp.com/wr/files/mb/randmbam.exe

Here's a link for MBAM definition update

http://www.gt500.org/malwarebytes/database.jsp


Thank You Dachew.

Ok well,


I did manage to install Malwarebytes and after a scan of only 250000 or so files it detected only one infection:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del

I hope this fixed the do_not_delete entries in the registry.

Since then I have done nothing except post here.

Hope this helps.
