Author Topic: Seems to be similar to the daosearch

roofy
Seems to be similar to the daosearch
« on: May 11, 2005, 11:28:56 AM »
Hi there all,
I have been infected with 16 viruses that have been resolved so far, but there are more on my system. I have found these viruses through Norton's AV, which I have on my system and which had found 12 small viruses, and I also tried the sample online virus scan from Trend Micro, which found 4 serious viruses. I think what Norton found was some older viruses that I had through the past week, which was nothing compared to what Trend Micro found. Trend Micro found 4 viruses called troj_small.yh, which you can find at http://www.trendmicro.com/vinfo/virusencyc...e=TROJ_SMALL.YH

Doing a search in this forum, this virus that I have seems similar to what the daosearch was doing. Also, I know I am still infected because every time I change my homepage back to where I want it, the virus still changes the web site to its viral website. In addition it blocks me from doing online virus scans by redirecting me to its viral site as well. Also I at least know of this one virus that is redirecting me. It is called SVCHOST.EXE. Yeah I know, svchost is a necessary file for Windows, but it also can be a virus. How do I know? By disabling it in msconfig, and I also sent the file to be scanned at www.virustotal.com. If you don't know what this site does, it allows you to send single files one at a time to be scanned with 18 popular AV companies such as McAfee, Panda, AntiVir, BitDefender, Norton, and many more. After doing this scan some of them found that this file is a virus, and some of them didn't. However, the sites that did find this as a virus, and by going to their sites, they all said that they have no information as of yet on how to resolve this issue, but they are working very hard on this matter.

Also, doing a HijackThis scan, which finds the redirect site in the log, doesn't completely remove it. Meaning it just comes right back after you restart. I am going to do another HijackThis scan and post it in here later, but for now here is what it looks like in msconfig

Startup item: SVCHOST.EXE; Command:C:\WINDOWS\system32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE

... and the location doesn't point to its true registry location because I have disabled it. So I don't know exactly where it is until I re-enable it

and BTW, there are 3 files in this folder...
1. SVCHOST.EXE
2. SVCHOST.DLL
3. SVCHOST32.DLL
« Last Edit: May 11, 2005, 11:33:47 AM by roofy »

roofy
« Reply #1 on: May 11, 2005, 02:37:37 PM »
Ok guys, like I said I would, here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:26:01 PM, on 5/11/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

roofy
« Reply #2 on: May 11, 2005, 10:01:05 PM »
Hi there,
Should I just try to follow one of the other posts that were posted through this forum on the topic of the daosearch virus? I have read at least 7 threads in here and all of them that I noticed were told to do something different. Meaning they didn't all just say go to so-and-so site, do a scan and come back and post it. Each and every one seemed to have different answers, so I wasn't sure which one to choose from, and I don't think mine is exactly the same. I just mean that the daosearch virus pattern seems to be similar to what I have gone through. Also remember that I have already deleted 16 viruses, so maybe that's what is confusing you. If so, all I can say is that out of all the scans I have done and deleting the infected files, Trend Micro's encyclopedia entry on the virus troj_small.yh was exactly what I was getting. If you're not sure what this does, I have posted a link to Trend Micro's encyclopedia on this topic in my original post in this thread. The problem though is it also says that this type of virus also allows the attacker to add more viruses besides the troj_small.yh virus. And I believe that's where I am at as of right now.

guestolo (Administrator)
« Reply #3 on: May 11, 2005, 10:16:01 PM »
Can you do the following, please:

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE


After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Next: Open Hijackthis>>Open Misc tools section>>Open "Delete File on Reboot"
In the File name field
Copy and paste the path below into the Open field

C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE

Then click OPEN
Reboot the computer
Back in Windows

Find and delete this folder
C:\WINDOWS\System32\Services <-this folder

Post back a fresh hijackthis log
« Last Edit: May 11, 2005, 10:17:14 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
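The three entries guestolo ticks above (a hijacked start page, a .vbs launched from a Run key, and an svchost.exe living in a GUID-named folder under System32\Services) are exactly the patterns that can be picked out of a HijackThis log mechanically. The Python below is an added example, not code from the forum or from HijackThis; the home-page allow-list, the set of protected process names and the sample log lines (copied from the log posted above, plus one clean entry) are assumptions for the demonstration.

```python
import ntpath
import re
from urllib.parse import urlparse

# Well-known Windows process names that should only launch from a system
# directory; a copy anywhere else (like the SVCHOST.EXE in the log) is suspect.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                "csrss.exe", "smss.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
SCRIPT_EXTS = {".vbs", ".js", ".wsf", ".bat", ".cmd"}
# Hosts a start page may legitimately point at: an assumed allow-list for the demo.
HOMEPAGE_ALLOW = {"www.msn.com", "www.microsoft.com", "about:blank"}

# Drive-letter path ending in an executable/script extension followed by end, space or quote.
PATH_RE = re.compile(
    r'([A-Za-z]:\\.*?\.(?:exe|dll|vbs|js|wsf|bat|cmd|scr|pif|com))(?=$|\s|")',
    re.IGNORECASE)
GUID_DIR_RE = re.compile(
    r"\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\", re.IGNORECASE)

# Constructed sample: four lines from the log posted above plus one clean entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

def check_path(path):
    """Return the reasons a launch path looks suspicious (empty list if none)."""
    low = path.lower()
    name, folder = ntpath.basename(low), ntpath.dirname(low)
    reasons = []
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        reasons.append(f"system process name outside a system directory: {path}")
    if GUID_DIR_RE.search(low):
        reasons.append(f"launched from a GUID-named folder: {path}")
    if ntpath.splitext(name)[1] in SCRIPT_EXTS:
        reasons.append(f"script launched at startup: {path}")
    return reasons

def check_line(line):
    """Apply the checks relevant to one HijackThis line (R0/R1, O4, O23)."""
    if line.startswith(("R0 -", "R1 -")):
        url = line.partition("=")[2].strip()
        if not url:
            return []
        host = urlparse(url).netloc.lower() or url.lower()
        return [] if host in HOMEPAGE_ALLOW else [f"browser start/search page set to {host}"]
    if line.startswith(("O4 -", "O23 -")):
        match = PATH_RE.search(line)
        return check_path(match.group(1)) if match else []
    return []

def triage(log_text):
    """Return [(line, reasons)] for every flagged line of a HijackThis log."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = check_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged
```

Entries without a drive-letter path (such as the RUNDLL32 line in the log) are not resolved and fall through unflagged, so they still need a manual look.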


roofy
« Reply #4 on: May 11, 2005, 11:42:08 PM »
Well, I haven't checked yet whether I can go to the Trend Micro page without any misleading links, but after doing your procedure and looking at the fresh HijackThis log, it seems that everything has been cleared. Anywho, here is my latest HijackThis log....

Logfile of HijackThis v1.99.1
Scan saved at 12:22:27 AM, on 5/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

... and thank you very, very, very, very much!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! :D
I am happy now and maybe I can actually get some sleep tonight, considering that I haven't slept in 2 days. Also I will keep a watch out if you think or know that we are not done, as well as checking out if there are other suspicious clues, if there are any. Thanks again

guestolo (Administrator)
« Reply #5 on: May 11, 2005, 11:48:20 PM »
Just for a double check, can you open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the Open In Notepad button
Can you copy and paste back the Hosts text file that opens

Is your version of Windows legit??
Why so far behind on Windows Updates???



roofy
« Reply #6 on: May 12, 2005, 09:23:42 AM »
Hi guestolo,
Quote
Just to double check, can you open Hijackthis>>Open Misc tools section>>Open Host manager>> ...
Sure, no problem, though I don't know what these are, but here it is...

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


Quote
Is your version of Windows Legit??
Why so far behind on Windows Updates???

Yes it is. The reason is, I used to have SP2 running but I wasn't sure if it was because someone installed a rootkit or what, but my available memory had dropped to 150MB of RAM and my system became unstable. The weird part was I was running SP2 since the day it was available for download up until 2 weeks ago, when my memory had dropped dramatically from 325MB to 150MB. When this happened I posted my question in Google, and all the people who replied back could say was, run a scan with Norton and then run a scan with Ad-Aware. Nothing was resolved, so I asked my manufacturer and they said to do a system recovery. Then when this virus happened I posted back in Google and they said to format the hard drive. They didn't even ask any questions about what was going on or give any thought to it. I thought this was really ridiculous and I really didn't want to re-format my hard drive again. So I did a lot of investigation on this before even thinking of formatting the hard drive, and I thank God I found this site, and I also thank you for helping me. That's why I said such a long thank you to you, because of the experiences I had went through. Especially with the company Symantec. They wanted to charge me a starting rate of $39.95 to remove the virus, when I demanded of them that I should get help because your damn program does not detect this virus.

I swear that it is these AV companies who are building these viruses, and then they say that they come up with a fix by charging you $39.95 every year so that you can download their patches. I am thinking of going back to my old program PC-cillin from Trend Micro, considering that Norton does not have the troj_small.yh virus definition. If it did, it would have gotten rid of most of this infection and then all I had to do is delete the svchost virus, like you showed me how to do.

Also, you wouldn't have any recommendations for firewall software after I upgrade my system back to SP2, would ya? I was told that the Windows SP2 firewall is too standard, and it isn't the greatest program. Though I do have a Linksys firewall router, I also like to have a software version as well. And another thing, what do you recommend as a browser? I am never using IE again, and I hear good and bad things about Mozilla, but what do you think of it? Do you think I should use Netscape instead?

guestolo (Administrator)
« Reply #7 on: May 13, 2005, 12:03:05 AM »
Hosts file looks good
Seeing that everything is running better

You should disable System Restore, restart your computer, then re-enable System Restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad: IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with Service Pack 2 as well, if you're wondering

Also, if you would like to use a better software firewall than the one XP provides
I like Sygate's, but you must make up your own mind :)
You can find a link to Sygate's HERE
You won't want to run Sygate's or whatever firewall you go with and XP's too
Not a good idea running more than one software firewall on your system

Browser, I'm a little biased because I don't use anything else but Mozilla Firefox
Internet Explorer only when I have to, nowadays that just seems to be just for Windows updates

Stay safe :D

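guestolo's "Hosts file looks good" verdict above is the by-eye version of a simple check: nothing in the file should send localhost anywhere but loopback, and none of the scanner or vendor sites roofy was being redirected away from (Trend Micro's HouseCall, VirusTotal, Symantec) should be blackholed or pointed at some other address. The Python below is an added example, not part of the thread; the protected-domain list and the sample hosts text (the clean file posted above with three constructed hijack lines using a TEST-NET address) are assumptions for the demonstration.

```python
import ipaddress

# Constructed sample: the clean Microsoft hosts file posted above, plus three
# lines of the kind a scanner-blocking hijacker leaves behind. 203.0.113.10 is
# a TEST-NET address chosen for the example, not a real redirect target.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       www.virustotal.com
0.0.0.0         housecall.trendmicro.com
203.0.113.10    www.symantec.com   # constructed redirect
"""

# Domains the cleanup in this thread relied on; an assumed list, extend it for your users.
PROTECTED_SUFFIXES = ("trendmicro.com", "virustotal.com", "symantec.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_protected(name):
    """True when the hostname is, or is under, one of the protected domains."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return [(hostname, reason)] for entries that blackhole or redirect hosts."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, f"unparseable address {ip!r}"))
            continue
        # 127.x / ::1 and 0.0.0.0 both make a hostname unreachable.
        blackholed = addr.is_loopback or addr.is_unspecified
        if name == "localhost":
            if not addr.is_loopback:
                findings.append((name, f"localhost mapped to {ip}"))
        elif is_protected(name) and blackholed:
            findings.append((name, f"security vendor blackholed to {ip}"))
        elif is_protected(name):
            findings.append((name, f"security vendor redirected to {ip}"))
        elif not blackholed:
            findings.append((name, f"pinned to {ip}; confirm this is intentional"))
    return findings
```

On a stock home machine the only expected line is `127.0.0.1 localhost`, so an empty findings list is the "looks good" outcome; anything else is worth comparing against what the user actually configured.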


Taralom (Guest)
« Reply #8 on: May 15, 2005, 09:43:14 AM »
Locking this topic as the original poster's problems have been resolved

Anyone else
Please, Read This
« Last Edit: May 15, 2005, 09:46:04 AM by guestolo »