Strange malicious script/spyware dropper/virus DOService
anonymous_at_discussions.microsoft.com
Date: 12/09/03
- Next message: BillW1701: "Fictitious Microsoft Security Update email"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: BackDoor.Afcore.AT"
- In reply to: Lindsay: "Strange malicious script/spyware dropper/virus DOService"
- Next in thread: Mike Burgess: "Re: Strange malicious script/spyware dropper/virus DOService"
- Reply: Mike Burgess: "Re: Strange malicious script/spyware dropper/virus DOService"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 9 Dec 2003 14:55:11 -0800
>-----Original Message-----
>My boyfriend had a little *ahem* accident the other day
>in which he clicked "yes" accidentally to a box that
>popped up on a website.
>
>Now his computer is plagued with problems. He's running
>Windows XP, unsure what service pack because I am not
>there to look at his comp, however since clicking this
>link the following things have happened:
>
>1) 9-10 svchost.exe tasks running, using 99-100% CPU
>time, making it unable to do ANYTHING without being in
>safemode.
> -I had him do a search for the program and found two
>instances:
>C:\Windows\System32\svchost.exe *the valid one*
>C:\Windows\svchost.exe *the questionable one*
> -Upon deleting the one in the "Windows" folder, he
>is now able to restart in normal Windows mode without
>having the CPU time. He's back down to approx. 4-5
>processes running now. I'm assuming that was the
>culprit/virus.
>
>2) Since clicking on this link, numerous spyware programs
>have been dropped on his computer, ie) ones fron n-Case,
>ezSearchBar, istsvc.exe ??, and more. IE homepage
>address has been changed to match the ez-search.net
>site. This too was caused by this malicious script, and
>here's the kicker:
>
>3) To uninstall n-Case and the other spywares, you have
>to access the internet. My boyfriend is on a LAN with
>his family, running a firewall on their server, and he
>has antivirus protection, which baffles me as to why it
>didn't catch this. He has updated definitions.
>
>Well, this little SOB virus has also figured out how to
>disable internet access. The network connections say
>that it is connected to the network, however when he
>opens internet explorer NOTHING will connect. I know
>that this is not related to the svchost.exe file, because
>the one that exists is supposed to be where it is.
>
>The Repair option for the network does no good, it simply
>again says "Local Area Connection : connection speed" as
>if he's connected to the network. He's tried disabling
>it and re-enabling it, to no avail.
>
>Is it possible that this virus has screwed with his
>internet settings as well? I know it's possible.
>
>I've found little to nothing in reference to a virus with
>C:\Windows\svchost.exe, and even less relating to the
>spyware dropping.
>
>We've also both had problems with bitTorrent lately, as
>have a few friends. Since installing bitTorrent from the
>real programmer's site, we've had issues with system
>instability, crashing, and freezing. I have been the
>least infected, however I am also the one running a
>firewall with tight options and backed by lord knows how
>many college firewalls. Several friends have had
>computers crashing using this program. Is it possible
>that the virus and spyware dropper could be related to
>bitTorrent instead of the website he visited? I mean,
>could someone have figured out how to exploit something
>with the svchost.exe file through bitTorrent, sort of how
>the whole RPC viruses were doing through the internet by
>sending packets to cause buffer overflows?
>
>Has anyone heard of any of these things and can lead me
>to an answer? He really doesn't want to reformat, and
>since we've got the computer up and running again I feel
>that if the internet problem could be solved, we could
>not only get rid of that nasty spyware but also get an
>updated firewall for him and see what the virus scanner
>has to say.
>
>Thanks to all for suffering through this, I know it was a
>long post, and any help is appreciated,
>
>~Lindsay
>.
>Hey Lindsay,
Thanks for posting this easy-search IE garbage, as it has
happened to me also. Lets research this thing, and get
rid of it.
I all of a sudden, after a "ahem" bad click on a website,
discovered easy-search for IE. Also, several favorite
sites added to my list, which I don't want. Bad sites.
Ran a web based virus check, Trend micro, and they
found "BKDR_JEEMP.C virus, and TROJ_TARNO.A virus. Troj
is new, discovered Nov 5th 2003.
Deleted all the bad files, and it comes back. Changes my
IE back, re adds the bad web sites.
This is my first virus, and I'm not sure of what to do
next. Where do we look?
I printed Trend Micro's detail list on both, implemented
both, got rid of Troj.
Also, my cable internet connection is operating
correctly.
Thanks for any info. Lets keep at this, I'm just not sure
where to go for help. I actually posted this issue last
night also.
Cheers,
Wade
- Next message: BillW1701: "Fictitious Microsoft Security Update email"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: BackDoor.Afcore.AT"
- In reply to: Lindsay: "Strange malicious script/spyware dropper/virus DOService"
- Next in thread: Mike Burgess: "Re: Strange malicious script/spyware dropper/virus DOService"
- Reply: Mike Burgess: "Re: Strange malicious script/spyware dropper/virus DOService"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
