
Problems with my PC


  • This topic is locked

#16
geekay

  • Topic Starter
  • Member
  • 35 posts
Hi Metallica,

I am exhausted. I ran a virus scan and found that there were 4 infections, out of which 3 were cleaned. But the Spybot32 worm could not be cleaned or deleted. I will log in again after a few hours. Please suggest the future course of action. Thank you
  • 0



#17
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
We're making progress. Don't despair, and give me some time for my private life, OK?

Had to get some dinner or I would have fallen over.

This next step should take us a big step towards clean.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\lsyss.exe
    C:\WINDOWS\UHV0dHVyIEt1bWFy\command.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

After the reboot download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer
Next click Start > Run > services.msc > OK
The services window will open.
Scroll down to:
Remote Plugin Service
Right-click that line and Stop the service if it is running.
Then right-click again and choose Properties.
On the General tab set the Startup type to Disabled.

Then run HijackThis and click Config > Misc Tools > Delete an NT service
In the box copy & paste:
Remote Plugin Service
Let HijackThis remove that service and reboot again.

Now post a fresh HijackThis log.

Regards,
  • 0

#18
geekay

  • Topic Starter
  • Member
  • 35 posts
I am sorry if I had given you the impression that I am rushing you for help. I do understand that you need your own time and I really appreciate the help you are providing me. I am in office now and I will follow your instructions after I get back home. Thank you!
  • 0

#19
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
No problem. Just trying to make you aware of the fact that it could take a while sometimes.
  • 0

#20
geekay

  • Topic Starter
  • Member
  • 35 posts
Hi,

I followed your instructions. No messages after using killbox.exe. The following is the HijackThis log.


----------

Logfile of HijackThis v1.99.1
Scan saved at 7:47:00 PM, on 10/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\Desktop\Repair Tools\hello\bsxsys.exe.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hinduonnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hinduonnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://symantec2.atg...oad/tgctlcm.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.c...a/SpeedCtrl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159191525156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#21
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Very good. One more trojan to deal with.

Click Start > Run > services.msc > OK

The list of services will open.
Scroll down to
Network Monitor
Select the service by right-clicking on it and choose Stop.
Then right-click again and choose Properties.
On the General tab you will find a drop-down box for the Startup Type.
Set that to Disabled.

Then run HijackThis and click Config > Misc Tools > Delete an NT service
Paste this in the box:
Network Monitor
and let HijackThis remove the service.

Reboot and delete this folder:
C:\Program Files\Network Monitor

Then let me know how the computer is running.


Regards,
  • 0

#22
geekay

  • Topic Starter
  • Member
  • 35 posts
Done it. So far so good. Do you want me to post HijackThis now? I have a couple of questions. How do I know whether my Windows XP is updated with SP2? If not, where do I get it? Can't find it in Windows Update.

I purchased McAfee antivirus. However, my PC presently has Norton antivirus and firewall. Both are valid for another month. Should I go ahead and uninstall Norton and install McAfee?

What precautions should I take so that such things do not happen in future?

Thank you so much for your help.
  • 0

#23
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
If you run HijackThis and this line is gone:
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
then all should be fine now.

Your HijackThis log says you don't have SP2 and are at SP1.
All the options to get it can be found here:
http://www.microsoft...p2/default.mspx

McAfee and Norton AntiVirus are quite comparable, so switch whenever you find the time.
Bookmark this thread for removing Norton:
http://www.geekstogo...are-t43188.html

Have you already found another firewall?

For precautions have a look at my site

And you're welcome. :whistling:
  • 0
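
Added example (not part of the original thread and not any poster's code): a small Python parser for the O23 service lines of a HijackThis log. It lists services whose owner field reads "Unknown owner", like the Network Monitor entry discussed in posts #21 and #23, and checks whether a named service still appears in a fresh log. The sample log is constructed from lines in post #20, and the function names are assumptions of this example.

```python
import re

# Constructed sample: three O23 lines copied from the log in post #20.
SAMPLE_LOG = r"""
Platform: Windows XP SP1 (WinNT 5.01.2600)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

O23_PREFIX = "O23 - Service: "
# Optional "(shortname)" suffix on the display name, e.g. "(ccEvtMgr)".
SHORT_NAME = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)$")


def parse_o23(log_text):
    """Return one dict per O23 line: display name, short name, owner, path."""
    services = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(O23_PREFIX):
            continue
        # Split from the right: owner and path are the last two fields,
        # so a display name that itself contains " - " stays intact.
        parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
        if len(parts) != 3:
            continue  # truncated or malformed line: skip rather than guess
        name, owner, path = (p.strip() for p in parts)
        m = SHORT_NAME.match(name)
        services.append({
            "display": m.group("display") if m else name,
            "short": m.group("short") if m else None,
            "owner": owner,
            "path": path,
        })
    return services


def unknown_owner_services(log_text):
    """Services to look at first: HijackThis reported no owner for them."""
    return [s for s in parse_o23(log_text)
            if s["owner"].lower() == "unknown owner"]


def service_still_present(log_text, display_name):
    """Re-check a fresh log after removal, as post #23 asks the user to do."""
    wanted = display_name.lower()
    return any(s["display"].lower() == wanted for s in parse_o23(log_text))
```

An "Unknown owner" result is a prompt to inspect the service and its path, not a verdict on its own.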

#24
geekay

  • Topic Starter
  • Member
  • 35 posts
Yes! It is gone! I am so relieved.

I visited the Microsoft website and it says my computer has already been upgraded with SP2.

Is there any free firewall that you recommend?

I visited your website a few hours ago. It is in Dutch, right? You have an English version?
  • 0

#25
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Yes, the one I linked to is an English translation parked at the geekstogo domain:
http://metallica.geekstogo.com/

I have always used Kerio firewalls. They have a free version:
http://www.sunbelt-s...e.com/Kerio.cfm

I'm puzzled about the service pack though.
The header of the HijackThis log says:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Can you surf to this site:
http://www.microsoft...;displaylang=en
Select the correct language (I guessed English)
Disregard the speech to get the smaller download. That will take you to the page that said it was already installed.

Regards,
  • 0



#26
geekay

  • Topic Starter
  • Member
  • 35 posts
Hi,

You were correct. When I visited the link you mentioned earlier, I could update my Windows with SP2. It took a few hours.

My browser (IE) does not allow pop-ups for my web-based email, even though I allow pop-ups for this site. Someone in the office told me to reinstall Java. Should I do that? If so, how do I do it?

Again, thanks for instilling 'life' in my computer!
  • 0

#27
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
My pleasure. :whistling:
  • 0

#28
geekay

  • Topic Starter
  • Member
  • 35 posts
Sorry to bother you again.

After downloading SP2, I have these two messages appearing on my screen after I log in.

First Message:
svchost.exe - Application Error

The instruction at "0x745f2780" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program
Click on Cancel to debug the program.

I clicked on cancel to debug, but the message reappears after I log in.

Second message:

Generic Host Process for Win32 Services

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.

We have created an error report that you can send to help us improve Generic Host Processes for Win32 Services. We will treat this report as confidential and anonymous.

To see what data this error report contains, click here.

There is also a debug button in this message. However, nothing happens after clicking and this message repeats when I log in at a later time.

I don't know whether it is a malware problem or software problem.

Please help. Thank you.
  • 0

#29
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Click Start > Run > services.msc > OK

The list of services will open. Scroll down to the one that is called simply "Server".
Right-click that service and choose Properties.
On the General tab set the Startup Type to Manual.

Then reboot. Did that solve it?
  • 0

#30
geekay

  • Topic Starter
  • Member
  • 35 posts
No, it didn't solve the problem. The messages appeared again.
  • 0





