Malicious software attack trying to gain control of my computer : adventurer, August 24, 2006, 05:49:57 PM

I am being plagued by what MS call a "Malicious software attack trying to gain control of my computer".

Whenever I'm online I frequently get this pop up stating "Generic host process for win 32 services has encountered a problem and needs to close"; after a few minutes I get an online crash and I become "offline" even though the "online icon" is still there. MS suggest installing their latest security update. Well, I have been there and done that and no change. I have even downloaded MS's "Malicious software removal tool"; I used it and it took an hour to scan my PC and found nothing. I have even tried "System restore" but that doesn't work anymore. I really am in a bit of a fix - advice would be appreciated.

Re: Malicious software attack trying to gain control of my computer : Essexboy, August 24, 2006, 06:06:05 PM

Hi and welcome. Are you sure that it is an MS warning, as some malware may emulate this? PM me a HJT log or post it here, whatever is easier for you, and I will see if you have any problems. HJT is available from http://www.tomcoyote.org/hjt/ (left hand side of the page). You may have a trojan or possibly a smitfraud infection, but to be sure I need to know what's running.. I have set this thread to notify.
Re: Malicious software attack trying to gain control of my computer : adventurer, August 25, 2006, 07:01:19 AM

Hi Essexboy, thank you for your reply. I have done a HJT log and here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:07, on 25/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\Fmctrl.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\home\LOCALS~1\Temp\Rar$EX00.220\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/index_narrow.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156282148499
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156282118747
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.microgaming.com/riverbelle/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35745C20-F620-4329-81C0-36CF7F89CDD0}: NameServer = 80.225.254.178 80.225.254.186
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Re: Malicious software attack trying to gain control of my computer : Essexboy, August 25, 2006, 01:15:28 PM

Hi Adventurer, looking now - answers in my next post :tiphat:
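The by-eye triage a log helper performs on a HijackThis log like the one above, as an added Python example that is not part of this thread or of HijackThis: it parses the `R`/`O` entry lines into sections and flags two patterns worth asking the user about, an O2 BHO registered with "(no file)" and an O9 Extra button backed only by shdocvw.dll. The sample log is constructed from a few of the posted entries, and the two checks are this example's own assumptions about what a helper looks for, not rules from HijackThis.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the entries from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/index_narrow.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HJT finding has the shape "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Map each section code (R0, O2, O4, ...) to the list of its entry bodies."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("code")].append(m.group("body"))
    return entries


def clsid_of(body):
    """Extract the {GUID} from an entry body, or None when it has none."""
    m = GUID_RE.search(body)
    return m.group(0) if m else None


def review(entries):
    """Return (code, reason, clsid, body) tuples for entries a helper would query.

    Assumed heuristics, not HijackThis rules: see the comments on each check.
    """
    findings = []
    for body in entries.get("O2", []):
        # A BHO whose CLSID has no backing DLL cannot be identified at all; it is a
        # dead registration, which is why such entries are routinely "fixed".
        if body.endswith("(no file)"):
            findings.append(("O2", "BHO with no backing file", clsid_of(body), body))
    for body in entries.get("O9", []):
        # An Extra button backed only by shdocvw.dll (IE's own shell DLL) leaves no
        # file to identify it by, so the button name is all there is to go on.
        if body.lower().endswith(r"\shdocvw.dll"):
            findings.append(("O9", "button backed only by shdocvw.dll", clsid_of(body), body))
    return findings
```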
Re: Malicious software attack trying to gain control of my computer : Essexboy, August 25, 2006, 01:34:33 PM

Back again;

Please rerun HJT and place a check mark against the following:

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

Unable to find anything out about the next one, but if you do not recognise Instant Buzz I would also recommend its deletion:

O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll

Close all other windows except HJT and select fix checked. Apart from that you are clean. However, I did some research on your problem in case it was not malware and found a Netapi.dll that may be causing it. A fix is available from MS at this address: http://www.microsoft.com/downloads/details.aspx?familyid=2996b9b6-03ff-4636-861a-46b3eac7a305&displaylang=en

Could you run it and let me know if your problem still exists? If it does I will carry out further research.

Re: Malicious software attack trying to gain control of my computer : adventurer, August 25, 2006, 05:34:58 PM

Hi again Essexboy,

It sure is difficult typing with my fingers crossed but I think you may have fixed it! I have been online for two hours now without a crash, so it's looking good. I zapped the two items O2 and O9 (I don't know what the Instant Buzz thing was either but never mind, it's buzzed off now!). I also downloaded and ran the Netapi.dll fix. I am told that Essex girls are not too clever; it seems the boys are just the opposite. Thank you for your help.

Re: Malicious software attack trying to gain control of my computer : Essexboy, August 26, 2006, 06:59:45 AM

Hi Adventurer, I found that Instant Buzz on one of my tertiary sites and it is adware. I am looking for a fix now, sorry about that.. But I'm glad the netapi.dll fix worked..
Re: Malicious software attack trying to gain control of my computer : Essexboy, August 26, 2006, 07:11:12 AM

Unfortunately there is no quick fix for it. However, I will talk you through the basics...

First go to Add/Remove Programs in Control Panel and find Instant Buzz (may be one or two words) and uninstall it.
Then go to Explorer and remove the following folder: C:\Program Files\instant buzz
Then remove the following files (should be in the system32 folder):
ibbar.dll
ibdaemon.exe
ibmh.dll
ibsetup.exe

Follow this with a full scan with Ewido.
Click here to download ewido (http://www.ewido.net/en/download/) anti-malware - it is a trial version of the program.
Install ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido; there should be an icon on your desktop, double-click it. The program will now go to the main screen.
You will need to update ewido to the latest definition files. On the left hand side of the main screen click Update, then click on Start Update. The update will start and a progress bar will show the updates being installed.
Then:
Click on Scanner.
Click on Complete System Scan and the scan will begin (do not open any folders or open the Windows Control Panel while the scan is in progress).
While the scan is in progress you will be prompted to clean files; click OK.
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report. Save the report .txt file to your desktop.
Now close ewido.
When you have done, could you post the Ewido report.

Again sorry for the error :tiphat:

Re: Malicious software attack trying to gain control of my computer : adventurer, August 26, 2006, 02:40:53 PM

Hi again Essexboy,
I have done what you advised. There is no trace of "instant buzz"; I think we zapped it all yesterday. I have downloaded, installed and scanned with "Ewido" and I can't believe how many nasties there are on my computer! I presume they are cleaned and/or quarantined now. Prepare for a long list as follows:

Couldn't send it - too big! Hopefully it's in the attachment.

Re: Malicious software attack trying to gain control of my computer : Essexboy, August 26, 2006, 02:51:42 PM

Nice one Adventurer, you are now squeaky clean. Keep Ewido as it is a free programme; all you have to do is update it manually just before you scan with it..

Now to clean up your System Restore, instructions to follow:
Go Start > All Programs > Accessories > System Tools then select System Restore.
When it pops up select Create a restore point then press Next. Give it a name e.g. Clean then select Create.
When it has finished go to System Tools again but this time select Disk Cleanup. It will ask for the drive and then do its thing for a moment or two.
A dialogue will then pop up with 2 tabs. Select More Options and at the bottom you will find System Restore Clean up. Press OK; you will then get a couple of warnings, accept them.
You now have 1 clean system restore point that will work..

Re: Malicious software attack trying to gain control of my computer : adventurer, August 27, 2006, 03:59:15 PM

Essexboy, I did the "System restore" thing this morning. Yes I really am squeaky clean, well my computer is anyway. Your help has been much appreciated - thank you.

Re: Malicious software attack trying to gain control of my computer : Essexboy, August 27, 2006, 06:13:37 PM

Here to help. No problem :tiphat: