proper virus removal help

June 12th, 2006, 1:43 pm

my dad stupidly downloaded kazaa on this brand new norton "protected" computer. after uninstallation i have noticed that several warning windows are opening in norton.

first of all: norton doesn't work properly

i chose "block always" and it keeps returning about 6 times than again for 6 times in an hour or if i reset, i get the warnings for several different .exe files and searched for them in google and discovered that all were viruses/malware or files which could be re-written and turned into malware in the system.

now the norton site says how to remove them but its instructions are impossible to carry out, for example: i was told to run a scan while in safe mode = impossible, i cannot run programs in safe mode. i will add the filenames of the files i am suspecting next time they show up but for now is there any advice anyone can give me? other that disconnect the internet then smash my pc of course


list of susspected filenames:

ccEvtMgr.exe - tryign to access the internet using one or more unrecognised modules - !some! of the modules - ntdsapi.dll fastprox.dll wbemsvc.dll HPPRESE2.LOC

NAVW32.exe - this file was discussed on a forum i found by searching google and they said it was a security hole in windows

SVCHOST.exe - running from several system folders, a few in the proccesses, comes up on the end now thing on shut down

June 12th, 2006, 1:46 pm

I sugest removing Kazaa, Removing Norton (and buy a decent one, some free ones are better than nortan)

If you still experiance problems, the amount of Trojans (and other Spyware) downloaded by Kazaa, it may be best to wipe the machine, and re-install your Windows OS.

Remember to back up all your applications, and work before attampting this. As it is best to delete the partition, and re-install. and This can not be undone (Well it can, but no easy)

June 12th, 2006, 1:50 pm

also i run about 3 full system scans with norton a day and nothing is ever found

June 12th, 2006, 1:53 pm

Nortan does not always find Virus's and rarley find spyware

The best thing to do is re-install XP

If you have SpyWare, they will have opened a door into your machine. Deleting the spyware may get rid of it, but the door remains open. Meaning more spyware can come in.

The only way to close the doors, is to re-install your OS

June 12th, 2006, 1:57 pm

thats retarded, will system restore work? I made a backup the second i turned on the pc before the internet was connected etc

June 12th, 2006, 2:02 pm

no, it wont. It only takes an hour or 2 to re-install your windows OS.

June 12th, 2006, 2:20 pm

oh? what about my files and stuff? what if the viruses are also held outside the os

June 12th, 2006, 2:24 pm

oh no! now this:
http://www.bozebo.com/files/pages/tools ... rbella.JPG

June 12th, 2006, 2:24 pm

Everything is held on your HardDrive

Deleting Partition C will delete the HardDrive

When you Re-Install your OS, you will have NOTHING on there.

Everything will be deleted.

As I said, if SpyWare gets in, it will open Doors. Which lets other SpyWare get in

ADVICE

Close all running apps manually

Do CTRL + ALT + DEL

Click on Running Processors, and tell us what it there.
This will give us some idea of what Virus's you have running

June 12th, 2006, 2:42 pm

http://www.bozebo.com/files/pages/tools ... lation.JPG

a little collation i have made of the processes with all my programs closed

June 12th, 2006, 2:44 pm

some of the things in that collation are obviously viruses / spyware etc. i searched sme of them on google, many are dangerous and stuck there by kazaa, some are exploitable OS programs.

eg:
" Description:
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

Note: csrss.exe could also be a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. It could also be a registered security risk and should be removed immediately. "

June 12th, 2006, 2:53 pm

Now, Lets name the known Virus's

hpqimzone.exe

INSTRUCTIONS ON REMOVING THIS

READ ALL BEFORE FOLLOWING INSTUCTIONS

open up for File Finder (START MENU, FIND)

search for
hpqimzone.exe

When You have Located it, Open TaskManager, and STOp this application running

Now Single Click on the File hpqimzone.exe and Hold Down the SHIFT key, then press Delete, then ok, (STILL HOLDING DOWN THE SHIFT KEY), till the file is deleted

Then Click Start, RUN
Type in REGEDIT

then Find Every Instance of hpqimzone

And DELETE them

This will delete this file.

If there are multiple files found associated with this application, make sure you follow the same procedure for all.

WARNING

MAke sure you only do this with KNOWN virus's, if you attempt this with a SYS CONFIG file, then you will loose your OS.

June 12th, 2006, 2:56 pm

it has 34 associated dlls



and it looks like my printer files, not to worry, i can always re-install it

June 12th, 2006, 2:58 pm

cannot delete.. its "protected"

June 12th, 2006, 3:03 pm

You NEED to stop the process running

The reason it is protected is because it is open (Running in processors)

You have to be quick, as it may be set,
If CLOSED
OPEN NOW