Hello again, Chris.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
You have placed HJT in a temporary location. Please move it to a proper location before doing the fix.
(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders or Desktop. A good place to make a folder would be in My Documents, as this is where it will save the backup files needed if there's a problem.)
You also have an outdated version of HJT. Please download the newer version, HiJackThis 1.99.1. Delete the outdated one and use this newer one for your fix.
Turn off System Restore by doing the following:
Click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.
Go to My Computer > Tools > Folder Options > View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing / visible. Uncheck the "Hide protected operating system files" option.
Download, install, update and run Ad-aware SE; check for any updates before running it.
Get the plug-in for fixing VX2 variants. You can download it at this site.
To run this tool, install to the hard drive, then open Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.
Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you have updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.
Scan your PC with this free online scanner: RAV AntiVirus.
Also download CWShredder to your Desktop.
To use CWShredder, simply start the program, use "Check for updates" to make sure you have the latest version, then hit "Fix".
The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (alternate link if the main link doesn't work) and install it. You will use this later.
Download WinsockFix and unzip it. Then double-click on it to run it.
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
Go into HijackThis > Config > Misc. Tools > Open process manager. Select the following and click Kill process for each one (you must kill them one at a time).
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe <---------
P2P - I see you have P2P software installed on your machine (i.e.). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation. I will make recommendations below for removal, which you can choose to ignore, where this P2P application is involved. I’ll leave the decision to you.
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\certmgr8.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\cdrtc885.exe
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs:
MyWay
NewDotNet
POWERSEARCH
MaxSpeed
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p "C:\WINDOWS\BDE" -s setup.cab
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [f612673f7202] C:\WINDOWS\system32\certmgr8.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [njuwtjxi] c:\windows\system32\njuwtjxi.exe
O4 - HKLM\..\Run: [b3d3f89dd50b] C:\WINDOWS\system32\cdrtc885.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common files\updater\wupdater.exe
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1096915116216
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
Please remember to close all other windows, including browsers, then click Fix checked.
Delete the following files and folders if they still exist (folders are shown with a trailing backslash):
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\certmgr8.exe
C:\WINDOWS\isrvs\
C:\WINDOWS\system32\cdrtc885.exe
C:\WINDOWS\BTGrab.dll
C:\Program Files\MyWay\
C:\WINDOWS\system32\hsrb.dll
C:\Program Files\NewDotNet\
C:\PROGRA~1\POWERS~1\
c:\windows\system32\njuwtjxi.exe
C:\Program Files\Common files\updater\
C:\WINDOWS\system32\ms.exe
For this removal, can you tell me what else is in that folder before deleting: C:\WINDOWS\BDE
Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.
Empty your Recycle Bin.
Reboot your System in normal mode.
Please post a fresh Hijack This log so that we can check if your system is clean.
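As an added illustration that is not part of the original post or of HijackThis itself: a small Python triage script that parses HJT log lines of the kinds checked above (R0/R1 registry values, O2/O3/O18 entries with CLSIDs and DLL paths, O4 autostart commands, O10 LSP lines, O16 DPF download URLs) and flags the ones matching the domains and folders in this removal list. The regexes and the BAD_MARKERS list are my own assumptions, not rules taken from HijackThis.

```python
import re
# Constructed sample: a subset of the HijackThis log lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R3 - Default URLSearchHook is missing
O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # O4 "[name] command"
BAD_MARKERS = ("isearch.com", "hotsearchbar.com", "\\isrvs\\", "\\vmss\\",  # my own selection,
               "POWERS~1", "NEWDOT", "New.Net")                            # drawn from the post

def parse_hjt_line(line):
    """Split one HJT log line into kind (R1/O2/O4...), CLSID and target path/URL/command."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # blank or non-entry line
    kind, body = m.group("kind"), m.group("body")
    missing = body.endswith("(file missing)")  # dead reference left by a partial uninstall
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    if kind.startswith("R") and " = " in body:
        target = body.split(" = ", 1)[1]  # registry value -> its data (a URL here)
    elif kind == "O4" and (run := RUN_RE.search(body)):
        target = run.group("cmd")  # autostart command line
    elif " - " in body:
        target = body.rsplit(" - ", 1)[1]  # last field: DLL path or CAB URL
    else:
        target = ""  # e.g. O10 Winsock LSP lines carry no path
    clsid = CLSID_RE.search(body)
    return {"kind": kind, "clsid": clsid.group(0) if clsid else None, "target": target,
            "file_missing": missing, "raw": line.strip()}

def triage(log_text, markers=BAD_MARKERS):
    """Return parsed entries that match a known-bad marker or point at a missing file."""
    hits = []
    for entry in filter(None, map(parse_hjt_line, log_text.splitlines())):
        entry["reason"] = [mk for mk in markers if mk.lower() in entry["raw"].lower()]
        entry["reason"] += ["file missing"] if entry["file_missing"] else []
        if entry["reason"]:
            hits.append(entry)
    return hits
```

Running triage(SAMPLE_LOG) on the sample flags every line except the R3 entry, which matches none of the markers; a real log should be diffed against the original post's list rather than trusted to this marker set alone.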