03-19-2005, 10:11 AM   #4
chrisvilleneuve
OS: XP


Hello again geekgirl, here is how it went:
  • Got rid of everything with Ad-Aware
  • No vx2 variant
  • Got rid of everything with Spybot
  • No dso exploit
  • RAV found my virus, couldn't clean it
  • Ran swshredder, didn't work because I had a "virtual memory error" so I couldn't run it. My computer is a P II 400 MHz, pretty old so...
  • Ran winsocfix, everything ok
  • Ran HJT, couldn't kill any of the 6 processes because they were not there. I figured that Ad-Aware and Spybot removed everything... so nothing was done there
  • Out of the 4 programs to remove, there were only 2 in my list: maxspeed and new.net. I removed them
  • Ran HJT, removed the lines you told me. I would say that half of what you told me to take out wasn't there. So I figured that what I did so far took it out or something.
  • Fixed the lines, everything ok.
  • Deleted the programs and folders from the list you gave me. About half of them were already gone.
  • Ran cleanup!
  • There was no folder named c:\windows\BDE
  • Restarted the computer, and the popup screen from Norton was gone. I figured the virus was gone.

But the day after (this morning), I scanned my computer with Norton and it found the damn thing again!!! But this time when I told it to get rid of it, it was able to!!! I rescanned and there was nothing left. The virus was in the backup I created for the registry. I guess that since it wasn't "active" in my computer, Norton was able to take it out? Anyway, here is the extension that Norton gave me:

documents and settings/Mel/Mes documents/hijackthis/backups

I haven't put "System Restore" back on so far; I guess I should wait for all of this to be over? Just let me know when I can safely put it back on.

And here is the final HJT analyzer log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 00:13:06, on 2005-03-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe
C:\Program Files\Control Kids\Control kids.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Mel\Mes documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ca.msn.com/?lang=fr-ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} -
C:\PROGRA~1\CONTRO~2\zeropop.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN
Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe"
O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe
O8 - Extra context menu item: Pages liées - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SirSearch - file://C:\Program
Files\PWRSDP1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Version de la page actuelle disponible dans le
cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
http://www.ravantivirus.com/scan/ravonline.cab
O18 - Filter: text/html - {C6F62B7A-5450-4A2F-8687-6CEEC3AEB055} -
C:\WINDOWS\system32\controlkids2.dll
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation
- C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program
Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Thank you very much again