HJT+analyser log : download trojan=isrvs\sysupd.dll

chrisvilleneuve · 03-16-2005, 09:08 AM

Here is my analyzer log :

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 14:54:50, on 2005-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\certmgr8.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Control Kids\Control kids.exe
C:\WINDOWS\system32\cdrtc885.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Mel\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app...DQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app...DQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app...DQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/?lang=fr-ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app...DQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\CONTRO~2\zeropop.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p "C:\WINDOWS\BDE" -s setup.cab
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [f612673f7202] C:\WINDOWS\system32\certmgr8.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [njuwtjxi] c:\windows\system32\njuwtjxi.exe
O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe
O4 - HKLM\..\Run: [b3d3f89dd50b] C:\WINDOWS\system32\cdrtc885.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common files\updater\wupdater.exe
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096915116216
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

End of KRC HijackThis Analyzer Log.
====================================================================

Thank you

Chris Bouchard

Geekgirl · 03-16-2005, 01:08 PM

Hi chris and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when a reply has been made.

Please be patient with me during this time.

Geekgirl · 03-17-2005, 10:58 AM

Hello again chris

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have placed HJT in a Temporary location. Please move to a proper location before doing the fix.
(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders or Desktop. A good place to make a folder would be in My Documents, as this is where it will save the backup files needed if there's a problem.)

You also have an outdated version of HJT. Please Download the newer version HiJackThis 1.99.1. Delete the outdated one and use this newer one for your fix.

Turn off System Restore by doing the following:

Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Download / Install / Update / and Run:
Adaware SE check for any updates before running it.
Get the plug-in for fixing VX2 variants. You can download it at this SITE
To run this tool, install to the hard drive, then open Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

Download and install Spybot S&D . Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Scan your pc with this free online scanner:
RAV AntiVirus

Also download CWShredderto your Desktop.
To use CWShredder, simply start the program, use the "Check for updates" to make sure you have the latest version, then hit fix".

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! ( Alternate Link if main link don't work) and install it. You will use this later.

Download WinsockFix and unzip it. Then double-click on it to run it

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (You must kill them one at a time).

C:\WINDOWS\system32\P2P Networking\P2P Networking.exe <---------P2P - I see you have P2P software installed on your machine (i.e.). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation. I will make recommendations below for removal, which you can choose to ignore, where this P2P application is involved. I’ll leave the decision to you.

C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\certmgr8.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\cdrtc885.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

MyWay
NewDotNet
POWERSEARCH
MaxSpeed

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p "C:\WINDOWS\BDE" -s setup.cab
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [f612673f7202] C:\WINDOWS\system32\certmgr8.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [njuwtjxi] c:\windows\system32\njuwtjxi.exe
O4 - HKLM\..\Run: [b3d3f89dd50b] C:\WINDOWS\system32\cdrtc885.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common files\updater\wupdater.exe
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1096915116216
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\certmgr8.exe
C:\WINDOWS\isrvs\
C:\WINDOWS\system32\cdrtc885.exe
C:\WINDOWS\BTGrab.dll
C:\Program Files\MyWay
C:\WINDOWS\system32\ hsrb.dll
C:\Program Files\NewDotNet
C:\PROGRA~1\POWERS~1\
c:\windows\system32\njuwtjxi.exe
C:\WINDOWS\system32\cdrtc885.exe
C:\Program Files\Common files\updater\
C:\WINDOWS\system32\ms.exe

For this removal, can you tell me what else is in that folder before deleting:
C:\WINDOWS\BDE

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
Empty your Recycle Bin.

Reboot your System in normal mode.

Please post a fresh Hijack This log so that we can check if your system is clean.

chrisvilleneuve · 03-19-2005, 10:11 AM

Hello again geekgirl, here is how it went :

Got rid of everything with ad-aware
No vx2 variant
Got rid of everything with spybot
No dso exploit
RAV found my virus, couldn't clean it
Run swshredder, didn't work because I had a "virtual memory error" so I couldn't run it. My computer is a P II 400 Mhz, pretty old so...
Run winsocfix, everything ok
Run HJT, couldn't kill any of the 6 process because they were not there. I figured that ad-aware and spybot removed everything... so nothing was done there
Out of the 4 programs to remove, there was only 2 in my list : maxspeed and new.net. I removed them
Run HJT, removed the lines you told me. I would say that half of what you told me to take out wasn't there. So I figured that what I did so far took it out or something.
Fixed the lines, everything ok.
Deleted the programs and folders from the list you gave me. About half of them were already gone.
Run cleanup!
There was no folder named c:\windows\BDE
Restart computer, and the popup screen from Norton was gone. I figured the virus was gone.

But the day after (this morning), I scanned my computer with norton and he found the damn thing again!!! But this time when I told him to get rid of it, he was able to!!! I rescanned and there was nothing left. The virus was in the backup I created for the registry. I guess that since he wasn't "active" in my computer, Norton was able to take it out? Anyway, here is the extension that Norton gave me :

documents and settings/Mel/Mes documents/hijackthis/backups

I didn't put back the "system restore" on so far, I guess I should wait for all of this to be over? Just let me know when I can safely put it back on.

And here is the final HJT analyzer log :

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 00:13:06, on 2005-03-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe
C:\Program Files\Control Kids\Control kids.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Mel\Mes documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ca.msn.com/?lang=fr-ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} -
C:\PROGRA~1\CONTRO~2\zeropop.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN
Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe"
O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe
O8 - Extra context menu item: Pages liées - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SirSearch - file://C:\Program
Files\PWRSDP1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Version de la page actuelle disponible dans le
cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
http://www.ravantivirus.com/scan/ravonline.cab
O18 - Filter: text/html - {C6F62B7A-5450-4A2F-8687-6CEEC3AEB055} -
C:\WINDOWS\system32\controlkids2.dll
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation
- C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program
Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Thank you very much again

Geekgirl · 03-20-2005, 12:56 PM

Not much left just 1 more entry to remove

Turn off System Restore by doing the following:

Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R3 - Default URLSearchHook is missing

Please remember to close all other windows, including browsers then click Fix checked.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
Empty your Recycle Bin.

Reboot your System in normal mode.

Other than that your log is clean. Are there any problems now? If not, you should be set to go.

If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

chrisvilleneuve · 03-21-2005, 12:39 PM

I think we got it now! Everything is back to normal. I'll be more careful from now on...

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 13:43:30, on 2005-03-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe
C:\Program Files\Control Kids\Control kids.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Mel\Mes documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/?lang=fr-ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\CONTRO~2\zeropop.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe"
O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O18 - Filter: text/html - {C6F62B7A-5450-4A2F-8687-6CEEC3AEB055} - C:\WINDOWS\system32\controlkids2.dll
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

End of KRC HijackThis Analyzer Log.
====================================================================

I put back system restore on winXP. Thanks again

Geekgirl · 03-21-2005, 01:31 PM

Hey Chris

Your log is clean

Are there any problems now? If not, you should be set to go.

If you disabled System Restore, make sure to enable it now.

Thank you so much for visiting TSF and letting us help you.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

chrisvilleneuve · 03-23-2005, 07:52 AM

Everything is A-ok

Thank you so much!!!

Geekgirl · 03-23-2005, 08:17 AM

Your very Welcome, Thank you for letting TSF help you

03-16-2005, 09:08 AM	#1 (permalink)
chrisvilleneuve Registered User Join Date: Mar 2005 Posts: 4 OS: XP	HJT+analyser log : download trojan=isrvs\sysupd.dll Here is my analyzer log : ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Norton AntiVirus\navapsvc.exe O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.98.2 Scan saved at 14:54:50, on 2005-03-06 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe C:\WINDOWS\system32\P2P Networking\P2P Networking.exe C:\WINDOWS\system32\wsxsvc\wsxsvc.exe C:\WINDOWS\system32\vmss\vmss.exe C:\WINDOWS\system32\certmgr8.exe C:\WINDOWS\isrvs\desktop.exe C:\Program Files\Control Kids\Control kids.exe C:\WINDOWS\system32\cdrtc885.exe C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\LimeWire\LimeWire.exe C:\Documents and Settings\Mel\Local Settings\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app...DQ6NTo5&Terms= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app...DQ6NTo5&Terms= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app...DQ6NTo5&Terms= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/?lang=fr-ca/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app...DQ6NTo5&Terms= R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - Default URLSearchHook is missing O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing) O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\CONTRO~2\zeropop.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing) O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe" O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p "C:\WINDOWS\BDE" -s setup.cab O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe O4 - HKLM\..\Run: [f612673f7202] C:\WINDOWS\system32\certmgr8.exe O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKLM\..\Run: [njuwtjxi] c:\windows\system32\njuwtjxi.exe O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe O4 - HKLM\..\Run: [b3d3f89dd50b] C:\WINDOWS\system32\cdrtc885.exe O4 - Global Startup: updater.lnk = C:\Program Files\Common files\updater\wupdater.exe O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096915116216 O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll End of KRC HijackThis Analyzer Log. ==================================================================== Thank you Chris Bouchard

03-16-2005, 01:08 PM	#2 (permalink)
Geekgirl Assistant Manager, Microsoft Support Join Date: Jan 2005 Location: Six-burgh, Pennsylvania Posts: 14,117 OS: 98SE/WinXP Home/WinXP Pro/Vista/Windows 7	Hi chris and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p You may wish to Subscribe to this thread (Thread Tools) so that you are notified when a reply has been made. Please be patient with me during this time. __________________ Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM *The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!!* *The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!*

03-17-2005, 10:58 AM	#3 (permalink)
Geekgirl Assistant Manager, Microsoft Support Join Date: Jan 2005 Location: Six-burgh, Pennsylvania Posts: 14,117 OS: 98SE/WinXP Home/WinXP Pro/Vista/Windows 7	Hello again chris Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. You have placed HJT in a Temporary location. Please move to a proper location before doing the fix. (Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders or Desktop. A good place to make a folder would be in My Documents, as this is where it will save the backup files needed if there's a problem.) You also have an outdated version of HJT. Please Download the newer version HiJackThis 1.99.1. Delete the outdated one and use this newer one for your fix. Turn off System Restore by doing the following: Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Download / Install / Update / and Run: Adaware SE check for any updates before running it. Get the plug-in for fixing VX2 variants. You can download it at this SITE To run this tool, install to the hard drive, then open Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Download and install Spybot S&D . Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. Scan your pc with this free online scanner: RAV AntiVirus Also download CWShredderto your Desktop. To use CWShredder, simply start the program, use the "Check for updates" to make sure you have the latest version, then hit fix". The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! ( Alternate Link if main link don't work) and install it. You will use this later. Download WinsockFix and unzip it. Then double-click on it to run it Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (You must kill them one at a time). C:\WINDOWS\system32\P2P Networking\P2P Networking.exe <---------P2P - I see you have P2P software installed on your machine (i.e.). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation. I will make recommendations below for removal, which you can choose to ignore, where this P2P application is involved. I’ll leave the decision to you. C:\WINDOWS\system32\wsxsvc\wsxsvc.exe C:\WINDOWS\system32\vmss\vmss.exe C:\WINDOWS\system32\certmgr8.exe C:\WINDOWS\isrvs\desktop.exe C:\WINDOWS\system32\cdrtc885.exe Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: MyWay NewDotNet POWERSEARCH MaxSpeed Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms= R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - Default URLSearchHook is missing O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing) O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing) O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p "C:\WINDOWS\BDE" -s setup.cab O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe O4 - HKLM\..\Run: [f612673f7202] C:\WINDOWS\system32\certmgr8.exe O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKLM\..\Run: [njuwtjxi] c:\windows\system32\njuwtjxi.exe O4 - HKLM\..\Run: [b3d3f89dd50b] C:\WINDOWS\system32\cdrtc885.exe O4 - Global Startup: updater.lnk = C:\Program Files\Common files\updater\wupdater.exe O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1096915116216 O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\system32\P2P Networking\P2P Networking.exe C:\WINDOWS\system32\wsxsvc\wsxsvc.exe C:\WINDOWS\system32\vmss\vmss.exe C:\WINDOWS\system32\certmgr8.exe C:\WINDOWS\isrvs\ C:\WINDOWS\system32\cdrtc885.exe C:\WINDOWS\BTGrab.dll C:\Program Files\MyWay C:\WINDOWS\system32\ hsrb.dll C:\Program Files\NewDotNet C:\PROGRA~1\POWERS~1\ c:\windows\system32\njuwtjxi.exe C:\WINDOWS\system32\cdrtc885.exe C:\Program Files\Common files\updater\ C:\WINDOWS\system32\ms.exe For this removal, can you tell me what else is in that folder before deleting: C:\WINDOWS\BDE Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Empty your Recycle Bin. Reboot your System in normal mode. Please post a fresh Hijack This log so that we can check if your system is clean. __________________ Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM *The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!!* *The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!*

03-19-2005, 10:11 AM	#4 (permalink)
chrisvilleneuve Registered User Join Date: Mar 2005 Posts: 4 OS: XP	Hello again geekgirl, here is how it went : Got rid of everything with ad-aware No vx2 variant Got rid of everything with spybot No dso exploit RAV found my virus, couldn't clean it Run swshredder, didn't work because I had a "virtual memory error" so I couldn't run it. My computer is a P II 400 Mhz, pretty old so... Run winsocfix, everything ok Run HJT, couldn't kill any of the 6 process because they were not there. I figured that ad-aware and spybot removed everything... so nothing was done there Out of the 4 programs to remove, there was only 2 in my list : maxspeed and new.net. I removed them Run HJT, removed the lines you told me. I would say that half of what you told me to take out wasn't there. So I figured that what I did so far took it out or something. Fixed the lines, everything ok. Deleted the programs and folders from the list you gave me. About half of them were already gone. Run cleanup! There was no folder named c:\windows\BDE Restart computer, and the popup screen from Norton was gone. I figured the virus was gone. But the day after (this morning), I scanned my computer with norton and he found the damn thing again!!! But this time when I told him to get rid of it, he was able to!!! I rescanned and there was nothing left. The virus was in the backup I created for the registry. I guess that since he wasn't "active" in my computer, Norton was able to take it out? Anyway, here is the extension that Norton gave me : documents and settings/Mel/Mes documents/hijackthis/backups I didn't put back the "system restore" on so far, I guess I should wait for all of this to be over? Just let me know when I can safely put it back on. And here is the final HJT analyzer log : ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Norton AntiVirus\navapsvc.exe O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 00:13:06, on 2005-03-19 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe C:\Program Files\Control Kids\Control kids.exe C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe C:\Documents and Settings\Mel\Mes documents\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/?lang=fr-ca/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - Default URLSearchHook is missing O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\CONTRO~2\zeropop.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe" O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O18 - Filter: text/html - {C6F62B7A-5450-4A2F-8687-6CEEC3AEB055} - C:\WINDOWS\system32\controlkids2.dll O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe End of KRC HijackThis Analyzer Log. ==================================================================== Thank you very much again

03-20-2005, 12:56 PM	#5 (permalink)
Geekgirl Assistant Manager, Microsoft Support Join Date: Jan 2005 Location: Six-burgh, Pennsylvania Posts: 14,117 OS: 98SE/WinXP Home/WinXP Pro/Vista/Windows 7	Not much left just 1 more entry to remove Turn off System Restore by doing the following: Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R3 - Default URLSearchHook is missing *Please remember to close all other windows, including browsers then click Fix checked.* Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Empty your Recycle Bin. Reboot your System in normal mode. Other than that your log is clean. Are there any problems now? If not, you should be set to go. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. __________________ Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM *The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!!* *The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!*

03-21-2005, 12:39 PM	#6 (permalink)
chrisvilleneuve Registered User Join Date: Mar 2005 Posts: 4 OS: XP	I think we got it now! Everything is back to normal. I'll be more careful from now on... ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Norton AntiVirus\navapsvc.exe O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 13:43:30, on 2005-03-21 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe C:\Program Files\Control Kids\Control kids.exe C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe C:\Documents and Settings\Mel\Mes documents\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/?lang=fr-ca/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\CONTRO~2\zeropop.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr-ca\msntb.dll O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-ca\msnappau.exe" O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSDP1\Cache\SelectedContextSearch.htm O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O18 - Filter: text/html - {C6F62B7A-5450-4A2F-8687-6CEEC3AEB055} - C:\WINDOWS\system32\controlkids2.dll O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe End of KRC HijackThis Analyzer Log. ==================================================================== I put back system restore on winXP. Thanks again

03-21-2005, 01:31 PM	#7 (permalink)
Geekgirl Assistant Manager, Microsoft Support Join Date: Jan 2005 Location: Six-burgh, Pennsylvania Posts: 14,117 OS: 98SE/WinXP Home/WinXP Pro/Vista/Windows 7	Hey Chris Your log is clean Are there any problems now? If not, you should be set to go. If you disabled System Restore, make sure to enable it now. Thank you so much for visiting TSF and letting us help you. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. __________________ Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM *The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!!* *The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!*

03-23-2005, 07:52 AM	#8 (permalink)
chrisvilleneuve Registered User Join Date: Mar 2005 Posts: 4 OS: XP	Everything is A-ok Thank you so much!!!

03-23-2005, 08:17 AM	#9 (permalink)
Geekgirl Assistant Manager, Microsoft Support Join Date: Jan 2005 Location: Six-burgh, Pennsylvania Posts: 14,117 OS: 98SE/WinXP Home/WinXP Pro/Vista/Windows 7	Your very Welcome, Thank you for letting TSF help you __________________ Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM *The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!!* *The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!*