[tmsbird]

Hi everybody, I have a virus problem I think. My son stuck his fuji xd card into His friends computer and download some photos on to it. When he put it back in his camera it would not read. I took it out and put it in my computer and tried to read it and the ‘my computer’ prog just locks up and won’t read it. I tried to reformat it in his camera but it still fails to read.
I then tried to run Norton in case I had a virus from the card but that won’t run now either! I tried to remove and reinstall Norton even using the removal tool but that doesn’t seem to work. I guess I’ve got ‘something’ blocking it.
I’ve been reading through the malware instructions posting and have followed most of the steps. Although the AVG antivirus scan I ran in safe mode worked but it failed to save the log. I ran it again in normal mode and have posted that instead.
I’ve installed Avast antivirus, BHOclean, Superantispyware and AVG Antispyware and left my computer to get on with it.
I have not tried the card again and am reluctant to put any other cards, usb sticks or my ipods back on to the system until I know its clean.
So if you could check my logs and advise me how to clean the card I’d really appreciate it.
Cheers Tim

[evilfantasy]

Welcome to TCF.

I don't see any malware in the HijackThis log but there are som entries to clean up.

Open HijackThis and select "Do a system scan only"

Place a check mark next to:

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...aniaFWBInitial Setup1.0.0.15-3.cab
O24 - Desktop Component 0: (no name) - https://www.yourpsp.com/i/psp_registration/bg_page.gif
O24 - Desktop Component 1: (no name) - http://www.wwe.com/superstars/smackd...onphotos/30.jp g

Close all windows except HijackThis and click "Fix checked"

There are still entries from Symantec/Norton. You may want to run the removal tool again.

There is a tool for cleaning virus from flash drives, but I don't think it will work on a xd card.

I am at a loss on what to do at the moment but I will look around and see if I can turn anything up.

[serverguy]

I could find nothing other than what evilfantasy found either. It looks pretty clean to me.

Do you know if your son put anything on the XD card other than photos? Never heard of a person getting a virus on one of them before

[pete21]

same here..is there even enuf room on them cards to hold a virus..sumets up tho as its affected your pc.. if the worst coms to it you could just re install windows id format the harddrive tho first to get rid of eney viruses ...thats wot id doo insted of messing around tryin to fix the pc as it sounds to me sumets gone realy rong..as for the card its beond me hehe :)

[tmsbird]

Hi guys thanks for the replies. I have done the check you suggested and I went through the various symantec and norton folders and deleted everything manually. I've got 3 files left that will do delete NAVShExt.loc, NavShExt.dll and isRes.dll. Any ideas what these do and how I can delete them? Norton removal tool and normal removal wouldn't work. I'm a bit fed up with Norton they haven't even replied to my emails.
I also had affined of mine look at the xd card. He used linux and said it did have a virus in the boot sector, which has also corrupted the second sector so he's trying to reformat it for me.
Having finally sorted everything out what do you suggest I leave running on the system?
I’ve got AVG spyware, Superantispyware, BHO clean, trojan hunter guard and avast.
Thanks again

[mbonwick]

NAVShExt.loc is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 9376 bytes (83% of all occurrence), 9328 bytes.
A .dll file (Dynamic Link Library) is a special type of Windows program containing functions that other programs can call. This .dll file can be injected to all running processes and can change or manipulate their behavior. The process has no file description. The program has no visible window. File NAVShExt.loc is a Verisign signed file. NAVShExt.loc is digitally signed. There is no detailed description of this service. It can change the behavior of other programs or manipulate other programs. The file is not a Windows system file. NAVShExt.loc seems to be a compressed file. Therefore the technical security rating is 58% dangerous

NavShExt.dll - see above

isRes.dll - something to do with install routines I think. Best left well alone

[evilfantasy]

Press ctrl+alt+delete (all at the same time) to bring up task manager.

Click the processes tab and look for NAVShExt and NavShExt also look for anything to do with symantec or norton and right click them and choose End Process.

Then go and try to delete them.

isRes.dll as Mbonwick said I would leave alone.

As far as security that looks good, you might also check out WinPatrol 2007 The 2007 version is free so don't download the WinPatrol Plus which is the paid version.

[tmsbird]

had a look but neither is running. Just out of curiosity my system idle process always seems to be running about 98% mem usage! is that right? And also is there a way of finding out what all the running processes are? a sort of explain the taskmanager.
sorry last question do you know of anything that checks cards and usb drives?
Cheers

[evilfantasy]

Process Explorer

Also, attach a new HijackThis log and I will see if I can find the processes in it.

[tmsbird]

log enclosed