[tmsbird]

Hi everybody, I have a virus problem I think. My son stuck his fuji xd card into His friends computer and download some photos on to it. When he put it back in his camera it would not read. I took it out and put it in my computer and tried to read it and the ‘my computer’ prog just locks up and won’t read it. I tried to reformat it in his camera but it still fails to read.
I then tried to run Norton in case I had a virus from the card but that won’t run now either! I tried to remove and reinstall Norton even using the removal tool but that doesn’t seem to work. I guess I’ve got ‘something’ blocking it.
I’ve been reading through the malware instructions posting and have followed most of the steps. Although the AVG antivirus scan I ran in safe mode worked but it failed to save the log. I ran it again in normal mode and have posted that instead.
I’ve installed Avast antivirus, BHOclean, Superantispyware and AVG Antispyware and left my computer to get on with it.
I have not tried the card again and am reluctant to put any other cards, usb sticks or my ipods back on to the system until I know its clean.
So if you could check my logs and advise me how to clean the card I’d really appreciate it.
Cheers Tim

[evilfantasy]

Welcome to TCF.

I don't see any malware in the HijackThis log but there are som entries to clean up.

Open HijackThis and select "Do a system scan only"

Place a check mark next to:

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...aniaFWBInitial Setup1.0.0.15-3.cab
O24 - Desktop Component 0: (no name) - https://www.yourpsp.com/i/psp_registration/bg_page.gif
O24 - Desktop Component 1: (no name) - http://www.wwe.com/superstars/smackd...onphotos/30.jp g

Close all windows except HijackThis and click "Fix checked"

There are still entries from Symantec/Norton. You may want to run the removal tool again.

There is a tool for cleaning virus from flash drives, but I don't think it will work on a xd card.

I am at a loss on what to do at the moment but I will look around and see if I can turn anything up.

[serverguy]

I could find nothing other than what evilfantasy found either. It looks pretty clean to me.

Do you know if your son put anything on the XD card other than photos? Never heard of a person getting a virus on one of them before

[pete21]

same here..is there even enuf room on them cards to hold a virus..sumets up tho as its affected your pc.. if the worst coms to it you could just re install windows id format the harddrive tho first to get rid of eney viruses ...thats wot id doo insted of messing around tryin to fix the pc as it sounds to me sumets gone realy rong..as for the card its beond me hehe :)

[tmsbird]

Hi guys thanks for the replies. I have done the check you suggested and I went through the various symantec and norton folders and deleted everything manually. I've got 3 files left that will do delete NAVShExt.loc, NavShExt.dll and isRes.dll. Any ideas what these do and how I can delete them? Norton removal tool and normal removal wouldn't work. I'm a bit fed up with Norton they haven't even replied to my emails.
I also had affined of mine look at the xd card. He used linux and said it did have a virus in the boot sector, which has also corrupted the second sector so he's trying to reformat it for me.
Having finally sorted everything out what do you suggest I leave running on the system?
I’ve got AVG spyware, Superantispyware, BHO clean, trojan hunter guard and avast.
Thanks again

[mbonwick]

NAVShExt.loc is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 9376 bytes (83% of all occurrence), 9328 bytes.
A .dll file (Dynamic Link Library) is a special type of Windows program containing functions that other programs can call. This .dll file can be injected to all running processes and can change or manipulate their behavior. The process has no file description. The program has no visible window. File NAVShExt.loc is a Verisign signed file. NAVShExt.loc is digitally signed. There is no detailed description of this service. It can change the behavior of other programs or manipulate other programs. The file is not a Windows system file. NAVShExt.loc seems to be a compressed file. Therefore the technical security rating is 58% dangerous

NavShExt.dll - see above

isRes.dll - something to do with install routines I think. Best left well alone

[evilfantasy]

Press ctrl+alt+delete (all at the same time) to bring up task manager.

Click the processes tab and look for NAVShExt and NavShExt also look for anything to do with symantec or norton and right click them and choose End Process.

Then go and try to delete them.

isRes.dll as Mbonwick said I would leave alone.

As far as security that looks good, you might also check out WinPatrol 2007 The 2007 version is free so don't download the WinPatrol Plus which is the paid version.

[tmsbird]

had a look but neither is running. Just out of curiosity my system idle process always seems to be running about 98% mem usage! is that right? And also is there a way of finding out what all the running processes are? a sort of explain the taskmanager.
sorry last question do you know of anything that checks cards and usb drives?
Cheers

[evilfantasy]

Process Explorer

Also, attach a new HijackThis log and I will see if I can find the processes in it.

[tmsbird]

log enclosed

[evilfantasy]

OK lets try this.

Enable Viewing Of Hidden System Files & Folders

1. Right Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.

Open HijackThis and select Do a system scan only.
Place a check mark next to

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

Close all windows and click "Fix checked"


Press ctrl+alt+delete (all at the same time) to bring up task manager.

Click the processes tab and look for:
symlcsvc.exe

Right click it and choose End Process.


Now from the desktop double click "MY Computer" then double click "Local Disk C"

Locate and delete these files/folders (in bold) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Symantec should now be gone.

Rehide Hidden System Files and Folders

1. Open My Computer
2. Select the Tools menu and click Folder Options
3. Select the View tab.
4. Under the Advanced settings box option select the following:
5. Select Hide extensions for known file types
6. Select Hide protected operating system files
7. Select Do not show hidden files and folders
8. Click OK

[tmsbird]

What happens if I delete everything in the symatec folder? in fact all of symantec from my system. it still wont delete by the way

[serverguy]

There should be no problem with deleting the whole Symantec folder.

To get it to delete you may have to go into Safe Mode:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, begin tapping F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
5. Press enter.

Then delete it. This should work.

[tmsbird]

i know its a bit late but just to say thanks to everybody for the help. Everything seems to be working fine now. My friend is still trying to rebuild the xd card with the unknown virus on it but thats another story.
Cheers

[evilfantasy]

Thanks for letting us know.

Safe surfing.......