Hello guys,

I need some solid help here. Here is my HijackThis report. I need to get rid of anything that's causing me all the memory drains, especially this W32/Bube.gen with my explorer.exe, which McAfee does recognize but cannot do anything about.

Any help is appreciated... thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:12:17 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\system32\crypserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\windows\system32\cstcvn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TelkomInternet Web Accelerator\telkominternetaccel.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Khan\pd33.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Go!Zilla\gozilla.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Temporary\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\TelkomInternet Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsf7D.dll
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\GO!ZILLA\GoIEHlp.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tqjuugl] c:\windows\system32\cstcvn.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - Global Startup: TelkomInternet Web Accelerator.lnk = C:\Program Files\TelkomInternet Web Accelerator\telkominternetaccel.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\PROGRA~1\GO!ZILLA\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\TelkomInternet Web Accelerator\telkominternetaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\TelkomInternet Web Accelerator\telkominternetaccel.exe/227
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D11C0A19-B0C0-4A43-A915-83C89C507DC6}: NameServer = 196.43.1.11 196.25.1.11
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Last Post by crunchie
0

Please go here for the instructions on how to remove the Bube.d (aka Win32.Beavis) Removal [isrvs] infection. Please follow the removal instructions exactly.


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
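
Added example (not part of the original reply, and not HijackThis's own code): a Python triage script that shows why the F2 entry singled out above stands out, by comparing the Shell= value with the bare Explorer.exe default and applying similar checks to a few other lines. The sample lines are copied from the first log in this thread; the rule set, the function names and the short list of system process names are assumptions chosen for illustration.

```python
import re
from typing import List, NamedTuple

# Lines copied from the first HijackThis log in this thread (header included
# to show that non-entry lines are skipped).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
"""

# Assumption: a short list of core Windows process names used for the
# near-miss spelling check; extend it to suit your environment.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}

# A HijackThis entry line is "<section code> - <body>", e.g. "F2 - REG:...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


class Finding(NamedTuple):
    code: str    # HijackThis section code, e.g. "F2"
    reason: str  # why the line was flagged
    line: str    # the original log line


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[len(b)]


def lookalike(path: str) -> str:
    """Return the system name the file name is exactly one edit away from, else ''."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()
    for real in sorted(SYSTEM_NAMES):
        if edit_distance(name, real) == 1:
            return real
    return ""


def shell_extra(body: str) -> str:
    """Text left in an F2 Shell= value after the expected bare 'Explorer.exe'.

    Only the bare name is accepted as the default, so a value that starts
    with some other path (even one ending in explorer.exe) is returned whole.
    """
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if not m:
        return ""
    return re.sub(r"^\s*explorer\.exe(?=[\s,]|$)[\s,]*", "", m.group(1),
                  flags=re.IGNORECASE).strip()


def triage(log_text: str) -> List[Finding]:
    """Apply the illustrative rules to every entry line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process path or blank line
        code, body = m.groups()
        target = ""   # program path to run the near-miss name check on
        if code == "F2":
            target = shell_extra(body)
            if target:
                findings.append(Finding(
                    code, f"logon shell also starts: {target}", line))
        elif code == "F3":
            kv = re.search(r"\b(run|load)=(.+)$", body, re.IGNORECASE)
            if kv:
                target = kv.group(2).strip()
                findings.append(Finding(
                    code, f"win.ini {kv.group(1)}= autostart: {target}", line))
        elif code == "O15" and body.startswith("ProtocolDefaults:"):
            findings.append(Finding(
                code, "protocol mapped to the wrong security zone", line))
        if body.rstrip().endswith("(file missing)"):
            findings.append(Finding(
                code, "registry entry points at a file that no longer exists", line))
        real = lookalike(target) if target else ""
        if real:
            findings.append(Finding(
                code, f"file name is one character off {real}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n      {f.line}")
```

A flagged line is a prompt for review, not a verdict: the rules only report where an entry departs from the default value or refers to a file that is no longer on disk.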

0

OK, I got done with all the scanning. Before posting the log file:

  • I had a problem with Kav as it deleted my explorer; luckily there was one explorer.exe quarantined beforehand, so I was able to use that. I rechecked the file again and Kav said it was clean.
  • I had lots of trojans and spyware removed but I still have a couple of problems. The I.E opens with some traffic popup. I assume this is the Aurora pop-ups, as these also place annoying icons on my desktop.

help me out with this if you could please...

LOG FILE HIJACKTHIS


Logfile of HijackThis v1.99.1
Scan saved at 12:13:19, on 24/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Temporary\Antivirus\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\TelkomInternet Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsx124.dll
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\GO!ZILLA\GoIEHlp.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: TelkomInternet Web Accelerator.lnk = C:\Program Files\TelkomInternet Web Accelerator\telkominternetaccel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe


EWIDO REPORT


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           06:32:50, 24/05/2005
+ Report-Checksum:      2E6EFF97


+ Date of database:     23/05/2005
+ Version of scan engine:   v3.0


+ Duration:             366 min
+ Scanned Files:            72662
+ Speed:                3.30 Files/Second
+ Infected files:           112
+ Removed files:            112
+ Files put in quarantine:      112
+ Files that could not be opened:   0
+ Files that could not be cleaned:  0


+ Binder:       Yes
+ Crypter:      Yes
+ Archives:     Yes


+ Scanned items:
C:\


+ Scan result:
C:\WINDOWS\LastGood\webhdll.dll -> Spyware.WebHancer -> Cleaned with backup
C:\WINDOWS\SYSTEM32\nsb45.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\nsd15.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\MARSHAL.DLL -> Spyware.P2PNetworking -> Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.exe -> Spyware.P2PNetworking -> Cleaned with backup
C:\WINDOWS\gcqqmbgmvp.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\isrvs\desktop.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.Isearch.a -> Cleaned with backup
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Cleaned with backup
C:\WINDOWS\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINDOWS\TEMP\Altnet\Setup.exe -> Spyware.Altnet.b -> Cleaned with backup
C:\WINDOWS\TEMP\Altnet\adm4.dll -> Spyware.Altnet.a -> Cleaned with backup
C:\WINDOWS\TEMP\Altnet\adm25.dll -> Spyware.Altnet.b -> Cleaned with backup
C:\WINDOWS\TEMP\Altnet\adm.exe -> Spyware.Altnet.a -> Cleaned with backup
C:\WINDOWS\TEMP\Altnet\admdloader.dll -> Spyware.Altnet.b -> Cleaned with backup
C:\WINDOWS\TEMP\Altnet\admfdi.dll -> Spyware.Altnet.b -> Cleaned with backup
C:\WINDOWS\TEMP\Altnet\admprog.dll -> Spyware.Altnet.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller -> Cleaned with backup
C:\Program Files\Kazaa\TopSearch.dll -> Spyware.Altnet.d -> Cleaned with backup
C:\Program Files\whInstall\whInstaller.exe -> Spyware.WebHancer -> Cleaned with backup
C:\Program Files\whInstall\webhdll.dll -> Spyware.WebHancer -> Cleaned with backup
C:\Program Files\Trend Micro\Internet Security\VSS5PCDT.001 -> Spyware.ISearch.d -> Cleaned with backup
C:\Program Files\Trend Micro\Internet Security\VSS6D0B5.000 -> Spyware.Isearch -> Cleaned with backup
C:\Documents and Settings\Khan\Local Settings\Temp\p2psetup.exe -> Spyware.P2PNetworking -> Cleaned with backup
C:\Documents and Settings\Khan\Local Settings\Temp\__unin__.exe -> Spyware.AltnetBDE -> Cleaned with backup
C:\Documents and Settings\Khan\Local Settings\Temporary Internet Files\Content.IE5\6SQ57H0W\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\Khan\Local Settings\Temporary Internet Files\Content.IE5\VBHPD5DE\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@ads01.bpath[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@deliver.ads.uigc[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@fl01.ct2.comclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@www.smartadserver[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@www.nethit-free[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@mediamgr.ugo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@S0011-00-12-14-212925-43362[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@bravenet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@banner3.inet-traffic[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@inet-traffic[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@ad.ir[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@counter[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@bfast[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@www.popuptraffic[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@c5.zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@spylog[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@targetnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@servedby.netshelter[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Khan\Cookies\khan@clickthrutraffic[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{CAD5DD38-CA73-46E8-8C18-B732701C5FC7}\RP27\A0004623.DLL -> Spyware.WebHancer -> Cleaned with backup
C:\System Volume Information\_restore{CAD5DD38-CA73-46E8-8C18-B732701C5FC7}\RP27\A0004630.EXE -> Spyware.MyWay.b -> Cleaned with backup
C:\System Volume Information\_restore{CAD5DD38-CA73-46E8-8C18-B732701C5FC7}\RP27\A0004631.DLL -> Spyware.MyWay.e -> Cleaned with backup
C:\System Volume Information\_restore{CAD5DD38-CA73-46E8-8C18-B732701C5FC7}\RP27\A0004633.exe -> Spyware.AltnetBDE -> Cleaned with backup
C:\System Volume Information\_restore{CAD5DD38-CA73-46E8-8C18-B732701C5FC7}\RP27\A0004635.dll -> Spyware.BrilliantDigital.1007 -> Cleaned with backup
C:\System Volume Information\_restore{CAD5DD38-CA73-46E8-8C18-B732701C5FC7}\RP27\A0004637.dll -> Spyware.Altnet.b -> Cleaned with backup
::Report End


0

Was that log taken in safe mode? If so, please do the next one in normal mode.

-

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt.

Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u nsx124.dll
regsvr32 /u mfiltis.dll

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Run HiJackThis, click "Scan", then check (tick) the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsx124.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

folders...

C:\WINDOWS\isrvs

files...

C:\WINDOWS\System32\nsx124.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If they are present and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting your PC, rescan with hijackthis and post a new log.
Let me know how things are now.
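
A check for the rescan step in the reply above, as an added example that is not part of the original thread: it compares a fix list against a later HijackThis log and reports the entries that are still present. The function names and the rescan log are constructed for illustration; matching on section code plus CLSID is an assumption, made so that an entry whose file was deleted and which now carries a "(file missing)" suffix still counts as the same entry.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")   # "<code> - <body>"
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
MISSING = re.compile(r"\s*\(file missing\)\s*$", re.I)

# Subset of the fix list, copied verbatim from the reply above.
FIX_LIST = r"""
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsx124.dll
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

# Constructed rescan log (not from the thread): the DLL was deleted but the
# BHO entry was left unfixed, and one Trusted Zone entry survived.
RESCAN = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.exe
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsx124.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
"""

def entry_key(line):
    """Return a comparable key for a HijackThis entry, or None for other lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None                      # header, process path, blank line
    code, body = m.group(1), MISSING.sub("", m.group(2))
    clsid = CLSID.search(body)
    if clsid:                            # the CLSID identifies BHO/DPF/filter entries
        return (code, clsid.group(0).lower())
    return (code, " ".join(body.split()).casefold())

def still_present(fix_list, rescan_log):
    """List the rescan lines that match an entry from the fix list."""
    wanted = {k for k in map(entry_key, fix_list.splitlines()) if k}
    return [ln.strip() for ln in rescan_log.splitlines() if entry_key(ln) in wanted]

if __name__ == "__main__":
    for leftover in still_present(FIX_LIST, RESCAN):
        print("still present:", leftover)
```

R0 lines are keyed on their full text here, so a start-page entry whose value changed between scans will not match and has to be compared by eye.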
