C:\WINNT\isrvs\sysupd.dll & msnavc32[RESOLVED]


This topic is locked

#1 megapax (Member, 12 posts)

I ran cw shredder, spybot, adaware, and I have symantec antivirus, which periodically informs me that it has detected the isrvs virus but is unable to remove it. Msnavc32.exe remains on my system as well. And there is an annoying little search tool bar peeking up at me every so often. My windows media player has been taken over. On the bright side, aliens have not invaded my home, although I am becoming very paranoid lately. I am not a computer savvy individual and I am starting to panic. Please help. Here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 8:55:33 AM, on 2/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\System32\PSSVC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\DMI\bin\dmisrv.exe
C:\DMI\bin\delldmi.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\Program Files\Kill Popup\KillPopup.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Uavrs\Wjoej.exe
C:\Program Files\hpdll\hpdll.exe
C:\Program Files\hpdll\tempdl\RAS012505.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\winnt\system32\msnavc32.exe
C:\Program Files\nls3vbri\nls3vbri.exe
C:\WINNT\isrvs\desktop.exe
C:\WINNT\system32\ntlorts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\nottsnmp.exe
C:\WINNT\system32\sysmonnt.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsear...sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: (no name) - {0722C99F-CC31-4155-ACFE-85629F52E60D} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {07C52CB1-E3AC-4548-A32A-5B48D552C8CF} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {0C62E32B-45D9-43B5-9667-CBB9E004DC51} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {0EA6F4C4-6E9F-4F4F-9B0A-F3DBCE77B8E5} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {158F0E0D-1146-4AD7-928F-B210C26348CE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {1730630D-0717-4BB6-8ECE-58F8E06DF977} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {1A4B7260-740D-43EB-9F84-A387C03708A4} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {242B2746-E3AA-4E75-B7F8-EC240CC2DF47} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {2639417F-24A9-46AE-868C-EA53103E6D84} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {284A165F-C8A8-46F6-A570-F89095F19060} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {28FE6AF4-8070-4A0E-891B-4663154436BD} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {2C0E63F5-692E-4F47-8089-AC924778FDC2} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {43D64023-2E94-437A-9CE7-3F3C7B5C2116} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {4586B8A1-23D6-4315-AD29-3CB6C63B52E3} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {49F9D152-210A-45EB-8378-F65B5FA3EE8B} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {4A310699-038E-402D-97D9-B0C0468FEE3A} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {521527DB-E565-4DFB-867D-A8B03859FA42} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {52987CB6-3AAD-4151-8884-DAD6C3EE7690} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {530B4F4D-CB8E-4BA1-BFCA-7D26725A99EB} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53EA209B-A215-4DE7-8BEF-BBAF7438EF1E} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {5A384B18-1267-41EA-B542-6BCAD0F035DD} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {5B888D5C-1E20-46EA-AE47-4FB2F85CE2B9} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {5EA34304-85FF-4361-84AA-4976F096F453} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {6CB357E5-7ED3-4636-A34C-6D2DE5CB25F9} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {73C3F6DE-6E1F-4CD0-9307-8545E1C0F935} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {7451E86E-20EA-4341-8024-C19AFE873E0C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {77E0F405-30FD-40AC-9E30-FF9977BBBAD7} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {7974E862-CF34-4857-8C2B-ADC8B67F0C50} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: SDWin32 Class - {8C645624-ED6D-44AB-8922-A0108CBE409F} - C:\WINNT\system32\dkvoi.dll
O2 - BHO: (no name) - {8EEE81E3-FE45-4D0F-94CC-DDB12E85E017} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {941EC85D-78AF-421C-931A-0C84902E878C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {A1360057-5EBA-4606-9034-5F8CFEEE0240} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {A25D8FE3-25B3-4C63-A2F1-D74915DF8361} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {A9B06050-9E51-4738-A805-224F18D8DD51} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AA256EB9-5BE9-47A1-BE78-40E4D7F08D4C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AA562628-5456-4AE1-83A8-A07D030E3806} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AE8BA5B8-AB1A-4188-AD15-23C3C4AFC9AA} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AF020B79-0229-4EA0-A554-720FF839A1E8} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B1B2A0B3-4508-4B90-A224-792E5232CC6C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B4470525-D54C-4C6E-827A-883B88CF9EB8} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B536FEF1-3367-4DC8-AE5F-D0748C2DAD4A} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B546D270-CFAE-4039-BC6A-FFE3BA37DFBE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B5DBF1F5-7560-48BE-8404-FE88D01AD249} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B7158317-EEE0-4C81-B1E2-215FC1FB5ED0} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B82B05F0-0A36-4B07-A6C8-081D40C5DE0A} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B88D248C-6E61-4E56-9996-2A409E1AEAAE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B8B37D4A-03E5-4F06-B5C5-1583734E5FDC} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {BCF8807D-F237-48EB-A40A-5ACEC7ADBF0E} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {CB50F729-31E2-4E56-B089-FC8641505607} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {CD3E56EE-77C7-4124-8000-5427682D6BDE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: SDWin32 Class - {DF9B8CD9-C269-4022-88E2-92D463535AAE} - C:\WINNT\system32\khbtt.dll
O2 - BHO: (no name) - {E4280FFA-01B0-4CC8-B7EC-F87EABB188E0} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {F4EBD1B0-E66D-4824-B2E4-7A144795A466} - C:\Program Files\nls3vbri\nls3vbri.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
O4 - HKLM\..\Run: [olphstn] "C:\WINNT\system32\olphstn.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [Zxzytz] C:\Program Files\Uavrs\Wjoej.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\Program Files\hpdll\tempdl\RAS012505.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [nls3vbri] C:\Program Files\nls3vbri\nls3vbri.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [2Fmh36h] ntlorts.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tetdxoe] C:\WINNT\system32\tetdxoe.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Jo5nRWNtV] nottsnmp.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://recruitmax.w...bex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E6A86FF2-AE57-11D3-B1F5-0010833427C9} - http://hpprintit.com/hpipb/pbsetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kindredpartners.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
  • 0


#2 Guest_thatman_* (Guest)

Hi megapax

Please set your system to show all files; see here for how to do this if you're unsure.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsear...sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: (no name) - {0722C99F-CC31-4155-ACFE-85629F52E60D} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {07C52CB1-E3AC-4548-A32A-5B48D552C8CF} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {0C62E32B-45D9-43B5-9667-CBB9E004DC51} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {0EA6F4C4-6E9F-4F4F-9B0A-F3DBCE77B8E5} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {158F0E0D-1146-4AD7-928F-B210C26348CE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {1730630D-0717-4BB6-8ECE-58F8E06DF977} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {1A4B7260-740D-43EB-9F84-A387C03708A4} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {242B2746-E3AA-4E75-B7F8-EC240CC2DF47} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {2639417F-24A9-46AE-868C-EA53103E6D84} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {284A165F-C8A8-46F6-A570-F89095F19060} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {28FE6AF4-8070-4A0E-891B-4663154436BD} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {2C0E63F5-692E-4F47-8089-AC924778FDC2} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {43D64023-2E94-437A-9CE7-3F3C7B5C2116} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {4586B8A1-23D6-4315-AD29-3CB6C63B52E3} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {49F9D152-210A-45EB-8378-F65B5FA3EE8B} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {4A310699-038E-402D-97D9-B0C0468FEE3A} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {521527DB-E565-4DFB-867D-A8B03859FA42} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {52987CB6-3AAD-4151-8884-DAD6C3EE7690} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {530B4F4D-CB8E-4BA1-BFCA-7D26725A99EB} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {53EA209B-A215-4DE7-8BEF-BBAF7438EF1E} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {5A384B18-1267-41EA-B542-6BCAD0F035DD} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {5B888D5C-1E20-46EA-AE47-4FB2F85CE2B9} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {5EA34304-85FF-4361-84AA-4976F096F453} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {6CB357E5-7ED3-4636-A34C-6D2DE5CB25F9} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {73C3F6DE-6E1F-4CD0-9307-8545E1C0F935} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {7451E86E-20EA-4341-8024-C19AFE873E0C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {77E0F405-30FD-40AC-9E30-FF9977BBBAD7} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {7974E862-CF34-4857-8C2B-ADC8B67F0C50} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: SDWin32 Class - {8C645624-ED6D-44AB-8922-A0108CBE409F} - C:\WINNT\system32\dkvoi.dll
O2 - BHO: (no name) - {8EEE81E3-FE45-4D0F-94CC-DDB12E85E017} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {941EC85D-78AF-421C-931A-0C84902E878C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {A1360057-5EBA-4606-9034-5F8CFEEE0240} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {A25D8FE3-25B3-4C63-A2F1-D74915DF8361} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {A9B06050-9E51-4738-A805-224F18D8DD51} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AA256EB9-5BE9-47A1-BE78-40E4D7F08D4C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AA562628-5456-4AE1-83A8-A07D030E3806} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AE8BA5B8-AB1A-4188-AD15-23C3C4AFC9AA} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {AF020B79-0229-4EA0-A554-720FF839A1E8} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B1B2A0B3-4508-4B90-A224-792E5232CC6C} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B4470525-D54C-4C6E-827A-883B88CF9EB8} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B536FEF1-3367-4DC8-AE5F-D0748C2DAD4A} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B546D270-CFAE-4039-BC6A-FFE3BA37DFBE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B5DBF1F5-7560-48BE-8404-FE88D01AD249} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B7158317-EEE0-4C81-B1E2-215FC1FB5ED0} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B82B05F0-0A36-4B07-A6C8-081D40C5DE0A} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B88D248C-6E61-4E56-9996-2A409E1AEAAE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {B8B37D4A-03E5-4F06-B5C5-1583734E5FDC} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {BCF8807D-F237-48EB-A40A-5ACEC7ADBF0E} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {CB50F729-31E2-4E56-B089-FC8641505607} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {CD3E56EE-77C7-4124-8000-5427682D6BDE} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: SDWin32 Class - {DF9B8CD9-C269-4022-88E2-92D463535AAE} - C:\WINNT\system32\khbtt.dll
O2 - BHO: (no name) - {E4280FFA-01B0-4CC8-B7EC-F87EABB188E0} - C:\Program Files\nls3vbri\nls3vbri.dll
O2 - BHO: (no name) - {F4EBD1B0-E66D-4824-B2E4-7A144795A466} - C:\Program Files\nls3vbri\nls3vbri.dll
O4 - HKLM\..\Run: [olphstn] "C:\WINNT\system32\olphstn.exe"
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [Zxzytz] C:\Program Files\Uavrs\Wjoej.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\Program Files\hpdll\tempdl\RAS012505.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [nls3vbri] C:\Program Files\nls3vbri\nls3vbri.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [2Fmh36h] ntlorts.exe
O4 - HKLM\..\Run: [tetdxoe] C:\WINNT\system32\tetdxoe.exe
O4 - HKCU\..\Run: [Jo5nRWNtV] nottsnmp.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://recruitmax.w...bex/ieatgpc.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them if found.

C:\WINNT\ZServ.dll<--Delete this file
C:\WINNT\BTGrab.dll<--Delete this file
C:\WINNT\Helper101.dll<--Delete this file
C:\Program Files\nls3vbri\nls3vbri.dll<--Delete the whole folder
C:\WINNT\system32\khbtt.dll<--Delete this file
C:\WINNT\system32\olphstn.exe<--Delete this file
C:\Program Files\Windows ServeAd\WinServAd.exe<--Delete this file
C:\Program Files\Uavrs\Wjoej.exe<--Delete the whole folder
C:\Program Files\hpdll\hpdll.exe<--Delete the whole folder
C:\Program Files\hpdll\tempdl\RAS012505.exe<--Delete the whole folder
C:\winnt\system32\msnavc32.exe lee0105
ntlorts.exe<--Delete this file
C:\WINNT\system32\tetdxoe.exe<--Delete this file
nottsnmp.exe<--Delete this file
C:\WINNT\system32\sysmonnt<--Delete this file
C:\WINNT\system32\dkvoi.dll <--Delete this file

Exit Explorer, and reboot as normal afterwards.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

kc :tazz:
  • 0

#3 megapax (Topic Starter, Member, 12 posts)

I did the best I could to hunt down and delete the files you indicated. My system is still under attack. I had a lot of difficulty getting online. It seems like every application I have is trying to access the internet. I am getting a lot of virus notifications "RECYCLERS" and trojan downloaders. I have the AVG antivirus program, which has healed some but has been able to take no action with the others. The main culprit still seems to be isrvs\sysupd.dll, which comes up repeatedly. Thank you for your help so far, I really want my computer back. Here's my latest log:

Logfile of HijackThis v1.98.2
Scan saved at 4:04:08 PM, on 2/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\System32\PSSVC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\DMI\bin\dmisrv.exe
C:\DMI\bin\delldmi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {48945938-F3C1-4930-8B1B-BE002588B3C7} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {4F8D95F6-3D4F-4A35-94E4-4AF92C561D5D} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {8E2E0DDB-CFE2-4F8C-BBD9-2800BB51300A} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {93831E38-1A91-43B1-A537-F88EE244E7AD} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {AC0EA5FC-695E-4895-A1BA-B25BE382BACA} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {ECA473F2-FC41-4798-8831-65F7D3E286AB} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {F40B349B-3E91-492F-81FF-A01402A089BF} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tetdxoe] C:\WINNT\system32\tetdxoe.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E6A86FF2-AE57-11D3-B1F5-0010833427C9} - http://hpprintit.com/hpipb/pbsetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kindredpartners.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
  • 0

#4 Guest_thatman_* (Guest)

Hi megapax

Please set your system to show all files; How to view hidden files and folders.

Copy and paste this text document and save it to your desktop. Or if you have a printer you can print these instructions.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {48945938-F3C1-4930-8B1B-BE002588B3C7} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {4F8D95F6-3D4F-4A35-94E4-4AF92C561D5D} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {8E2E0DDB-CFE2-4F8C-BBD9-2800BB51300A} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {93831E38-1A91-43B1-A537-F88EE244E7AD} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {AC0EA5FC-695E-4895-A1BA-B25BE382BACA} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {ECA473F2-FC41-4798-8831-65F7D3E286AB} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O2 - BHO: (no name) - {F40B349B-3E91-492F-81FF-A01402A089BF} - C:\Program Files\nls3vbri\nls3vbri.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tetdxoe] C:\WINNT\system32\tetdxoe.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them if found.

C:\WINNT\isrvs\ffisearch.exe
C:\WINNT\system32\tetdxoe.exe


Exit Explorer, and reboot as normal afterwards.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

kc :tazz:
  • 0
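As an added example that is not part of this thread (neither the helper's nor the poster's code): a small Python triage script for the HijackThis log format used in posts #2 and #4 above. It parses the R*/O* item lines (re-joining a GUID that was broken across two lines, as happened to the R3 line in the later logs), flags the kinds of entries the helper singled out for removal, and diffs a before/after log so the "post a fresh log" step can be checked mechanically. The sample logs are short excerpts constructed from this thread, the `known_good` list and the non-system32 heuristic are assumptions of this example, not HijackThis features.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis item line: section tag (R0, R1, R3, O2, O4, ...), " - ", then the body.
ITEM_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# A drive-letter path; stops before annotations such as "(file missing)".
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"<(]+(?: [^\s\"<(]+)*")
# A download source given as a bare IPv4 literal instead of a hostname.
IP_HOST_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
# Assumed heuristic for this thread's Windows 2000 layout: binaries under C:\WINNT\ but
# outside system32 (isrvs\, ZServ.dll, ...) were exactly the ones the helper had removed.
ODD_WINDIR_RE = re.compile(r"^[a-z]:\\winnt\\(?!system32\\)")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def key(self) -> str:
        """Case-insensitive identity used when diffing two logs."""
        return f"{self.section} - {self.body}".lower()


def parse_log(text: str) -> list[Entry]:
    """Return the R*/O* item lines of a log; the header and 'Running processes' are skipped.
    A GUID broken across two lines (as the R3 line was in the pasted logs) is re-joined."""
    entries: list[Entry] = []
    pending = ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        m = ITEM_RE.match(line)
        if not m:
            continue
        if line.count("{") > line.count("}"):
            pending = line  # brace still open: the GUID continues on the next line
            continue
        entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: list[Entry], known_good: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Map entry keys to the reasons they deserve a second look. known_good holds lower-case
    path fragments that suppress findings (an assumption of this example)."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        body = e.body
        if any(g in body.lower() for g in known_good):
            continue
        reasons: list[str] = []
        path = PATH_RE.search(body)
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("registry entry points at a file that no longer exists")
        if e.section == "O2" and "(no name)" in body:
            reasons.append("browser helper object registered without a name")
        if e.section == "O4" and path is None:
            reasons.append("autorun entry gives a bare filename, not a full path")
        if path and ODD_WINDIR_RE.match(path.group(0).lower()):
            reasons.append("component loaded from a non-system32 folder under C:\\WINNT")
        if e.section == "O15":
            reasons.append("site added to the IE Trusted Zone")
        if e.section == "O16" and IP_HOST_RE.search(body):
            reasons.append("ActiveX download from a bare IP address")
        if e.section == "R1" and "ProxyOverride" in body:
            reasons.append("proxy override setting present")
        if reasons:
            findings[e.key()] = reasons
    return findings


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[list[str], list[str], list[str]]:
    """Return (removed, remaining, new) keys between two scans of the same machine. An item
    whose file was deleted but whose registry entry survived shows up as removed AND new,
    because HijackThis appends "(file missing)" to its body."""
    b, a = {e.key() for e in before}, {e.key() for e in after}
    return sorted(b - a), sorted(b & a), sorted(a - b)


# Constructed excerpts of the first two logs posted in this thread (not the full logs).
BEFORE_LOG = r"""Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [2Fmh36h] ntlorts.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
"""
AFTER_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{C
A0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O15 - Trusted Zone: http://www.neededware.com
"""
```

Calling `diff_logs(parse_log(BEFORE_LOG), parse_log(AFTER_LOG))` shows the ffisearch autorun and the Trusted Zone entry surviving the first fix, and the sysupd.dll BHO reappearing as an orphaned "(file missing)" entry, which is what the second round of instructions then targets.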

#5 megapax (Topic Starter, Member, 12 posts)

My system seems to be running better, but the isrvs\ffisearch.exe and the isrvs\sysupd.dll file were not removed. I could not locate them. I accessed the isrvs folder, but they were not there. Can I delete the whole folder? On a separate matter, my Windows Media Player no longer functions and is being used as a conduit to the internet. When I went to delete it, a message popped up telling me that other programs will be affected if I continue. How can I safely get rid of my media player? Thank you again for your continued help. I have hope now. Here's my latest log:

Logfile of HijackThis v1.98.2
Scan saved at 10:40:33 AM, on 2/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\System32\PSSVC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\DMI\bin\dmisrv.exe
C:\DMI\bin\delldmi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E6A86FF2-AE57-11D3-B1F5-0010833427C9} - http://hpprintit.com/hpipb/pbsetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kindredpartners.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
  • 0

#6 Guest_thatman_* (Guest)
Hi megapax

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items:
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Click on Fix Checked and exit HijackThis.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

To remove Media Player, go to Start > Control Panel > Add/Remove Programs > click on Add/Remove Windows Components > uncheck the box for Media Player.

kc :tazz:
  • 0

#7 megapax (Topic Starter, Member, 12 posts)
Everything seems ok with my computer now, although the two isrvs items have not been removed. Does this pose a risk for reinfection? Also what specific programs would you recommend to maintain a secure system, free or otherwise? Here is my latest log:


Logfile of HijackThis v1.98.2
Scan saved at 5:11:17 PM, on 2/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\System32\PSSVC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\DMI\bin\dmisrv.exe
C:\WINNT\System32\svchost.exe
C:\DMI\bin\delldmi.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E6A86FF2-AE57-11D3-B1F5-0010833427C9} - http://hpprintit.com/hpipb/pbsetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kindredpartners.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
  • 0
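The logs in this thread are being read by eye for two kinds of entry: lines that still point into the C:\WINNT\isrvs folder, and lines marked "(file missing)" or "(no file)" whose registry entry outlived the file it referenced. The script below is an added example (not code from the thread or from HijackThis) that makes that triage mechanical: it parses the "Oxx - " lines of a HijackThis log, pulls out the first Windows path on each line, and flags the entry when the path sits inside a folder the thread has identified as the infection's home, or when the line is an orphan. The sample lines are constructed from the shape of the logs above, and the suspect-folder list contains only the folder named in this thread. An orphan flag means "review", not "malware": leftovers of uninstalled software look the same.

```python
import re

# Constructed sample in the shape of the HijackThis logs posted in this thread
# (a few lines only, not a full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""

# Folder the helpers in this thread identified as the infection's home
# (lower-case, trailing backslash so "isrvs2" would not match).
SUSPECT_DIRS = ("c:\\winnt\\isrvs\\",)

ORPHAN = "file referenced by the entry is not on disk"
SUSPECT_DIR = "path lies inside a folder identified as malware"

# "O4 - HKLM\..\Run: ..." -> section "O4", body = rest of the line
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A quoted path (may contain spaces) or an unquoted one (stops at whitespace).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')


def parse_line(line):
    """Split one HJT line into section code, body, first file path and orphan flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    path = (pm.group(1) or pm.group(2)) if pm else None
    orphan = "(file missing)" in body or "(no file)" in body
    return {"section": m.group("section"), "body": body, "path": path, "orphan": orphan}


def classify(entry):
    """Reasons an entry deserves a second look; empty list means nothing noticed."""
    reasons = []
    if entry["orphan"]:
        reasons.append(ORPHAN)
    path = entry["path"]
    if path and any(path.lower().startswith(d) for d in SUSPECT_DIRS):
        reasons.append(SUSPECT_DIR)
    return reasons


def find_suspect_entries(log_text):
    """Return (section, path, reasons) for every line that needs attention."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["section"], entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for section, path, reasons in find_suspect_entries(SAMPLE_LOG):
        print(f"{section}: {path or '(no path)'} -> {'; '.join(reasons)}")
```

Run against the sample it reports the sysupd.dll BHO (orphan and in the suspect folder), the ffisearch.exe Run key (suspect folder) and the text/html filter (orphan), and stays quiet about the Spybot helper and the ZoneAlarm client. Feeding it a real log is a matter of reading the file into `find_suspect_entries`; extending `SUSPECT_DIRS` is how you would carry forward folders confirmed in a particular cleanup.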

#8 Guest_thatman_* (Guest)
Hi megapax

I am shutting down for tonight, back on tomorrow.

I will pick up your log then, OK?

Kc :tazz:
  • 0

#9 Guest_thatman_* (Guest)
Hi megapax

Please set your system to show all files; see here for how to do this if you're unsure.


Close all programs down, leaving only HijackThis running.
Place a check against the following items:

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINNT\isrvs\ffisearch.exe <--Delete the whole folder

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:
  • 0

#10 megapax (Topic Starter, Member, 12 posts)
I successfully removed the C:\WINNT\isrvs folder, but HJT still did not remove the three items. However I was able to find the first two in the registry and delete them. The filter: text/html remains though. I have had no problems with my computer in the meantime. Thank you for all of your effort. Here is my latest log:

Logfile of HijackThis v1.98.2
Scan saved at 9:07:35 AM, on 3/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\System32\PSSVC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\DMI\bin\dmisrv.exe
C:\DMI\bin\delldmi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E6A86FF2-AE57-11D3-B1F5-0010833427C9} - http://hpprintit.com/hpipb/pbsetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kindredpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kindredpartners.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
  • 0

#11 Guest_thatman_* (Guest)
Hi megapax

Search your system for files like this: ADW_ISEARCH.A. If found, delete them.

Kc
  • 0

#12 megapax (Topic Starter, Member, 12 posts)
I was hunting down Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} and when I searched the registry it sent me to the following path:

HKEY_USERS/S-1-5-21-895553523-1324799350-790764824-1622/Software/Microsoft/Internet Explorer/Explorer Bars/{C4EE31F3-4768-11D2-BE5C-00A0C9A8DA1}

In this folder are two files:
ContainingTextMRU, which has two items: default (value not set) and 000 (off limits).

The other folder, FilesNamedMRU, has 24 items including ADW_ISEARCH.A. and the above Filter: text/html file. There are also many such as isrvs, Ad Tools, Windows Ad Tools, etc., which bear the names of the various infections I have been working to purge. There are also two hijackthis files and additional Filter text/html, HTM, HTML. Should I delete all these items or the whole folder?
  • 0

#13 Guest_thatman_* (Guest)
Hi megapax

Please only delete the items with malware names. When in the registry, back up first before deleting any items.

Kc :tazz:
  • 0

#14 Guest_thatman_* (Guest)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0