All articles licensed under a Creative Commons License.

Sunday, February 20, 2005

100+ malware installs in one hit

Yep, that's 100.

It infects Explorer, and causes merry hell with the infected machine.

The only automated tool that does anything with this yet is KAV Personal 5.0 (you can get a free, fully functional 30 day trial that will remove it for you). We have found that a number of AVs detect it and claim to cure it, but instead they quarantine and/or delete the infected explorer.exe, leaving you with no desktop.

Information on how to run KAV to combat this multiple infection can be found here, courtesy of Calamity Jane, Microsoft MVP. It's possible that you may still need assistance with removing all the infections, however. For this, you should refer to any site that is a member of ASAP (Alliance of Security Analysis Professionals).

It seems THIS is the "unfixable infection" I was rambling about some time ago - some of the domains from our old friend SP2Fu***d make an unwelcome appearance. Most of the processes are hidden all over the place, so even after an apparent fix, as soon as you go back online all the garbage reinstalls.

The isrvs folder is typically seen in this infection, but many other malwares are common to it, so that may not be a definite sign of infection. However...

If you find something similar to the below when running HijackThis, you need help immediately as this infection could mangle the host PC completely if not fixed:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »searchmiracle.com/sp.php
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {2B5E7117-24E7-5914-3794-A3D089E4A773} - (no file)
O2 - BHO: (no name) - {57798B92-1E52-BB11-3BF1-51F50C193253} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [12C.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mthnzl.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Yfkadl.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [15E.tmp] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [15E.tmp.exe] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [4.tmp] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [rE4W37i] jdbtil.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvayb32.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll
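As an added example (not part of the original post), here is a small Python triage script that parses HijackThis lines and flags the indicators called out above: components loaded from the isrvs folder, Run entries executing from a Temp directory, wildcard domains added to the Trusted Zone, and MIME filters hooking text/* content. The sample lines are copied from the log above, plus one benign Run entry with a hypothetical path so the rules have something to pass.

```python
import re

# Constructed sample: entries copied from the HijackThis log quoted above,
# plus one benign Run entry (hypothetical path) that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O15 - Trusted Zone: *.searchmiracle.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

# "O4 - body" / "R1 - body" style prefix used by every HijackThis entry.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")
# Run-key entries: HKLM\..\Run: [display name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Any path component named Temp or tmp, regardless of case.
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

def flag_entry(section, body):
    """Return a reason if this entry matches one of the post's indicators, else None."""
    if section == "O4":
        m = RUN_RE.match(body)
        if m and TEMP_RE.search(m.group("cmd")):
            return "autorun executable living in a Temp directory"
    if section == "O15" and body.startswith("Trusted Zone: *."):
        return "wildcard domain added to the Trusted Zone"
    if section == "O18" and body.startswith("Filter: text/"):
        return "MIME filter hooking text content in Internet Explorer"
    if "\\isrvs\\" in body.lower():
        return "component loaded from the isrvs folder"
    return None

def triage(log_text):
    """Parse a HijackThis log and return [(section, reason, line), ...] for flagged entries."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reason = flag_entry(m.group(1), m.group(2))
        if reason:
            hits.append((m.group(1), reason, line))
    return hits

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```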

We will post more updates on this as we get them. A dedicated manual removal tool is currently in development and will hopefully be available shortly.

As it stands, there already appear to be some problems with KAV removing this infection. Watch as this epic, three-page attempted removal shambles towards an inevitable doom - and I quote:

"When my computer tried to restart, I received the message that it could not load Explorer.exe and I had to reinstall Windows.

That's where I'm at right now... My computer will not start. Is this indeed the end??"

For now, it goes without saying that you should ensure your machine is fully patched, and take care when visiting unknown sites. You never know what kind of welcome you're going to get, and if it's anything like the one above, you'd be better off hoping there's nobody home...

All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.