iSearch help!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by opey, Feb 19, 2005.

  1. opey

    opey Private E-2

    P4 1.7, 256mb RAM
    Windows XP SP2


    I have a serious piece of spyware that loads every spyware program I've ever seen. I keep my computer very clean and keep close watch on the processes, installed programs, etc. One day my computer was idle and when I came back to it, it was bombarded with tons of ads, a few dialers, and new icons on the desktop (supposed spyware removal tools :rolleyes: ). I began by killing the 20+ processes that had been created. Then I ran Spybot, Ad-Aware, and Microsoft AntiSpyware. It seems that all the spyware can be removed except iSearch and Desktop Search, which seem to be the same thing. In normal mode the files and registry keys are impossible to remove. You can't even disable the startup files in msconfig. So I did a search and found your site...

    Ok, I followed your standard procedure EXACTLY... word for word. I followed every step exactly how it said to. I ran everything in safe mode, etc. I'm not a computer newb. I am a technician, and this spyware has me STUMPED! After I ran everything in your sticky thread I also ran Microsoft AntiSpyware, which found more to be deleted. I made sure that there was nothing running in the startup. There were no BHO browser plugins or anything. I had absolutely no problems browsing the net in safe mode... no pop-ups etc. I even let the PC sit for a while to see if the stuff would come back. Before I ran all the programs, all the spyware would even autoload in safe mode.

    As soon as I rebooted into normal mode everything came back like I did nothing. Whatever this spyware is took control of my computer and loaded everything back on in seconds. Now my computer is in the exact same state it was back at square one.

    In short... help!! :eek:

    PS: I've attached my HijackThis log. I'm 99% sure you'll be needing it. If not, I apologize. Also, I had to kill all the processes just to have the CPU power to run the program. If this affects HijackThis I can TRY to run it with all the spyware running.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, Update your version of HJT to Hijack This 1.99.1 and do another scan with the new version and post a new log, before we continue.

    Second, Make sure when running HJT THAT ALL OPEN BROWSERS ARE CLOSED!

    C:\Program Files\Internet Explorer\iexplore.exe
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    In the meantime let's go ahead and start.

    First, Please look in Add or Remove Programs for the following and Uninstall them if found:

    180solutions

    Internet Optimizer

    Power Scan



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=154944

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\windows\nem220.dll

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\windows\system32\boln.dll

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

    O4 - HKLM\..\Run: [version] C:\windows\system32\Ccwreb.exe

    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    O4 - HKLM\..\Run: [secure] C:\windows\system32\Ajyqdx.exe

    O4 - HKLM\..\Run: [tinkz] C:\WINDOWS\tinkz.exe

    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer

    O4 - HKLM\..\Run: [Desktop Search] C:\windows\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\windows\isrvs\ffisearch.exe

    O4 - HKLM\..\Run: [utmpyg] c:\windows\system32\utmpyg.exe

    O4 - HKLM\..\Run: [farmmext] C:\windows\farmmext.exe

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ERINME~1\LOCALS~1\Temp\djtopr1150.exe"

    O15 - Trusted Zone: *.addictivetechnologies.com

    O15 - Trusted Zone: *.admin2cash.biz

    O15 - Trusted Zone: *.awmdabest.com

    O15 - Trusted Zone: *.bettersearch.biz

    O15 - Trusted Zone: *.c4tdownload.com

    O15 - Trusted Zone: *.clickspring.net

    O15 - Trusted Zone: *.crazywinnings.com

    O15 - Trusted Zone: *.f1organizer.com

    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

    O15 - Trusted Zone: *.iframe.biz

    O15 - Trusted Zone: *.megapornix.com

    O15 - Trusted Zone: *.mt-download.com

    O15 - Trusted Zone: *.newiframe.biz

    O15 - Trusted Zone: *.overpro.com

    O15 - Trusted Zone: *.pizdato.biz

    O15 - Trusted Zone: *.private-dialer.biz

    O15 - Trusted Zone: *.private-iframe.biz

    O15 - Trusted Zone: *.slotch.com

    O15 - Trusted Zone: *.sp2admin.biz

    O15 - Trusted Zone: *.sp2****ed.biz

    O15 - Trusted Zone: *.topconverting.com

    O15 - Trusted Zone: *.vse-moe.biz

    O15 - Trusted Zone: *.windupdates.com

    O15 - Trusted Zone: *.xxxtoolbar.com

    O15 - Trusted Zone: *.ysbweb.com

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll




    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\isrvs <--- Delete Whole Folder!

    C:\Program Files\ISTsvc <--- Delete Whole Folder!

    C:\Program Files\Power Scan <--- Delete Whole Folder!

    C:\Program Files\180solutions <--- Delete Whole Folder!

    C:\Program Files\Internet Optimizer <--- Delete Whole Folder!

    C:\WINDOWS\system32\boln.dll

    C:\WINDOWS\system32\Ccwreb.exe

    C:\WINDOWS\system32\Ajyqdx.exe

    C:\WINDOWS\system32\utmpyg.exe

    C:\WINDOWS\tinkz.exe

    C:\WINDOWS\farmmext.exe

    C:\WINDOWS\nem220.dll



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Good Luck!
     
  4. opey

    opey Private E-2

    Believe it or not, all browsers were closed. This spyware puts several iexplorer.exe entries in the processes even tho there are no browsers open. Anyway, I'm making a log of any notable situations while following your procedure so I don't leave anything out for you.


    1. 180solutions, Internet Optimizer, and Power Scan were not found in the Add/Remove Programs list. The only item in that list that shouldn't be there is called "Best Search Engine!!!" When you click "Uninstall" the entry simply goes away, but when you close Add/Remove Programs and re-open it the entry is back.


    2. When I ran HijackThis again the following items were not found:

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\windows\nem220.dll
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [version] C:\windows\system32\Ccwreb.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [secure] C:\windows\system32\Ajyqdx.exe
    O4 - HKLM\..\Run: [tinkz] C:\WINDOWS\tinkz.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ERINME~1\LOCALS~1\Temp\djtopr1150.exe"

    The following items came back after scanning again:

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [Desktop Search] C:\windows\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\windows\isrvs\ffisearch.exe
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


    3. When deleting files in Safe Mode with hidden files shown the following files could not be located:

    C:\Program Files\ISTsvc (Folder)
    C:\WINDOWS\system32\boln.dll
    C:\WINDOWS\system32\Ccwreb.exe
    C:\WINDOWS\system32\Ajyqdx.exe
    C:\WINDOWS\tinkz.exe
    C:\WINDOWS\nem220.dll


    4. While running CCleaner I found that the "Best Search Engine!!!" item in the Add/Remove Programs list actually triggers C:\WINDOWS\system32\boln.dll, which is now deleted. I removed the item. And just to note, because I know what's about to happen when I restart, the only startup items that CCleaner or msconfig show are Microsoft Antispyware, ctfmon, and pctvoice.


    5. After running spybot and the Clean Manager I restarted into normal mode, and it all came back. This time I'll try to get a HJT log with all the processes running even tho my processor usage is at 100%.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try this!

    Close all open Internet Explorer windows.

    1) Click Start > Run, type the following command and click Ok:

    regsvr32 /u C:\WINDOWS\system32\toolbar.dll (or toolbar_.dll)

    Note: If you get any errors with the above step just proceed.

    2) Click Start > Run, type the following command and click Ok:

    regedit

    NOTE: Please make a backup of your registry before modifying it!

    3) In Registry Editor look for the following keys and remove any if they exist.


    HKEY_CLASSES_ROOT\clsid\{1c78ab3f-a857-482e-80c0-3a1e5238a565}

    HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{1c78ab3f-a857-482e-80c0-3a1e5238a565}

    HKEY_LOCAL_MACHINE\clsid\{1c78ab3f-a857-482e-80c0-3a1e5238a565}

    HKEY_LOCAL_MACHINE\software\classes\clsid\{1c78ab3f-a857-482e-80c0-3a1e5238a565}

    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{1c78ab3f-a857-482e-80c0-3a1e5238a565}

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{1c78ab3f-a857-482e-80c0-3a1e5238a565}


    4) Reboot, Once Windows has loaded go into the directory:

    C:\WINDOWS\system32

    And look for the file(s) below, delete any that are found.

    toolbar.dl

    toolbar.dll

    toolbar_.dll



    5) Now let's give this a try. Usually I don't tell people to use uninstallers, but it may help.

    Download the iSearch Uninstaller


    6) Go in and delete this whole directory:

    C:\windows\isrvs


    Now Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Good Luck!
     
  6. opey

    opey Private E-2

    1. Neither toolbar.dll nor toolbar_.dll was found when running regsvr32.

    2. None of those values were found in regedit. Also, there was no Windows directory under HKEY_CLASSES_ROOT\software\microsoft\. I thought you might've meant HKEY_LOCAL_MACHINE but there was no {1c78ab3f-a857-482e-80c0-3a1e5238a565} key in there anyway. There was also no CLSID under HKEY_LOCAL_MACHINE.

    3. toolbar.dl, toolbar.dll, and toolbar_.dll were not found.

    4. All the uninstaller did was take its shortcuts off the desktop.

    5. I deleted the isrvs folder in Safe Mode but it just came right back.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have to run out for a little while, but I have asked Chaslang to work on your logs. He will be in when time permits. Hang in there!

    Thanks Bj:)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not be doing something correctly because in one of your previous messages you said:
    However many of those are definitely still in your log. And they will always be there unless you Fix them with HijackThis and then delete the files related to them.

    Some of the files are just renaming themselves each time you do not fix them correctly.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download http://ralphcaddell.com/Uploads/deldomains.zip and unzip it to your desktop. Do not run it yet.

    Please make sure that System Restore is disabled and Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED and with your connection to the internet physically unplugged.

    Exit Browsers now before continuing and unplug your cable. And do not reconnect or run any browsers until told to do so.


    First Step:

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\windows\fskoplgx.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\program files\180solutions\sais.exe
    C:\WINDOWS\qfsrqnml.exe
    C:\windows\system32\Ssfmft.exe
    C:\windows\system32\utmpyg.exe
    C:\windows\system32\calc.exe <--- why are you running calc.exe ???
    C:\DOCUME~1\ERINME~1\LOCALS~1\Temp\tosX4m.exe
    C:\Program Files\ISTsvc\istsvc.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=154944
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\windows\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=1002663
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\windows\dlmax.dll
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\windows\nem220.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\windows\system32\boln.dll
    O4 - HKLM\..\Run: [CaTD4cOA] C:\windows\fskoplgx.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [version] C:\windows\system32\Qjhcgc.exe
    O4 - HKLM\..\Run: [qfsrqnml] C:\WINDOWS\qfsrqnml.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\Run: [secure] C:\windows\system32\Ssfmft.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\windows\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\windows\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [utmpyg] c:\windows\system32\utmpyg.exe
    O4 - HKLM\..\Run: [farmmext] C:\windows\farmmext.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunOnce: [Desktop Search Removal Tool] "C:\windows\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
    O4 - HKLM\..\RunOnce: [Bonus Sites Removal Tool] "C:\windows\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
    O4 - HKLM\..\RunOnce: [iSearch Toolbar Removal Tool] "C:\windows\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\fskoplgx.exe
    C:\Program Files\Internet Optimizer <--- the whole folder
    C:\program files\180solutions <--- the whole folder
    C:\WINDOWS\qfsrqnml.exe
    C:\windows\system32\Ssfmft.exe
    C:\windows\system32\utmpyg.exe
    C:\DOCUME~1\ERINME~1\LOCALS~1\Temp <-- delete all files & subfolder that it allows you to delete here!
    C:\Program Files\ISTsvc <--- the whole folder
    C:\windows\inst <--- the whole folder
    C:\Program Files\Power Scan <--- the whole folder
    C:\windows\dlmax.dll
    C:\windows\nem220.dll
    C:\windows\system32\boln.dll
    C:\windows\system32\Qjhcgc.exe
    C:\WINDOWS\qfsrqnml.exe
    C:\windows\system32\Ssfmft.exe
    C:\windows\isrvs\desktop.exe <--- delete all files in this c:\windows\isrvs folder
    C:\windows\isrvs\ffisearch.exe
    C:\WINDOWS\isrvs\sysupd.dll
    c:\windows\isrvs <--- now after delete all files in the folder delete this folder
    C:\windows\farmmext.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Then, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Second Step:

    While still in safe mode.
    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Third Step:

    While still in safe mode. Copy and paste the information in the below quote box to notepad. Save it to a file that you will have access to later when you boot into safe mode. Name it fix.reg. Then boot into safe mode, run Windows Explorer and locate the fix.reg file. Doubleclick it and grant it permission to merge in the registry entries.




    Fourth Step:

    Reboot into normal mode and with cable still unplugged get a new HJT log and call hjtlog1.log. Exit HJT.

    Now plug your cable back in and open one browser and then close it. Now get another HJT log and call it hjtlog2.log

    Now come back here and post both HJT logs and provide feedback on what happen while doing these steps.
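
The O15 block in the log above (two dozen domains in the Trusted Zone plus `http` mapped to the Trusted Zone in ProtocolDefaults) is what deldomains.inf and the fix.reg in this step undo. The following is an added example written for this thread; it is not deldomains.inf, not the fix.reg chaslang supplied (whose contents are not reproduced here), and not HijackThis code. It assumes the standard Internet Explorer ZoneMap layout: one subkey per domain under `...\Internet Settings\ZoneMap\Domains` with a DWORD zone id per scheme, and a `ProtocolDefaults` key with one DWORD per scheme, where 2 is the Trusted zone and 3 is the Internet zone. From the O15 lines it writes a `.reg` file that deletes only the listed domain keys, in both HKCU and HKLM, and resets the mis-set protocol defaults to the Internet zone. The sample O15 lines are copied from the log above.

```python
"""Build a fix.reg that undoes O15 Trusted Zone / ProtocolDefaults tampering
(added example; assumes the stock IE ZoneMap registry layout)."""
import re

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
INTERNET_ZONE = 3  # zone id Internet Explorer uses for the Internet zone

TRUSTED_RE = re.compile(r"^O15 - Trusted Zone:\s*(?P<dom>\S+)")
PROTO_RE = re.compile(
    r"^O15 - ProtocolDefaults:\s*'(?P<proto>\w+)' protocol is in "
    r"(?P<zone>\w+) Zone.*?(?P<hklm>\(HKLM\))?\s*$"
)


def parse_o15(lines: list) -> tuple:
    """Split O15 lines into (trusted-zone domains, [(hive, scheme), ...] to reset)."""
    domains, protos = [], []
    for line in lines:
        line = line.strip()
        m = TRUSTED_RE.match(line)
        if m:
            # HijackThis prints "*.example.com" for the Domains\example.com key
            dom = m.group("dom").lstrip("*.").lower()
            if dom and dom not in domains:
                domains.append(dom)
            continue
        m = PROTO_RE.match(line)
        if m:
            # HJT appends "(HKLM)" for the machine-wide copy; otherwise it is HKCU
            hive = "HKLM" if m.group("hklm") else "HKCU"
            protos.append((hive, m.group("proto")))
    return domains, protos


def build_fix_reg(domains: list, protos: list, hives=("HKCU", "HKLM")) -> str:
    """Return .reg text (CRLF line endings, as regedit expects)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for hive in hives:
        root = HIVES[hive] + "\\" + ZONEMAP
        for dom in domains:
            # "[-key]" in a .reg file deletes the key with all its values and subkeys
            out.append(f"[-{root}\\Domains\\{dom}]")
            out.append("")
    for hive, proto in protos:
        root = HIVES[hive] + "\\" + ZONEMAP
        out.append(f"[{root}\\ProtocolDefaults]")
        out.append(f'"{proto}"=dword:{INTERNET_ZONE:08x}')
        out.append("")
    return "\r\n".join(out)


# Sample input: O15 lines copied from the HijackThis log quoted in this thread.
SAMPLE_O15 = [
    "O15 - Trusted Zone: *.finefind.nettraffic2cash.biz",
    "O15 - Trusted Zone: *.ysbweb.com",
    "O15 - Trusted Zone: *.xxxtoolbar.com",
    "O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone",
    "O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)",
]

if __name__ == "__main__":
    doms, protos = parse_o15(SAMPLE_O15)
    reg_text = build_fix_reg(doms, protos)
    with open("fix.reg", "w", newline="") as fh:  # newline="" keeps the CRLFs intact
        fh.write(reg_text)
    print(reg_text)
```

Because only the domains named in the log are deleted, a user's own legitimately trusted sites are left alone. As the thread itself shows, merging the file while the malware is still running is pointless: the keys are re-created within minutes, which is why this step is done in safe mode with the cable unplugged, and why a trusted-zone entry that is back on the next scan means the component that writes it has not been removed yet.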
     
  10. opey

    opey Private E-2

    That's because the second time I ran HJT a whole day went by of my spyware blockers trying to take stuff off etc. But when I ran it after I followed his instructions I had just rebooted into normal mode and everything was freshly reloaded. And the longer my computer sits the more stuff gets loaded onto it.

    I will try your instructions now tho.
     
  11. opey

    opey Private E-2

    ok... here we go...

    1. I had already killed all the processes before I saw your post so nothing was running. Also, calc.exe opens by itself like the rest of it. I have no idea why, but calc.exe goes away when I end the process tree for utmpyg.exe in Task Manager.

    2. The problem with these HJT logs is by the time I get a response and run HJT again I have different results and new entries. Like I said, the longer my computer sits, the more junk gets loaded onto it. So with that said, here's the situation now:

    The following entries didn't show up in this HJT scan:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=154944
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\windows\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...ount_id=1002663
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\windows\nem220.dll
    O4 - HKLM\..\Run: [version] C:\windows\system32\Qjhcgc.exe
    O4 - HKLM\..\Run: [qfsrqnml] C:\WINDOWS\qfsrqnml.exe
    O4 - HKLM\..\Run: [secure] C:\windows\system32\Ssfmft.exe
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    The following NEW entries were found in this HJT scan:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\windows\BTGrab.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\windows\systb.dll
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O4 - HKLM\..\Run: [cfRq] C:\windows\fvcrlqqr.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\windows\wupdt.exe
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

    I will fix the new entries and add the following NEW files found in HJT to your list to delete:
    C:\windows\BTGrab.dll
    C:\windows\systb.dll
    C:\Program Files\SideFind\sfbho.dll (whole SideFind folder)
    C:\Program Files\SideFind\sidefind.dll (whole SideFind folder)
    C:\windows\fvcrlqqr.exe
    C:\windows\wupdt.exe
    C:\WINDOWS\isrvs\mfiltis.dll (whole isrvs folder)

    3. I fixed all the items and ran HJT just to check and the following entries were still there:
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\windows\system32\boln.dll
    O4 - HKLM\..\Run: [Desktop Search] C:\windows\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\windows\isrvs\ffisearch.exe
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

    4. I booted into Safe Mode and deleted all the files. The following files were not found:
    C:\WINDOWS\qfsrqnml.exe
    C:\windows\nem220.dll
    C:\windows\system32\Qjhcgc.exe

    5. deldomains was successfully installed in Safe Mode. I rebooted back into Safe Mode and successfully ran fix.reg.

    Everything seems to be running ok, but as you can see, the ffis entry is still in HJT. It is also still in the startup along with soft.exe, which is disabled. I don't know what soft.exe does but I know it used to load with the rest of the spyware files.
     

    Attached Files:

  12. opey

    opey Private E-2

    Ok, after I posted my last message, I closed the browser again, and all the spyware came back. Just to clarify, when I opened the browser like you asked, my start page (www.google.com) came up. I waited a minute then closed it. I ran HJT again and saved the log. Then I opened my browser again and selected this thread from my Favorites. I posted my message, and closed the browser. Once the browser was closed, the CPU started working so I checked the processes, and sure enough, everything was loading back on.

    I took another HJT scan. NO PROGRAMS were running when I did the scan.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Stop rebooting or shutting down your PC and do not fix anything on your own. Not even using Task Manager. The log that you post next MUST reflect the actual state of your PC and if you reboot or shut down things it will not.

    If you already changed anything (including killing any processes), reboot right now and do absolutely nothing after reboot but the following:
    1) Save a new HJT log
    2) come here and post the log
    3) do not do anything else, do not power down or reboot.
    4) Wait for an answer (you can disconnect the cable to you dial-up, cable or DSL modem to be secure but nothing else).


    Some of your problems are more than likely due to poor security measures! No firewall and no antivirus application. We may have to fix that.

    What is the version number of your Microsoft AntiSpyware?
     
  14. opey

    opey Private E-2

    Ok, you have to understand that all this stuff is locking my computer up. Sometimes it gets blue screen errors and restarts. Also, Microsoft AntiSpyware constantly scans and tries to uninstall the spyware. Even tho it says that it gets rid of it, it actually does next to nothing. I am running Microsoft AntiSpyware 1.0.509.

    So, now I rebooted and let my computer sit for an hour. I closed the 4539756344398573 popups and dialers, and I took an HJT log. I opened IE to type this message, and I won't do anything else but check for a response until I receive instructions.

    I can tell you what I have noticed over the past several days. No matter what I delete and what processes are running, all this spyware loads onto the computer as long as there is an internet connection. I booted into safe mode with networking with the ethernet unplugged and ran all my spyware programs that were on this site. I ran Microsoft AntiSpyware and manually deleted every file and registry entry that it displayed as a potential threat. I ran each program several times until I received no threats. I deleted every temporary file on the computer. I made sure that there was nothing set to run on startup. I rebooted back into safe mode with networking and plugged my ethernet back in. I let the computer sit idle without opening any programs at all. I came back to it in about an hour and it was all loaded back on. It seems no matter what processes are running or if you don't even open any programs, this stuff gets loaded on like clockwork. It seems like the system is doing a check for the components every 15 minutes or so. Even when all the stuff is loaded on and running it gets reloaded. You can tell because it puts shortcuts on the desktop. You can see the shortcuts flash and load back on while new processes start to run.

    Anyway, here is my HJT log. I hope you guys are good, because I am stumped. If this was my computer I would've reformatted 2 days ago. lol

    Thanks for your help and patience thus far.
     

    Attached Files:

  15. opey

    opey Private E-2

    Sorry to make another post, but overnight without touching a thing, more spyware was loaded on. I ran HJT to check and it was different. Nothing went away but more entries were added. The computer can barely load a program now.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So I guess you did not do what I said about disconnecting the cable to the internet to be secure.

    You seem to be having great problems in removing this malware and I'm not completely sure why all of these are proving so difficult. Some of them are difficult and do insist on coming back but many of your problems should not. Either we are having a problem with the directions being given (do you understand them) or following them and getting all the items deleted. Also I would be willing to bet that another major contributing factor is the lack of protection on your PC. You have no antivirus application and no software firewall.

    Please refer to this: How to Protect yourself from malware!
    And first install a firewall. I would use ZoneAlarmFree or Sygate. After installing the firewall make sure you only give permission for things you absolutely recognize to go out or come in.

    Next install an antivirus. I would recommend using Avast! Although it is free you will just need to give them an email address to get a free registration number good for a year. Then run a full in depth scan of your system using Avast and have it fix anything it finds. Save the log and post it back here later.

    Now go to this step in the How to Protect thread: 7) Adjust Active X security settings
    and make sure that you set all of those options as recommended.

    Now run a full scan of your system using Microsoft Antispyware and fix what it finds (save the log and post it back here later).

    After you do all of the above, post a new HijackThis log, and the logs from Avast and MS Antispyware and do not reboot. (You will need to post two messages because only two attachments can be in a single message.) Again while waiting for an answer you can still (even though you have a firewall) be absolutely secure by unplugging your cable to the internet.

    Questions:
    1) Is system restore still disabled?
    2) Tell me if all the settings below are set as indicated:
    Click Start and select Explore.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.
     
    Last edited: Feb 21, 2005
  17. PhilliePhan

    PhilliePhan Guest

    Hey Chas,

    As I mentioned to you the other day, AV companies are catching up to this isrvs baddie!! Kaspersky Anti-Virus Personal 5.0 now cleans this thoroughly + much of the crap that comes with it!! Suggest you download and run the 30 day trial.


    OPEY - You should print this out for reference!

    You must disable the resident AV and install KAV 5.0.

    When Installing, do the following as you come to them:

    Uncheck the Operate According to Recommended Settings Box

    Uncheck the Use Real-time Protection against Network Attacks Box

    Uncheck the Use The iStreams Technology Box


    Now, allow KAV 5.0 to download and install Updates. Then, look under Settings > Configure Updater and select Extended Database > OK > Check for Updates and allow those to install.

    Then, Click Settings > Configure On-Demand Scan Settings and Set Scan Level to Maximum > Perform Recommended Action > OK

    NOW, Close ALL Programs (including KAV 5.0) and Browsers!

    Physically Disconnect from the Internet - Pull the Cable!!

    Boot to SAFE MODE

    OPEN KAV 5.0 BUT DO NOT RUN IT YET!!!

    Open Task Manager (Ctrl-Alt-Del), right-click explorer.exe and END IT!!

    Everything will go blank except for KAV 5.0 and Task Manager. DO NOT CLOSE THEM!!

    Now: Start a FULL SYSTEM SCAN. Click the Protection Tab and select Scan My Computer.

    This process may take HOURS . . . . LET IT RUN!

    When the Scan and Cleanup are done, go to Task Manager and select File / New Task and type explorer.

    Close KAV 5.0 and TaskManager and reboot to Normal Windows and get a fresh HijackThis Log and let us know how things shook out!

    Best Luck :)

    PP
     
  18. opey

    opey Private E-2

    Yup, explorer.exe was infected with a virus. Never seen that one before. I knew it wasn't just me doing something stupid. Anyway, I ran deldomains again to get rid of the one trusted site that wouldn't go away. Everything else is gone. All programs are reporting no threats. Let's hope my sister can keep it this way!!

    Thanks for all your help guys. This is by far the worst threat I've ever seen... especially since there's virtually no support for it on the web.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks PP!

    Opey,

    You still need to get all the protection in place on that PC. Without a firewall you are doomed to have more problems.

    You should also reboot a couple times and then post a follow up HJT log.
     
  20. PhilliePhan

    PhilliePhan Guest

    No problem, my friend! You know how I hate to see you Floundering . . . . :D ;)

    OPEY - Glad to hear things are looking up. If you don't mind paying for AV, you may be well served to stick with Kaspersky! Suggest you employ the additional protections Chas recommends - lots of "hard to kill" baddies floating around these days!

    PP :)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean like you were doing in tblue's thread. :p
     
  22. PhilliePhan

    PhilliePhan Guest

    Too many cooks spoiled that broth! Can't pin that one on me, my friend! :p ;)
     
  23. opey

    opey Private E-2

    Yeah guys, I set my sister up with Zone Alarm and Avast. Microsoft Antispyware is set to scan every night as well as Avast. I've rebooted a lot since the trojan was taken off. HJT is showing no threats as well as every other spyware scanner I run. I repair PCs for a living guys and I have NEVER had this much trouble getting a threat off the computer. You don't know how close I was to formatting the hard drive. You guys just saved all my little sister's illegal music lol.

    Funny thing is when I built this computer I put Norton's Internet Security on it, and that was nowhere to be found... only traces of the program were left. She swears she didn't delete it. :rolleyes:

    Anyway, thanks a lot guys. I can unignore my safe entries in HJT and upload a log for you if you want but I'm 100% sure they're all safe.

    I do have a Zone Alarm question for you guys though. I noticed that streaming audio files won't play in WMP10 while it's active. If I disable it, they play. Media Player is set to allowed in Zone Alarm. Any knowledge about this?
     
  24. tblue

    tblue Corporal

    lmao....... like we were all doing
     