iSearch Toolbar and W32/DOWNLOADER.YQ - Take 2

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jannygirl, Feb 16, 2005.

  1. jannygirl

    jannygirl Private E-2

    Re: iSearch Toolbar and W32/DOWNLOADER.YQ

    can anyone help a computer illiterate plez------i am trying everything i can-i was referred to this site for a trojan virus and nothing is working-i tried all the steps left by The old thug-i downloaded and tried to run all-i can't seem to run any scans-tried housecall-it said clean failed-have TROJ-IESER.A -can't even run norton scan-it shows auto protect is off and can't enable and it can't run email scan-says error-nothing is helping-and i don't know what i am doing-help-jan
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: iSearch Toolbar and W32/DOWNLOADER.YQ

    What steps left by TheOldThug? This is your first message. No one told you to try anything. Are you referring to our standard cleanup procedures in the sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Here is the standard procedure spelled out:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. jannygirl

    jannygirl Private E-2

    yes-the standard removal procedure-i thought it was his-i did all of that that i could but it didn't work-and i can't run norton or housecall-what now???
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why can't you run Norton or Housecall? Be specific. Did you run all the other steps? If not why not?

    If you completed all steps of the READ ME then finish following my previous instructions!
     
  5. jannygirl

    jannygirl Private E-2

    Thank you so much for not jumping ship-i will try to explain-i did everything on the entire list except the hijack thing-it said not to do that if you were not experienced-anyway at the time-housecall said clean failed-TROJ-IESER.A and norton said virus detected on my computer on a popup that i can't get rid of-it says high risk-virus on computer-object name-c:\Windows\ISRVS\SYSUPD.DLL and virus name Download. Trojan-said action file was denied-unable to repair..........i reran housecall and norton today before i wrote this-i was able to run housecall and it scanned-it said found 4 infected files-i was able to clean 1 of them -3 it says unable to clean because it is currently in use-???1 said uploader F detected-they were called Troj-uploader.F for 3 of them and Troj Agent AAB for 1 file-one of the uploaders was apparently cleaned up-Norton said it deleted 3 files and there is still 1 infection and 13 at risk-i don't know if any of this makes sense to you -it doesn't to me-thanks for any help you send-jan
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the online scans from safe mode or normal boot mode? Safe mode is better if you have internet access while in safe mode.

    Just get HijackThis 1.99.1 and post your log. Just run it and do a scan. Save the log and post it. Do not do anything else with it.
     
  7. jannygirl

    jannygirl Private E-2

    hi-the scans were done in normal mode.....now i hate to ask this........i don't even understand what post your log means???? thanks for all-jan
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm referring to the HijackThis log. Just download HijackThis and extract the executable file that is in the download (the download is a compressed file called HijackThis.zip). What you extract from the ZIP will be hijackthis.exe. You need to put it in a folder you create named C:\Program Files\HJT. And then run hijackthis.exe, save a log. Saving the log creates a file named hijackthis.log. In a new reply window click Go Advanced and then Manage Attachments. Browse to the file on your PC and select it. Then upload it and save your message.
     
  9. jannygirl

    jannygirl Private E-2

    your patience and your help means a lot-to me this is all so foreign-but i am trying-i did better than i thought i would-i downloaded hijackthis-and even figured out the extraction part-and ran it and have a log-you lost me after that-can you tell me exactly what to do now-please-jan
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Assuming you have the hijackthis.log file saved on your PC and you know where it is:

    - Click the Reply button here to answer a message
    - At the bottom of the message window click the Go Advanced button
    - then scroll down a little until you see the Manage Attachments button and click it.
    - in the window that comes up click the Browse button and browse to the location on your PC where the hijackthis.log file is saved.
    - select it by double clicking on it.
    - Then click the Upload button. Observe the messages in that window; you should either see that the file is attached, or there could be an error message if you did something wrong.
    - then close that window
    - then save your message
     
  11. jannygirl

    jannygirl Private E-2

    ok-i am hoping i did it right-i never found a go advanced button but i did everything else-now what?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to stop using Kazaa. That is the root of almost all of your problems.

    Please download and install and run this: Kazaa Spyware Removal

    Click Start and select Control Panel. Then select Add/Remove programs and uninstall if found:
    - Weather Bug
    - IE Toolbar

    Do you use eBay's toolbar? If not, look for an uninstall for it too and use it.

    Please download, install and run Microsoft® Windows AntiSpyware 1.0.509 (Beta 1)
    Clean what it finds. Please save and post a log if you can.

    Then move on to my next message.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, after completing the steps of my previous message, continue with the steps below.

    Some of the items I'm suggesting to fix below may already be gone due to the other fixes, but I'm just leaving them here for a just in case. If you don't see them, just ignore the item and continue:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\wdskctl.exe
    C:\windows\system32\yjynqqz.exe
    C:\windows\system32\calc.exe <--- were you running the Windows Calculator program? If so, remember to shut down unnecessary programs before scanning.
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\system32\Fonxdr.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
    O3 - Toolbar: IE Toolbar - {54BEDD5E-CDF7-4e97-8481-AE381AF7F110} - C:\PROGRA~1\BETTER~1\BHGTBU~1.DLL
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [yjynqqz] c:\windows\system32\yjynqqz.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Pdbmbh.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Fonxdr.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\jan\Application Data\DownloadPlus.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030105/cccabs/CleverContent.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://cashgames.skilljam.com/ssp/SSP.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\ZServ.dll
    C:\WINDOWS\System32\inetdctr.dll
    C:\Program Files\BETTER~1\BHGTBU~1.DLL <--- this is a shortened file name that you will have to figure out. I would believe the whole Better~1 folder should be deleted.
    C:\WINDOWS\System32\idctup20.exe
    C:\WINDOWS\wdskctl.exe
    C:\windows\system32\yjynqqz.exe
    C:\WINDOWS\isrvs <--- the whole folder
    C:\WINDOWS\system32\Pdbmbh.exe
    C:\WINDOWS\system32\Fonxdr.exe
    C:\Program Files\KaZaA <--- the whole folder
    C:\Program Files\AWS\WEATHE~1 <--- the whole folder (probably named WeatherBug)
    C:\Program Files\Ebates_MoeMoneyMaker <--- the whole folder
    C:\Program Files\Common Files\tsa <--- the whole folder
    C:\Documents and Settings\jan\Application Data\DownloadPlus.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
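    The fix list above is a set of HijackThis log lines, and working through a log by eye is error prone. The following is an added example for readers of this thread, not code from MajorGeeks, the thread participants, or the HijackThis project: a small parser for the R0/R1/R3, O2, O3, O4 and O16 line formats, plus a triage pass whose rules are my own heuristics (search settings forced to about:blank, registrations whose file is gone, autostarts living directly in the Windows directory or under a profile's Application Data folder, ActiveX packages fetched from a bare IP address). The sample log is a constructed subset of the lines quoted in the post above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines quoted in this thread's fix list.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\jan\Application Data\DownloadPlus.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030105/cccabs/CleverContent.cab
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
R_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.*)$")
BHO_RE = re.compile(rf"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<path>.*)$")
DPF_RE = re.compile(rf"^DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def _exe_path(cmd):
    """Return the executable path from a Run value, dropping quotes and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)^(.*?\.exe)(?:\s.*)?$", cmd)
    return m.group(1) if m else cmd


def parse_hjt_line(line):
    """Parse one HijackThis log line into a dict; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    rec = {"section": sec, "raw": line.strip()}
    if sec.startswith("R"):
        kv = R_RE.match(body)
        if kv:
            rec["key"], rec["value"] = kv.group("key"), kv.group("value")
        else:
            rec["note"] = body  # free-text R lines such as "Default URLSearchHook is missing"
    elif sec in ("O2", "O3"):
        b = BHO_RE.match(body)
        if b:
            path = b.group("path")
            missing = path == "(no file)" or path.endswith("(file missing)")
            rec.update(kind=b.group("kind"), name=b.group("name"), clsid=b.group("clsid"),
                       path=path.replace(" (file missing)", ""), file_present=not missing)
    elif sec == "O4":
        run, startup = RUN_RE.match(body), STARTUP_RE.match(body)
        if run:
            rec.update(hive=run.group("hive"), name=run.group("name"), exe=_exe_path(run.group("cmd")))
        elif startup:
            rec.update(hive="Startup", name=startup.group("name"), exe=_exe_path(startup.group("path")))
    elif sec == "O16":
        d = DPF_RE.match(body)
        if d:
            rec.update(clsid=d.group("clsid"), name=d.group("name") or "", url=d.group("url"))
    return rec


def parse_hjt_log(text):
    """Parse a whole log, skipping blank and non-entry lines."""
    return [r for r in (parse_hjt_line(ln) for ln in text.splitlines()) if r]


def triage(records):
    """Apply heuristic review rules (my own, not HijackThis logic) and return the flagged entries."""
    findings = []
    for r in records:
        sec, reason = r["section"], None
        if sec in ("R0", "R1") and r.get("value", "").lower() == "about:blank":
            reason = "search/start page setting forced to about:blank (classic hijack marker)"
        elif sec == "R3" and "missing" in r.get("note", "").lower():
            reason = "default URLSearchHook has been removed"
        elif sec in ("O2", "O3") and r.get("file_present") is False:
            reason = "orphaned %s registration: referenced file is absent" % r["kind"]
        elif sec == "O4":
            exe = r.get("exe", "")
            folder = exe.rsplit("\\", 1)[0].lower()
            if folder in ("c:\\windows", "c:\\winnt"):
                reason = "autostart executable sitting directly in the Windows directory"
            elif "\\application data\\" in exe.lower():
                reason = "autostart executable stored under a user profile data folder"
        elif sec == "O16":
            host = urlparse(r.get("url", "")).hostname or ""
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                reason = "ActiveX package fetched from a bare IP address"
        if reason:
            findings.append({"section": sec, "raw": r["raw"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt_log(SAMPLE_HJT_LOG)):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['raw']}")
```

    Running the block prints eight flagged entries from the ten sample lines; the Kazaa Run entry and the ZServ BHO whose file is still present pass the heuristics, which is a reminder that these rules only narrow the list and that unknown CLSIDs and file names still need to be looked up by hand.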
     
  14. jannygirl

    jannygirl Private E-2

    this is amazing to me and your help is also-but i am still computer stupid -i have gotten down to boot in safe mode-i hope it was supposed to be with network support-whatever that means-but i don't know how to get to windows explorer to delete those files-i tried-don't know where to go-????
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is always a good idea to read thru a procedure first to make sure you understand it before you start. Interrupting in midstream can sometimes defeat the whole purpose/effectiveness of the procedure.

    No, I did not want Network Support! I would have asked for it if I wanted it.

    Windows Explorer can be run many different ways. One simple way is to right click Start and select Explore. You must have seen the program at one time or another. Especially since you had to somewhat use it to enable viewing of hidden files as per the READ ME. Did you do step 3 of the READ ME FIRST?

    You may have to start the whole process over again. Check your HJT log to see if any of the lines came back.
     
  16. jannygirl

    jannygirl Private E-2

    i checked and none of the lines came back-i switched to regular safe mode-i cannot figure out how to find those files on windows explorer-yes i read and did step 3 before-with the hidden files-i do not know how to find those lists of files to delete them-i have tried all i know to do-
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You just need to navigate up and down thru the folders by clicking on them. Folders can be expanded so that you can see what is in them by clicking on the + sign. Clicking a minus sign contracts (shrinks) the folder.

    For one example: with Windows Explorer open, in the left pane just scroll up/down and look for the folder named Windows. Select it by left clicking on it, then expand it by clicking the plus sign (if not already expanded). If you get any messages about whether you want to do this or not, say yes. Windows likes to hide certain folders from your view for safety reasons, but instead of helping to protect users from themselves, it has made it easier for malware to hide.

    Now in the right window pane scroll up and down to locate the file (like Pdbmbh.exe). Then right click on it and select Delete.

    Do similar for the other files and folders. This is really a very basic function that you should be able to do. It is not complicated. Experiment with it and I think you will see it is easy.

    Maybe reading some of the below will help:

    http://www.fbeedle.com/win95ce/00-7ch06.pdf <--- you need Adobe Acrobat Reader installed to read this. You can download Acrobat Reader here if you need it: http://www.adobe.com/products/acrobat/readstep2.html

    http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/app_win_explorer.asp

    http://www.megweb.uct.ac.za/starting/Topic51.htm
     
  18. jannygirl

    jannygirl Private E-2

    i just want to say thank you for all of your help-it looks like all of my viruses are gone-along with the popups, etc....it was a stressful, lengthy process i am sure for both of us-thank you so much-jan
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. But it would be a good idea to post a follow up HijackThis log to double check.
     
  20. jannygirl

    jannygirl Private E-2

    i did that-i must have done something wrong-i sent it that day to you-jan
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
    It did not get posted. Post one now. Let's make sure nothing is still hiding in there.
    Make sure you look to see if the attachment is there before logging off.
     