iSearch Toolbar and W32/DOWNLOADER.YQ

You have mentioned using 3 antivirus applications (not including the online Symantec scan because it is not an installed antivirus app). You mentioned McAfee, Authentium, and now Avast. If you have all of these installed, you must choose which one you want to use and uninstall the others. You must only use one antivirus application!

If you are still having problems, do the below.

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Reboot your system into safe mode and do not run anything but what is requested.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {64634180-B0EA-48B6-82B7-9620D33362C1} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.7.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab


After clicking Fix, exit HJT.

Now reboot again into safe mode and use Windows Explorer to delete:

C:\WINDOWS\isrvs <-- the whole folder
C:\WINDOWS\mqrt.dll or c:\windows\system32\mqrt.dll


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You forgot the log Martie.

You should check this out too:

How to Protect yourself from malware!

 

It's a good thing I asked for your log. You still have problems.

I asked you to delete:
C:\WINDOWS\isrvs <-- the whole folder

not just the isvrs.dll file.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\isrvs <--- the whole folder
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Let me know if you have any problems deleting this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Martie,

If your sure those lines are no longer in your HJT log, I don't need to see it. If you want me to check it over to make sure, you can post it. Either way you should now perform the steps in the below thread:

How to Protect yourself from malware!

 

Copy and paste the information in the below quote box to notepad. Save it to a file that you will have access to later when you boot into safe mode. Name it fix.reg. Then boot into safe mode, run Windows Explorer and locate the fix.reg file. Doubleclick it and grant it permission to merge in the registry entries.

Then run HJT (while in safe mode) and fix (if still there):
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

Now open a command prompt by click Start, Run and enter cmd and click OK.
Now enter the following commands each follow by the enter key:
cd c:\windows
dir isrvs <--- tell me if you get any output for this
exit

Now reboot a couple of times and let me know if those lines are gone or have come back.

 

You're welcome! Your log is now clean!

 

Let's try there own removal tool and see what happens:

http://toolbar.isearch.com/uninstall/

 

Please post your log from Spybot that shows the iSearch problem.

Also search your registry for iSearch and tell me what matches you get (provide full registry key info which should be the same as what Spybot reveals).

 

Download the Registry Search Tool from here:

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:

iSearch

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.


Also post a new HJT log.

 

Make sure you have system restore disabled and viewing of hidden files enabled.


Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.



Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\RunOnce: [Desktop Search Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: [Bonus Sites Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: [iSearch Toolbar Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\inst <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Let me know if you have any problems finding or deleting any of these files.


Now reboot in normal mode and post a new HJT log. And tell me how things are working.
See if Spybot still detects anything.

 

You're clean now!


Hmmm! Gave him to the Met's? Seemed like you lost him to me!