Isearchtech problem

If you cannot run the online scans in safe mode the READ ME tells you to run them in normal boot mode.

After completing the scans, do the below:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

There are no signs of the TrendMicro and Symantec online scans being run in your log.
If they were run, they would leave traces in the O16 section of your log. Are you sure you ran them?? What browser did you used to run them?

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteycr32.exe

Is the below something you installed and know to be safe? If not, fix it too.
O4 - Startup: WallpaperKing.lnk = C:\Program Files\WallpaperKing\WP.exe3

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\windows\system32\eliteycr32.exe <--- also look for and delete other files beginning with elite and ending with exe. There could be as many as ten more.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Yes fix all the folders and files but did you forget to fix the one I gave before and to delete al the files. Did you find the files? You need to fix the below line using HJT and delete all the files beginning with elite and ending in exe especially eliteycr32.exe

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteycr32.exe

Also, post you Spybot log!

 

You forgot to post the logs!

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixspy.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixspy.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add into the registry say yes.

After doing the above check Spybot now. Tell me how things look.

 

Do you get that message if you run Spybot after booting in safe mode?

 

The Spybot problem has been documented in the below link:

http://forums.net-integration.net/index.php?showtopic=28756

 

If you are still having problems try two things:

1) Make sure you now have the current version of SpyBot-Search & Destroy


2) Please download, install, and update: Spy Sweeper

Then run a full scan with Spy Sweeper and fix what it finds. Post the log from Spy Sweeper as an attachment.

 

Please start your own thread for your problem. If you have run all the steps in the READ ME. You should be posting in your own thread. This is considered thread hijacking which is similar to what the malware is doing to you.