ISearchTech Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by sjpa, May 4, 2005.

  1. sjpa

    sjpa Private E-2

    Sorry for not posting my problem on New Thread. Pretty new here.

    Anyway here it is again.

    I have the same problem for many days now. I followed the whole regimen of the spyware tools as listed in your regimen, but to no avail; the IST still remains. Keeps popping up even after a clean bill of health in safe mode, even after cleaning out the registry. Also in the registry I found snapple, as in Legacy_Snapple, still there and it will not be erased; also HW Clock, as in Legacy_HWClock. So sometimes in AdAware it will pop up as DyFuca. Both spybot and the adaware always say that they deleted it, but again it pops up.

    I did not use the HiJack as the warnings scared me off.

    Also how long after the cleaning does one enable the system restore again so the cleaning keeps in effect? How long to close down before restarting? I tried many times at different intervals but to no avail. Just from one opening and closing of the registry after deletion will find IST appears again.
    So what to do?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running the below tool. Download it first and then boot into safe mode with no network support and run the tool.

    http://securityresponse.symantec.com/avcenter/FxIstbar.exe

    Do not enable System Restore until all problems are fixed.
    I do not know what you mean in the below; please clarify what you are talking about:
    Have you run ALL steps in the READ ME FIRST?
     
  3. sjpa

    sjpa Private E-2

    Thank you very much for your reply. I just downloaded the FxISTBar. I have used it but to no avail. I followed the instructions - using it in safe mode where it works. It always says there is no Adware-ISTbar on my computer, but when I restart in regular mode and then do Spybot and Ad-Aware it finds it again (DyFuca and IST). Also still in registry. etc. What next??

    There are instances when you use antispyware or antivirus that you are asked to wait 30 seconds before rebooting or before restarting for the cleaning to take effect. What is the correct procedure for the maximum effect?

    Yes I ran all the steps in the READ ME FIRST.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The time frame you are talking about is to allow the power supplies in your PC to actually get to zero volts and to allow enough time to make sure all devices like hard disks and CD drives have completely shut down before you power back up. Doing a power cycle too quickly can damage your hard disk? Waiting a minute should be more than sufficient and it won't kill you.

    Please run the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Also please post as attachments your Ad-Aware and Spybot logs.
     
  5. sjpa

    sjpa Private E-2

    Do I run it in safe or regular mode?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As indicated in the sticky thread, HijackThis is always run in normal boot mode unless otherwise requested.
     
  7. sjpa

    sjpa Private E-2

    I am attaching the log files from HJT, adaware and spybot.
     

  8. sjpa

    sjpa Private E-2

    Here is the spybot log
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    For your ISearchTech.PowerScan problem, do the following:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\rklwsbe.exe
    C:\WINDOWS\System32\msnupdateit.exe
    C:\WINDOWS\System32\msnupdateit.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [EGUAeCV] C:\WINDOWS\rklwsbe.exe
    O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
    O4 - HKLM\..\RunServices: [Firewall Updater] msnupdateit.exe
    O4 - HKCU\..\Run: [Firewall Updater] msnupdateit.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\rklwsbe.exe
    C:\WINDOWS\System32\msnupdateit.exe
    C:\WINDOWS\System32\msnupdateit.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  10. sjpa

    sjpa Private E-2

    Hi, I started the first part and got to the point of clicking on the registry key to add it to the registry. I said yes, but the computer came back with "the file is not a registry script file and you can only import binary registry script files from the registry editor."

    I went into the registry editor but here again it said the file is not a registry file and cannot be imported.
     
  11. sjpa

    sjpa Private E-2

    Success! Went back to the file and edited it. It seems that there was an empty line before the key line, so I deleted the line. When I again asked to import it, it went without a hitch.
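    The import error in the two posts above comes from the .reg header not sitting on the first line of the file. The checker below is an added example, not something from the thread or from MajorGeeks, that validates a .reg script before it is double-clicked and applies the same fix sjpa made by hand; the sample file is constructed (it only reuses the "Firewall Updater" Run value named in the thread) and is not the contents of fixwp.reg.

```python
import re

# regedit accepts a .reg file only if its FIRST line is one of these headers.
VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Key lines need the full root name; abbreviations such as HKLM are rejected by regedit.
KEY_LINE = re.compile(r"^\[-?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|"
                      r"HKEY_USERS|HKEY_CURRENT_CONFIG)(\\[^\]]+)?\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(-|"(?:[^"\\]|\\.)*"|dword:[0-9a-fA-F]{8}|'
                        r'hex(?:\([0-9a-fA-F]+\))?:[0-9a-fA-F, ]*\\?)$')

# Constructed sample: a Run-value deletion in the style of the thread, saved with a stray
# blank first line, which is what makes regedit report "not a registry script file".
BROKEN_SAMPLE = ("\r\nWindows Registry Editor Version 5.00\r\n\r\n"
                 "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
                 "\"Firewall Updater\"=-\r\n")

def check_reg_script(text):
    """Return a list of problems regedit would reject; an empty list means it should import."""
    problems = []
    lines = text.lstrip("\ufeff").splitlines()   # a byte-order mark is not part of the header
    idx = next((i for i, l in enumerate(lines) if l.strip()), None)
    if idx is None:
        return ["file is empty"]
    if idx > 0:
        problems.append("blank line(s) before the header; the header must be line 1")
    if lines[idx].strip() in VALID_HEADERS:
        body_start = idx + 1
    else:
        problems.append("line %d: expected a .reg header, got %r" % (idx + 1, lines[idx]))
        body_start = idx
    continued = False                             # inside a hex value split over several lines
    for n, line in enumerate(lines[body_start:], start=body_start + 1):
        s = line.strip()
        if continued:
            continued = s.endswith("\\")
        elif not s or s.startswith(";"):
            continue
        elif s.startswith("["):
            if not KEY_LINE.match(s):
                problems.append("line %d: malformed key line %r" % (n, s))
        elif VALUE_LINE.match(s):
            continued = s.endswith("\\")
        else:
            problems.append("line %d: malformed value line %r" % (n, s))
    return problems

def fix_leading_blank_lines(text):
    """The hand edit from the thread: drop anything before the header so it becomes line 1."""
    return text.lstrip("\ufeff").lstrip("\r\n")
```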
     
  12. sjpa

    sjpa Private E-2

    OK, I think all is well now. Did all that was asked. Did adaware and spybot, came up clean. Am attaching the new hijack log.

    After the clean bill of health I turn on the system restore and hide folders again?

    Thanks for all the help.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Your log is clean! Yes you can enable system restore now! Hiding folders is not necessary and does not buy you any protection except maybe from yourself (you know... to hide protected operating system files from you to avoid deleting by mistake). I always show everything because it makes it easier to find malware when you get any.

    What you should do now is the steps in the below link:
    How to Protect yourself from malware!
     
