persistent isearch and hotsearch

If you have run ALL the steps of the READ ME FIRST and still have a problem, make sure you follow the guidelines below and post your HJT log.


Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

Try giving this a run:

http://securityresponse.symantec.com/avcenter/FxIstbar.exe

It comes from this link:
http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html#removalinstructions

Then run the below steps:

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\smss32.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [7AOcmú*ÀaîžaaøY§ÄC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eyvis.exe
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\hsrb.dll

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Do you know what this Atheros Service is:
O23 - Service: Atheros Configuration Service - Unknown - C:\WINDOWS\system32\acs.exe


Also a comment: be careful using Microsoft AntiSpyware it has problems with deteting valid items as bad (this is referred to as false positives). One of them is two hits on a registry key with Search Squire. The registry key it finds was put into the restricted zone by Spybot (or similar) to protect you. MS Antispyware wrongly detects this as bad and removes it. It also Detects this file c:\winnt\avxoscan\bdupd.dll as Brilliant Digital. This is also a false positive. This is BitDefender.

 

Run HJT again and have it fix these lines:


R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)

Also I forgot a couple items to clean up last time. Find these and delete them (if found):
C:\Program Files\ISTsvc <--- the whole folder
C:\WINDOWS\eyvis.exe


How are things running?

 

You're welcome! Your all clean now! You should now check out the information here:
How to Protect yourself from malware!