PLEASE HELP!!! I'm in isearch deskbar hell!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eurotrash, Jan 1, 2005.

  1. eurotrash

    eurotrash Private E-2

    hi everyone,

    I have this isearch deskbar crap popping up in the right lower corner of my regular deskbar. I've read all the spyware and trojan stuff on here and installed all the necessary programs and scanned with them by following the steps. Ad-Aware SE and Spybot found some isearch files and removed them so I thought the problem would be solved but when I returned in normal mode that stupid deskbar was still there. I've downloaded and installed the Hijack This 1.99 but I didn't run it yet. I've read the HJT tutorial but I don't know what to remove or delete or whatever after I run it to get rid of this deskbar thing. CAN SOMEONE PLEASE HELP ME? I'm going nuts here lol
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Eurotrash,

    If you are certain that you've exhausted the Tutorial's options (including the Online Scans), then go ahead and send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  3. eurotrash

    eurotrash Private E-2

    hi,

    Thanks for replying. I ran HJT and here's my log attached.

    M
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi EuroTrash,

    I do not know what this is: C:\WINDOWS\System32\cdmodem1.exe
    Instead of deleting it recklessly (My SOP ;) ) perhaps you should RENAME it something like cdmodem1.bad

    AllRightyThen!
    Please look in Add or Remove Programs for the following and Uninstall it if found:

    ISearch

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

    R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

    O4 - HKLM\..\Run: [93987b68882f] C:\WINDOWS\System32\cdmodem1.exe

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode and navigate to and DELETE the following if they should remain:

    C:\PROGRAM FILES\INCREDIFIND ---> The Folder

    C:\WINDOWS\isrvs ---> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
  5. eurotrash

    eurotrash Private E-2

    Hi,

    I did everything you suggested and when I rebooted the isearch deskbar was gone! so thank you so much for your help. The only concern I have is when I ran HJT again I noticed that:
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    those 2 things I fixed like you said were still in my new log....so I don't know if I got rid of the problem completely. Anyway, here's my new log. Let me know what you think. Thanks again.

    M
     


  6. eurotrash

    eurotrash Private E-2

    I almost forgot...I don't know if it helps but CCleaner removed some stuff and Spybot S & D didn't find anything.

    M
     
  7. PhilliePhan

    PhilliePhan Guest

    Hi ET,

    Were you able to Delete C:\WINDOWS\isrvs ---> The Folder?

    Is that folder there now?

    Also, did you rename C:\WINDOWS\System32\cdmodem1.exe ?
    Do you recognize it as something you need? I've never run across it - Perhaps it might be associated with the others? Navigate to it, RightClick it and look at properties and Version Tab and tell me what it says.

    I know you said you did everything, just doublechecking ;)

    Anyhoo, make sure System Restore is OFF & Fix these lines with HijackThis:

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe


    Then, see if you can find the isrvs folder. Delete ALL files and sub-folders within it and then delete the folder itself.

    Then, run CCleaner for good measure.
    Reboot and post a fresh log & tell me how you fared with the above.

    PP :)
     
  8. eurotrash

    eurotrash Private E-2

    Hey PP,

    I was able to delete C:\WINDOWS\isrvs the first time and I didn't find it anywhere on my laptop when I looked now. I did a search thing and it came up with nothing with that name.

    I renamed cdmodem1.exe to cdmodem1.bad like you suggested. I have no idea what this file is or if I need it as you can imagine :) When I right click on it and look at Properties, there's no Version Tab. The General Tab just says that it's a BAD file (now that I've changed it) and that it opens with "unknown application" and then there are some creation dates and the size and location. There's a Virus Tab which says that Trend Micro inspected it and found no viruses.

    I did everything you said, didn't find any isrvs folders. I ran HJT afterwards and I still see those 2 things in it. Anyway, the search thing disappeared from my desktop so I guess it's ok, you don't have to waste your time on this. I really appreciate your help so far. I attached the latest log.

    Thanks
     


  9. PhilliePhan

    PhilliePhan Guest

    Hi ET,

    Not a waste of time :)

    This thing can sometimes be a real pain! You could try booting to Safe Mode and fixing those lines with HJT - That may do it. This new HJT is a bit buggy. Don't know if that contributes to the problem.

    If the folder has been eradicated, you're likely OK. If need be, we can use regedit to remove the orphaned registry keys. Let me know.

    Go ahead and leave the questionable file named Bad - if it turns out that you do need it for something legit, just rename it again.

    For the future, take a look at Chaslang's suggestions: Malware Protection

    PP :)
     
    Last edited by a moderator: Jan 3, 2005
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. eurotrash

    eurotrash Private E-2

    Hi PP,

    I did what you suggested (Fix in Safe Mode with HJT) and those two things are gone so thanks a lot! You're the best!
     
  12. PhilliePhan

    PhilliePhan Guest

    Great! Glad we could help :)

    Happy and Safe Computing!

    PP :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As a safety precaution, reboot a couple of times and run a few IE sessions. Afterwards, check your HJT log again to make sure those two lines:

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    are still gone. I have seen them come back sometimes.
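
One way to script the re-check suggested in the post above, as an added example that is not part of the original thread or of HijackThis itself: it reads a saved HJT log, reports any of the two fixed O4 lines that are back, and also flags any Run entry launching from the deleted `isrvs` folder under a different value name. The function names and both sample logs are constructed for illustration.

```python
import re

# Entries fixed earlier in this thread (copied from the posts above).
FIXED = [
    r"O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe",
    r"O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe",
]
WATCHED_DIRS = [r"C:\WINDOWS\isrvs"]  # folder deleted in Safe Mode

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^\s*O4\s+-\s+(HK(?:LM|CU)\\\.\.\\Run[^:]*):\s+\[([^\]]*)\]\s+(.+?)\s*$")


def norm(text):
    """Windows paths and registry names are case-insensitive; collapse spacing too."""
    return " ".join(text.split()).lower()


def run_entries(log_text):
    """Return (key, value_name, command) for every O4 registry Run line."""
    matches = (O4_RE.match(line) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]


def recheck(log_text, fixed=FIXED, watched_dirs=WATCHED_DIRS):
    """Report fixed lines that are back, and any Run entry launching from a watched folder."""
    present = {norm(line) for line in log_text.splitlines()}
    returned = [f for f in fixed if norm(f) in present]
    dirs = [norm(d).rstrip("\\") + "\\" for d in watched_dirs]
    from_watched = [
        e for e in run_entries(log_text)
        if any(norm(e[2]).strip('"').startswith(d) for d in dirs)
    ]
    return {"returned": returned, "from_watched_dir": from_watched}


# Constructed sample logs (not the poster's attachments).
CLEAN_LOG = r"""Logfile of HijackThis v1.99.0
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""
REINFECTED_LOG = CLEAN_LOG + r"""O4 - HKLM\..\Run: [ffis] c:\windows\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [a1b2c3] C:\WINDOWS\isrvs\other.exe
"""

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("reinfected", REINFECTED_LOG)):
        print(name, recheck(log))
```

Running it against each log saved after a reboot gives a quick yes/no on whether the entries have returned; a hit in `from_watched_dir` with an unfamiliar value name means the folder has been recreated.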
     
