i-search removal

[gerryd77]

Hi

I would appreciate any advice on how to get rid of the i-search spyware that has taken over my homepage. I have ran both Adaware and Spybot but neither as helped on this occasion. Does anyone have a (hopefully free) solution.

Cheers

[TomcaT]

Hi

I would appreciate any advice on how to get rid of the i-search spyware that has taken over my homepage. I have ran both Adaware and Spybot but neither as helped on this occasion. Does anyone have a (hopefully free) solution.

Cheers

You need "hi-jack this" and a program called "CWS shredder".

If you search this forum, for these programs you will find links for them, READ the instructions carefully if I remember correctly hi-jack you can do some real damage.

[Schadenfroh]

post your hijackthis log for review, we will tell you what is safe to remove in order to solver your problem.

Download Hijackthis

[gerryd77]

Thanx for the advice guys. will give it a go.

cheers

[gerryd77]

hi

i ran hijack this and did a little research into using it. the log below shows the line:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/

but every time i remove it it keeps reappearing.

when i save the log and open it in notepad it shows a lot of lines that start:

C:\PROGRAM or c:\

however the log in hijack this does not show any of these and i can't, therefore, delete any of these even though i believe that the line:

C:\WINDOWS\ptsnoop.exe

needs deleted.

Here is the log anyway and i would be grateful for any thoughts.

cheers

Logfile of HijackThis v1.98.2

Scan saved at 18:23:17, on 05/10/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\MOUSE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\ptsnoop.exe

C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\SVCSYS.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hotlola.b3.nu

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.cableinet.co.uk:8080;https=webcache.cableinet.co.uk:8080;ftp=webcache.cableinet.co.uk:

8080;gopher=webcache.cableinet.co.uk:8080;

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cableinet.co.uk;*.cableinet.net;*.telewest.co.uk;<local>

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe

O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe

O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe /launchpad

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [HC Reminder] hc.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [MSSVC] "C:\WINDOWS\SYSTEM\svcsys.exe" 8192

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Freeserve - {3D0573C0-AD0B-11D4-A398-A7F33692D641} - http://www.freeserve.net/packard-bell/ (file missing) (HKCU)

O9 - Extra button: PB Home - {3D0573C1-AD0B-11D4-A398-A7F33692D641} - http://www.packardbell-europe.com/ (file missing) (HKCU)

O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com

O15 - Trusted Zone: http://chat.msn.co.uk

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab

[TomcaT]

Can you also post which processes are running AFTER you have started the PC.

Lots in that log, will have a read and come back to you.

[Schadenfroh]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hotlola.b3.nu

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

look suspecious

[TomcaT]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hotlola.b3.nu

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

look suspecious

The btopenworld one is okay, agree about the others, but even if you delete these the processes that are running will just put the entries back.

You need to identify which processes are running that are not your normal programs and check to see if they are either valid operating system files or files from programs you have installed. (Google is good for this)

Once identified you need to boot in safe mode, and remove the offending files..... I normally rename them with a .old extension, just in case they are 'real' and I can turn them back again.

Boot up as normal and check to see if the 'bad' processes are running. re-run hi-jack this and remove the entries mentioned.

If you are not sure which processes, post your task manager screen up and will have a look.

[gerryd77]

thanks for your time guys. i will not get the chance to do anything til tomorrow night, but will do a suggested asap. cheers

[gerryd77]

was away for a while hence not getting back to you guys. managed to learn a few things thanx to the info you gave me and was able to sort the problem myself.

thanx for your help

[tarquel]

Be sure to check out the CWSshredder - its **** useful and sometimes, you'll run it on a machine that you didnt think had any sort of spyware infection and it tells you its removed some hehe

http://www.spywareinfo.com/~merijn/downloads.html

(and scroll down a bit)

Even though the project is suspended, its a useful tool to have in your collection

along with the other tools on that page.

Regards,

N.

[evyrwmmn]

i need urgent advice to remove i-search!!!

mine is as below.. please help..

Logfile of HijackThis v1.99.1

Scan saved at 11:26:14 AM, on 11/20/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Melvin\Programs\BlueSoleil 1.6.1.4 release 050606\BTNtService.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\TkcgSlVOSU9S\command.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\svchost.exe

C:\windows\adtech2005.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Melvin\Programs\hijackthis\HijackThis.exe

C:\Program Files\Outlook Express\msimn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.sg

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://sg.yahoo.com/"); (C:\Documents and Settings\NG JUNIOR\Application Data\Mozilla\Profiles\default\mas2gctl.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\NG JUNIOR\Application Data\Mozilla\Profiles\default\mas2gctl.slt\prefs.js)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Melvin\Programs\snagit\SnagItIEAddin.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe

O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe

O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe

O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe

O4 - HKLM\..\RunServices: [system Startup] voltio.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - blank (file missing)

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - blank (file missing)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - blank (file missing)

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Melvin\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Melvin\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121691544580

O16 - DPF: {9E30754B-29A9-41CE-8892-70E9E07D15DC} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\e002lado1d0c.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: System Service (a7) - Unknown owner - C:\WINDOWS\System32\systems.exe" -netsvcs (file missing)

O23 - Service: Auto Update Client (AUCL) - Unknown owner - C:\WINDOWS\system32\auclt.exe (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Melvin\Programs\BlueSoleil 1.6.1.4 release 050606\BTNtService.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TkcgSlVOSU9S\command.exe

O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

hope that you can reply to my email at ng_melvin@hotmail.com with advice soonest possible...

[Yahoo]

Please try adware SE it is a good tool for spywares .. also CWsherder ...