Can't get rid of Jetsearch.org in IE 1

EdiTek

Programmer
Mar 20, 2003
US
I'm stuck with this worm/spyware in IE.
The default home page is set to jetsearch.org.
Looking into this for removal instructions I've found reference to runsvc.exe - stop that process & remove that plus registry changes. I cannot find that process on this system anywhere.
Has anyone run into this problem?
Does anyone know how to get rid of this?

Any help will be greatly appreciated.
Thanks,
 
Have you run Adaware/Spybot/HJT or anything?

If anyone calls and says "I know a little something about computers" just tell them to reformat it.
 
Good to install Spybot/Adaware, and make sure that you update the reference files for both of them before running. That will make sure you have the latest spyware removal instructions. Also you may want to boot into safe mode, because if that process is running while you scan your computer, then it will not delete it, it will just run again at startup. If your research told you where that file is located, you may want to try and see if it is hidden. Just go into command and do an attrib and the file name; to remove the hidden property, just type in the same thing with -h after it. If you are not good with DOS, just use cd to navigate among folders, dir to tell you what folders you can navigate to, and remember you can only use 8 characters, so Documents and Settings would be docume~1.

If you think you can, you might...if you know you can then you will.

A+
 
I've tried adaware & another spyware removal app that's freeware - no luck. I've run AV scans from the PC & at TrendMicro's online scan.
The only details I can find is to stop the runsvc.exe, change registry, delete the file object.
 
Run HJT! and post up a log for inspection.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
EdiTek,
My concern is that you have the about:blank and another *ware item on top of it. If it is about:blank, welcome to the bottom of the uphill fight.

If anyone calls and says "I know a little something about computers" just tell them to reformat it.
 
How do I get rid of IEPlugin? This file was one found by Spy Doctor.
 
A stupid thought, but did you try to just change the homepage yet? Internet Explorer, Tools, Internet Options... Also, what about critical updates? Have you updated IE with Service Pack 1?

If you think you can, you might...if you know you can then you will.

A+
 
Yup...been there done that. When you restart it goes back to Jetsearch.
Also changed every reference to jetsearch in the registry & restarted...same results.
Now I'm in safe mode, scanning w/ everything I can. Even got my fingers crossed & said some prayers but I don't have high hopes...yet.
 
Last thought, check Hkey local machine -software- microsoft windows -current version -run and the run once folder and the run services folder, I sometimes find an executable in the run services folder that plugs a registry key back into the run folder, that has a name different than jetsearch.

If you think you can, you might...if you know you can then you will.

A+
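
The check suggested in the post above, as an added example that is not from any poster in this thread: a read-only PowerShell audit of the Run, RunOnce and RunServices keys plus the IE home page value. It assumes a Windows system with PowerShell available; the function names `Get-CommandTarget` and `Get-AutorunEntry` are made up for this example, and nothing is modified or deleted.

```powershell
# Added example: list every autostart entry in the keys named above and
# report whether the file it points to exists and carries the Hidden attribute.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget([string]$Command) {
    # Pull the executable path out of an autorun command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|dll|bat|cmd|vbs|com|scr))(\s|$|,)') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }   # RunServices is absent on many systems
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd    = [string]$item.GetValue($name)
            $target = Get-CommandTarget $cmd
            # -Force lets Get-Item see hidden files; bare names that rely on
            # PATH lookup are not resolved and show Exists = False.
            $file = if ($target) {
                Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Exists  = [bool]$file
                Hidden  = [bool]($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden))
            }
        }
    }
}

Get-AutorunEntry | Sort-Object Key, Name | Format-Table -AutoSize -Wrap

# The value IE loads as its home page; compare it before and after a reboot.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
(Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
```

Saving the output before and after a restart and comparing the two shows which entry is being written back.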
 
Thanks JPLWU,
I checked that registry location & did find some spyware starting up there. I also came across runsvn32.exe but am not familiar with this.
I cannot find any references to this out on the web anywhere. Does anyone know anything about this process? Could this be creating my problem?
 
Are you sure it's not runsvc32.exe? That is a virus, and I have heard of that before; check your registry one more time please. Due to the nature of the virus that is, you may want to think about a reimage if it turns out to be it.

If you think you can, you might...if you know you can then you will.

A+
 
I was finally able to find runsvc32.exe in the registry & got rid of that but runsvn32.exe was also correct. It's in the registry & runs as a process at startup. I got rid of that too but still received the same results.
After running scans in safe mode & manually stripping all the bad stuff from the registry...doing all this 2-3 times it was always the same thing.
The good news in all this is...it's not my computer =o)
Why anyone would be using a broadband without a firewall or antivirus is just plain lunacy.
As a result, even though I enjoyed this challenge, I ended up giving DestinysDream's advice & reformatted.

Thanks everyone for all of your help.

Enjoy the holiday.
~Editek
 
Did you not disable system restore before yanking the entry and the file?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Yup, System Restore was disabled before making any changes & scans. Just figured enough was enough. Everything is working fine now & the users now have active & up to date antivirus & firewall.
 