
isearch.spyware

Status
Not open for further replies.

ingresman

IS-IT--Management
Feb 17, 2003
1,541
GB
Hi all,

I've searched on this forum here for info but I'm totally lost.

I've got the Microsoft spyware tool, which catches installation of isearch, and this seems to work well. But what I can't work out is what is trying to install it.
When I boot up the machine is when this occurs. I've looked for BHOs and stuff in the registry for startup programs, and nothing looks amiss. Something looks to be starting Internet Explorer but I can't see where.
So I'm stumped. Does anyone know of a good list of software that may have it embedded?
Machine runs XP SP1.
Many thanks in advance.
 
I recommend downloading Spybot Search and Destroy. I have the links below.




Do a full system scan on Ad-Aware. Also, if neither of these gets rid of it, download HijackThis. Open and extract it to the desktop or preferred folder. Open the program, choose to do a system scan and save a logfile, and post the information on here and I will get to it when I can.

 
Go to Add/Remove and uninstall the iSearch toolbar and anything else related to it, delete its folder from c:\program files!




Download HijackThis from the link below. Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in HijackThis,
as most of the files are legitimate.
 
First, try this:


If that doesn't work:

Here is how to remove isearch from IE on XP:

I am VERY suspicious of using MFR's websites for removal
of crap I did NOT ask for... so...

in regedit search for/remove the following:

!!! ALWAYS EXPORT A COPY OF YOUR REGISTRY BEFORE
ATTEMPTING CHANGES!!!

HKEY_CLASSES_ROOT\CLSID\{1C78AB3F-A857-482e-80C0-3A1E5238A565}

HKEY_CLASSES_ROOT\CLSID\{1C78AB3F-A857-482e-80C0-3A1E5238A565}

HKEY_CLASSES_ROOT\iSearch.Object

HKEY_CLASSES_ROOT\iSearch.Object.1

HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}

HKEY_CURRENT_USER\Software\iSearch

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&iSearch The Web

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C78AB3F-A857-482e-80C0-3A1E5238A565}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iSearch.Object

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iSearch.Object.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1C78AB3F-A857-482E-80C0-3A1E5238A565}\DownloadInformation
>>DELETE ONLY THIS KEY!!! :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1AE2F26C-8E23-4930-A68D-9E681A764001}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
>>DELETE ONLY THIS KEY!!! : {1C78AB3F-A857-482e-80C0-3A1E5238A565}

HKEY_USERS\S-1-5-21-329068152-1972579041-725345543-500\Software\iSearch

HKEY_USERS\S-1-5-21-329068152-1972579041-725345543-500\Software\Microsoft\Internet Explorer\MenuExt\&iSearch The Web

It seems some of the HKEY_USERS ones disappear after
deleting the first ones.

Reboot and ... Ta da!
 
Thanks guys, I have a busy evening ahead. I'll document how I get on.
 
What kinda books or classes do you guys take to learn how to read the registry and clean it of spyware? I want to learn how to do this.
 
Well, I've just learned from old trial and error and just being curious. This isn't the safest way, but how I go about removing something is I find the name of the virus file or spyware file and search in the registry for anything with its exact name in it. You have to be careful though when editing the registry, for deleting a wrong key can crash Windows.
 
Victor39,
You might want to start a new thread with this question. It's a good one.

When I first ran into trouble with spy-/ad-ware, I ran HijackThis on two machines, one with the problem and one without. I tried to get a "clean" machine of the same make/model as the infected one. I also picked one out that "should" have been running the same programs.

Next, I picked out entries that didn't match. From there I tracked down on the Internet those programs listed on the mismatching entries. I deleted anything that was listed as spy-/ad-ware or that looked "fishy."

James P. Cottingham
-----------------------------------------
I'm number 1,229!
I'm number 1,229!
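
The baseline comparison described in the post above, as an added example (not code posted by anyone in this thread): it parses two HijackThis logs and reports only the entries present on the suspect machine. Both sample logs are constructed; the toolbar CLSID is the one listed earlier in the thread, while the file paths and Run entries are hypothetical.

```python
import re
from collections import defaultdict

# HijackThis entry lines start with a section code such as R0, O2, O3, O4.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_log(text):
    """Return the set of (section code, normalised entry body) pairs in a log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and "Running processes" lines do not match and are skipped
            # Collapse whitespace and case so cosmetic differences are not reported.
            body = " ".join(m.group("body").split()).lower()
            entries.add((m.group("code"), body))
    return entries

def only_on_suspect(clean_text, suspect_text):
    """Entries on the suspect machine that the clean baseline lacks, by section."""
    extra = parse_log(suspect_text) - parse_log(clean_text)
    grouped = defaultdict(list)
    for code, body in sorted(extra):
        grouped[code].append(body)
    return dict(grouped)

# Constructed sample logs (not taken from any real machine).
CLEAN_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
"""

SUSPECT_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ABOUT:BLANK
O3 - Toolbar: iSearch - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\Program Files\iSearch\sample.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKLM\..\Run: [sample-loader] C:\WINDOWS\sample-loader.exe
"""

if __name__ == "__main__":
    for code, bodies in only_on_suspect(CLEAN_LOG, SUSPECT_LOG).items():
        for body in bodies:
            print(f"{code}: {body}")  # candidates to research before deleting anything
```

The mismatches are only leads: as the post says, each one still has to be looked up before anything is removed.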
 