PC Review > Forums > Newsgroups > Windows XP > Windows XP Security

Hidden malware
#1
Guest

I've found two pieces of malware on my system. I try to use msconfig to remove them from the auto-startup, but they absolutely absolutely ***ABSOLUTELY*** force the comp to write them right back in on rebooting and start up when the computer does.

The files are called desktop.exe (Desktop Search) and ffisearch.exe. Msconfig shows them as being in a folder called C:\WINDOWS\ISRVS. But this folder does not show up on "My Computer" and it does not show up on Windows Search/Find. It must be hidden somehow to avoid detection and removal. Norton Antivirus 2005 fails to remove them but specifically lists them as spyware/malware.

Does anyone know how to remove these files, and the folder they're in?

Thanks,
AMG
#2
Guest

"Alan M. Goldfarb" <AlanMGoldfarb@discussions.microsoft.com> wrote in
message news:626BEAD6-D00E-45DD-81E2-1AC6ADF1DD74@microsoft.com...
> I've found two pieces of malware on my system. I try to use msconfig to
> remove them from the auto-startup, but they absolutely absolutely
> ***ABSOLUTELY*** force the comp to write them right back in on rebooting and
> start up when the computer does.
>
> The files are called desktop.exe (Desktop Search) and ffisearch.exe.
> Msconfig shows them as being in a folder called C:\WINDOWS\ISRVS. But this
> folder does not show up on "My Computer" and it does not show up on Windows
> Search/Find. It must be hidden somehow to avoid detection and removal. Norton
> Antivirus 2005 fails to remove them but specifically lists them as
> spyware/malware.
>
> Does anyone know how to remove these files, and the folder they're in?

I spent a few hours yesterday removing this for a customer. It required more than a normal scan for spyware. I too could not see this folder, even in safe mode with view hidden and system files turned on.

Make sure system restore is disabled and you have Spybot Search and Destroy and Adaware SE installed and up to date. Reboot into safe mode, log on as administrator and do a full system scan with both programs. You must then log out and log in (in safe mode) as each of the users on the computer and scan again. When finished, reboot into safe mode, log in as administrator, and scan again. At this point see if you can find the C:\WINDOWS\ISRVS folder and delete it (note: it is set as a hidden system folder). I could see it but not delete it at this point. During each of the previous scans it had been detected and some parts of it removed.

My next step was to reboot in normal mode and do a full system scan with Microsoft antispyware (note: MS antispyware had identified it before but was not able to block it or remove it). At this point I was able to block it from starting up using the advanced tools/system explorers. After rebooting again Microsoft antispyware was able to remove some more of it. I was then able to boot into safe mode and delete the folder. After this all of the programs were used to remove remnants in the registry and a couple more files with random names hidden in various folders. I think it's gone now :-)

I don't know if all these steps were necessary but it does seem to be a stubborn SOB to remove. It seems to be a new variant. I have easily used Spybot and Adaware to remove it in the past.

Kerry
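The two things the posts above are struggling with are a folder that Explorer and Search/Find do not show because it carries the hidden and system attributes, and startup entries that come back after every reboot. The cmd.exe batch file below is an added example for this thread (it is not Kerry's, Dave's or any of the tools' code). It records a snapshot of the hidden+system folders directly under %WINDIR%, the contents of C:\WINDOWS\ISRVS if that folder is present, and the Run/RunOnce and Winlogon autostart values that msconfig's Startup tab is drawn from; run it once before a reboot and once after, and it prints what changed. It assumes Windows XP cmd.exe with reg.exe, attrib.exe and fc.exe (all shipped with XP) and an administrator logon; the snapshot folder name is a constructed choice.

```batch
@echo off
rem Added example, not from the thread: snapshot the hidden+system folders
rem under %WINDIR%, the ISRVS folder named in the thread, and the autostart
rem registry values, then diff a "before" snapshot against an "after" one.
rem Assumes Windows XP cmd.exe with reg.exe, attrib.exe and fc.exe.
rem The snapshot folder is a constructed name, change it as you like.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 before   ^(then reboot and run^)   %~nx0 after
    exit /b 1
)

set "SNAPDIR=%SystemDrive%\startup-snapshots"
if not exist "%SNAPDIR%\*" mkdir "%SNAPDIR%"
set "SNAP=%SNAPDIR%\startup-%~1.txt"

rem Explorer and Search/Find skip folders carrying both the S and H attributes
rem unless told otherwise; dir /a:dhs lists exactly those folders, and attrib
rem prints their attribute letters so the S and H flags are visible.
> "%SNAP%" echo === Hidden+System folders directly under %WINDIR% ===
for /f "delims=" %%D in ('dir /a:dhs /b "%WINDIR%"') do (
    >> "%SNAP%" attrib "%WINDIR%\%%D"
)

rem The folder named in the thread, if present, with every file regardless of attributes.
if exist "%WINDIR%\ISRVS\*" (
    >> "%SNAP%" echo === %WINDIR%\ISRVS is present ===
    >> "%SNAP%" dir /a "%WINDIR%\ISRVS"
)

rem Autostart locations that msconfig's Startup tab reads from.
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do (
    >> "%SNAP%" echo === %%~K ===
    >> "%SNAP%" 2>&1 reg query %%K
)

rem Winlogon Shell and Userinit are executed at every logon as well; record them.
>> "%SNAP%" echo === Winlogon Shell / Userinit ===
>> "%SNAP%" 2>&1 reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
>> "%SNAP%" 2>&1 reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo Snapshot written to "%SNAP%"
type "%SNAP%"

rem Once both snapshots exist, fc prints only the lines that differ. An entry
rem you removed with msconfig that is back in the "after" file was re-created
rem by something that ran during the reboot, which is what this thread is about.
if exist "%SNAPDIR%\startup-before.txt" if exist "%SNAPDIR%\startup-after.txt" (
    echo.
    echo === Differences between before and after snapshots ===
    fc /l "%SNAPDIR%\startup-before.txt" "%SNAPDIR%\startup-after.txt"
)
endlocal
```

Run it as `startup-snapshot.cmd before`, untick the entries in msconfig, reboot, then run `startup-snapshot.cmd after`. The script only reads and records; deletion is left to the scanners described in the thread, and the snapshot files give you something concrete to compare between the safe-mode and normal-mode passes.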
#3
Guest

This is embarrassing, but how do I disable system restore, and boot into safe mode?

AMG

"Kerry Brown" wrote:
> "Alan M. Goldfarb" <AlanMGoldfarb@discussions.microsoft.com> wrote in
> message news:626BEAD6-D00E-45DD-81E2-1AC6ADF1DD74@microsoft.com...
> > I've found two pieces of malware on my system. I try to use msconfig to
> > remove them from the auto-startup, but they absolutely absolutely
> > ***ABSOLUTELY*** force the comp to write them right back in on rebooting and
> > start up when the computer does.
> >
> > The files are called desktop.exe (Desktop Search) and ffisearch.exe.
> > Msconfig shows them as being in a folder called C:\WINDOWS\ISRVS. But this
> > folder does not show up on "My Computer" and it does not show up on Windows
> > Search/Find. It must be hidden somehow to avoid detection and removal. Norton
> > Antivirus 2005 fails to remove them but specifically lists them as
> > spyware/malware.
> >
> > Does anyone know how to remove these files, and the folder they're in?
>
> I spent a few hours yesterday removing this for a customer. It required more
> than a normal scan for spyware. I too could not see this folder, even in
> safe mode with view hidden and system files turned on. Make sure system
> restore is disabled and you have Spybot Search and Destroy and Adaware SE
> installed and up to date. Reboot into safe mode, log on as administrator and
> do a full system scan with both programs. You must then log out and log in (in
> safe mode) as each of the users on the computer and scan again. When
> finished, reboot into safe mode, log in as administrator, and scan again. At
> this point see if you can find the C:\WINDOWS\ISRVS folder and delete it
> (note: it is set as a hidden system folder). I could see it but not delete
> it at this point. During each of the previous scans it had been detected and
> some parts of it removed. My next step was to reboot in normal mode and do a
> full system scan with Microsoft antispyware (note: MS antispyware had
> identified it before but was not able to block it or remove it). At this
> point I was able to block it from starting up using the advanced
> tools/system explorers. After rebooting again Microsoft antispyware was able
> to remove some more of it. I was then able to boot into safe mode and delete
> the folder. After this all of the programs were used to remove remnants in
> the registry and a couple more files with random names hidden in various
> folders. I think it's gone now :-)
>
> I don't know if all these steps were necessary but it does seem to be a
> stubborn SOB to remove. It seems to be a new variant. I have easily used
> Spybot and Adaware to remove it in the past.
>
> Kerry
#4
Guest

"Alan M. Goldfarb" <AlanMGoldfarb@discussions.microsoft.com> wrote in
message news:7F0E98BE-AF01-4448-848A-9C5CE986CC08@microsoft.com...
> This is embarrassing, but how do I disable system restore, and boot into
> safe mode?

No question is embarrassing. Not asking when you don't know is embarrassing.

To disable system restore:
Right click on "My Computer" and pick "Properties" from the menu.
Click on the "System Restore" tab at the top of the window.
Put a check in the box "Turn off System Restore".
Make sure when you are finished with everything to turn it back on.

To boot into safe mode:
Restart your computer. When you see something on the screen, press and release the F8 key about once a second. Eventually you should get a menu with several choices, one of which is "Safe Mode". Use the cursor keys to highlight "Safe Mode" and press the Enter key.
Some motherboards use the F8 key to bring up a menu of which device to boot from. If you get this menu, just pick the hard drive and continue, then keep pressing the F8 key to get to the "Safe Mode" menu. It sometimes takes a few tries to get the timing right. If Windows restarts normally, just keep trying.

Good luck,
Kerry
#5
Guest

From: "Alan M. Goldfarb" <AlanMGoldfarb@discussions.microsoft.com>

| I've found two pieces of malware on my system. I try to use msconfig to
| remove them from the auto-startup, but they absolutely absolutely
| ***ABSOLUTELY*** force the comp to write them right back in on rebooting and
| start up when the computer does.
|
| The files are called desktop.exe (Desktop Search) and ffisearch.exe.
| Msconfig shows them as being in a folder called C:\WINDOWS\ISRVS. But this
| folder does not show up on "My Computer" and it does not show up on Windows
| Search/Find. It must be hidden somehow to avoid detection and removal. Norton
| Antivirus 2005 fails to remove them but specifically lists them as
| spyware/malware.
|
| Does anyone know how to remove these files, and the folder they're in?
|
| Thanks,
| AMG

Dump the contents of the IE Temporary Internet Folder cache (TIF):
start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory. On drive "C:\" (e.g., "c:\New Folder") or the desktop (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder").
Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file. For example: lpt484.zip
Extract the contents of the ZIP file and place the contents in the same directory as sysclean.com.

2) Update Adaware with the latest definitions.

3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDo...eSysRestore.htm

4) Reboot your PC into Safe Mode and shut down as many applications as possible.

5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your platform and clean/delete any infectors/parasites found. (A few cycles may be needed.)

6) Restart your PC and perform a "final" Full Scan of your platform using both the Trend Sysclean utility and Adaware.

7) Re-enable System Restore and re-apply any System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).

8) Reboot your PC.

9) Create a new Restore point.

* * Please report your results ! * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
#6
Guest

In news:#a1kuYZJFHA.2716@TK2MSFTNGP15.phx.gbl,
Kerry Brown <kerry@kdbNOSPAMsystems.c*o*m> had this to say:

My reply is at the bottom of your sent message:

> I don't know if all these steps were necessary but it does seem to be
> a stubborn SOB to remove. It seems to be a new variant. I have easily
> used Spybot and Adaware to remove it in the past.
>
> Kerry

Kerry, that was a nice description. I thought I'd tell you that. Well written and documented, thank you. I hope that other people will read your post.

Galen
--
Signature changed for a moment of silence.
Rest well Alex and we'll see you on the other side.
#7
Guest

"Galen" <galennews@gmail.com> wrote in message news:OcEi6uvJFHA.4012@TK2MSFTNGP09.phx.gbl...
> Kerry, that was a nice description. I thought I'd tell you that. Well
> written and documented, thank you. I hope that other people will read your
> post.
>
> Galen
> --
> Signature changed for a moment of silence.
> Rest well Alex and we'll see you on the other side.

Thanks,
Kerry