spware C:\WINDOWS\isrvs\desktop.exe


B

bobc

MS spware finds the spyware and kills it but it keeps
coming back when you re-boot. any ideas how to permanently
delete it?

iSearch.DesktopSearch Spyware more information...
Details: Removes the users access to use Windows Search
and replaces it with C:\WINDOWS\isrvs\desktop.exe.
Status: Ignored
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected files detected
c:\windows\isrvs\msdbhk.dll
C:\WINDOWS\isrvs\desktop.exe
c:\windows\isrvs\ffisearch.exe
c:\windows\isrvs\isearch.xpi
c:\windows\isrvs\sysupd.dll
c:\w! indows\isrvs\mfiltis.dll
c:\windows\isrvs\edmond.exe
c:\windows\system32\drivers\delprot.sys

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/h
tml sctpf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-
4791-8674-4D429F85897E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/h
tml
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html sctpf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run ffis
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-
4791-8674-4D429F85897E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/h
tml
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Ru! n Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur
rentVersion\Run Desktop Search
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpro
t
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpro
t Type 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpro
t Start 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpro
t ErrorControl 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpro
t ImagePath \SystemRoot\system32\drivers\delprot.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpro
t DisplayName delprot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run ffis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run ffis
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-
4791-8674-4D429F85897E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/h
tml
! HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
 
Ad

Advertisements

S

Steve Dodson [MSFT]

Boot into safemode and run a deep scan a few times. It sometimes takes a few
runs to uncover the layers of spyware on your system. If that still does not
work, please submit a suspected spyware report under the tools menu so we
can investigate.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
G

Guest

Steve - thanks for your help. Booting in safemode and
doing a full scan cleared the error for good. Thanks!
-----Original Message-----
Boot into safemode and run a deep scan a few times. It sometimes takes a few
runs to uncover the layers of spyware on your system. If that still does not
work, please submit a suspected spyware report under the tools menu so we
can investigate.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
bobc said:
MS spware finds the spyware and kills it but it keeps
coming back when you re-boot. any ideas how to permanently
delete it?

iSearch.DesktopSearch Spyware more information...
Details: Removes the users access to use Windows Search
and replaces it with C:\WINDOWS\isrvs\desktop.exe.
Status: Ignored
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected files detected
c:\windows\isrvs\msdbhk.dll
C:\WINDOWS\isrvs\desktop.exe
c:\windows\isrvs\ffisearch.exe
c:\windows\isrvs\isearch.xpi
c:\windows\isrvs\sysupd.dll
c:\w! indows\isrvs\mfiltis.dll
c:\windows\isrvs\edmond.exe
c:\windows\system32\drivers\delprot.sys

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
h
tml sctpf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB- C706-
4791-8674-4D429F85897E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
h
tml
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html sctpf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run ffis
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB- C706-
4791-8674-4D429F85897E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
hHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Ru! n Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur
rentVersion\Run Desktop Search
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
oHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o
t Start 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o
t ErrorControl 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o
t ImagePath \SystemRoot\system32\drivers\delprot.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o
t DisplayName delprot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run ffis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run Desktop Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run ffis
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB- C706-
4791-8674-4D429F85897E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
h
tml
! HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html


.
 
Ad

Advertisements

S

Steve Wechsler [MVP]

Check Automatic Updates, System Restore, and the Windows Firewall to see
if they've been disabled or the options greyed out.
Do a scan of the system with the installed antivirus program in Safe
Mode, also.
The infection you dealt with has a tendency to affect Explorer.exe in
addition to the what was mentioned previously.

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005
Windows Server - Software Distribution
Windows - Security

.................. In memory of our dear friend, Alex Nichol ............
............................ 1935- 2005 ...............................


Steve - thanks for your help. Booting in safemode and
doing a full scan cleared the error for good. Thanks!
-----Original Message-----
Boot into safemode and run a deep scan a few times. It

sometimes takes a few
runs to uncover the layers of spyware on your system. If

that still does not
work, please submit a suspected spyware report under the

tools menu so we
can investigate.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

confers no rights.
Use of included script samples are subject to the terms

specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all

responses to this
message are best directed to the newsgroup/thread from

which they
originated.

permanently

for

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
h

C706-


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
h

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

C706-


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
h


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delpr
o

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o

C706-


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/
h



.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top