Hidden malware

Guest

I've found two pieces of malware on my system. I try to use msconfig to
remove them from the auto-startup, but they absolutely absolutely
***ABSOLUTELY*** force the comp to write them right back in on rebooting and
start up when the computer does.

The files are called desktop.exe (Desktop Search) and ffisearch.exe.
Msconfig shows them as being in a folder called C:\WINDOWS\ISRVS. But this
folder does not show up on "My Computer" and it does not show up on Windows
Search/Find. It must be hidden somehow to avoid detection and removal. Norton
Antivirus 2005 fails to remove them but specifically lists them as
spyware/malware.

Does anyone know how to remove these files, and the folder they're in?

Thanks,
AMG
 
Alan M. Goldfarb said:
I've found two pieces of malware on my system. I try to use msconfig to
remove them from the auto-startup, but they absolutely absolutely
***ABSOLUTELY*** force the comp to write them right back in on rebooting and
start up when the computer does.

The files are called desktop.exe (Desktop Search) and ffisearch.exe.
Msconfig shows them as being in a folder called C:\WINDOWS\ISRVS. But this
folder does not show up on "My Computer" and it does not show up on Windows
Search/Find. It must be hidden somehow to avoid detection and removal. Norton
Antivirus 2005 fails to remove them but specifically lists them as
spyware/malware.

Does anyone know how to remove these files, and the folder they're in?

I spent a few hours yesterday removing this for a customer. It required more
than a normal scan for spyware. I too could not see this folder, even in
safe mode with "view hidden and system files" turned on. Make sure System
Restore is disabled and you have Spybot Search and Destroy and Adaware SE
installed and up to date. Reboot into safe mode, log on as administrator and
do a full system scan with both programs. You must then log out and log in (in
safe mode) as each of the users on the computer and scan again. When
finished, reboot into safe mode, log in as administrator, and scan again. At
this point see if you can find the C:\WINDOWS\ISRVS folder and delete it
(note: it is set as a hidden system folder). I could see it but not delete
it at this point. During each of the previous scans it had been detected and
some parts of it removed. My next step was to reboot in normal mode and do a
full system scan with Microsoft AntiSpyware (note: MS AntiSpyware had
identified it before but was not able to block it or remove it). At this
point I was able to block it from starting up using the advanced
tools/system explorers. After rebooting again, Microsoft AntiSpyware was able
to remove some more of it. I was then able to boot into safe mode and delete
the folder. After this, all of the programs were used to remove remnants in
the registry and a couple more files with random names hidden in various
folders. I think it's gone now :-)

I don't know if all these steps were necessary but it does seem to be a
stubborn SOB to remove. It seems to be a new variant. I have easily used
Spybot and Adaware to remove it in the past.

Kerry
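As an added check (not part of Kerry's post or of any tool named in this thread), the PowerShell script below lists the Run/RunOnce autostart entries and flags the two symptoms described above: an entry whose executable sits in a folder marked Hidden+System, or whose folder cannot be seen from the current session at all. It assumes an elevated prompt on a current Windows version and changes nothing.

```powershell
# Added example, not from the thread. Read-only: lists Run/RunOnce entries and
# flags those pointing into a Hidden+System folder or into a folder that this
# session cannot see (the symptoms reported above for C:\WINDOWS\ISRVS).

$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath([string]$Command) {
  # Recover the executable path from a Run value: honour a quoted path first,
  # otherwise take everything up to the first executable extension.
  $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
  if ($c.StartsWith('"')) {
    $end = $c.IndexOf('"', 1)
    if ($end -gt 1) { return $c.Substring(1, $end - 1) }
  }
  $m = [regex]::Match($c, '^(.*?\.(exe|com|bat|cmd|scr))', 'IgnoreCase')
  if ($m.Success) { return $m.Groups[1].Value }
  return ($c -split ' ')[0]
}

function Test-HiddenSystemFolder([string]$Folder) {
  # True when both the Hidden and System attributes are set on the folder.
  $attr = (Get-Item -LiteralPath $Folder -Force).Attributes
  return (($attr -band [IO.FileAttributes]::Hidden) -ne 0) -and
         (($attr -band [IO.FileAttributes]::System) -ne 0)
}

foreach ($key in $runKeys) {
  if (-not (Test-Path -Path $key)) { continue }
  $values = Get-ItemProperty -Path $key
  foreach ($p in $values.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run entry
    $target = Get-TargetPath ([string]$p.Value)
    $dir = Split-Path -Parent $target       # empty for bare names like rundll32.exe
    $note = ''
    if ($dir) {
      if (-not (Test-Path -LiteralPath $dir)) {
        $note = '  <-- startup entry points at a folder this session cannot see'
      } elseif (Test-HiddenSystemFolder $dir) {
        $note = '  <-- folder is marked Hidden+System'
      }
    }
    '{0}\{1} = {2}{3}' -f $key, $p.Name, $p.Value, $note
  }
}
```

An entry that is flagged as invisible despite being listed in the Run key is worth a second look from safe mode or offline media, since a folder that exists for the loader but not for Explorer is exactly what the thread describes.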
 
Alan M. Goldfarb said:
This is embarrassing, but how do I disable system restore, and boot into
safe mode?

No question is embarrassing. Not asking when you don't know is embarrassing.

To disable system restore:

Right click on "My Computer" and pick "Properties" from the menu. Click on
the "System Restore" tab at the top of the window. Put a check in the box
"Turn off System Restore". Make sure when you are finished with everything to
turn it back on.

To boot into safe mode:

Restart your computer. When you see something on the screen, press and
release the F8 key about once a second. Eventually you should get a menu
with several choices, one of which is "Safe Mode".
Use the cursor keys to highlight "Safe Mode" and press the Enter key. Some
motherboards use the F8 key to bring up a menu of which device to boot from.
If you get this menu, just pick the hard drive and continue, then keep
pressing the F8 key to get to the "Safe Mode" menu. It sometimes takes a few
tries to get the timing right. If Windows restarts normally, just keep
trying.

Good luck, Kerry
 
From: "Alan M. Goldfarb" <[email protected]>

| I've found two pieces of malware on my system. I try to use msconfig to
| remove them from the auto-startup, but they absolutely absolutely
| ***ABSOLUTELY*** force the comp to write them right back in on rebooting and
| start up when the computer does.
|
| The files are called desktop.exe (Desktop Search) and ffisearch.exe.
| Msconfig shows them as being in a folder called C:\WINDOWS\ISRVS. But this
| folder does not show up on "My Computer" and it does not show up on Windows
| Search/Find. It must be hidden somehow to avoid detection and removal. Norton
| Antivirus 2005 fails to remove them but specifically lists them as
| spyware/malware.
|
| Does anyone know how to remove these files, and the folder they're in?
|
| Thanks,
| AMG

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt484.zip.

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shut down as many applications as possible.
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware.
7) Re-enable System Restore and re-apply any System Restore preferences
(e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) Create a new Restore Point.

* * Please report your results ! * *
 
In Kerry Brown <[email protected]*o*m> had this to say:

My reply is at the bottom of your sent message:
I don't know if all these steps were necessary but it does seem to be
a stubborn SOB to remove. It seems to be a new variant. I have easily
used Spybot and Adaware to remove it in the past.

Kerry

Kerry, that was a nice description. I thought I'd tell you that. Well
written and documented, thank you. I hope that other people will read your
post.

Galen
 
Galen said:
Kerry, that was a nice description. I thought I'd tell you that. Well
written and documented, thank you. I hope that other people will read your
post.

Galen

Thanks, Kerry
 