Saturday, August 27, 2005

ISearchTech.SideFind Update (08-27-05)

A couple of recent comments appended to Virtual Grub Street's "How to Remove ISearchTech.SideFind" inform me that SpyBot S&D is no longer able to remove the newer versions of ISearchTech.SideFind or ISearchTech's Your Site Bar. A preliminary check around the net verifies that the following message is received when the SpyBot S&D 1.4 (most recent version) scan is run:

ISearchTech.SideFind: Settings (Registry key, fixing failed) HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar

ISearchTech.YSB: Settings (Registry key, fixing failed) HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar

It is clear that ISearchTech is becoming the King Kong of the adware/malware world. The first place a user might wish to check in his search for answers is this Computing.net post, which lists a number of approaches that failed:


http://computing.net/security/wwwboard/forum/16387.html

This should save time.

An approach that seems to have worked is to combine Pocket KillBox with Panda scans and the Rand1038 registry search tool available at the Tom Coyote site (http://tomcoyote.org/rand1038/vbscript/RegScan.zip). This is an exceptional piece of work by LonnyRJones at Net-Integration. The thread in question can be found here: http://forums.net-integration.net/index.php?showtopic=32253. It addresses a serious multiple infection, two components of which are ISearchTech's SideFind and YourSiteBar, and I will not be able to sit down with it and melt it down into a simpler format for a while. Other duties call.

Warning! The infected machine in the thread is a Windows 2000 machine. For 2000/NT machines it may be necessary to follow these instructions from the N-I thread:


Download and install pserv.cpl: http://p-nand-q.com/e/pserv.html

Start the tool; it will have made a shortcut in the Windows Control Panel called "Services & Devices".

You need to be careful and always double check. On its toolbar go Display > Display Devices > find this item > HexadecimaRepresentation

Double-check you have the correct device by ensuring it is pointing to C:\WINNT\Edit.exe

Right click on it and in the context menu choose Delete.
Close pserv.cpl

Download System Security Suite: http://www.igorshpak.net/
If that site is unavailable use this link please:
http://forums.subratam.org/index.php?act=A...e=post&id=25013
Extract it from the zip file and run setup.exe. After the install you can delete setup.exe and the downloaded zip file. Start the program, check all the boxes under the 'Items to Clear' tab (except perhaps cookies) and click 'Clear Selected Items'. You will be prompted to reboot; do so or the job doesn't get done.


The file "HexadecimaRepresentation" is an indication of the W32/Sdbot-AAY worm (a backdoor downloader), and I have not yet had the time to trace which of the multiple infections it is associated with. It is not clear what equivalent steps are necessary to remove the infection on other versions of Windows.

If the user is not particularly experienced, it would perhaps be wiser to contact Net-Integration and ask for step-by-step guidance. Be prepared to download a range of free software in order to meet N-I's prerequisites and to get rid of the infection.

Another promising shorthand approach should be to run the Rand1038 registry search tool and delete all registry entries for ISearchTech, and then to run SpyBot (off-line) and Panda ActiveX scans.
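As an added, report-only illustration of that registry-search step (my own PowerShell, not the post's or the Rand1038 tool, and assuming a modern Windows host with PowerShell; the indicator strings are simply the names that appear in this post), the script below checks for the two keys SpyBot could not fix and then searches HKLM\SOFTWARE and HKCU\SOFTWARE for related key names, value names and string data, leaving any deletion to the operator:

```powershell
# Added example (not from the post or the Rand1038 tool): report-only check
# for ISearchTech registry leftovers. Run from an elevated PowerShell prompt.
# Nothing is deleted, so the operator can review each hit first.

# Keys SpyBot S&D 1.4 reported it could not fix (from the scan output above).
$KnownKeys = @(
    'HKLM:\SOFTWARE\ISTbar',
    'HKLM:\SOFTWARE\YourSiteBar'
)

# Name fragments to look for, mirroring a registry-wide text search.
$Indicators = @('ISearchTech', 'SideFind', 'ISTbar', 'YourSiteBar')

function Test-KnownKeys {
    foreach ($key in $KnownKeys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Kind = 'KnownKey'; Path = $key; Match = '' }
        }
    }
}

function Search-RegistryHive {
    param([string]$Root)
    # SilentlyContinue skips keys this account cannot open (e.g. SAM, SECURITY).
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            foreach ($ind in $Indicators) {
                if ($item.PSChildName -like "*$ind*") {
                    [pscustomobject]@{ Kind = 'KeyName'; Path = $item.Name; Match = $ind }
                }
                # Also inspect value names and string data under this key.
                foreach ($vname in $item.GetValueNames()) {
                    $data = [string]$item.GetValue($vname)
                    if ($vname -like "*$ind*" -or $data -like "*$ind*") {
                        [pscustomobject]@{ Kind = 'Value'; Path = "$($item.Name)\$vname"; Match = $ind }
                    }
                }
            }
        }
}

$findings = @(Test-KnownKeys) + @(Search-RegistryHive 'HKLM:\SOFTWARE') + @(Search-RegistryHive 'HKCU:\SOFTWARE')
if ($findings.Count -eq 0) {
    Write-Host 'No ISearchTech indicators found in HKLM\SOFTWARE or HKCU\SOFTWARE.'
} else {
    $findings | Sort-Object -Property Path -Unique | Format-Table -AutoSize
}
```

The listing is the starting point for the manual deletion the post describes; a rerun after the off-line SpyBot and Panda scans shows whether anything survived.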
