ISearchTech.PowerScan - I can't get rid of this malware!!

[imported_Matts]

I've tried every spyware tool and none can fix or delete this off my pc. it comes up as ISearchTech.PowerScan. I went into Registry Editor and tried to delete it but it doesn't work. It always reappears again when I run a spyware tool. Anyone can help?

 

[mechBgon]

1) What exact antispyware tools have you tried?

2) Did you disable System Restore?

3) What version and service pack of Windows do you have?

4) What brand and version of antivirus software do you have?

5) Do you have a router or not

6) Do you have firewall software or not

 

[imported_Matts]

spyware doctore, adaware, spybot
i haven't disable system restore
i have free avg, i do have pc-cillin 2005 but haven't installed yet
no router
zonealarm free firewall

 

[mechBgon]

Ok, I'm going to type up a suggested plan of attack, will take me a while. Take a snack break 😀

 

[imported_Matts]

i was lucky enough to download some search toolbar by accident which containted nearly 200 spyware. only 2 remain and it's both ISearchTech.PowerScan.

 

[imported_Matts]

 

[imported_Matts]

thanks for trying to help me out. i'm running macafee Stinger right now. hopefully that'll work. I doubt it though.

 

[abaez]

Did you try the stickied thread about removing spyware at the top of this forum?

 

[mechBgon]

1) download these files:

• 30-day trial of Kaspersky Antivirus Personal 5.0, way better than AVG at detecting some types of threats you're probably up against here.
• the updates_X folder from Kaspersky's FTP site, this is their SuperSecure database (thanks Raincity for showing how to do this)
• Microsoft AntiSpyware Beta
• WinSockFix, keep this handy in case your Internet connection fails when you rip out the badware.
• HijackThis

2) Disable System Restore.

3) Install the Microsoft Antispyware Beta and update it, but don't scan yet.

4) Please follow this carefully:

• Click Start > Run > services.msc to fire up the Windows Services panel, it looks like this picture.
• Click the Status header until the Started ones are all on top.
• Slide open the Name and Description headers enough to show the names and descriptions, like in my picture.
• Get screenshots of those and post them somewhere, you can sign up at http://pics.bbzzdd.com if you need somewhere to host them. And post links to the pictures so I can scope them out, looking for rogue services here.

5) Also post a HijackThis logfile here, the text from it.

6) Install the Kaspersky Antivirus, set its real-time and on-demand scanners to Maximum, go to the Configure Updater panel and choose to update from a local folder. Use the update_x folder you got from Kaspersky's FTP site. Don't get hasty and launch a Kaspersky scan just yet.

7) Once I can look at your HijackThis log and your Services list and see if there's any bad services to kill, then you can note down what you'll want to kill and go on to the next stuff.

8) Restart the computer in Safe Mode. Open Task Manager and try to kill all the processes one by one except for Explorer.exe. If you're not allowed, don't let it bug you, but try.

9) In Safe Mode, run HijackThis and kill whatever we decided needed killing.

10) In Safe Mode still, run an exhaustive Kaspersky antivirus scan and deal with anything it finds.

11) While you're in Safe Mode, you can also run AdAware and Spybot for good measure.

12) Whatever directory that search bar thing lives in, maybe C:\Program Files\SearchBar or whatever, make that exact folder again. Right-click it, choose Properties > Security, and remove all permissions by anyone. :evil:

13) Empty your C:\Windows\Prefetch directory completely and also your Temporary Internet Files.

14) Unplug your network cable or turn off your modem or WAP.

15) Right-click My Computer, choose Manage, go down to Local Users & Groups > Users, and right-click each user account and give it a strong password such as Matts@AT to keep the spyware from pulling a no-brainer exploit of the Admin powers.

16) Reboot into Normal Mode and fire off a full-version Microsoft AntiSpyware scan. Deal with everything it finds, go down the list and make sure it's all set to Remove.

17) Do another HijackThis log and post it.



Hope you've got the patience for all that, it'll probably take you 6-8 hours 🙂 Otherwise, unplugging your network connection, reformatting the hard drive, and reinstalling Windows carefully could be faster 🙂

 

[imported_Matts]

ok, i'll try this now. thanks. will take me a little while though.

 

[imported_Matts]

i'm sorry. where do I download the update x folder to. does it matter where i put it?

 

[imported_Matts]

and do i have to download each file individually?

 

[mechBgon]

Originally posted by: Matts
i'm sorry. where do I download the update x folder to. does it matter where i put it?

Just remember where you put it, you could put it right in C:\ for easy remembering.

 

[imported_Matts]

wow, i started running kapersky anti-virus while waiting for a response and it found a bunch more. i have a trojan downloader called 1stBar as well which can't be deleted. this sucks. when the scan is done i'll do everything you said in order.

 

[imported_Matts]

ok, i think i'll put this off til friday. i really want to watch an anime dvd i just got. i'll post updates on friday and hopefully this will work out. thanks for the help mechBgon.

 

[mechBgon]

Originally posted by: Matts
wow, i started running kapersky anti-virus while waiting for a response and it found a bunch more. i have a trojan downloader called 1stBar as well which can't be deleted. this sucks. when the scan is done i'll do everything you said in order.

I bet that's ISTBar with a letter i and stands for ISearchTech. If there is a folder C:\Program Files\ISTsvc then that's probably one of its hideouts that you'll want to do the no-access trick on while you're in Safe Mode. If the folder already exists and is access-denied when the junk tries to reinstall, it's going to be 😕.

Ok, quiz time: what tool do you use if you kill the badware and then your Internet doesn't work anymore? ____________________ 🙂

 

[Malak]

I have removed Powerscan probably 3 times on 3 seperate machines just by using adaware and spybot S&D. But I think first you have to uninstall it, which you can do in add/remove programs. Then you run adaware and spybot, restart machine, and run them again.

 

[imported_Matts]

winsockfix

 

[imported_Matts]

it's already uninstalled. if it were that simple i would have removed it already.

 

[imported_Matts]

one last thing before i sign off tonight. what do i do with the .klc files in the update x folders. i click on them and the don't download like the .exe files

 

[mechBgon]

Just download the entire folder itself, and you'll get all the contents.

 

[mechBgon]

I have a slight addendum: after using the Configure Updater panel to choose "from a local folder" and directing it to the updates_x folder, now go out to the Protection tab and hit Update Now to make it actually follow through on the update.

 

[imported_Matts]

i can't download the whole folder. when i click on it it simply opens and i can't do it by right clicking either. i don't know how.

 

[mechBgon]

Huh, I just did... I clicked my link, the Kaspersky directory opened, I right-clicked the updates_x folder and chose Copy to folder... and saved it to my desktop. Well, if you're inside the folder, do CTRL A to select all the files, or drag a box around them all, then right-click-&-drag them onto the folder you want to save them to on your hard drive, perhaps.

If that's not working out, setting it to use the "From Internet, extended databases" would be next-best for your goals here.

 

[imported_Matts]

funny, i don't get copy to folder when I right click. you know i disabled system restore and ran every spyware and anti-virus program again and now my system seems to be clean. i wonder if it really is though.