IBIS toolbar scum won't stay deleted

DustyB

G'day all;

I'm running the MS Beta 1 AntiSpyWare tool. And it seems to do a pretty
good job of finding things.

In fact, it finds an IBIS toolbar hijacker entry in the registry--just about
every time I run it. I select to delete it, and it does get deleted. I can
watch that happening in the registry. However, a few moments later it's
back!

I'm certain something's starting it, but can't seem to pin down the culprit.
I've done the "HiJackThis!" route, but don't see anything in it that would
be worrisome... Also ran Ad-Aware & SpyBot R&D. Nothing seems to find it
except the MS AntiSpyWare module.

Any ideas out there?


DustyB
San Jose
 
Menno Hershberger

> G'day all;
>
> I'm running the MS Beta 1 AntiSpyWare tool. And it seems to do a
> pretty good job of finding things.
>
> In fact, it finds an IBIS toolbar hijacker entry in the registry--just
> about every time I run it. I select to delete it, and it does get
> deleted. I can watch that happening in the registry. However, a few
> moments later it's back!
>
> I'm certain something's starting it, but can't seem to pin down the
> culprit. I've done the "HiJackThis!" route, but don't see anything in
> it that would be worrisome... Also ran Ad-Aware & SpyBot R&D.
> Nothing seems to find it except the MS AntiSpyWare module.

I suggest you subscribe to microsoft.private.security.spyware.general
Use newserver "privatenews.microsoft.com"
Login is "privatenews\spyware"
Password is "spyware"
That subject comes up a lot in there.
It's a newsgroup for beta testers.
If you're running it, then that's what you are.
 
Kelly

Hi Dusty,

This one is a bit tricky but not unsolvable.

In most cases without using third party, this takes three steps.

1. Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Gain the exact path.
Note: Save these two to regedit favorites.

2. Start/Run/Msconfig/Startup

Gain the exact path.

3. Follow the path via Windows Explorer.

Leave/have all three windows opened, now open the Task Manager.

Once knowing the exact path, end the process via the Task Manager, then
delete the entry via Windows Explorer. From there, delete the run command
from both regedit and msconfig. With regedit still open, hit F5. If it
replaces itself, you didn't do it in a timely manner or you didn't follow
the exact placement path.

Note: In some cases, depending, you will be allowed to rename the .exe via
safe mode and then delete.

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
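
The "gain the exact path" steps from the post above can be scripted. The following PowerShell is an added example, not part of the original thread: it lists every value under the two Run keys named in the post, resolves each command line to an executable path, and reports whether that file exists and whether a process is currently running from it. The helper name `Get-ExecutablePath` and its extension list are assumptions made for this illustration.

```powershell
# Added example (not from the thread): audit the two Run keys named in the post.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: reduce a Run-key command line to the executable it launches.
function Get-ExecutablePath {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted path: take the text between the first pair of quotes.
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path (may contain spaces): stop at the first known extension
    # that is followed by whitespace, a comma, or the end of the string.
    if ($expanded -match '^(.+?\.(exe|scr|com|bat|cmd|dll))(\s|,|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token.
    return ($expanded -split '\s+')[0]
}

# Image paths of running processes; Path is empty for processes we cannot open.
$running = Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if (-not $command) { continue }           # skip empty values
        $exe = Get-ExecutablePath $command
        [pscustomobject]@{
            Key        = $key
            ValueName  = $name
            Command    = $command
            Executable = $exe
            # A bare name such as rundll32.exe is found via PATH at logon,
            # so FileExists is only meaningful for full paths.
            FileExists = Test-Path -LiteralPath $exe
            Running    = $running -contains $exe  # case-insensitive compare
        }
    }
}
```

An empty or unremarkable result here is consistent with what the original poster reports later in the thread, where nothing relevant appeared under these two keys.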
 
DustyB

Hello "Kelly" et al.,

> ....
> 1. Start/Run/Regedit
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>
> Gain the exact path.
> Note: Save these two to regedit favorites.

Tried several incantations of similar processes. There was always nothing
(or at least, nothing relevant) in those registry keys.

> 2. Start/Run/Msconfig/Startup
>
> Gain the exact path.
>
> 3. Follow the path via Windows Explorer.
>
> Leave/have all three windows opened, now open the Task Manager.
>
> Once knowing the exact path, end the process via the Task Manager, then
> delete the entry via Windows Explorer. From there, delete the run command
> from both regedit and msconfig. With regedit still open, hit F5. If it
> replaces itself, you didn't do it in a timely manner or you didn't follow
> the exact placement path.
>
> Note: In some cases, depending, you will be allowed to rename the .exe
> via safe mode and then delete.

The problem is, that it's not running, and doesn't start until I do a
reboot.

However, I've solved the problem! Via a tip from another group on a related
matter in the MS group for experimental SW. I downloaded and ran
"CounterSpy" from Sunbelt Software. That found those registry entries, and
apparently the file that somehow got launched and caused them:
TBSSAVER.SCR.

I deleted them, and this morning's MSAS run found nada! So that wuz it...

Damn that took a lot of grief to find...

But what really puzzles me is *how* did I get that? I'm pretty careful, and
have both MSAS and eTrust running... Should'a been safe...but somehow it
got me.

Thanks again to all of the helpful replies, folks.

DustyB
San Jose
....
 
DustyB

G'day all; I thought I'd update you on my "progress".

1) Menno, your suggestion about the NG for MSAS info was a winner!

2) Although my query there didn't bear fruit, my reading of a similar
thread, there, did. And from that I resolved my issue. Thank you!

MSAS was finding the registry entries for an IBIS based or related toolbar
hijacker. But it apparently couldn't find the perp. In another thread I
found out about a tool from Sunbelt Software: CounterSpy. *That* worked!
It too found the IBIS registry entries. In addition, it nailed the file:
TBBSAVER.SCR.

That file was the culprit. While I still don't know just how that file did
its deed, I do know that now that it's gone, my problem is too. FWIW; while
I'm not 100% conversant in all possible files and such to be run, I know
most of 'em. But neither I nor "HiJackThis!" found it.

Finally, for "Dave", I run the most current version of Ad-Aware SE Pro (the
"pay for" version), and always update the signature files before I use it.
But thanks for asking...

So thanks again to all who responded for your help.


Best regards,
Dusty
 
