MSAS keeps finding IBIS Tb hijacker

Dusty

G'day all;

Recently (think) I think I got nabbed by a Trojan(s). I was searching for
some spyware info, and my Google search string "found" what, by the words I
read, seemed to be a site with relevant info. I had just clicked on the
link as I was called away from my desk.

Upon my return, I found a screen full of some of the vilest porno I'd ever
seen (and no, I'm not some prude that can't stand the sight of a beautiful
body--esp. nude!).

I killed everything, and did the usual stuff; ran Ad-Aware, SpyBot R&D, and
did a full scan with both my eTrust suite and MSAS (1.0.501). Found lots of
stuff...but the recurring theme seems to be that MSAS finds IBIS toolbar
tracks in the registry. I select the "remove" option, and by watching via
RegEdit, I can see those entries being removed.

I reboot, and run the tools again (tried safemode as well) and voila! The
registry tracks are back.

I've looked up and checked all of the reputed IBIS killers, checked for all
of the .DLL's, .EXE's, and registry entries that were recommended for
removal...and found nada!

I'm fresh outta ideas. I wuz hopin' that somebody's got some new ones I can
borrow...


Regards,
DustyB
San Jose
Running XP Pro/SP2, auto updated daily, on a recent Dell box w/lots of RAM &
HDD
 
Andre Da Costa

John's Solution:

First, uninstall the Web Search program and WinTools program from Add/Remove
Programs

1) Click on Start, Settings, Control Panel

2) Double click on Add/Remove Programs

3) Find "Web Search Toolbar" and "Win-Tools Easy Installer (By Web Search)"
in the list of installed programs and click on Change/Remove to uninstall
it.

During the uninstall process, you will be presented with several prompts to
guide you through uninstalling the product. Read these carefully to make
sure you are actually choosing to uninstall rather than keep the software.

** Note: I find it particularly funny that after the install, the company
actually pops up a screen telling you it's not spyware and guiding you to buy
spyware removal software with what appears to be affiliate links that the
company would profit from. See a screenshot of this advertisement.

5) After rebooting the computer, run HijackThis and remove any of the
leftover lines shown above especially the following lines that do not seem
to be uninstalled completely.

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50024/QDow_AS2.cab

6) Next, open My Computer, Drive C, and double-click on the Program Files
folder

7) Right-click and delete the folder below if it still exists

a.. Toolbar

Also check for the presence of the C:\Program Files\Common Files\Wintools
directory. If this folder still remains you may have to follow the WinTools
uninstall procedure.

8) IBIS WebSearch (websearch.com) should now be completely uninstalled from
your computer.
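
An added example (not part of the original post and not HijackThis's own code): a small Python parser for the two HijackThis entry types quoted above. It rejoins entries that a mail client has wrapped onto a second line, extracts the CLSID and target, and reports the registry location each entry type is read from. The sample log is constructed; the R0 line and the all-zero CLSID are placeholders.

```python
import re

# Registry locations HijackThis reads for these two entry types.
SECTION_KEYS = {
    "R3": r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks",
    "O16": r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units",
}
# The two CLSIDs quoted in the post above.
POSTED_CLSIDS = {"{8952A998-1E7E-4716-B23D-3DBE03910972}",
                 "{87067F04-DE4C-4688-BC3C-4FCF39D609E7}"}
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: the two posted entries, each wrapped onto two lines,
# plus two placeholder lines (the R0 entry and the all-zero CLSID).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} -
C:\PROGRA~1\Toolbar\toolbar.dll
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
http://download.websearch.com/Dnl/T_50024/QDow_AS2.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://example.invalid/x.cab
"""

def join_wrapped(text):
    """Rejoin entries that a mail client wrapped onto a second line."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def parse_entry(entry):
    """Return section, CLSID, target and registry key for an R3/O16 entry."""
    section = entry.split(" - ", 1)[0]
    found = CLSID.search(entry)
    if section not in SECTION_KEYS or not found:
        return None
    clsid = found.group(0).upper()
    return {"section": section, "clsid": clsid,
            "target": entry[found.end():].lstrip(" -"),
            "registry_key": SECTION_KEYS[section],
            "posted": clsid in POSTED_CLSIDS}

def posted_matches(text):
    """Entries in a log whose CLSID is one of the two named in the post."""
    parsed = (parse_entry(e) for e in join_wrapped(text))
    return [p for p in parsed if p and p["posted"]]
```

An empty result from `posted_matches` only means these two CLSIDs are absent from the log; it says nothing about other files that may be recreating registry entries.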
 
OldBoy

And update to version 1.0.609

Gr. Jan
 
Dusty

A big "Hello!" to Andre, "OldBoy", Menno, "plun", and the others that
replied. I can see I've come to a group of kindred spirits. Thanks all for
your help.

Andre Da Costa said:
> John's Solution:
>
> First, uninstall the Web Search program and WinTools program from
> Add/Remove Programs

I can't. I didn't install one. And there's nothing (that I could find) to
remove...

> 1) Click on Start, Settings, Control Panel
>
> 2) Double click on Add/Remove Programs
>
> 3) Find "Web Search Toolbar" and "Win-Tools Easy Installer (By Web
> Search)" in the list of installed programs and click on Change/Remove to
> uninstall it.

No such entry. I can not execute the requested operations.

....

> 5) After rebooting the computer, run HijackThis and remove any of the
> leftover lines shown above especially the following lines that do not seem
> to be uninstalled completely.

BTDT; nothing out of the ordinary was found. Yes. Yes. I know. Something
was there...it just wasn't visible to me...

> R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

No such file/entry.

> O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50024/QDow_AS2.cab

Could you check this link? I got a 404.

> 6) Next, open My Computer, Drive C, and double-click on the Program Files
> folder
>
> 7) Right-click and delete the folder below if it still exists
>
> a.. Toolbar

No such.

> Also check for the presence of the C:\Program Files\Common Files\Wintools
> directory. If this folder still remains you may have to follow the
> WinTools uninstall procedure.
>
> 8) IBIS WebSearch (websearch.com) should now be completely uninstalled
> from your computer.

Thanks for your tips. I only wish I could say that they helped. My guess
is that earlier runs of Ad-Aware, Spybot, etc. got the files and entries
you've listed, and I've got some hidden file(s) that I've not yet managed to
locate...

Okay! Problem solved! Thanks to the folks posting here, I gleaned a tip
from another thread that took care of things. I downloaded and ran,
"CounterSpy" from Sunbelt software. It caught what MSAS found, and the
others didn't.

MSAS found the registry tracks, but couldn't locate the file that apparently
caused 'em. The others didn't even find those. But "CounterSpy" nailed
those registry entries AND found: TBSSAVER.SCR. Apparently that was the
guy that caused those registry tracks.

Unlike the past few days, this morning the summary screen of my overnight
MSAS run showed a clean system! Yea! A big thank you goes to Sunbelt
Software. Right after this note goes off, I'm going to do an on-line
registration and purchase the copy of their tools. I'm puttin' those into
my first-line of defense tool set.

FWIW; besides my own machinations and careful checking of my machine, I had
run a few other programs; and to save their vendors embarrassment, I won't
mention them here. Several of them told me that they'd found all sorts of
spies and things, but they couldn't remove them unless I paid for them
first. BTDT; and been both a handful of $$'s lighter, and no better off.
Sunbelt Software didn't do that. Their eval version worked right
out-of-the-box. That's the way it should be. The rest should take note.

Anyway, does anybody know how to convey this info to MS in order to
incorporate it into MSAS? While it did well, it didn't find the source of
my problem. I'd like to be able to have my problem become a solution for
others. How best to do that?

Thanks again to all who responded. You've been a great help. I plan on
continuing to read here...as it's clear that there's a lot to be learned
amongst you all... BTW; I was sent here by an MVP in one of MS's support
groups. Kudos to you all!


Later all,
Dusty
 
