Antispyware Beta

Guest

I have two threats that AntiSpyware found but was unable to remove. They are
as follows: IBIS Toolbar Adware, which is located in
c:/programfiles/toolbar/cursors, and Huntbar, located in my registry key
HKey_local_machine\software\btiein. When I do a cleaning with AntiSpyware
it says it is clean, but then these threats reappear. Any solutions out there?
 
Guest

Hello Pastor;

Steps to take if you have spyware that is not removed by Microsoft Windows
AntiSpyware (beta)
1) Open up AntiSpyware
2) Click Tools at the top
3) Click "Submit a Suspected Spyware Report"
4) Fill out the form with as much detail as possible so they can analyze it quickly

By doing these steps before trying something new, you make the product better.

Generally, in a case where the item is identified, but not properly removed,
the next steps are:

1) Update both Microsoft Antispyware and your antivirus application.


2A) Have you tried Microsoft AntiSpyware, preferably while running in safe mode?


2B) Shut down the computer and turn off the power. Wait for at least 30
seconds, and then restart the computer in Safe mode or VGA mode.

Empty your IE cache and your other temporary file folders, e.g. c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your user name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.
http://www.mvps.org/winhelp2002/delcache.htm


3) Do full deep scans with Microsoft Antispyware. Repeat
scanning until a complete scan comes through clean. Ditto
with the antivirus.

This isn't guaranteed, but it works for a great many items
that at first appear not to be cleaned in normal mode.

Also see
http://www.iamnotageek.com/a/370-p1.php

Good luck

Engel
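The temp-folder check in the steps above, done as a script. This is an added example and is not part of Engel's post or of Microsoft AntiSpyware: it inventories every *.exe and *.dll under the temp folders (the current user's temp, %SystemRoot%\Temp, C:\Temp and the IE cache) with a SHA-256 hash and Authenticode status, so you can look at what is there before you empty the folders, and then clears them with -WhatIf support. It assumes PowerShell 5.1 or later on a current Windows; the folder list and the INetCache path are assumptions for modern Windows rather than the XP-era paths quoted in the post.

```powershell
# Added example (not from the original thread). Inventory, then clear, the
# temp folders Engel's step 2B says to empty. Assumes PowerShell 5.1+ on Windows.

function Get-TempFolderCandidates {
    # Folder list is an assumption for current Windows versions.
    $paths = @(
        $env:TEMP,
        (Join-Path $env:SystemRoot 'Temp'),
        'C:\Temp',
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache')   # modern IE cache location
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

    foreach ($p in $paths) {
        Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue -Include *.exe, *.dll |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Modified  = $_.LastWriteTime
                    SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                    Signature = $sig.Status          # Valid / NotSigned / HashMismatch ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

function Clear-TempFolders {
    # Deletes the contents (not the folders themselves). Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $paths = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'), 'C:\Temp') |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
    foreach ($p in $paths) {
        # Top-level children only; Remove-Item -Recurse takes care of subtrees.
        Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove')) {
                # Files still locked by a running process are skipped; those are the
                # ones to revisit from Safe Mode, as the post suggests.
                Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue
            }
        }
    }
}

# Review the executables first, newest on top, then clear.
Get-TempFolderCandidates | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
Clear-TempFolders -WhatIf
```

Unsigned or hash-mismatched binaries sitting in a temp folder are the "mysterious *.exe/*.dll files" the post warns about; copy them somewhere for analysis (or keep the hash) before running Clear-TempFolders without -WhatIf, because once the folder is emptied there is nothing left to submit in a spyware report.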
 
Guest

Hi again;

This toolbar is also a search hijacker and BHO.

If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHOs that you don't recognize.

You can also use the System Explorers in Microsoft AntiSpyware to look at
BHOs and block them--it also shows known and unknown status for BHOs.
http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx .

Read the help file in MSAS; you will find a lot of info regarding BHOs and more.

Good luck

Engel
 
Andre Da Costa

Andy wrote:
Hi

Sounds like you've tried most things. If the IBIS entries
are related to WinTools it can be a pain to remove all
the traces. Try running this fix tool from Symantec, in safe
mode, on any account that is showing IBIS; also use MS
AntiSpyware & CCleaner. You could also clear the prefetch
folder (go to Start > Run, type prefetch, and delete the
contents of the folder in case it has stored any info in
there).

Download to desktop and run in safe mode (reboot and keep
tapping F8 then choose safe mode)

http://securityresponse.symantec.com/avcenter/FxWebsch.exe


Here are the files and reg entries, but this fix tool will
hopefully remove them all if any exist.


Check Add/remove screen for these and remove if found:

Toolbar
WinTools
WebOffer
Web Search Toolbar
Win-Tools Easy Installer

File names:

common.dll
IExploreSkins.exe
PIB.exe
WSG.exe
WSup.exe
WToolsA.exe
WToolsB.dll
WToolsS.exe
btiein.dll
websearch.exe
QDow_AS2.dll
setupex.exe
TBPS.exe
toolbar.dll


Files may be created in the following folders:

%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools

C:\Program Files\Common Files\Wintools

C:\Program Files\Toolbar

C:\Program Files\websearch



IBIS may create any of these registry entries (it's a very
long list):


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"TBPS" = ""
"WinTools" = ""
"OETool" = ""
"TB_setup" = ""

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

"TBPS" = ""
"WinTools" = ""
"OETool" = ""
"TB_setup" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage

"%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}" = ""
"%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\.Owner" = "{87067F04-DE4C-4688-BC3C-4FCF39D609E7}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

"%CommonProgramFiles%\MSIETS\" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

"%Windir%\Downloaded Program Files\QDow_AS2.dll" = "1"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Connection Wizard

"ShellNext" = "[path to file]"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

"Search Bar" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

"Search Bar" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

"Start Page" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

"Start Page" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search

"CustomizeSearch" = "res://%SystemDrive%\PROGRA~1\Toolbar\toolbar.dll/sa"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

"CustomizeSearch" = "res://%SystemDrive%\PROGRA~1\Toolbar\toolbar.dll/sa"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

"SearchAssistant" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search

"SearchAssistant" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser

"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

"{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}" = "00"
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = "00"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks

"{8952A998-1E7E-4716-B23D-3DBE03910972}" = ""

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

"{8952A998-1E7E-4716-B23D-3DBE03910972}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData

"TUID" = ""
"WTInstallDate" = ""

HKEY_CLASSES_ROOT\CLSID\{0A68C5A2-64AE-4415-88A2-6542304A4745}
HKEY_CLASSES_ROOT\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}
HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}
HKEY_CLASSES_ROOT\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}
HKEY_CLASSES_ROOT\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}
HKEY_CLASSES_ROOT\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}
HKEY_CLASSES_ROOT\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_CLASSES_ROOT\CLSID\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_CLASSES_ROOT\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_CLASSES_ROOT\CLSID\{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}
HKEY_CLASSES_ROOT\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}
HKEY_CLASSES_ROOT\CLSID\{A8DEB4A5-D9EF-4D21-B4F6-921475004E7D}
HKEY_CLASSES_ROOT\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}
HKEY_CLASSES_ROOT\CLSID\{CABCF5E7-0C79-4F1C-909D-B9CF68FED746}
HKEY_CLASSES_ROOT\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}
HKEY_CLASSES_ROOT\CLSID\{F1616B86-9288-489D-B71A-0CCF2F1A89DA}
HKEY_CLASSES_ROOT\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}
HKEY_CLASSES_ROOT\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}

HKEY_CLASSES_ROOT\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
HKEY_CLASSES_ROOT\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}
HKEY_CLASSES_ROOT\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}
HKEY_CLASSES_ROOT\TypeLib\{DB9A4E78-35DF-4A54-B6C5-C5190CEAF949}

HKEY_CLASSES_ROOT\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}
HKEY_CLASSES_ROOT\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}
HKEY_CLASSES_ROOT\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}
HKEY_CLASSES_ROOT\Interface\{66C22569-F05C-4A70-A142-763B337E1002}
HKEY_CLASSES_ROOT\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}
HKEY_CLASSES_ROOT\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}
HKEY_CLASSES_ROOT\Interface\{BD6F129A-08DB-4CC5-A75A-F2AB79E55B6E}
HKEY_CLASSES_ROOT\Interface\{D1951679-1D52-43FC-9585-0737143585F5}
HKEY_CLASSES_ROOT\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A68C5A2-64AE-4415-88A2-6542304A4745}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}

HKEY_CLASSES_ROOT\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CLASSES_ROOT\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Components\C3D2CDB9A41E452EA544AB5033418FCB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C3D2CDB9A41E452EA544AB5033418FCB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71A4E2AC-EE7C-4476-B789-9DD318440E0D}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Setup\RC
HKEY_CURRENT_USER\SOFTWARE\MSIETS
HKEY_CURRENT_USER\SOFTWARE\Toolbar
HKEY_CURRENT_USER\SOFTWARE\Toolbar\Files\SVC
HKEY_CURRENT_USER\SOFTWARE\Toolbar\Files\TBR
HKEY_CURRENT_USER\SOFTWARE\Toolbar\PlugIns\COMMON
HKEY_CURRENT_USER\Software\WinTools

HKEY_CLASSES_ROOT\Common.Buttons\Clsid
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tpro
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol
HKEY_CLASSES_ROOT\Radio.RadioPlayer
HKEY_CLASSES_ROOT\TBPS.PluginConfig
HKEY_CLASSES_ROOT\TBPS.PluginDown
HKEY_CLASSES_ROOT\TBPS.PluginEvents
HKEY_CLASSES_ROOT\TBPS.PluginInst
HKEY_CLASSES_ROOT\TBPS.PluginServer
HKEY_CLASSES_ROOT\TBPS.ToolbarScript
HKEY_CLASSES_ROOT\toolbar.IToolbarScriptClass
HKEY_CLASSES_ROOT\toolbar.ResProtocol
HKEY_CLASSES_ROOT\WSG.WSGObj
HKEY_CLASSES_ROOT\WToolsB.ResProtocol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\COMMON
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\SVC
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\TBR
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\PlugIns\COMMON
HKEY_LOCAL_MACHINE\SOFTWARE\WinTools
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\websearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\CustomizeSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj..BTIEINScriptConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN
HKEY_CURRENT_USER\Software\BTIEIN

Hope that helps

Andy
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
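A script that checks the places the two posts above point at: Engel's BHO advice (Manage Add-ons / the MSAS System Explorers) and the Run, Toolbar, URLSearchHooks and Internet Explorer\Main / \Search entries in Andy's list. This is an added example, not code from either poster, from Symantec's fix tool, or from Microsoft AntiSpyware. It enumerates every CLSID registered as a BHO, IE toolbar or URL search hook, resolves the CLSID to the DLL that implements it, lists the autostart and IE start-page/search values, and flags anything that matches the names from the thread (toolbar, WinTools, TBPS, websearch, huntbar, btiein, QDow, MSIETS, WSG, WSup, PIB). The indicator regex is an assumption built from that list; the WOW6432Node paths are an assumption for 64-bit Windows. Assumes PowerShell 5.1 or later, run elevated so HKLM can be read in full.

```powershell
# Added example (not from the original thread). Hunt the IE extension points and
# autostart keys from Andy's list and resolve each CLSID to its server DLL.
# Assumes PowerShell 5.1+ on Windows, elevated.

# Indicator names taken from the thread's file/registry list; the regex itself is an assumption.
$Indicators = 'toolbar|wintools|tbps|websearch|huntbar|btiein|qdow|msiets|wsg\.|wsup|pib\.exe'

function Resolve-ClsidServer {
    # Returns the expanded InprocServer32 path for a CLSID, or $null if it is not registered.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

function Get-SuspiciousBrowserEntries {
    $results = New-Object 'System.Collections.Generic.List[object]'

    # 1. CLSID-keyed locations. BHOs are subkeys named by CLSID; toolbars and
    #    URLSearchHooks are value names, exactly as in Andy's list.
    $clsidLocations = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
    )
    foreach ($loc in $clsidLocations) {
        if (-not (Test-Path $loc)) { continue }
        $clsids = @(Get-ChildItem -Path $loc -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName }) +
                  @((Get-Item -Path $loc).GetValueNames())
        foreach ($c in ($clsids | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' })) {
            $dll = Resolve-ClsidServer $c
            $results.Add([pscustomobject]@{
                Location   = $loc
                Name       = $c
                Value      = $dll
                # An extension point whose CLSID resolves to nothing is an orphan and worth a look too.
                Suspicious = [bool]((-not $dll) -or ($dll -match $Indicators))
            })
        }
    }

    # 2. Plain autostart values and the IE start page / search hijack values.
    $valueLocations = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Search'
    )
    foreach ($loc in $valueLocations) {
        if (-not (Test-Path $loc)) { continue }
        $key = Get-Item -Path $loc
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            $results.Add([pscustomobject]@{
                Location   = $loc
                Name       = $name
                Value      = $val
                Suspicious = [bool](($name -match $Indicators) -or ($val -match $Indicators))
            })
        }
    }
    return $results
}

# Show the hits first; drop the Where-Object to see every entry with its resolved DLL.
Get-SuspiciousBrowserEntries | Where-Object Suspicious | Format-Table -AutoSize -Wrap
```

Reading the output: a flagged BHO or toolbar CLSID whose Value is a DLL under Program Files\Toolbar, Common Files\Wintools or a "Downloaded Program Files" path is the registered component that keeps reinstalling the hijack, and the Run/RunServicesOnce hits are what bring it back after a reboot. Note each CLSID and DLL path before removing anything; the removal has to address the class registration, not just the file, which is the point Alan makes below.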
 
Guest

If the only hit for Huntbar is located in the registry, then you should be
safe, since it isn't finding any listings for the program other than in the
registry. Items in the registry DO NOT necessarily mean your system is
infected with that item, unless it also detects the program itself.

As for IBIS, you can also try using Add or Remove Programs (Start > Settings >
Control Panel > Add or Remove Programs). The reason that you are having
difficulty removing IBIS Toolbar is that it uses registered .dll files, and
using any means other than manual removal or an uninstaller will likely fail.
In short, any antispyware app will have difficulty removing these types of
infections, since they can't unregister these components; only an uninstaller
or the user can.

Alan
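The manual removal Alan describes, for one BHO at a time, as an added example that is not part of his post and not the Symantec or Microsoft tool: unregister the COM server with regsvr32 /u first (so the DLL removes its own CLSID, ProgID and TypeLib entries), then delete the BHO hook key and any class key the unregister left behind, then delete the file. The CLSID is passed in; the function is not tied to a particular adware. It assumes an elevated PowerShell 5.1 or later session with Internet Explorer and Explorer closed, since a loaded DLL cannot be deleted; the WOW6432Node paths are an assumption for 64-bit Windows.

```powershell
# Added example (not from the original thread). Unregister, then remove, one
# Browser Helper Object by CLSID. Assumes elevated PowerShell 5.1+ on Windows.

function Remove-BrowserHelperObject {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
        [string]$Clsid
    )

    $bhoKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    )
    $classKeys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
        "HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID\$Clsid",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid"
    )

    # Locate the DLL that implements the class.
    $dll = $null
    foreach ($k in $classKeys) {
        $srv = Join-Path $k 'InprocServer32'
        if (Test-Path $srv) {
            $raw = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw); break }
        }
    }

    # Step 1: let the DLL unregister itself. This is the part a file-deleting
    # scanner skips, and why the entries come back.
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        if ($PSCmdlet.ShouldProcess($dll, 'regsvr32 /u')) {
            $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/u', '/s', "`"$dll`"") -Wait -PassThru
            if ($p.ExitCode -ne 0) {
                Write-Warning "regsvr32 /u returned $($p.ExitCode) for $dll; continuing with manual key removal"
            }
        }
    } else {
        Write-Warning "No server DLL on disk for $Clsid; the registration is orphaned, removing keys only"
    }

    # Step 2: remove the BHO hook and whatever class registration is still there.
    foreach ($k in ($bhoKeys + $classKeys)) {
        if ((Test-Path $k) -and $PSCmdlet.ShouldProcess($k, 'Remove registry key')) {
            Remove-Item -Path $k -Recurse -Force
        }
    }

    # Step 3: delete the file. A lock here means Explorer/IE still has it loaded;
    # reboot into Safe Mode and run again, as the earlier posts advise.
    if ($dll -and (Test-Path -LiteralPath $dll) -and $PSCmdlet.ShouldProcess($dll, 'Delete file')) {
        try { Remove-Item -LiteralPath $dll -Force }
        catch { Write-Warning "Could not delete $dll ($($_.Exception.Message)); retry from Safe Mode" }
    }

    # Report what is left so a second pass is easy to judge.
    [pscustomobject]@{
        Clsid         = $Clsid
        Dll           = $dll
        RemainingKeys = @(($bhoKeys + $classKeys) | Where-Object { Test-Path $_ })
    }
}

# Dry run first against the BTIEIN BHO CLSID from Andy's list, then for real.
Remove-BrowserHelperObject -Clsid '{63B78BC1-A711-4D46-AD2F-C581AC420D41}' -WhatIf
# Remove-BrowserHelperObject -Clsid '{63B78BC1-A711-4D46-AD2F-C581AC420D41}' -Confirm:$false
```

Because ConfirmImpact is High, the function prompts for each destructive step unless you pass -Confirm:$false; run it with -WhatIf once to see which DLL the CLSID resolves to and which keys would go. The order matters: unregistering while the DLL still exists lets it clean up its own ProgID, TypeLib and Interface entries (the long tail in Andy's list), whereas deleting the file first leaves all of those as orphans that every later scan keeps reporting.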
 
