IBIS keeps coming back

Nocturnal

OK I have a spyware dilemma. Basically this isn't my computer; I do this
for a living. I'm trying to remove the spyware without having to format and
reinstall Windows if at all possible.

I'm working on a computer running Windows XP Home with SP2 with five user
accounts (all administrator accounts).

I removed the hard drive and put it into an enclosure and hooked it up to my
computer. I ran Norton AV and Panda Software ActiveScan. After removing
all viruses I hooked the hard drive back up to the computer. I went in and
installed Ad-Aware, MS Anti-Spyware, Spybot Search and Destroy, Avast AV and
CCleaner. I did all the updates and I started with the first account,
scanned it with the programs, removed whatever spyware there was, rebooted.
I didn't keep track of what I was doing and probably skipped a few accounts
and went into them randomly to try and remove the spyware.

In a nutshell, the HJT log is clean; there are no viruses on the computer
anymore. However, Microsoft Anti-Spyware is still saying upon random
reboots that IBIS toolbar wants to install itself. Also, Microsoft
Anti-Spyware catches something trying to lower the security zone settings
for Internet Explorer.

I currently do not have the HJT log but I know for a fact it is clean. I'm
wondering, how in the world does IBIS keep coming back? Is it through the
registry? I removed ALL temp files from every single user's account so it
can't be through there.

If it is the registry, I'm wondering where it is located.

Is there such a thing as a hidden registry key unviewable by even
administrators of said computer?
 
Dave Neve

Hi

For the registry problem, normally you just have to do a search and erase
any reference to IBIS.

Some keys are in red and are not accessible, but you can 'take
possession' of them (not sure of the terminology on English systems).

Good luck

Dave Neve
 
AndyManchesta

Hi

Sounds like you've tried most things. If the IBIS entries
are related to WinTools it can be a pain to remove all
the traces. Try running this fix tool from Symantec on any
account that is showing IBIS, in safe mode; also use MS
Antispy & CCleaner. You could also clear the prefetch
folder (go to Start > Run and type prefetch, then delete the
contents of the folder in case it's stored any info in
there).

Download to desktop and run in safe mode (reboot and keep
tapping F8, then choose safe mode):

http://securityresponse.symantec.com/avcenter/FxWebsch.exe


Here are the files and reg entries, but this fix tool will
hopefully remove them all if any exist.

Check the Add/Remove screen for these and remove if found:

Toolbar
WinTools
WebOffer
Web Search Toolbar
Win-Tools Easy Installer

File names:

common.dll
IExploreSkins.exe
PIB.exe
WSG.exe
WSup.exe
WToolsA.exe
WToolsB.dll
WToolsS.exe
btiein.dll
websearch.exe
QDow_AS2.dll
setupex.exe
TBPS.exe
toolbar.dll

Files may be created in the following folders:

%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools
C:\Program Files\Common Files\Wintools
C:\Program Files\Toolbar
C:\Program Files\websearch

IBIS may create any of these registry entries (it's a very
long list):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TBPS" = ""
"WinTools" = ""
"OETool" = ""
"TB_setup" = ""

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
"TBPS" = ""
"WinTools" = ""
"OETool" = ""
"TB_setup" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage
"%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}" = ""
"%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\.Owner" = "{87067F04-DE4C-4688-BC3C-4FCF39D609E7}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
"%CommonProgramFiles%\MSIETS\" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
"%Windir%\Downloaded Program Files\QDow_AS2.dll" = "1"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Connection Wizard
"ShellNext" = "[path to file]"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Search Bar" = "[Web site on the websearch.com or huntbar.com domain]"
"Start Page" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Search Bar" = "[Web site on the websearch.com or huntbar.com domain]"
"Start Page" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search
"CustomizeSearch" = "res://%SystemDrive%\PROGRA~1\Toolbar\toolbar.dll/sa"
"SearchAssistant" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"CustomizeSearch" = "res://%SystemDrive%\PROGRA~1\Toolbar\toolbar.dll/sa"
"SearchAssistant" = "[Web site on the websearch.com or huntbar.com domain]"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}" = "00"
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = "00"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
"{8952A998-1E7E-4716-B23D-3DBE03910972}" = ""

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
"{8952A998-1E7E-4716-B23D-3DBE03910972}" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
"TUID" = ""
"WTInstallDate" = ""

HKEY_CLASSES_ROOT\CLSID\{0A68C5A2-64AE-4415-88A2-6542304A4745}
HKEY_CLASSES_ROOT\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}
HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}
HKEY_CLASSES_ROOT\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}
HKEY_CLASSES_ROOT\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}
HKEY_CLASSES_ROOT\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}
HKEY_CLASSES_ROOT\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_CLASSES_ROOT\CLSID\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_CLASSES_ROOT\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_CLASSES_ROOT\CLSID\{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}
HKEY_CLASSES_ROOT\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}
HKEY_CLASSES_ROOT\CLSID\{A8DEB4A5-D9EF-4D21-B4F6-921475004E7D}
HKEY_CLASSES_ROOT\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}
HKEY_CLASSES_ROOT\CLSID\{CABCF5E7-0C79-4F1C-909D-B9CF68FED746}
HKEY_CLASSES_ROOT\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}
HKEY_CLASSES_ROOT\CLSID\{F1616B86-9288-489D-B71A-0CCF2F1A89DA}
HKEY_CLASSES_ROOT\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}
HKEY_CLASSES_ROOT\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}

HKEY_CLASSES_ROOT\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
HKEY_CLASSES_ROOT\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}
HKEY_CLASSES_ROOT\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}
HKEY_CLASSES_ROOT\TypeLib\{DB9A4E78-35DF-4A54-B6C5-C5190CEAF949}

HKEY_CLASSES_ROOT\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}
HKEY_CLASSES_ROOT\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}
HKEY_CLASSES_ROOT\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}
HKEY_CLASSES_ROOT\Interface\{66C22569-F05C-4A70-A142-763B337E1002}
HKEY_CLASSES_ROOT\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}
HKEY_CLASSES_ROOT\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}
HKEY_CLASSES_ROOT\Interface\{BD6F129A-08DB-4CC5-A75A-F2AB79E55B6E}
HKEY_CLASSES_ROOT\Interface\{D1951679-1D52-43FC-9585-0737143585F5}
HKEY_CLASSES_ROOT\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A68C5A2-64AE-4415-88A2-6542304A4745}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}

HKEY_CLASSES_ROOT\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CLASSES_ROOT\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Components\C3D2CDB9A41E452EA544AB5033418FCB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C3D2CDB9A41E452EA544AB5033418FCB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71A4E2AC-EE7C-4476-B789-9DD318440E0D}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Setup\RC
HKEY_CURRENT_USER\SOFTWARE\MSIETS
HKEY_CURRENT_USER\SOFTWARE\Toolbar
HKEY_CURRENT_USER\SOFTWARE\Toolbar\Files\SVC
HKEY_CURRENT_USER\SOFTWARE\Toolbar\Files\TBR
HKEY_CURRENT_USER\SOFTWARE\Toolbar\PlugIns\COMMON
HKEY_CURRENT_USER\Software\WinTools

HKEY_CLASSES_ROOT\Common.Buttons\Clsid
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tpro
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol
HKEY_CLASSES_ROOT\Radio.RadioPlayer
HKEY_CLASSES_ROOT\TBPS.PluginConfig
HKEY_CLASSES_ROOT\TBPS.PluginDown
HKEY_CLASSES_ROOT\TBPS.PluginEvents
HKEY_CLASSES_ROOT\TBPS.PluginInst
HKEY_CLASSES_ROOT\TBPS.PluginServer
HKEY_CLASSES_ROOT\TBPS.ToolbarScript
HKEY_CLASSES_ROOT\toolbar.IToolbarScriptClass
HKEY_CLASSES_ROOT\toolbar.ResProtocol
HKEY_CLASSES_ROOT\WSG.WSGObj
HKEY_CLASSES_ROOT\WToolsB.ResProtocol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\COMMON
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\SVC
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\TBR
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\PlugIns\COMMON
HKEY_LOCAL_MACHINE\SOFTWARE\WinTools
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\websearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\CustomizeSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchAssistant
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj..BTIEINScriptConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN
HKEY_CURRENT_USER\Software\BTIEIN

Hope that helps

Andy
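The two answers above point at the same problem from different sides: Andy's list names the Run entries, Browser Helper Objects, search hooks and hijacked Internet Explorer values where WinTools/IBIS persists, and Dave notes that some of those keys show up "in red" because even an administrator has been denied access to them, which is one plausible reason an earlier cleanup keeps missing something. The script below is an added example written for this thread; it is not code from the thread, from Symantec's FxWebsch tool or from any other named product. It is a read-only audit: it walks the registry locations and folders listed in Andy's post, reports any indicator it finds, and separately reports keys that exist but refuse to open, so the "take possession" step can be targeted rather than guessed at. The indicator names, CLSIDs and domains are copied from the post; the function names, the `websearch.com|huntbar.com|toolbar.dll` pattern, and the decision to treat a refused open as a finding are my own choices. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the thread, Symantec or Microsoft): read-only audit of
# the WinTools/IBIS persistence points listed above. Reports; deletes nothing.
# Assumes it runs from an elevated PowerShell prompt on the affected machine.

$findings = New-Object System.Collections.Generic.List[string]

# Open a key read-only. Returns the key, $null if it does not exist, or the
# string 'DENIED' if it exists but cannot be read (Dave's "red" keys, which
# need ownership taken before they can be inspected or removed).
function Open-KeyForAudit([Microsoft.Win32.RegistryKey]$Hive, [string]$SubPath) {
    try { return $Hive.OpenSubKey($SubPath, $false) }
    catch [System.Security.SecurityException], [System.UnauthorizedAccessException] { return 'DENIED' }
}

# Keys whose mere existence is an indicator (the spyware's own keys).
function Test-KeyIndicator([Microsoft.Win32.RegistryKey]$Hive, [string]$HiveName, [string]$SubPath) {
    $k = Open-KeyForAudit $Hive $SubPath
    if ($k -is [string])   { $findings.Add("ACCESS DENIED (take ownership first): $HiveName\$SubPath") }
    elseif ($null -ne $k)  { $findings.Add("KEY PRESENT: $HiveName\$SubPath"); $k.Close() }
}

# Keys that exist on every machine; only particular value names (autorun
# entries, toolbar/hook CLSIDs) or value contents (hijacked IE pages) matter.
function Test-ValueIndicators([Microsoft.Win32.RegistryKey]$Hive, [string]$HiveName, [string]$SubPath,
                              [string[]]$Names, [string]$Pattern) {
    $k = Open-KeyForAudit $Hive $SubPath
    if ($k -is [string]) { $findings.Add("ACCESS DENIED (take ownership first): $HiveName\$SubPath"); return }
    if ($null -eq $k)    { return }
    foreach ($n in $k.GetValueNames()) {
        $v = [string]$k.GetValue($n)
        if (($Names -contains $n) -or ($Pattern -and ($v -match $Pattern))) {
            $findings.Add("VALUE: $HiveName\$SubPath  `"$n`" = `"$v`"")
        }
    }
    $k.Close()
}

$lm    = [Microsoft.Win32.Registry]::LocalMachine
$cr    = [Microsoft.Win32.Registry]::ClassesRoot
$users = [Microsoft.Win32.Registry]::Users
$cv    = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$ie    = 'Software\Microsoft\Internet Explorer'

# Indicators taken from the post above.
$autorunNames  = 'TBPS', 'WinTools', 'OETool', 'TB_setup', 'websearch'
$bhoClsids     = '{0A68C5A2-64AE-4415-88A2-6542304A4745}', '{87766247-311C-43B4-8499-3D5FEC94A183}',
                 '{8952A998-1E7E-4716-B23D-3DBE03910972}', '{63B78BC1-A711-4D46-AD2F-C581AC420D41}'
$toolbarClsids = '{339BB23F-A864-48C0-A59F-29EA915965EC}', '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}'
$hookClsid     = '{8952A998-1E7E-4716-B23D-3DBE03910972}'
$iePattern     = 'websearch\.com|huntbar\.com|toolbar\.dll'   # hijacked Start Page / Search Bar targets

# Machine-wide persistence.
Test-ValueIndicators $lm 'HKLM' "$cv\Run"             $autorunNames  'wintools|websearch|toolbar'
Test-ValueIndicators $lm 'HKLM' "$cv\RunServicesOnce" $autorunNames  $null
Test-ValueIndicators $lm 'HKLM' "$ie\URLSearchHooks"  @($hookClsid)  $null
Test-ValueIndicators $lm 'HKLM' "$ie\Toolbar"         $toolbarClsids $null
Test-ValueIndicators $lm 'HKLM' "$ie\Main"            @()            $iePattern
Test-ValueIndicators $lm 'HKLM' "$ie\Search"          @()            $iePattern
foreach ($c in $bhoClsids) {
    Test-KeyIndicator $lm 'HKLM' "$cv\Explorer\Browser Helper Objects\$c"
    Test-KeyIndicator $cr 'HKCR' "CLSID\$c"
}
foreach ($p in 'SOFTWARE\Toolbar', 'SOFTWARE\WinTools', 'SOFTWARE\BTIEIN',
               'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC',
               'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC') {
    Test-KeyIndicator $lm 'HKLM' $p
}

# Per-user settings: HKCU shows only the account you are logged on as, and this
# machine has five, so walk every profile hive currently loaded under HKEY_USERS.
foreach ($sid in ($users.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' })) {
    Test-ValueIndicators $users 'HKU' "$sid\$ie\Main"           @()           $iePattern
    Test-ValueIndicators $users 'HKU' "$sid\$ie\Search"         @()           $iePattern
    Test-ValueIndicators $users 'HKU' "$sid\$ie\URLSearchHooks" @($hookClsid) $null
    foreach ($p in 'Software\Toolbar', 'Software\WinTools', 'Software\MSIETS', 'Software\BTIEIN') {
        Test-KeyIndicator $users 'HKU' "$sid\$p"
    }
}

# Folders the post says the files are dropped into.
foreach ($d in '%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools',
               '%ProgramFiles%\Common Files\Wintools', '%ProgramFiles%\Toolbar', '%ProgramFiles%\websearch') {
    $path = [Environment]::ExpandEnvironmentVariables($d)
    if (Test-Path -LiteralPath $path) { $findings.Add("FOLDER PRESENT: $path") }
}

if ($findings.Count -eq 0) { 'No WinTools/IBIS indicators found in the audited locations.' }
else { $findings | Sort-Object -Unique }
```

A profile hive only appears under HKEY_USERS while that account is logged on, so on a five-account machine either run this after logging on to each account (which is also what Andy's per-account advice amounts to) or load the other accounts' NTUSER.DAT files with `reg load` and widen the SID filter. An "ACCESS DENIED" line is the case Dave describes: the key is there, the earlier scanners may not have been able to read or delete it, and it needs its owner and permissions reset before anything else will touch it.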
 
