AntiSpyware


Dave

The AntiSpyware beta version detected lots of problems. However, every time we switch users on our Windows XP computer DLSearchBar attempts to re-install. Any clues as to where the malware is that pushes the re-install attempt? There doesn't appear to be anything unusual in the registry "Run" keys.
 
One way at this might be to restart in safe mode and do a scan logged in as
each user separately. I don't have a feel for the "best" scheme for
this--I'm not even sure I know enough about the architecture to make an
informed guess--for example--can something in "all users" have this effect?
 
Following "Registry keys to remove" info from

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090758

HKEY_CLASSES_ROOT\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}
HKEY_CLASSES_ROOT\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1} search bar
HKEY_CLASSES_ROOT\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}\inprocserver32 c:\windows\system32\srchbar.dll
HKEY_CLASSES_ROOT\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}\inprocserver32 threadingmodel apartment
HKEY_CLASSES_ROOT\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}\progid searchbartoolbar.searchbar
HKEY_CLASSES_ROOT\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}\typelib {7c9e9a74-1922-409e-ab46-e48784336c3a}
HKEY_CLASSES_ROOT\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}\version 2.0
HKEY_CLASSES_ROOT\searchbartoolbar.isubclass
HKEY_CLASSES_ROOT\searchbartoolbar.isubclass searchbartoolbar.isubclass
HKEY_CLASSES_ROOT\searchbartoolbar.isubclass\clsid {aa8c93e1-7e5f-497e-b67c-cc8fe2a40d3b}
HKEY_CLASSES_ROOT\searchbartoolbar.searchbar
HKEY_CLASSES_ROOT\searchbartoolbar.searchbar search bar
HKEY_CLASSES_ROOT\searchbartoolbar.searchbar\clsid {0a8ce102-fa03-4612-9bee-7fe5452f4cb1}
HKEY_CURRENT_USER\software\e-ventures n.v.\search bar
HKEY_CURRENT_USER\software\e-ventures n.v.\search bar blockpopups 1
HKEY_CURRENT_USER\software\e-ventures n.v.\search bar updated 1/27/2005
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar {0a8ce102-fa03-4612-9bee-7fe5452f4cb1}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\search bar uninstallstring c:\progra~1\search~1\unwise.exe c:\progra~1\search~1\install.log
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar {0a8ce102-fa03-4612-9bee-7fe5452f4cb1}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\search bar displayname search bar

From this we can see that there is a dll file in System32
as well as a Program File folder. Wonder what the
install.log says?

Often you will get a reinstall from some other program
(Use msconfig to keep other stuff from loading and see if
you still get a detection) and sometimes I suspect it
hides in the prefetch.

It's a good idea to clean prefetch before you reboot after
running AntiSpy and removing stuff.

del /q c:\windows\prefetch\*.*

If it is really clever and gets itself installed in the system32\dllcache then XP will put it back automatically.

Ron Kinner MVP
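The thread's question is whether the re-install comes from a per-user location or a machine-wide one. One way to answer that is to audit the same persistence points for every user hive at once instead of logging in as each user. The script below is an added example written for this thread; it is not Ron's or Microsoft's code. It walks HKLM and every hive currently loaded under HKEY_USERS, lists the Internet Explorer Toolbar registrations and Run entries in each, resolves every toolbar CLSID to the DLL that implements it, lists the machine-wide Browser Helper Objects, and checks whether the DLL is also sitting in the dllcache copy that Windows File Protection would restore from. The CLSID and the srchbar.dll file name are taken from the CA advisory quoted above; all other names are generic Windows locations. Run it from an elevated PowerShell prompt.

```powershell
# Added example for this thread (not the poster's or Microsoft's code).
# Audits IE toolbar, Run and BHO registrations across HKLM and every loaded
# user hive, and resolves each CLSID to its InprocServer32 DLL.
# CLSID and file name below are from the CA advisory quoted in the thread.

$SuspectClsid = '{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}'
$SuspectFiles = @(
    "$env:SystemRoot\System32\srchbar.dll",
    "$env:SystemRoot\System32\dllcache\srchbar.dll"   # WFP cache copy on XP
)

# Resolve a CLSID to the DLL registered as its in-process server. Per-user
# COM classes live under the user's own Software\Classes, which HKCR merges
# with HKLM\Software\Classes, so look in the owning hive first, then HKLM.
function Resolve-ClsidServer {
    param([string]$Clsid, [string]$HiveRoot = 'Registry::HKEY_LOCAL_MACHINE')
    foreach ($root in @($HiveRoot, 'Registry::HKEY_LOCAL_MACHINE')) {
        $key = "$root\Software\Classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            return (Get-Item -LiteralPath $key).GetValue('')   # (Default) value
        }
    }
    return $null
}

# Value names under a key, or an empty list if the key does not exist.
# IE stores each installed toolbar as a value whose NAME is the CLSID.
function Get-ValueNames {
    param([string]$Key)
    if (Test-Path -LiteralPath $Key) { return (Get-Item -LiteralPath $Key).GetValueNames() }
    return @()
}

# HKLM plus every hive that is loaded right now (logged-on users, .DEFAULT,
# service accounts). Hives of users who are not logged on are NOT listed here.
$hives = @('Registry::HKEY_LOCAL_MACHINE') +
         @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })

foreach ($hive in $hives) {
    $owner = $hive -replace '^Registry::', ''

    # Toolbar registrations for this hive, each resolved to its DLL.
    $toolbar = "$hive\Software\Microsoft\Internet Explorer\Toolbar"
    foreach ($clsid in Get-ValueNames $toolbar) {
        if ($clsid -notmatch '^\{') { continue }          # skip non-CLSID values
        $dll  = Resolve-ClsidServer -Clsid $clsid -HiveRoot $hive
        $flag = if ($clsid -eq $SuspectClsid) { 'SUSPECT' } else { 'toolbar' }
        '{0,-8} {1,-50} {2} -> {3}' -f $flag, $owner, $clsid, $dll
    }

    # Autostart entries for this hive (the Run key the original poster checked).
    $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    foreach ($name in Get-ValueNames $run) {
        $cmd = (Get-Item -LiteralPath $run).GetValue($name)
        '{0,-8} {1,-50} {2} = {3}' -f 'run', $owner, $name, $cmd
    }
}

# Machine-wide Browser Helper Objects: one subkey per CLSID, loaded by every
# user's Internet Explorer, so a BHO here would act on every account.
$bho = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bho) {
    foreach ($sub in Get-ChildItem -LiteralPath $bho) {
        '{0,-8} {1} -> {2}' -f 'bho', $sub.PSChildName, (Resolve-ClsidServer -Clsid $sub.PSChildName)
    }
}

# Is the DLL on disk, and does a dllcache copy exist that WFP would restore?
foreach ($f in $SuspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        '{0,-8} {1} present, SHA256 {2}' -f 'file', $f, $hash
    }
}
```

Reading the output: a SUSPECT line under HKEY_LOCAL_MACHINE means the toolbar is registered for every account, while a SUSPECT line under one S-1-5-21-... hive means only that profile carries it. Because only loaded hives appear under HKEY_USERS, an account that is not logged on is invisible to this script; either log in as each user, as suggested earlier in the thread, or load that profile's NTUSER.DAT with reg load under a temporary HKU name and run the audit again. A hit on the dllcache path explains the behaviour Ron describes at the end of his post: deleting only the System32 copy lets Windows File Protection restore it.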
 