Help! Every scan gives me only one item of spyware.


Ed

Each time I run the deep scan (automatically), I get
IBIS Toolbar as the one item to remove. Yet other
spyware detectors find tons of stuff.

Are my settings wrong?

Anyone who can help with this, thanks.

Ed
 
Did you run a thorough scan in safe mode?

Some removal instructions from Andy Manchesta:
Hi

Sounds like you've tried most things. If the IBIS entries
are related to Wintools it can be a pain to remove all
the traces. Try running this fix tool from Symantec on any
account that is showing IBIS in safe mode; also use MS
Antispy & Ccleaner. You could also clear the prefetch
folder (go to Start > Run and type prefetch, then delete the
contents of the folder in case it's stored any info in
there).

Download to desktop and run in safe mode (reboot and keep
tapping F8 then choose safe mode)

http://securityresponse.symantec.com/avcenter/FxWebsch.exe


Here are the files and reg entries, but this fix tool will
hopefully remove them all if any exist.


Check Add/remove screen for these and remove if found:

Toolbar
WinTools
WebOffer
Web Search Toolbar
Win-Tools Easy Installer

File names:

common.dll
IExploreSkins.exe
PIB.exe
WSG.exe
WSup.exe
WToolsA.exe
WToolsB.dll
WToolsS.exe
btiein.dll
websearch.exe
QDow_AS2.dll
setupex.exe
TBPS.exe
toolbar.dll


Files may be created in the following folders:


%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools

C:\Program Files\Common Files\Wintools

C:\Program Files\Toolbar

C:\Program Files\websearch



IBIS may create any of these registry entries (it's a very
long list)


Hope that helps

Andy
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
If it's IBIS then the Symantec tool should work fine and
remove all the filenames listed if present. First check
your Add/Remove screen for Websearch or the names Andre
posted.

The problem with Wintools/IBIS is they have 3 .exe files
that interact to stop each other being deleted and one
part running as a Windows service, so Add/Remove would
make things easier to remove the main part of this.

Then try rebooting into safe mode (reboot and tap F8 then
choose safe mode from the list) and run the fix tool from
Symantec if you wish, then MS Antispy on a full system
scan and remove anything found, then reboot back to normal
mode.

If other spyware scanners are finding malware and not
cookies then let us know what this is so we can deal with
them if they are not being removed.


Regards Andy
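
A read-only check for the folders and file names listed earlier in this thread, to confirm nothing is left once the fix tool and safe-mode scan have run. This is an added example, not part of the original posts; the function name `find_leftovers` is hypothetical, and the folder and file names are copied from the removal instructions above.

```python
import os

# File names from the removal instructions in this thread (lower-cased,
# because Windows file names are case-insensitive).
IBIS_FILES = {
    "common.dll", "iexploreskins.exe", "pib.exe", "wsg.exe", "wsup.exe",
    "wtoolsa.exe", "wtoolsb.dll", "wtoolss.exe", "btiein.dll",
    "websearch.exe", "qdow_as2.dll", "setupex.exe", "tbps.exe", "toolbar.dll",
}

# Folders from the same instructions. %SystemDrive% is expanded on Windows.
IBIS_FOLDERS = [
    r"%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools",
    r"C:\Program Files\Common Files\Wintools",
    r"C:\Program Files\Toolbar",
    r"C:\Program Files\websearch",
]


def find_leftovers(folders=IBIS_FOLDERS, names=IBIS_FILES):
    """Return (folders_still_present, listed_files_found_inside_them).

    Only the listed folders are searched: names such as common.dll or
    toolbar.dll are generic, so a match elsewhere on disk proves nothing.
    Nothing is deleted; the result is a report to act on in safe mode.
    """
    present, hits = [], []
    for raw in folders:
        folder = os.path.expandvars(raw)
        if not os.path.isdir(folder):
            continue
        # An empty leftover folder is still worth reporting.
        present.append(folder)
        for dirpath, _dirs, files in os.walk(folder):
            for name in files:
                if name.lower() in names:
                    hits.append(os.path.join(dirpath, name))
    return present, sorted(hits)


if __name__ == "__main__":
    still_there, files = find_leftovers()
    for folder in still_there:
        print("folder still present:", folder)
    for path in files:
        print("listed file found:   ", path)
    if not still_there and not files:
        print("none of the listed folders or files were found")
```

Run it once in normal mode after the reboot; any output means the removal was incomplete for the account it was run under.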
 
Hi Again ED,

Thanks for the scanner results. There's no problems here
except cookies and IBIS. I have posted a way to help
prevent these at the bottom of the page.


spysweeper
----------

found websearch - This is IBIS/Wintools/Huntbar just a
different name

All the rest are cookies, which MSAS doesn't scan for and
most are harmless. I know they describe them as spyware
cookies but they come from online ads and even ads
included in Hotmail and other genuine sites. Spybot's
protection would stop some of these on the immunize
feature page by enabling the Browser Helper feature and
choosing to block all bad pages silently.


Ewido
-----

Again Websearch and cookies


Adaware
-------

MRU Lists (Harmless and means "most recently used") not a
threat and cookies


I can understand how this looks but cookies are not a
problem and you cannot block all of them, as then you will
have to sign into sites every time you visit, as the
cookies store the login info. Cookies like doubleclick
and valueclick come from Hotmail ads and other online
advertisements which are included in sites.


You can use Ccleaner to remove cookies if you want

http://www.ccleaner.com/ccdownload.asp

Or open an IE window and go to Tools on the top bar, then
Internet Options, and press Delete Cookies,
or from this page go to the Privacy tab and you can
restrict cookies.

Spyware Blaster may also help you to stop some of these.

http://www.javacoolsoftware.com/spywareblaster.html


Regards

Andy
 