HELP!!!
I am a novice computer user and desperately need help removing the IBIS Toolbar. I have used SpyBot S&D, Ad-aware 6, CW shredder, and SpywareBlaster.
I am posting here because I noticed a user giving someone else advice with the same problem. Both SpyBot S&D and Ad-aware give me the message that they have removed or fixed the problem, but when I scan again, to see if the IBIS toolbar (what Ad-aware finds) or DSO Exploit (what SpyBot finds) are removed, they are still there. I am at the point where I need someone who knows what they're doing. I don't want to go into Hijack This and start fixing things. I do know that the IBIS toolbar is in the wintools folder, but it won't let me delete it. I have seen other people going into Safe mode to delete it, but I don't know how to do that.
Simone

Hi SEVARTS,
I've had many issues removing the IBIS toolbar as well, so I don't have a lot of helpful info about that, but as far as getting into safe mode to take a crack at it, what you would need to do is reboot your computer, and when the FIRST splash screen loads, hit repeatedly, or hold down, the F8 key. That should bring you to a screen asking you what you want to boot to, and the very first, or top option, should be "Safe Mode". Choose that, and it should load your computer into safe mode, allowing you to run the spyware removal with minimal processes running in the background. Hope this helps!
~ Don't worry about failure. Worry about the chances you miss when you don't try ~
www.phonemonkey.org

Are you using Ad-Aware 6.181, with the latest Reference file (as of this minute OR319), and do you have Ad-Aware set up for a Full Custom Scan? Full AAw Scan Settings
Then, when you run the scan, are you selecting the Custom Mode?
See if this helps.
Take care

Sev ... I have the same exact symptoms. And I've tried the same cleaners. I've even done it in safe mode. Nothing has worked for me either!

After you run AdAware with the customized settings as suggested, run HijackThis.
-Download from: http://mjc1.com/mirror/hjt/
-Create a folder for this program. Do not download to the Desktop or to removable media.
-Close down all open windows and double click on the HijackThis.exe file for the program to launch.
-Click on the Scan button. When the scan is done, a listing of all items found by HijackThis! is presented.
-Click on the Save Log button to keep a record of the items listed saved in NotePad.
-DO NOT use the FIX option of this program without knowing what to do!! There are items on the log that are required for the computer to operate effectively.
-Post the HJT log information for someone to check it.

Thanks everybody for the advice. Tonight I will make sure I am using Ad-aware with the most recent reference file, and with the proper settings. I do have Hijack This, and I will run it and then post it.
Simone

Thanks cannymum for the full AAw settings. That scan revealed A LOT of crap. I got rid of everything (67 items), but the IBIS toolbar is still there.
Here is my Hijack this scan.
Logfile of HijackThis v1.97.7
Scan saved at 11:13:00 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\slpmonx.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\documents and settings\lil' jerry\local settings\temp\DiJp7.exe
C:\documents and settings\lil' jerry\local settings\temp\XQsJf2hj.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\senls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mims2.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\Seiko\slpcap.exe
C:\Documents and Settings\Lil' Jerry\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=1020
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;localhost
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DiJp7] C:\documents and settings\lil' jerry\local settings\temp\DiJp7.exe
O4 - HKLM\..\Run: [XQsJf2hj] C:\documents and settings\lil' jerry\local settings\temp\XQsJf2hj.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [779T35O] senls.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Adobe\America Online 8.0\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Mwq3RRi7U] mims2.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
Thanks again for the great help!!
Simone

Tried to post back some help for the HJT log, but was not allowed to.
Guess only certain individuals can do so, and I can understand why.
Hopefully, someone will come along.
Good luck.

Thanks FZWG, I have been doing my best to get rid of the IBIS toolbar, DSO exploit, and now People on Page.
Simone

Oh no!!!
BTW, one of the first things an expert is going to tell you is to place HijackThis! in its own folder. If it is in its own folder, the backup option to restore entries is available, if necessary.
Maybe establish a folder in C:\HijackThis

First run SpyBot in Search and Destroy mode. Select Delete checked items and allow SpyBot to run on next re-boot if it requests to do so.
Second: Run Ad-aware (with the latest definitions) and let it do the same.
Third: Reboot once more being sure to boot into "Safe Mode" (F8 at the first splash screen and select safe mode from the menu).
Finally: while in safe mode, start your favorite file manager (if that is Windows Exploder, so be it). Select the directory C:\Program Files\Common Files. In the right hand window you will see a directory named WinTools. This is where ibis resides. Delete this directory and all of its contents. This should end your ibis experience. It seems to have worked for me.
I have been fighting this thing for 3 days now, but I think I have finally beaten it.
Good Luck, I hope it works for you too.

YES!! I got rid of it. I followed the instructions found on PCHell.com, (Wintools Removal). I also used Ad-Aware6 and Spybot S&D.
The instructions were the same as what zoommb posted, except that I also went into Regedit and got rid of WinTools in the Run folder and in the Run Services folder.
I then used the Hijack This log, PacMan's startup list, and TonyK's BHO and Toolbar list to figure out what almost everything was in the log, and fix when necessary.
Make sure you empty the recycle bin when done.
Simone

I'm going to try all this too, I have been fighting this since 11 AM. My computer seems to freeze after a few minutes. I know I have the IBIS toolbar, and that is what I am going to try to remove. Next question is: how did this get on my computer and what can I do to prevent it (or similar pests) happening again? I have a firewall and popup blockers. Any suggestions? Thanks to everyone!

after battling this b---tard for nearly 4 hours, i FINALLY found the solution to get rid of it once & for all. this is taken from kephyr.com & edited a little bit to battle some they didn't know about
Manual removal
Please follow the instructions below if you would like to remove Bubba.wintools manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If Bubba.wintools remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Start your computer in safe mode.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Browse to the key:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
In the right pane, delete the value called 'WinTools', if it exists.
Delete 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87766247-311C-43B4-8499-3D5FEC94A183}', if it exists.
Delete 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}', if it exists.
Exit the registry editor.
Restart your computer in safe mode.
Start Windows Explorer and delete the directory:
%ProgramsDir%\Common files\WinTools\
Note: %ProgramsDir% is a variable. By default, this is C:\Program Files.
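
Added example, not part of the original posts: a way to re-check a saved HijackThis log after working through the removal steps above, looking for the WinTools leftovers this thread names (the WinTools folder, the 'WinTools' Run value, and the CLSID from the manual-removal steps). The tag names, the temp-directory and "(no file)" heuristics, and the sample are assumptions; the sample reuses lines from the log posted earlier in the thread plus one constructed BHO line.

```python
import re

# Indicators named in this thread.
WINTOOLS_DIR = "\\common files\\wintools\\"
WINTOOLS_CLSID = "{87766247-311C-43B4-8499-3D5FEC94A183}"
# Assumption: autostarts launched from the XP per-user temp folder deserve review.
TEMP_DIR = "\\local settings\\temp\\"

# "O4 - ..." style section lines; process-list lines are bare paths and do not match.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_VALUE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def triage(log_text):
    """Return (tag, line) pairs for HijackThis log lines that need a closer look."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        low = line.lower()
        entry = ENTRY.match(line)
        if entry is None:
            if WINTOOLS_DIR in low:  # still running from the WinTools folder
                findings.append(("wintools-process", line))
            continue
        code, body = entry.group("code"), entry.group("body")
        run = RUN_VALUE.match(body) if code == "O4" else None
        if run:
            if run.group("name").lower() == "wintools" or WINTOOLS_DIR in low:
                findings.append(("wintools-autostart", line))
            elif TEMP_DIR in low:
                findings.append(("temp-autostart", line))
        elif code in ("R3", "O2", "O3"):
            if WINTOOLS_CLSID.lower() in low:
                findings.append(("wintools-clsid", line))
            elif low.endswith("(no file)"):  # registry entry whose file is gone
                findings.append(("orphaned-entry", line))
    return findings

# Sample: lines from the log in this thread, plus one constructed BHO line.
SAMPLE = r"""
C:\WINDOWS\Explorer.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiJp7] C:\documents and settings\lil' jerry\local settings\temp\DiJp7.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

if __name__ == "__main__":
    for tag, line in triage(SAMPLE):
        print(f"{tag:20} {line}")
```

An empty result on a fresh log taken after the reboot means none of these leftovers were listed; the tags mark lines to investigate, not items to fix blindly.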

Run Adaware first.
Then use HijackThis.
http://www.spychecker.com/program/hijackthis.html
Run the program. Look for lines that have websearch.com in them. Put the check mark next to them, I only found 2, and remove them.
Then reboot the pc and you should be fine. It then should not ask you to install the toolbar.
Run Adaware to make sure it is all gone also.
Good Luck!

I finally removed this toolbar. I had to piggyback Norton Systemworks with adaware6 to do it.
First I opened task manager and stopped all Wintools Processes, then I opened c:\programs\common and deleted the Wintools folder. Then ran norton one button check up, then cleansweep, then win doctor, then ran adaware. I rebooted, ran adaware again and POOF it was gone.
The thing is you have to be thorough, this thing acts like a trojan, and it replicates itself upon deletion. The one button check up removed the registry entry and that was the key to the removal.
Catch ya later when your hair is straighter

SUCCESS! I have started using a product called XOFTSPY by PARETOLOGIC. After running adaware and spybot to the point of each declaring me 'clean', I found a variety of other suspicious processes still running. xoftspy, though it costs $40, discovered a TON of other cookies, registry entries, and programs in my system folder which it cleaned all.
A couple of days later, a scan discovered this IBIS toolbar. xoftspy cleaned it with a simple click of the 'remove' button, and after rebooting it was still gone. This is the best program I've used yet.
TWO OTHER THINGS:
1) If anyone has used a program better than this, I would be very interested. Especially another program that is preventative in nature to prevent this stuff from being installed in the first place.
2) If anyone knows what the heck SMMO.exe is, why I keep getting it about once or twice a week, I would be very interested. The only reason I know it exists is ZoneAlarm detects its attempt to access the internet.
Emailing me directly would be greatly appreciated.
Thanks!
-Christian B.
