
Keep finding TIBS C and DLSearchbar in antispyware scans


still getting messages

Post by crey66 » March 28th, 2007, 11:40 am

The DLSearch TIBS C still come up in scans.
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Post by Susan528 » March 29th, 2007, 8:40 am

What messages are you still receiving? If the messages are some of the same that you have already posted, can you copy and paste them in your reply (save you the effort of manually typing them in).
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Spy Catcher scan messages

Post by crey66 » March 29th, 2007, 10:57 am

The scan messages are the same as before. (Although there was a TeensSearchbar found in the last one). It won't let me copy and paste any of the text. About the best I could do is send you screen shots of the message windows. Can I do that? If so, how?
Thanks
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Screenshots of messages

Post by crey66 » March 29th, 2007, 11:25 am

crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Post by Susan528 » March 29th, 2007, 2:09 pm

Hi crey66,

I am sorry about all the trouble. Please do the following Regscans (yes-again). I am wondering if there is a false positive, or the registry entries are not being permanently deleted? I was surprised that the Kaspersky scan did not detect anything to begin with.

STEP 1.
======
Regscan

Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see a place to input search terms.
Please enter the search terms:
catalyst.httpclientctrl.1
After the search has completed a window titled Results.txt will open. Save it as results1.txt
Please copy the results and post(reply) back.

Please repeat the above for the following:
9ebb-11d2-b89c-00104b30757b
Save it as results2.txt

Disabletaskmgr
Save it as results3.txt

Please post all three results.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

New Regscans

Post by crey66 » March 30th, 2007, 3:32 pm

OK here they are:
Results1
Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 3/30/2007 3:04:49 PM
; Search Term(s) Used: "catalyst.httpclientctrl.1"
; 3 matches were found.
; The search took 32 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Catalyst.HttpClientCtrl.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Catalyst.HttpClientCtrl.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\ProgID]
@="Catalyst.HttpClientCtrl.1"

Results2
Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 3/30/2007 3:06:38 PM
; Search Term(s) Used: "9ebb-11d2-b89c-00104b30757b"
; 23 matches were found.
; The search took 30 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Catalyst.HttpClientCtrl.1\CLSID]
@="{EDD6BA26-9EBB-11D2-B89C-00104B30757B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\Control]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\MiscStatus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\MiscStatus\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\TypeLib]
@="{EDD6BA23-9EBB-11D2-B89C-00104B30757B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\Version]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}\TypeLib]
@="{EDD6BA23-9EBB-11D2-B89C-00104B30757B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}\TypeLib]
@="{EDD6BA23-9EBB-11D2-B89C-00104B30757B}"

Results3

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 3/30/2007 3:24:24 PM
; Search Term(s) Used: "Disabletaskmgr"
; 4 matches were found.
; The search took 31 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\S-1-5-21-2298280193-2707668222-3771886015-1003\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_USERS\S-1-5-21-2298280193-2707668222-3771886015-1003\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"disabletaskmgr"=dword:00000000

I hope these help. Thanks again for your tenacity.
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Post by Susan528 » March 31st, 2007, 5:23 pm

I have tried to find a reputable application to take care of this. I found where SpySweeper will target this. Let's try it.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

If you are taken to the internet page, just close the page.

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Results from Spy Sweeper file into this thread. Let me know if this helps!
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

New Scans

Post by crey66 » April 1st, 2007, 7:17 pm

Spy Sweeper

5:48 PM: Removal process completed. Elapsed time 00:00:11
5:48 PM: Quarantining All Traces: tacoda cookie
5:48 PM: Quarantining All Traces: adjuggler cookie
5:48 PM: Quarantining All Traces: overture cookie
5:48 PM: Quarantining All Traces: nextag cookie
5:48 PM: Quarantining All Traces: ic-live cookie
5:48 PM: Quarantining All Traces: go2net.com cookie
5:48 PM: Quarantining All Traces: freefind.com cookie
5:48 PM: Quarantining All Traces: did-it cookie
5:48 PM: Quarantining All Traces: coremetrics cookie
5:48 PM: Quarantining All Traces: about cookie
5:48 PM: Quarantining All Traces: adrevolver cookie
5:48 PM: Quarantining All Traces: specificclick.com cookie
5:48 PM: Quarantining All Traces: go.com cookie
5:47 PM: Removal process initiated
5:21 PM: Traces Found: 17
5:21 PM: Custom Sweep has completed. Elapsed time 00:26:04
5:21 PM: File Sweep Complete, Elapsed Time: 00:23:25
5:17 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
5:17 PM: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
5:16 PM: Warning: Failed to open file "c:\documents and settings\all users\application data\authentium\curtains150\prf\0ybip-jnwslr\{d2f5620d-8db3-427d-9356-04ab08b907cb}". The operation completed successfully
5:16 PM: Warning: Failed to open file "c:\documents and settings\owner\local settings\temporary internet files\content.ie5\ln372s1y\caa08daj.htm". The operation completed successfully
5:10 PM: ApplicationMinimized - EXIT
5:10 PM: ApplicationMinimized - EXIT
5:10 PM: ApplicationMinimized - ENTER
5:10 PM: ApplicationMinimized - ENTER
4:58 PM: Starting File Sweep
4:58 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
4:58 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
4:58 PM: c:\documents and settings\owner\cookies\owner@wine.about[1].txt (ID = 2038)
4:58 PM: c:\documents and settings\owner\cookies\owner@tacoda[1].txt (ID = 6444)
4:58 PM: Found Spy Cookie: tacoda cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@southernfood.about[1].txt (ID = 2038)
4:58 PM: c:\documents and settings\owner\cookies\owner@rotator.adjuggler[1].txt (ID = 2071)
4:58 PM: Found Spy Cookie: adjuggler cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@overture[1].txt (ID = 3105)
4:58 PM: Found Spy Cookie: overture cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@nextag[1].txt (ID = 5014)
4:58 PM: Found Spy Cookie: nextag cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@ic-live[1].txt (ID = 2821)
4:58 PM: Found Spy Cookie: ic-live cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@go[2].txt (ID = 2728)
4:58 PM: c:\documents and settings\owner\cookies\owner@go2net[1].txt (ID = 2730)
4:58 PM: Found Spy Cookie: go2net.com cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@freefind[2].txt (ID = 2698)
4:58 PM: Found Spy Cookie: freefind.com cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@did-it[1].txt (ID = 2523)
4:58 PM: Found Spy Cookie: did-it cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@data.coremetrics[1].txt (ID = 2472)
4:58 PM: Found Spy Cookie: coremetrics cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@busycooks.about[1].txt (ID = 2038)
4:58 PM: c:\documents and settings\owner\cookies\owner@baking.about[1].txt (ID = 2038)
4:58 PM: Found Spy Cookie: about cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@adrevolver[1].txt (ID = 2088)
4:58 PM: Found Spy Cookie: adrevolver cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@adopt.specificclick[1].txt (ID = 3400)
4:58 PM: Found Spy Cookie: specificclick.com cookie
4:58 PM: c:\documents and settings\owner\cookies\owner@abcnews.go[2].txt (ID = 2729)
4:58 PM: Found Spy Cookie: go.com cookie
4:58 PM: Starting Cookie Sweep
4:58 PM: Registry Sweep Complete, Elapsed Time:00:00:24
4:57 PM: Starting Registry Sweep
4:57 PM: Memory Sweep Complete, Elapsed Time: 00:02:05
4:55 PM: Starting Memory Sweep
4:55 PM: Start Custom Sweep
4:55 PM: Sweep initiated using definitions version 889
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
4:48 PM: Shield States
4:48 PM: Spyware Definitions: 889
4:48 PM: Spy Sweeper 5.3.2.2361 started
4:48 PM: Spy Sweeper 5.3.2.2361 started
4:48 PM: | Start of Session, Sunday, April 01, 2007 |
***************


HJT
Logfile of HijackThis v1.99.1
Scan saved at 7:09:57 PM, on 4/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll (file missing)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/ ... /ct5_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/ ... porter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Still getting TIBS C and DL Searchbar in Spy Catcher
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Questions

Post by crey66 » April 2nd, 2007, 8:04 am

Hi,
I've been doing some reading too. Should I be doing scans and fixes in safe mode? And should I try to do anything with restore points?

Thanks
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Post by Susan528 » April 2nd, 2007, 10:54 am

I would not worry about restore points. When we clear up this problem, then we will clear the restore points. We have a policy not to clear restore points until we clear up the current infections, and then we clear the restore points.

What I believe is happening is that the registry fixes occur but something is still present that creates the registry entries again.

I have hunted for tools to automatically remove it. There is one by Enigma but that is the same company that produces SpyHunter which is considered rogue. I don't want to create more problems for you downloading other software.

http://www3.ca.com/securityadvisor/pest ... =453090758
http://www.symantec.com/en/uk/enterpris ... 99&tabid=3

These two links give information about files that may exist and need to be deleted.

112f.exe

%programfilesdir%\Search Bar

chat.dat
%systemdir%\home.dat
%systemdir%\pics.dat
ezines.dat
%systemdir%\videos.dat
%systemdir%\Cshtp32.ocx
paysites.dat
%systemdir%\AcsProxy.dll
AcsProxy.lib
IdentLibDll.dll
%programfilesdir%\Search Bar\UNWISE.EXE
%programfilesdir%\Search Bar\INSTALL.LOG

%System%\AcsProxy.lib
%System%\chat.dat
%System%\ezines.dat
%System%\home.dat
%System%\paysites.dat
%System%\pics.dat
%System%\srchbar.dll.manifest
%System%\videos.dat

If you could check and see if any of these files are present. Then we could work on deleting them. Please let me know what you find.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Post by crey66 » April 2nd, 2007, 4:33 pm

That first link (Pest patrol) is what my ISP software uses. I searched all names and all I found was:
Cshtp32.ocx.
Nothing else.

Does that help?
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Post by Susan528 » April 2nd, 2007, 10:44 pm

Let's try this please:

Please download The Avenger by Swandog46 to the Desktop.
Click on Avenger.zip to open the file
Then, extract avenger.exe to the Desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Code:
Files to delete:
C:\WINDOWS\System32\Cshtp32.ocx

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Catalyst.HttpClientCtrl.1 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B} 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B} 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B} 



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Start The Avenger program by clicking its icon on the Desktop.
Under: Script file to execute, select: Input Script Manually
Now click on the Magnifying Glass icon
It opens a new window titled: View/edit script
Paste the text copied to clipboard into this window by pressing Ctrl+V.
Click Done

Next, click on the Green Light to begin the execution of the script
Answer Yes twice when prompted.

The Avenger automatically does the following:
Restarts the computer.
On reboot, briefly opens a black command window on the Desktop. This is normal.

After the restart, it creates a log that opens with the results of Avenger’s actions.
This log is located at C:\avenger.txt

Please provide C:\avenger.txt in your reply.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
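
Added example, not part of the original posts and not code from Regscan or The Avenger: a Python check of a Regscan export against the "Registry keys to delete" roots of a removal script, listing any found key the script would leave behind and any GUID that appears only as a value. The sample export is abbreviated from the results posted in this thread, the sample script omits one Interface root on purpose, and all function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the Regscan results posted in this thread.
REGSCAN_EXPORT = r"""Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038
; Search Term(s) Used: "9ebb-11d2-b89c-00104b30757b"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Catalyst.HttpClientCtrl.1\CLSID]
@="{EDD6BA26-9EBB-11D2-B89C-00104B30757B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\TypeLib]
@="{EDD6BA23-9EBB-11D2-B89C-00104B30757B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}\TypeLib]
@="{EDD6BA23-9EBB-11D2-B89C-00104B30757B}"
"""

# Constructed sample: the script layout from the post above, with the
# Interface roots left out on purpose so the check has something to report.
REMOVAL_SCRIPT = r"""Files to delete:
C:\WINDOWS\System32\Cshtp32.ocx

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Catalyst.HttpClientCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B}
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg-style export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue  # blank line, Regscan comment, or the file header
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name = "(Default)" if match.group(1) == "@" else match.group(1)[1:-1]
            current[name] = match.group(2)
    return keys

def parse_removal_script(text):
    """Return {section heading (lowercased): [entries]}; headings end with ':'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = sections.setdefault(line[:-1].lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def split_by_roots(key_paths, roots):
    """Split keys into (covered, uncovered); deleting a root removes its subkeys."""
    roots = [r.lower().rstrip("\\") for r in roots]
    covered, uncovered = [], []
    for key in key_paths:
        k = key.lower()  # registry paths are case-insensitive
        hit = any(k == r or k.startswith(r + "\\") for r in roots)
        (covered if hit else uncovered).append(key)
    return covered, uncovered

def guids_without_key(keys):
    """GUIDs that appear in value data but in no key path of the export."""
    in_paths = {g.upper() for path in keys for g in GUID_RE.findall(path)}
    in_values = {g.upper() for vals in keys.values()
                 for data in vals.values() for g in GUID_RE.findall(data)}
    return sorted(in_values - in_paths)

if __name__ == "__main__":
    found = parse_reg_export(REGSCAN_EXPORT)
    roots = parse_removal_script(REMOVAL_SCRIPT)["registry keys to delete"]
    covered, uncovered = split_by_roots(found, roots)
    print("covered by script:", len(covered))
    print("left behind:", uncovered)
    print("referenced only as values:", guids_without_key(found))
```

Running the same split on a rescan taken after the reboot shows whether deleted keys have come back: anything that lands in the covered list was recreated.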

Avenger

Post by crey66 » April 3rd, 2007, 8:05 am

OK I don't know if this worked right, because my antivirus flagged some things when it tried to run. But here's the log:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sdqmyeck

*******************

Script file located at: \??\C:\Documents and Settings\dpltnisv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\Cshtp32.ocx deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Catalyst.HttpClientCtrl.1 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am

Post by Susan528 » April 3rd, 2007, 8:24 am

It looks like it deleted those registry keys and the file.

Let me know if you are still getting the message from SpyCatcher. I am keeping my fingers crossed!
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Looks Clean

Post by crey66 » April 3rd, 2007, 2:53 pm

It looks like the Avenger did it! Two SpyCatcher scans and no DLSearchBar or TIBS C -- just some cookies come up. Thanks a lot! Anything else I need to do?
crey66
Regular Member
 
Posts: 18
Joined: March 19th, 2007, 11:26 am