Mischel Internet Security Forum: Malware: Adware, Browser Hijackers and other Malware
Topic: Adware.IBIS.Toolbar.100 (Read 4104 times)
MadAxe (Senior Member, Posts: 319)
Adware.IBIS.Toolbar.100 « on: Oct 20th, 2004, 10:51am »

A coworker asked me to help him with his laptop because it was running very slow.
 
Utilwin.exe was the main culprit, taking up anywhere from 60 MB to 110 MB of memory from the system and anywhere from 20% to 70% of the CPU resources. I tried deleting it from the task manager only to have it pop right back up. Blablabla and long story short, I disabled that one and freed up the major hog on his laptop. I installed TH evaluation, copied over the latest rulesets, and immediately THG popped 4 adware programs. I had it clean those, then ran a full scan and started getting rid of suspicious keys and files that the scan found. One of them keeps popping back up:
 
HKLM\Software\Toolbar (matches Adware.IBIS.Toolbar.100)
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{name changes each time}
 
I don't know what is rewriting those keys. Any suggestions would be helpful.
« Last Edit: Oct 20th, 2004, 10:52am by MadAxe »
Randy_Bell (Global Moderator, Posts: 2883)
Re: Adware.IBIS.Toolbar.100 « Reply #1 on: Oct 20th, 2004, 11:22am »

TH may not be enough.  Scan your box with these free programs:
 
AdAware: http://www.lavasoftusa.com/software/adaware/
SpyBot S&D: http://www.safer-networking.org/en/download/
 
WebRoot's Spy Sweeper is also very good {but not free}.  One or more of these programs *may* require you to reboot in order to clean this crap off your system.  Sometimes it is loaded in memory and cannot be cleaned while the Windows GUI is still running.
 
Good Luck!  Hope you get that resource-eating mess off your system!  {These adware-spyware-malware authors ought to be shot, but that is a different topic}.  ;)
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #2 on: Oct 20th, 2004, 11:33am »

on Oct 20th, 2004, 11:22am, Randy_Bell wrote:
    Good Luck!  Hope you get that resource-eating mess off your system!  {These adware-spyware-malware authors ought to be shot, but that is a different topic}.  ;)

It's not _MY_ system. I'm just doing the guy a favor. And yes, they should all be shot  :)
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #3 on: Oct 20th, 2004, 11:57am »

on Oct 20th, 2004, 11:22am, Randy_Bell wrote:
    TH may not be enough.  Scan your box with these free programs:

    AdAware: http://www.lavasoftusa.com/software/adaware/
    SpyBot S&D: http://www.safer-networking.org/en/download/

The latest reflist from AdAware brought up 270 objects. Wow!  :o

He has SpyBot S&D 1.2 on there so I'm going to uninstall that one and put 1.3 on there and give it a whirl.
Aaron (Administrator, Posts: 286)
Re: Adware.IBIS.Toolbar.100 « Reply #4 on: Oct 20th, 2004, 12:25pm »

I wonder how many were just MRUs.
 
Please note the following on registry entries:  http://forum.misec.net/board/Malware/1097439057
Aaron Hulett | Trojan Analyst | Mischel Internet Security
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #5 on: Oct 20th, 2004, 12:51pm »

on Oct 20th, 2004, 12:25pm, Aaron wrote:
    I wonder how many were just MRUs.

    Please note the following on registry entries:  http://forum.misec.net/board/Malware/1097439057

MRU = Memory Resident "U"?

I've been removing all the registry entries on my own. Some of them, like utilwin.exe in the Run key, kept popping back up. I had to go into safe mode, create duplicate files and rename the old ones, change the permissions on those files so the system couldn't overwrite them, then change the permissions on the Run and RunOnce keys so the system couldn't write to them.

I've never seen a system infected this badly, but it's been fun cleaning it out  :D
Randy_Bell (Global Moderator, Posts: 2883)
Re: Adware.IBIS.Toolbar.100 « Reply #6 on: Oct 20th, 2004, 1:11pm »

MRUs = Most Recently Used {lists}
 
Various programs keep track of the most recently used documents, zipfiles, etc. that you have opened.  SpyBot S&D refers to these as "usage tracks" but has usage tracking turned off by default in the settings.
Aaron (Administrator, Posts: 286)
Re: Adware.IBIS.Toolbar.100 « Reply #7 on: Oct 20th, 2004, 1:14pm »

Sounds like there's a "sleeper" process that watches for the removal of things from the main processes/files.  You may want to post a HijackThis log for review and send some files in so that proper definitions can be written and sent out to clean things up.
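The "sleeper process" Aaron describes shows up as autostart entries that reappear after they were deleted. A way to make that visible without guessing is to snapshot the autostart points named in this thread (the Run/RunOnce keys and the Browser Helper Objects key), remove the offending entries with a cleaner, wait, and diff a second snapshot. The script below is an added example written for this page, not code from the thread or from Mischel Internet Security; it assumes a modern PowerShell run from an elevated prompt (the 2004 posters had only regedit), it is read-only, and the five-minute wait is an arbitrary choice.

```powershell
# Added example (not from the thread): snapshot the autostart points discussed above
# and diff two snapshots. Entries that were removed and come back between the two
# snapshots point at a watchdog ("sleeper") process re-writing them.
# Assumes an elevated PowerShell prompt; nothing here modifies the registry.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-AutostartSnapshot {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive and
            # PSProvider to the object; skip those, keep the real registry values.
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = [string]$p.Value }
        }
    }
    if (Test-Path $BhoKey) {
        foreach ($clsidKey in Get-ChildItem -Path $BhoKey) {
            $clsid = $clsidKey.PSChildName
            # A BHO entry is just a CLSID; resolve it to the DLL Internet Explorer
            # would actually load, which is what you want to look at on disk.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<no InprocServer32>' }
            $entries += [pscustomobject]@{ Source = $BhoKey; Name = $clsid; Value = [string]$dll }
        }
    }
    return $entries
}

function Get-EntryId {
    param($Entry)
    "$($Entry.Source)|$($Entry.Name)|$($Entry.Value)"
}

function Compare-AutostartSnapshots {
    param([object[]]$Before, [object[]]$After)
    $seenBefore = @{}
    foreach ($e in $Before) { $seenBefore[(Get-EntryId $e)] = $true }
    $seenAfter = @{}
    foreach ($e in $After) { $seenAfter[(Get-EntryId $e)] = $true }
    [pscustomobject]@{
        Appeared    = @($After  | Where-Object { -not $seenBefore.ContainsKey((Get-EntryId $_)) })
        Disappeared = @($Before | Where-Object { -not $seenAfter.ContainsKey((Get-EntryId $_)) })
    }
}

# Usage: snapshot, clean with your scanner of choice, wait, snapshot again, compare.
$before = Get-AutostartSnapshot
$before | Format-Table -AutoSize
Start-Sleep -Seconds 300          # arbitrary wait; long enough for a watchdog to react
$after  = Get-AutostartSnapshot
$result = Compare-AutostartSnapshots -Before $before -After $after
if ($result.Appeared.Count -gt 0) {
    Write-Host 'Entries added or re-created while waiting (suspect a watchdog process):'
    $result.Appeared | Format-Table -AutoSize
}
```

An entry that appears in the second snapshot after you deleted it is the thing to chase, and the `Value` column (the command line, or the BHO's DLL path) tells you which file to send in for analysis, as Aaron asks. The script only shows that something rewrote the key, not who did it; Sysinternals Process Monitor filtered on registry writes to that key will name the writing process.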
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #8 on: Oct 20th, 2004, 1:25pm »

I've cleaned out a bunch so far, but things are changing up a bit. After multiple runs of AdAware it's picking up stuff that was supposed to have been cleaned. Same with SpyBot S&D. TH even reported something new in the registry, a different adware, when I ran it again. I'm going through and running everything once while in safe mode. I've already manually checked the Run entries in the registry and they're ok. I'll post my progress or post some files and reports if I get totally stumped.
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #9 on: Oct 20th, 2004, 1:51pm »

IBIS toolbar. That took up 37 entries on the last AdAware run. After I let it remove all that, I checked the registry, and in the Run key it had an executable in there pointing to that same directory: C:\Program Files\Toolbar

So....  I deleted the registry value, and I changed the permissions on that folder to specifically deny SYSTEM from doing anything and gave Everyone only one special permission: to delete the folder.
 
Also, I've run SpyBot S&D twice in a row. Both times it came up with DSO Exploit and lists 4 registry keys. The first time I let it delete them. The second time I ran it, without doing anything else, it popped up again.
 
All the keys are in HKU and end with \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
 
I think I'm going to try some manual registry hacking now.
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #10 on: Oct 20th, 2004, 1:56pm »

\0\1004!=W=3
 
It's not in there.
 
They all have \0\1004 and they are string values rather than dword values like the rest of them.
 
I might try deleting them...
 
I'll give AdAware another spin and take a break  8)
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #11 on: Oct 20th, 2004, 2:11pm »

AdAware came up clean.
TH came up clean.
SpyBot S&D shows 4 registry keys that do not exist  :-/
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #12 on: Oct 20th, 2004, 2:20pm »

I got a CWShredder tool off of the PCWorld website and ran it.
 
It found and removed:
CWS.Svchost32
CWS.Jksearch
MadAxe (Senior Member, Posts: 319)
Re: Adware.IBIS.Toolbar.100 « Reply #13 on: Oct 20th, 2004, 3:40pm »

Ok, it's still interesting here.

I checked my registry and compared it against those zone keys that SpyBot was reporting. My 1004 was a dword and the infected laptop had it as a string. I deleted all those values and recreated them. SpyBot is reporting it clean now.
 
I ran TH again. This popped up on me yet again:
 
HKCR\ATLEvents.ATLEvents (matches Adware.VirtuMonde.102)
HKCR\ATLEvents.ATLEvents.1 (matches Adware.VirtuMonde.102)
 
Aaron, do you have any feedback on this particular one?
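The "DSO Exploit" detection that kept coming back is resolved in the post above by hand: SpyBot's "!=W=3" means it wanted a DWORD value of 3 in the zone 0 value 1004 (the "Download unsigned ActiveX controls" action of Internet Explorer's My Computer zone), and a REG_SZ "3" trips the check every run even though the setting looks right in regedit. The script below is an added example for this page, not code from the thread or from the SpyBot or TrojanHunter authors; it assumes a modern PowerShell run elevated so that every loaded user hive under HKU is readable, reports the value's type and data for each hive, and only recreates it as DWORD 3 (the same steps MadAxe took manually) when run with -Fix.

```powershell
# Added example (not from the thread): audit the Internet Explorer zone setting that
# SpyBot reported as "DSO Exploit" above. SpyBot's "1004!=W=3" means it expects a
# REG_DWORD of 3 under Zones\0 in every user hive; a REG_SZ "3" keeps tripping it.
# Read-only by default; -Fix deletes a mistyped value and recreates it as DWORD 3.
# Assumes an elevated PowerShell prompt so all loaded hives under HKU are readable.

param([switch]$Fix)

$ZoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$ValueName  = '1004'
$Wanted     = 3

function Get-ZoneValueReport {
    $report = @()
    # HKEY_USERS lists every loaded user hive; HKCU is one of them but is checked
    # by name too, so the report always shows the interactive user first.
    $roots = @('Registry::HKEY_CURRENT_USER') +
             @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
               ForEach-Object { $_.PSPath })
    foreach ($root in $roots) {
        $key = "$root\$ZoneSubKey"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        if ($item.GetValueNames() -notcontains $ValueName) {
            $report += [pscustomobject]@{ Key = $key; Kind = '<missing>'; Value = $null; Ok = $false }
            continue
        }
        $kind  = $item.GetValueKind($ValueName)     # DWord for REG_DWORD, String for REG_SZ
        $value = $item.GetValue($ValueName)
        # Both the type and the data must match what the scanner expects; a string "3"
        # satisfies the data check but not the type check, which is the case above.
        $ok = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($value -eq $Wanted)
        $report += [pscustomobject]@{ Key = $key; Kind = $kind; Value = $value; Ok = $ok }
    }
    return $report
}

function Repair-ZoneValue {
    param([string]$Key)
    # Same steps as the manual fix in the thread: delete the value, recreate it as DWORD.
    Remove-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    New-ItemProperty -Path $Key -Name $ValueName -PropertyType DWord -Value $Wanted | Out-Null
}

$report = Get-ZoneValueReport
$report | Format-Table -AutoSize
foreach ($row in ($report | Where-Object { -not $_.Ok })) {
    if ($Fix) {
        Repair-ZoneValue -Key $row.Key
        Write-Host "Recreated $ValueName as DWORD $Wanted under $($row.Key)"
    } else {
        Write-Host "Unexpected $ValueName under $($row.Key): kind=$($row.Kind) value=$($row.Value) (rerun with -Fix to recreate)"
    }
}
```

Run it once without -Fix first: the Kind column makes the string-versus-dword mismatch visible for every hive at once, which is the comparison MadAxe did by eye against his own machine, and explains why SpyBot reported keys that "do not exist" as anything but a plain DWORD.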
Randy_Bell (Global Moderator, Posts: 2883)
Re: Adware.IBIS.Toolbar.100 « Reply #14 on: Oct 20th, 2004, 5:43pm »

CWS is a bear to clean.  I hope you got all of it .. ;)