IBIS...is it still there?

Started by heart, December 06, 2005, 10:53:40 PM



heart

This topic was started in Anti-Spyware Software forum here: http://www.landzdown.com/index.php?topic=3565.0

And was referred by GR@PH;<'S, w/ a request for an HJT log.
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 4:50:14 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\CounterSpy\sunThreatEngine.exe
C:\Program Files\CounterSpy\SunProtectionServer.exe
C:\Program Files\CounterSpy\SunServer.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE :uhm:

Die Hard

heart  :)

Where does CounterSpy find the IBIS entry?

IBIS is related to "Huntbar" and could go under several names: MSIETS, BTIEIN or Wintools, to mention a few.

regards

Die Hard :)
I create and edit my posts in GS-NOTES

heart

Die Hard
 
Here are the infected entries detected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TBPSSVC
    \0000  Service      TBPSSvc
    \0000  Legacy       1
    \0000  ConfigFlags  0
    \0000  Class        LegacyDriver
    \0000  ClassGUID    {8ECC055D-047F-11D1-A537-0000F8753D1}
    \0000  DeviceDesc   WebSearch Toolbar support NT service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Root\LEGACY_TBPSSVC
    \0000  Service      TBPSSvc
    \0000  Legacy       1
    \0000  ConfigFlags  0
    \0000  Class        LegacyDriver
    \0000  ClassGUID    {8ECC055D-047F-11D1-A537-0000F8753D1}
    \0000  DeviceDesc   WebSearch Toolbar support NT service

Heart

Die Hard

heart  :)

When the files are removed, those reg-keys would probably not cause any trouble.
However, keeping orphaned regkeys from spyware in the system is no joy either.

Here's how you remove those keys:

First, make sure you are logged in as administrator, or on an account with admin privileges.

1. Press Windows key+R, type regedit and click OK; the registry editor is now in front of you.

2. In the left panel, click the arrow (+) next to "My Computer".

3. You will now have 5 subsections all starting with HKEY. Click the (+) next to these:
+ HKEY_LOCAL_MACHINE
+ SYSTEM
+ ControlSet001
+ Enum
   Root


4. We have to back up this section. (Never, ever make any changes in the registry without backing up.)

5. This is how we back up:
a. When you come to "Root", click it once to highlight it.
b. Click "File" in the toolbar, next click "Export".
c. A new window will open; save the file under C:\ as a registry file and give it the name "controlSet001".
d. Make sure this is what it says in the field at the bottom of that window: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root

Under C:\ there should now be a light blue icon looking like a lot of cubes, called "controlSet001.reg". If this operation was successful go on with the next steps.

6. Right-click on Root and choose "Permissions". It will look like this, only that the image is in my own language: http://i18.photobucket.com/albums/b123/DieHard53/Behrigheter.jpg

7. When you have clicked "Permissions" another window will open: http://i18.photobucket.com/albums/b123/DieHard53/behrigheter2.jpg
At the top, highlight "All" and check the "Allow" box for "full permissions".

8. Now click the (+) next to "Root", scroll down to LEGACY_TBPSSVC, right-click it and choose "Delete".

9. Repeat steps 6 and 7, but this time uncheck the permission boxes.

10. Now repeat steps 2-9 with the other reg-key (when backing up, give the file a different name from the first; it's not important what name you give it as long as you know which is which):
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Root
LEGACY_TBPSSVC


If you are in doubt, please come back here for more assistance; do not take a chance.

Regards

Die Hard :)



I create and edit my posts in GS-NOTES
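The regedit procedure above, as an added PowerShell equivalent that is not from this thread: for each reported key it exports the parent Root key with reg.exe (step 5), grants Administrators Full Control (steps 6 and 7) and deletes the key (step 8). It assumes an elevated PowerShell on a Windows version that has it, that Administrators are allowed to change those keys' permissions (as the regedit steps also assume), that the second key sits under Enum\Root like the first, and C:\regbackup as a chosen backup folder.

```powershell
# Added example, not from the thread: scripted version of the regedit steps.
# Run from an elevated PowerShell. The two paths are the keys CounterSpy
# reported; the second is assumed to sit under Enum\Root like the first.
$ErrorActionPreference = 'Stop'
$subKeys = @(
    'SYSTEM\ControlSet001\Enum\Root\LEGACY_TBPSSVC',
    'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
)
$backupDir = 'C:\regbackup'   # assumed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

foreach ($sub in $subKeys) {
    $probe = $hklm.OpenSubKey($sub)
    if ($null -eq $probe) {
        Write-Host "not present, skipping: HKLM\$sub"
        continue
    }
    $probe.Close()

    # Step 5: export the parent Root key before touching anything.
    $parent = Split-Path $sub -Parent
    $file   = Join-Path $backupDir (($parent -replace '\\', '_') + '.reg')
    & reg.exe export "HKLM\$parent" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup of HKLM\$parent failed; stopping" }

    # Steps 6-7: grant Administrators Full Control. This is set on the
    # LEGACY key itself (inherited by its \0000 subkey) rather than on
    # Root as the thread does, so no other keys are affected.
    $key  = $hklm.OpenSubKey($sub, 'ReadWriteSubTree',
                             'ReadPermissions, ChangePermissions')
    $acl  = $key.GetAccessControl('Access')
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()

    # Step 8: delete the key and everything under it. Step 9 (undoing the
    # permission change) is not needed here because the key is gone.
    $hklm.DeleteSubKeyTree($sub)
    Write-Host "removed HKLM\$sub (backup: $file)"
}
```

If the permission change fails, nothing has been deleted and the exported .reg file is untouched, so the box is left exactly as it was.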

Ripley

Die Hard,
ripely here.  Been talking to heart about the last recommendations you gave her...
back on Dec. 8th   :roll:
She's shaking in her boots over editing the registry, but will be making an attempt after making her backup.
The holiday activities have taken over "computer time," but heart will be getting you an update soon.