websearch/IBIS hijacked

Discussion in 'Malware Help (A Specialist Will Reply)' started by Soame, Mar 12, 2005.

  1. Soame

    Soame Private E-2

    My IE has been hijacked by websearch/IBIS. A company website, websearch.com, purports to offer an uninstaller, but it does not work. In addition to carefully following all of the steps outlined in the Major Geeks "How to" tutorial, including running each of the utilities/tools listed in step 4, I have repeatedly run Pest Patrol and SpySweeper in attempts to rid myself of this incredibly malicious and persistent malware. They identify but fail to eliminate the hijacker. In short, none of these solutions has worked.
    I would be very grateful for advice on what to do next.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Soame,

    If you have run through all options in the Cleanup Tutorial (including the Online Scans) and still no joy, please send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    PP :)
     
  3. Soame

    Soame Private E-2

    Thank you. The HJT log is attached.
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Soame,

    Your HJT log doesn't look too bad. . .

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: (no name) - {A5F0A0B7-2555-EA01-A7DD-2A28B1006D77} - C:\Documents and Settings\Alice.AAA\Application Data\send sixth close\MANAGERKIND.exe
    I would imagine that you don't recognize these two as legit and needed? If not, then FIX them!
    O4 - HKLM\..\Run: [about size bib blue] C:\Documents and Settings\All Users.WINDOWS\Application Data\hope bat about size\itch second.exe

    O15 - Trusted Zone: *.musicmatch.com (HKLM) --> You should keep things out of here for safety.

    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab


    Do not fix this one, but check to see if the file really is missing and repair if necessary.
    O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\Documents and Settings\Alice.AAA\Application Data\send sixth close\MANAGERKIND.exe --> You probably should remove the send sixth close Folder, unless you need it for some reason.

    C:\Documents and Settings\All Users.WINDOWS\Application Data\hope bat about size\itch second.exe --> Same deal with hope bat about size Folder. Remove it if not needed.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
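
An added example, not part of the original thread or any poster's code: a small Python triage pass over the HijackThis entries quoted in the post above. The review rules (an autostart entry running from an Application Data folder, a missing file, Trusted Zone and DPF entries) are assumptions modeled on the advice given there, and `triage`, `SAMPLE_LOG`, `LINE_RE`, `PATH_RE` and `AUTOSTART` are hypothetical names.

```python
import re

# Constructed sample: entries quoted in the post above, in HijackThis log format.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A5F0A0B7-2555-EA01-A7DD-2A28B1006D77} - C:\Documents and Settings\Alice.AAA\Application Data\send sixth close\MANAGERKIND.exe
O4 - HKLM\..\Run: [about size bib blue] C:\Documents and Settings\All Users.WINDOWS\Application Data\hope bat about size\itch second.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
"""

# "O<n> - <kind>: <rest>" is the shape of every entry line shown in the post.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# First drive-letter path ending in .exe or .dll; paths may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
AUTOSTART = {"O2", "O4", "O23"}  # BHO, Run key, service (assumed review set)

def triage(log_text):
    """Return (section, target, note) tuples for entries that merit manual review."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, _kind, rest = m.groups()
        path = PATH_RE.search(rest)
        target = path.group(0) if path else rest
        if rest.endswith("(file missing)"):
            note = "file missing: verify on disk before fixing"
        elif section in AUTOSTART and path and "\\application data\\" in target.lower():
            note = "autostart from Application Data: confirm it is recognized"
        elif section == "O15":
            note = "Trusted Zone entry: keep only if needed"
        elif section == "O16":
            note = "downloaded ActiveX control: review source"
        else:
            continue  # nothing in the assumed rules applies to this entry
        findings.append((section, target, note))
    return findings

if __name__ == "__main__":
    for section, target, note in triage(SAMPLE_LOG):
        print(f"{section:4} {note}\n     {target}")
```

The output is a review list only; whether an entry is fixed remains the manual decision described in the post.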
     
  5. Soame

    Soame Private E-2

    I followed all instructions. The toolbar does not appear when IE is launched, but both SpyBot and Pest Patrol still identify IBIS as present on the computer, and pinpoint the registry entry "HKEY_LOCAL_MACHINE\Software\BTIEN" as the location. I attempted to delete that file with regedit, but was blocked from doing so.

    Attached is the new HJT log. I continue to be grateful for your assistance.
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Soame,

    Your HJT Log looks clean. Are you experiencing any actual symptoms, or is it just that your scanners are triggering on that orphaned registry entry?

    You can try this to remove it - You will probably need to have Administrator Privileges to do the below.

    Open regedit

    Navigate to: HKEY_LOCAL_MACHINE\Software\BTIEN

    and RightClick on it and select Delete. If that is not allowed, RightClick it and look on the list of options for “Permissions…” and select it. Now, where it says “Permissions for Administrators,” check the box for Full Control and hit Apply and OK. Now RightClick BTIEN and try to delete it. See if that does the trick!

    PP :)
     
