khann

Adware.iwantsearchbar


Hello, my name is Keith and I am new here.

I am running SAS 5.6 2012 free version

My computer knowledge is low to middle level.

After downloading a program from a site I have always trusted I ended up having my IE home page changed and a toolbar added. I uninstalled the downloaded program and got rid of the toolbar, reset my IE home page but now when I run SAS I get an urgent message to remove "adware.iwantsearchbar" as well as several tracking cookies.

I have updated and run SAS several times with no luck. I have run it in safe mode, but every time I reboot and retry it is back again. I have updated and run Malwarebytes in safe mode and it does not detect a problem, likewise with AVG and Spybot S&D.

I have also Google searched and searched this forum for help.

The computer appears to have no problems with the way it runs; I am just concerned about the security of my system.

I was going to try disabling System Restore and running in safe mode, but got a little chicken when I got the Microsoft warning about losing any restore points or the ability to restore the system.

Any suggestions would be helpful.

Thank you


No Bearshare, here is a copy of the scan log.

Thank you.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/21/2012 at 09:39 PM

Application Version : 5.6.1012

Core Rules Database Version : 9446

Trace Rules Database Version: 7258

Scan type : Complete Scan

Total Scan Time : 00:43:43

Operating System Information

Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)

Administrator

Memory items scanned : 681

Memory threats detected : 0

Registry items scanned : 40020

Registry threats detected : 2

File items scanned : 64758

File threats detected : 14

Adware.Tracking Cookie

C:\Documents and Settings\Keith Hann\Cookies\KCUCEIRU.txt [ /atdmt.combing.com ]

C:\Documents and Settings\Keith Hann\Cookies\ODU00H0J.txt [ /atdmt.com ]

.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.revsci.net [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.revsci.net [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.revsci.net [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.revsci.net [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

.revsci.net [ C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE ]

Adware.IWantSearchBar

HKU\S-1-5-21-1935655697-362288127-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
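As an added illustration (not part of any post in this thread, and not SUPERAntiSpyware's own tooling), the Python sketch below groups the detection lines of a log like the one above by threat family, so the cookie noise can be separated from the registry traces. It assumes `#` in a registry line separates the key path from a value name; the function names are hypothetical.

```python
import re
from collections import Counter

FF = (r"C:\DOCUMENTS AND SETTINGS\KEITH HANN\APPLICATION DATA\MOZILLA"
      r"\FIREFOX\PROFILES\T4Q5JXRC.DEFAULT\COOKIES.SQLITE")
CLSID_HIT = "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
# Detection lines of the log posted above, rebuilt with the same repeat counts.
SAMPLE_LOG = "\n".join(
    ["Scan type : Complete Scan", "Adware.Tracking Cookie",
     r"C:\Documents and Settings\Keith Hann\Cookies\KCUCEIRU.txt [ /atdmt.combing.com ]",
     r"C:\Documents and Settings\Keith Hann\Cookies\ODU00H0J.txt [ /atdmt.com ]"]
    + [f".serving-sys.com [ {FF} ]"] * 5 + [f".invitemedia.com [ {FF} ]"] * 2
    + [f".revsci.net [ {FF} ]"] * 5
    + ["Adware.IWantSearchBar",
       r"HKU\S-1-5-21-1935655697-362288127-682003330-1003\Software\Microsoft"
       r"\Internet Explorer\Toolbar\WebBrowser#" + CLSID_HIT,
       r"HKCR\CLSID" + "\\" + CLSID_HIT])

FAMILY = re.compile(r"^[A-Za-z]+\.[\w ]+$")          # e.g. "Adware.Tracking Cookie"
HIVE = re.compile(r"^HK(U|CR|LM|CU)\\")              # registry trace lines
BRACKET = re.compile(r"^(.*?)\s*\[\s*(.*?)\s*\]$")   # "left [ right ]" cookie lines
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_detections(text):
    """Group detection lines under the family heading that precedes them."""
    report, family = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if FAMILY.match(line):
            family = report.setdefault(line, {"cookies": Counter(), "registry": []})
        elif family is None:
            continue                                  # header/statistics lines
        elif HIVE.match(line):
            key, _, value = line.partition("#")       # assumption: '#' = value name
            family["registry"].append((key, value or None))
        elif (m := BRACKET.match(line)):
            left, right = m.groups()
            # IE cookie: "file [ domain ]"; Firefox: "domain [ cookies.sqlite ]"
            domain = right if ":\\" in left else left
            family["cookies"][domain.lstrip("/.")] += 1
    return report

def summarize(report):
    """Per family: cookie row count, distinct domains, registry traces, CLSIDs."""
    return {fam: {"cookie_rows": sum(d["cookies"].values()),
                  "cookie_domains": sorted(d["cookies"]),
                  "registry": d["registry"],
                  "clsids": sorted({c for k, v in d["registry"]
                                    for c in CLSID.findall(k + (v or ""))})}
            for fam, d in report.items()}

if __name__ == "__main__":
    for fam, info in summarize(parse_detections(SAMPLE_LOG)).items():
        print(fam, info)
```

On this log the 14 file detections are all tracking-cookie rows across five domains, and both Adware.IWantSearchBar traces carry the same CLSID: one as a value name under the Toolbar\WebBrowser key, one as a key under HKCR\CLSID.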


I am running IE8.6001.18702IC

If we are talking about the two registry entries at the bottom, I can find the first one no problem.

The second one I expect reads: hotkey, class root, clsid, {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

I cannot find it manually; if I paste everything beginning with clsid into the reg search feature I can bring it up on the right-hand side.

There appears to be no {0E1230... line in the clsid area.

I have never deleted a registry entry but I am willing to give it a try, and I do appreciate your patience, thanks again.


Keith, try this way.

First download CCleaner, then disconnect from internet and run the Reg cleaner portion of CCleaner by checking all of the boxes.

It will ask if you want to back up the Reg first, choose yes and save it to a New file on your desktop for now.

Anything it finds to be 'Fixed' (removed) allow.

Now hold the Winkey+R and type "regedit" without quotes.

Look through the associated reg files HKEY_Users......

And HKEY_Classes_Root

Scroll down till you find CLSID (it will be there), look through the list(s) of entries till you find the one that matches (it's in there lurking).

When you find that entry Highlight the 'String' and right click, select Delete.

Now go to Control Panel and select Add/Remove Programs, look for IE8 and select Uninstall.

You will now be presented automatically with IE7 (don't worry). Restart the computer.

Enter Regedit again and look for those previously deleted entries, if still there (or unsure) run SAS again.

If gone, reconnect to internet and select Control Panel --- Windows Updates

You will shortly be presented with the option to re-install IE8 (if you still want it).


Thank you, I tried all of this and still have the issue. I was never able to find the HKCR string, but it appears that the minute I delete a registry item it comes back anyway? As long as I rebooted in safe mode it appeared gone, but when I rebooted normally it came back.

I also tried a virus sweeping regime that included Combofix, TDSSKiller, CCleaner, Malwarebytes and Spybot, to no avail.

I was considering reinstalling the program as a last ditch effort before I re-imaged. I should have read the reviews on download.com because they did warn about spyware during the download; it is just that I have never had a problem downloading software from that site.


Go with the re-image as long as it's before the searchbar was installed, that would usually be my first choice to go with as most people don't know what you're talking about when you mention it, so Kudos to you for taking that backup option :)

I stopped using CNet full stop sometime before they had problems with their downloads being infected, they were supposed to have sorted that out, obviously not.
