
Clearing GOCYBERSEARCH toolbar - another SP.DLL 1

Status
Not open for further replies.

tyvek

IS-IT--Management
Mar 17, 2002
6
US
There are at least three different variations of this takeover of IE's search. One of them, GOCYBERSEARCH, creates a toolbar in IE and can be difficult to remove. I just spent about an hour clearing it. Here's how, and what to look for. As always, playing with the registry can be dangerous. Please make sure you have a backup of your registry before making changes. If you're not sure how, have someone who can do it for you.

The first thing to do is remove the 'sp' or 'sps' entry from the registry. Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There you will find an entry labeled "regedit -s sp.dll"; delete that key.

Also search your hard drive for a file named sp.dll and rename it to sp.txt. If you open the file you will find it's actually a text registry import and will look something like:


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="
"Search Page"="
"Search Bar"="
"SearchURL"="

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]
"SearchURL"="

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main]
"Search Page"="
"Default_Search_URL"="
"Search Bar"="

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Search your registry for allcybersearch.com and delete the keys you see above. You can reinstall the MSN search with:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="
"Search Bar"="

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="
"CustomizeSearch"="

This particular hack not only replaces MSN for search, but also creates a toolbar in IE. To remove the toolbar, look for this CATID: 00021494-0000-0000-C000-000000000046
This is the id for a vertical toolbar. Searching for this ID may return other toolbars. The GOCYBERSEARCH toolbar has an entry:

[HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11d2-BA91-00600827878D}\Instance\InitPropertyBag]
"Url"="file:///C:\\WINDOWS\\system\\tinybar.html"

Delete this key, delete the file it references ('tinybar.html') - you may want to check to be sure it's the HTML for the toolbar by opening it up in text mode.

This gives us the CLSID for this toolbar.. search for the CLSID - in this case it's:
69550BE2-9A78-11d2-BA91-00600827878D (yours may be different) and delete all references to it.

Next MOST IMPORTANT thing to do is send email to postmaster@gocybersearch.com and tripjaster@hotmail.com, the administrative contact for gocybersearch.com, and let them know exactly what you think of them.
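
As an added example (not part of the original post), this Python sketch does the triage the post describes by hand: it pulls the file name out of a `regedit -s` Run entry, checks by content whether a `.dll` is really a REGEDIT4 import, and lists the IE search values it would write. The sample file is constructed, with placeholder URLs on a reserved domain, and the function names are illustrative.

```python
import re

# Constructed sample: the values in the post's sp.dll listing did not survive,
# so these URLs are placeholders on a reserved domain.
SAMPLE_SP_DLL = rb"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://search.example.invalid/"
"Search Bar"="http://search.example.invalid/bar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://search.example.invalid/assist"
"""

# Value names taken from the registry listings in the post.
SEARCH_VALUES = {"SearchURL", "Default_Search_URL", "Search Page",
                 "Search Bar", "SearchAssistant", "CustomizeSearch"}
SILENT_IMPORT = re.compile(
    r'^\s*"?regedit(?:\.exe)?"?\s+[-/]s\s+"?([^"]+?)"?\s*$', re.I)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def silent_import_target(run_command):
    """Return the file a Run entry feeds to 'regedit -s', or None."""
    m = SILENT_IMPORT.match(run_command)
    return m.group(1) if m else None


def file_kind(data):
    """Classify by content, not extension: a real DLL starts with 'MZ'."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:64].lstrip(b" \r\n").startswith(b"REGEDIT4"):
        return "reg-import"
    return "other"


def search_settings_written(data):
    """List (key, value name, data) for IE search values the import sets."""
    key, hits = None, []
    for line in data.decode("latin-1").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := VALUE_LINE.match(line)) and key:
            if "internet explorer" in key.lower() and m["name"] in SEARCH_VALUES:
                hits.append((key, m["name"], m["data"]))
    return hits
```

Any Run entry for which `silent_import_target` returns a name, and whose file is classified as `reg-import`, will reapply its settings at every startup until the Run entry itself is removed.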
 
Thanks. Some punk installed that for me via his ezboards.com id page. As an admin about to ban him from my boards - I checked out his profile, only to get this little surprise.

You've saved me a bunch of hassle and trouble, and I deeply appreciate it.
 
I went rooting around tonight (this morning) to find what and where it came in.. wound up getting another. I tried to kill the popups as soon as they came in. I hit the wrong button (usually F4) but knew as soon as I did it. This one is EZSEARCH. I searched all files for the date/time it happened.. I found something interesting.. a file: setupapi.log has the following (amongst other things):

An unsigned or incorrectly signed file (c:\windows\temp\ixp000.tmp\q313675.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
Copying file C:\WINDOWS\TEMP\IXP000.TMP\url.dll to C:\WINDOWS\SYSTEM\url.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\IXP000.TMP\url.dll) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
Copying file C:\WINDOWS\TEMP\IXP000.TMP\wininet.dll to C:\WINDOWS\SYSTEM\wininet.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\IXP000.TMP\wininet.dll) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
Copying file C:\WINDOWS\TEMP\IXP000.TMP\urlmon.dll to C:\WINDOWS\SYSTEM\urlmon.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\IXP000.TMP\urlmon.dll) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
Copying file C:\WINDOWS\TEMP\IXP000.TMP\shdocvw.dll to C:\WINDOWS\SYSTEM\shdocvw.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\IXP000.TMP\shdocvw.dll) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
Copying file C:\WINDOWS\TEMP\IXP000.TMP\mshtml.dll to C:\WINDOWS\SYSTEM\mshtml.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\IXP000.TMP\mshtml.dll) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
[2002/03/18 02:38:02 4290796443.1]
Munged cmdline: "C:\PROGRA~1\INTERN~1\iexplore.exe"
EXE name: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Copying file C:\WINDOWS\TEMP\ICD1.tmp\ezsearch.dll to C:\WINDOWS\SYSTEM\ezsearch.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\ICD1.tmp\ezsearch.dll) was installed. Error 0x800b0100: No signature was present in the subject.
[2002/03/18 02:38:02 4290796443.2]
Copying file C:\WINDOWS\TEMP\ICD1.tmp\ezSearch.inf to C:\WINDOWS\Downloaded Program Files\ezSearch.inf.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\ICD1.tmp\ezSearch.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.


This, at least, gives me an idea what to look for.

Sure enough, the sp.dll is back in RUN, I'll need to recopy the files it overwrote and take out the registry info. This one is considerably more sophisticated. I'll see how it goes.
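
As an added example (not part of the original post), this Python sketch reads a setupapi.log excerpt like the one above, joins each unsigned-file warning to the copy line for the same file, and separates files with no signature at all from those rejected for another reason. The sample lines are copied from the post; the function names are illustrative, and the symbolic names are the standard Windows names for the two error codes in the log.

```python
import re

# Lines copied from the setupapi.log excerpt in the post (a subset).
SAMPLE_LOG = r"""An unsigned or incorrectly signed file (c:\windows\temp\ixp000.tmp\q313675.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
Copying file C:\WINDOWS\TEMP\IXP000.TMP\url.dll to C:\WINDOWS\SYSTEM\url.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\IXP000.TMP\url.dll) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
[2002/03/18 02:38:02 4290796443.1]
Munged cmdline: "C:\PROGRA~1\INTERN~1\iexplore.exe"
Copying file C:\WINDOWS\TEMP\ICD1.tmp\ezsearch.dll to C:\WINDOWS\SYSTEM\ezsearch.dll.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\ICD1.tmp\ezsearch.dll) was installed. Error 0x800b0100: No signature was present in the subject.
[2002/03/18 02:38:02 4290796443.2]
Copying file C:\WINDOWS\TEMP\ICD1.tmp\ezSearch.inf to C:\WINDOWS\Downloaded Program Files\ezSearch.inf.
An unsigned or incorrectly signed file (C:\WINDOWS\TEMP\ICD1.tmp\ezSearch.inf) was installed. Error 0x800b0003: The form specified for the subject is not one supported or known by the specified trust provider.
"""

COPY_RE = re.compile(r"^Copying file (?P<src>.+?) to (?P<dst>.+?)\.$")
WARN_RE = re.compile(r"^An unsigned or incorrectly signed file \((?P<path>.+?)\)"
                     r" was installed\. Error (?P<code>0x[0-9a-fA-F]{8}):")
STAMP_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) [\d.]+\]$")
ERRORS = {"0x800b0100": "TRUST_E_NOSIGNATURE",
          "0x800b0003": "TRUST_E_SUBJECT_FORM_UNKNOWN"}


def unsigned_installs(log_text):
    """Join each unsigned-file warning to the preceding copy of that file."""
    findings, dest_for, stamp = [], {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := STAMP_RE.match(line):
            stamp = m.group(1)          # section header: time of the install
        elif m := COPY_RE.match(line):
            dest_for[m["src"].lower()] = m["dst"]
        elif m := WARN_RE.match(line):
            code = m["code"].lower()
            findings.append({"time": stamp, "source": m["path"],
                             "dest": dest_for.get(m["path"].lower()),
                             "error": ERRORS.get(code, code)})
    return findings


def unsigned_binaries(findings):
    """Destinations of executable files that carried no signature at all."""
    return [f["dest"] for f in findings
            if f["dest"] and f["error"] == "TRUST_E_NOSIGNATURE"
            and f["dest"].lower().endswith((".dll", ".exe", ".ocx"))]
```

The timestamp on each finding is the same date/time pivot the post uses to search the disk for other files written at that moment.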
 
After looking a bit closer.. it appears that this one has an UNINSTALL. I still reinstalled the other DLLs -- you never know.. Don't know if the uninstall removes the sp.dll or not since I already removed it. It *did* leave the ezsearch.dll.

 
Just one more piece of info.. I found where the GOCYBERSEARCH can be removed.. they have an app.. it can be found:


I haven't tried it so I cannot say whether or not it works.
 
tyvek

Nice post, good "heads up", Thanks *
smitee
 