ITBarLayout Removal

jall65

Petty Officer 3rd Class
Joined
Jul 24, 2006
Messages
96
I keep getting a registry change from Spybot Search and Destroy that ITBarLayout has changed the registry. I have removed this crap from my registry value many, many times and it still keeps coming back as soon as I open a new browser. I am running Spybot Search and Destroy Pro, Ad-Aware Pro, as well as Windows Defender... none of these catch it. It has to be somewhere else for it to keep changing the registry. I'm about to use this stupid thing as a start pile for underwater structure if I can't get this fixed... Please help. Thanks
Jall65
 

jall65

Petty Officer 3rd Class
Joined
Jul 24, 2006
Messages
96
Re: ITBarLayout Removal

Thanks, rwise.
I will give that xoftspy a try.
I did Google it and I have tried all of their recommendations without any success... I'm about to go crazy trying to get this thing off...
 

vipzach

Lieutenant
Joined
Feb 15, 2005
Messages
1,283
Re: ITBarLayout Removal

Here is something you can try, but you must do it in safe mode!! If you have another AV like Norton, it will cause problems if not run in safe mode. Do you have an anti-virus program? Do you have HijackThis? Sometimes you have to delete your restore files before you run these programs or the problems seem to keep coming back.

Please download, install, update and scan your system with the free version of Ewido Security Suite:
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido and boot into safe mode:

Restart your computer, and begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


Now open Ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
 

jall65

Petty Officer 3rd Class
Joined
Jul 24, 2006
Messages
96
Re: ITBarLayout Removal

I've tried that, vipzach, and this thing is still there. This is driving me crazy. Yes, I do have A.V. I have Avast Pro 4.7 plus Ad-Aware Pro and Spybot Search and Destroy Pro as well as Windows Defender, and now including ewido. I can remove the registry values and about 30 seconds later it floods both Ad-Watch and Windows Defender... until it can't keep up denying it. Then it changes my toolbar and slows the computer down... Does anyone know where else this thing sits other than the registry files? It has to be in the computer for it to reassign the registry.
 

vipzach

Lieutenant
Joined
Feb 15, 2005
Messages
1,283
Re: ITBarLayout Removal

Uninstall ewido now; it is not a good idea to run two AVs at the same time. Do you have HijackThis? If so, run it in safe mode and post the log.
 

vipzach

Lieutenant
Joined
Feb 15, 2005
Messages
1,283
Re: ITBarLayout Removal

Found two more things for you!

Regmon v7.03
http://www.sysinternals.com/Utilities/Regmon.html
Note: If you use Regmon as soon as the program starts it will immediately start collecting registry entries, so I suggest that you review the following before using Regmon:
Start Regmon.exe
Immediately hit Ctrl+E or click the blue magnifying glass symbol (second button from the left) to stop the data collection.
In the pull down Edit menu select Clear Display (Ctrl+X).
In the pull down Options menu select Filter/Highlight (Ctrl+L).
Make the following changes in the Regmon Filter window (see Note #1 below):
In the Include box type "ITBarLayout" (no quotes).
In the Exclude box type "TeaTimer" (no quotes).
Uncheck everything at the bottom of the Regmon Filter except "Log Writes".
Click OK.
Hit Ctrl+E or click the blue magnifying glass (second button from the left) to start the data collection.
If you get a TeaTimer pop-up dialog which indicates that a change has taken place, check Regmon and see if you trapped what is changing the ITBarLayout registry entry.

Note #1: The options used in the Regmon Filter window may have to be modified somewhat. I believe that the options that I outlined will work, but because I don't have the problem I am not 100% sure.


It is also called tinybar

Manual removal: The toolbar is implemented as a page 'tinybar.html' or 'hb.html' inside the Windows System (or System32 in Windows NT/2000/XP) folder. Delete this file along with the registry file 'br.reg', 'br.dll' or 'hb.reg'.

To stop IE trying to load the page as a toolbar, open the registry (Start->Run->regedit) and delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11d2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69550BE2-9A78-11d2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11d2-BA91-00600827878D}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>> Search The Web <<<
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
(In some variants of TinyBar, the classid starts with '69555BE2-...' instead of '69550BE2-...'.)

Finally use Internet Options->Programs->Reset Web Settings to remove its search page.

Hijacker removal
Before the settings can be restored you must remove the hijacker that is run on every restart. In the registry (Start->Run->regedit), find the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form 'regedit /s C:\Windows\System\sp.dll'. Then delete sp.dll (or sp.reg) in the System folder. Then use Reset Web Settings to get the normal search page back.

Denial of Service removal
Open the Windows folder and check the 'System' (on Windows 95/98/Me) or 'System32' (on Windows NT/2K/XP) folder for a file called 'atk.vbs'. If you have it, open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There should be a value here, possibly called 'Messenger', pointing at the atk.vbs file. Remove it and restart the machine; you should then be able to delete the atk.vbs file.
 

jall65

Petty Officer 3rd Class
Joined
Jul 24, 2006
Messages
96
Re: ITBarLayout Removal

Thanks so much, vipzach, for your time. I will try the above as soon as I post this.

Here is the log for Hijack This.
Logfile of HijackThis v1.99.1
Scan saved at 3:39:15 PM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\downloads\programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6440
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6440
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147878974531
O17 - HKLM\System\CCS\Services\Tcpip\..\{F99A6D4B-1B23-406E-A8BA-C0FA1B3FD8CE}: NameServer = 66.0.32.14,66.0.60.9
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
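
An added example, not part of any post in this thread: a small Python triage pass over HijackThis log lines that checks for the indicators named in the TinyBar removal notes earlier in the thread (the `69550BE2`/`69555BE2` class ID prefix, a Run entry doing `regedit /s` on `sp.dll`/`sp.reg`, a Run entry pointing at `atk.vbs`) and for browser add-ons registered with `(no file)`. The function name, reason strings and the sample lines marked as constructed are assumptions made for illustration.

```python
import re

# Indicators come from the removal notes in this thread; the names and
# reason strings used here are illustrative.
TINYBAR_CLSID = re.compile(r"\{6955[05]BE2-", re.I)
RUN_RULES = [
    (re.compile(r"regedit(\.exe)?\s+/s\s+.*\\sp\.(dll|reg)\b", re.I),
     "Run entry silently imports sp.dll/sp.reg"),
    (re.compile(r"\\atk\.vbs\b", re.I), "Run entry points at atk.vbs"),
]
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # section code, then the entry


def triage(log_text):
    """Return (section, reason, entry) for each suspicious HijackThis line."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, entry = m.groups()
        if TINYBAR_CLSID.search(entry):
            findings.append((section, "TinyBar class ID", entry))
        if section == "O4":  # startup (Run key) entries
            for rule, reason in RUN_RULES:
                if rule.search(entry):
                    findings.append((section, reason, entry))
        if section in ("O2", "O3") and entry.endswith("(no file)"):
            findings.append((section, "add-on registered with no file", entry))
    return findings


# Lines 1 and 3 are copied from the log posted above; lines 2, 4 and 5 are
# constructed to show what the TinyBar indicators would look like in a log.
SAMPLE = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\System32\tinybar.html
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sp] regedit /s C:\Windows\System\sp.dll
O4 - HKLM\..\Run: [Messenger] wscript.exe C:\WINDOWS\System32\atk.vbs
"""

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE):
        print(f"{section}: {reason}: {entry}")
```

Run over the log posted above, these rules flag only the O2 entry ending in `(no file)`; none of the TinyBar indicators from the removal notes appear in it.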
 

Plainsman

Rear Admiral
Joined
Apr 2, 2006
Messages
4,062
Re: ITBarLayout Removal

Have you run msconfig to see if the program runs at startup? If it does, it will be more difficult to remove.

Delete all files in any temp folders, cookies, temp internet files.

Look in C:\WINDOWS\Prefetch for the program as well.

As a last resort:

If you're comfortable with the registry, do a search for runonce; right above that you'll see run. Open that up and see if the program is in there; if so, delete it.
Modifying the registry wrong can result in the system FAILING. Do this at your own risk!
 

jall65

Petty Officer 3rd Class
Joined
Jul 24, 2006
Messages
96
Re: ITBarLayout Removal

OK, I switched to Firefox anyways. I have always liked it. I don't know why I keep going back to IE, nothing but crashes and problems with it anyway! Thanks, guys, for your help, and I'm still going to remove that bug... but this browser is so much faster and better. It takes days of misery to get into this thick skull LOL
 