# [Resolved] HuntBar Removal



## Schnitzu (Jun 5, 2003)

Hi Guys.

I'm running XP and IEv6 on a Compaq Presario. My son uses the machine to go to gaming cheat sites for his Playstation, and to Kazaa. You guessed it -- lots of spyware. I have cleaned up most of it with Spybot and Adaware. But this HuntBar thing just won't go away. Spybot finds it, but can't remove it. Spybot even gives me the path in the registry where it found it. But I can't remove it manually either.

I noticed a lot of references to "Hijack This" in many of your threads on this topic. I downloaded it and ran it. The log file is pasted in this note. I see a couple of suspicious looking things, but I don't really know enough about what I am doing to attempt a clean-up myself. Please have a look and advise me.

I have one symptom in my browser which may (or may not) be related. I cannot set my home page. It always reverts to "about:blank".

Here is the log:

Logfile of HijackThis v1.94.0
Scan saved at 10:03:26 PM, on 6/4/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=search&LC=1009
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=1009
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=1009
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://is1.websearch.com/huntsp.wbcrwl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:6711
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {dbbba37b-281d-4de9-9f94-798215797b63} - (no file)
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,56/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37679.5839930556
O17 - HKLM\System\CCS\Services\Tcpip\..\{188E1C2D-E995-4461-85BC-D019E8272C77}: Domain = sk.sympatico.ca
O17 - HKLM\System\CS1\Services\Tcpip\..\{188E1C2D-E995-4461-85BC-D019E8272C77}: Domain = sk.sympatico.ca

Thanks.


----------



## Rollin' Rog (Dec 9, 2000)

I'm not sure what Spybot is seeing but cannot remove. Perhaps it is this:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://is1.websearch.com/huntsp.wbcrwl/

O3 - Toolbar: (no name) - {dbbba37b-281d-4de9-9f94-798215797b63} - (no file)

I would close out Internet Explorer, check both those items in HijackThis and have it remove them.

Then go to the Control Panel > Internet applet (leave IE closed for now) and select Internet Options > Programs > Reset Web Settings.

Then reboot the computer and see if any or all of the problems have been resolved.

If Spybot is finding something else, try running it in Safe Mode and see if it can fix it. If that doesn't help, give us an exact copy/paste of what it is seeing.
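The two entries singled out in the reply above can also be picked out mechanically. As an added example (not part of the original thread, and not HijackThis's own logic), this Python code parses HijackThis log lines and flags R0/R1 URL values on hosts outside an analyst-supplied allowlist, plus O2/O3 components whose file is missing; the allowlist `TRUSTED_SUFFIXES` and all function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: four lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=search&LC=1009
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://is1.websearch.com/huntsp.wbcrwl/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {dbbba37b-281d-4de9-9f94-798215797b63} - (no file)
"""

# Assumption: host suffixes the analyst already trusts on this machine.
TRUSTED_SUFFIXES = ("presario.net", "microsoft.com")

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_line(line):
    """Split one HijackThis line into (section code, body), or None for headers."""
    m = LINE_RE.match(line.strip())
    return (m["code"], m["body"]) if m else None

def host_trusted(url):
    """True when the URL's host equals or is a subdomain of a trusted suffix."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(log_text):
    """Return [(code, reason, detail)] for entries that deserve a human look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        if code in ("R0", "R1") and "=" in body:
            # Registry value name and data are separated by the first '='.
            _, _, value = body.partition("=")
            if value.lower().startswith(("http://", "https://")) and not host_trusted(value):
                findings.append((code, "search/start URL on untrusted host", value))
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            # BHO or toolbar still registered although its file is gone.
            clsid = CLSID_RE.search(body)
            detail = clsid.group(0) if clsid else body
            findings.append((code, "component registered but file missing", detail))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A flagged line is only a prompt for review; whether an entry is unwanted still depends on what the owner of the machine installed on purpose.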


----------



## Schnitzu (Jun 5, 2003)

I tried your suggestion, but it didn't work.

Here is exactly what SpyBot tells me:

"HuntBar: Global Settings HKEY_LOCAL_MACHINE\Software|BTIEIN"

When I hit the "Fix Problems" button, SpyBot tries to fix it, but then says:

"Some problems couldn't be fixed. The reason could be that the associated files are still in use (in memory). This could be fixed after a restart.

"May SpyBot-S&D run on your next system restart?"

I answer "Yes" to the question. SpyBot runs at my next restart, but just goes through the same routine.

Thanks.


----------



## $teve (Oct 9, 2001)

don't know why s/b can't remove this.......but try this.

be sure to back up your registry before attempting this!

open a DOS command prompt window from start->programs->accessories, and enter these commands:

regsvr32 /u "C:\Program Files\Common Files\MSIETS\msiets.dll" 
regsvr32 /u "C:\Program Files\Common Files\MSIETS\msielink.dll" 

You will need to change the path 'C:\program files\common files' in the above commands if your program files are on a different drive......... or have a different name...... (eg. non-english windows installations). 

having done this you can restart the machine and delete the MSIETS folder along with the entry '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}' inside 'downloaded program files' in the windows folder.......... you can also run 'regedit' and remove these entries from the registry to clean up if you like: 

HKEY_CURRENT_USER\Software\MSIETS 
HKEY_CURRENT_USER\Software\MSIETSLink 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet explorer\toolbar\{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} 

after removing the software you may want to delete the shortcuts it adds to the desktop......... start menu and favourites menu.... and set your search and home pages back to normal (see tools->internet Options->programs->reset web settings). 

let us know how you do.


----------



## Rollin' Rog (Dec 9, 2000)

You can also try manually deleting the registry entry yourself. Just run *regedit* and navigate to:

HKEY_LOCAL_MACHINE\Software|*BTIEIN*

Right click on the BTIEIN entry and select 'delete'


----------



## Schnitzu (Jun 5, 2003)

Hi Guys. I'm back again.

Steve, I had actually done all the stuff you suggested once before -- I found the same instructions when I did a Google of the HuntBar problem. Just to be safe, I tried it all again. I found nothing.

Rollin' Rog, I tried deleting the key using Regedit, and got an error.

The entire key actually looks like this:

HKEY-LOCAL-MACHINE\BTIEIN\BTIEIN\Taskcache

When I click on the "Taskcache" level, I get a message:

"Cannot open Taskcache: Error while opening key"

When I try to delete it at any level in the tree, I get a message:

"Cannot delete: Error while deleting"

I'm tempted to let it alone, it doesn't seem to be doing any harm at the moment. But it bugs me. Every time I run SpyBot, even in Safe mode, SpyBot finds it, but can't fix it.

Thanks for your help.


----------



## Rollin' Rog (Dec 9, 2000)

Have you followed the drill here:

http://www.doxdesk.com/parasite/HuntBar.html

It contains some dll unregistration specific to the btein entry in addition to what Steve posted. Do the dll's remain on the system at all?

I suppose there's no harm in leaving it, but are you trying to delete it at the first *btein* folder level on the left? You want to get btein out of the registry. IE should be closed when you try it. You may even want to try Safe Mode.


----------



## Schnitzu (Jun 5, 2003)

Hi guys -- especially Rollin Rog. I have solved the problem. I really had not thought things through enough. And, there is no way you could have helped me because I failed to give you enough information about my environment. Here is the story.

I went to regedit, but instead of trying to delete the BTIEIN thing (which I pronounce in my head as BEATEN, because that is how I have been feeling about it), I looked at the 'privileges'. I noticed that my son was the "owner" of the thing, and that I only had read privileges. That was my clue. You see, I have set up XP with 3 profiles, one for my son, one for my spouse and one for me. I have been trying to do all the clean-up logged on as myself.

I logged on to my son's profile, did the regedit thing, and deleted the BTIEIN thing. It worked. I then ran SpyBot and Adaware under his profile. They found lots of crap. It appears that the bad guys can pollute my computer in anyone's profile, but SpyBot and Adaware only clean up within the profile from which they are run. (I like to run both Spybot and Adaware because each finds crap that the other misses.)

I then logged on to my spouse's profile and ran Spybot and Adaware. Again, found lots of crap.

I then logged on to my own profile and ran them. They both came up clean.

So, the solution seems to be to clean up everything from within each profile you have defined on your machine. This might be helpful to know. I have noticed a number of threads from people who cannot get rid of stuff that defies logic. Asking them if they have more than one profile might give some clues to the solution.

Now that I have cleaned up all the profiles I have defined on my machine, I have one final question. Is it worthwhile to run Hijack This from within each profile that I have, and share the logs with you for your comment?

Thanks. ... Schnitzu


----------



## Rollin' Rog (Dec 9, 2000)

Thanks for the update and going the extra mile to solve it on your own. Speaking for myself, at this end, that's one of the most difficult issues to 'see' as it isn't obvious from the start logs and most of us don't use profiles ourselves so it isn't clear how much that can affect the ability of a program like Spybot to work.

Feel free to post the Hijackthis scanlogs, it is quite possible there may be different entries for search, and start pages associated with them which often don't get targeted otherwise.


----------



## scrib38 (Jul 1, 2003)

I too had this problem where Spybot cleaned up everything but the BTIEIN key (on a Windows 2000 Pro machine). What worked well and most quickly for me was to temporarily elevate the problem user (the one logged in when HuntBar apparently installed itself) to administrator status, then run regedit to delete the otherwise undeletable key: 

HKEY_LOCAL_MACHINE\Software|BTIEIN

Re-ran Spybot as both user and administrator afterward just to ensure that everything was clean, and all was finally well. Unlike some of the others, this exploit was very noticeable in my situation--it had essentially bogged down the user's Internet Explorer to molasses.

Thanks for all the good advice here!

SW


----------



## flon_klar (Jul 3, 2003)

Hi everyone-

Just wanted to stick my head in for a second to thank Schnitzu for helping me out with the same problem. "Tufenuf" over at Computing.net found your thread for me after I had posted over there about my inability to delete the registry key for Huntbar. Schnitzu, your situation was pretty much identical to mine (gaming son, web-shopping wife), and it was your solution that saved me from going completely out of my mind! So thanks for your help, and for making me feel just a little bit wiser.


----------



## irishcoleen (Jul 3, 2003)

I just found this forum and what a gold mine! I also wanted to thank Schnitzu for helping me out with the same problem. Gaming son, shopping *husband*.
I was getting pretty desperate and I just couldn't figure out why I couldn't delete the silly thing using regedit or my spyware removal tool. Never would have thought of different profiles "owning" a registry entry.


----------



## err0r (Jul 15, 2003)

First, a big thanks to Tech Guys and all the people posting their solutions. I had this same problem and only after reading this thread did I solve it. Here are a few things I learned along the way..

I got huntbar from downloading and installing the Google toolbar (I am 99.9% positive that's where it came from).

I removed the toolbar days ago (and left a nasty note for google) but these dang pop ups just kept coming. I actually have downloaded and installed Mozilla Firebird because it has built in pop up protection.. I have found I like it better, but I still am in the habit of hitting the big blue E. 

BTLINK was causing the problems for me. I had some huntbar entries in my registry, and the new ad aware removed them but they kept coming back. I looked in Program Files > Common Files > but saw no BTIEN but I did see the BTLINK. I unregistered it, but it wouldn't let me delete it, so I rebooted, unreged again, then it deleted just fine.

I searched the registry for BTLINK, BTIEN and HUNT and removed all associated entries. 

After all this it appears to be gone.. I will keep running ad aware daily for a week or so and see what happens. I may do a controlled test on a dummy machine installing the Google toolbar to see if that's it before I start my boycott of them.

Thanks for all your help!


----------



## $teve (Oct 9, 2001)

err0r...........nothing wrong with the google toolbar as long as you choose "install without advanced features"


----------



## err0r (Jul 15, 2003)

Nowhere does it say that if you install Google toolbars with the advanced features you are going to be subjected to pop ups.

I am reading the Advanced Features "Read ME" right now and NO WHERE does it state that they are installing a 3rd party piece of software that generates pop up ads. I would cut and paste the section but Google was kind enough to make it so that you can't right click on the window to copy.

Check out the agreement here.

I have no problem with the toolbar itself, but if you're going to install something like this with it? 1. you better tell me up front and 2. you better have a way to remove it. If you remove Google toolbar it does not go away.

It would have been nice to see a small mention of the huntbar somewhere.


----------



## Schnitzu (Jun 5, 2003)

Hi Err0r,

I am not convinced that the Google tool bar is responsible for Huntbar. I think my son downloaded it. That is why he was the "owner" of it, and I only had read permission.

I read somewhere that the Huntbar modifies the Google tool bar (and the Ask Jeeves tool bar) such that all the searches you do go through the Huntbar site. I don't know if that is true or not.

I had the Google tool bar installed at the time I had the Huntbar problem. When I looked at its status (Tools, Internet Options, General, Settings, View Objects) it showed the status as "Damaged" (but it still worked). I uninstalled it and re-installed it and its status was "Installed". I did a little surfing, then went back and had a look again, and it was damaged again.

I then uninstalled the Google tool bar, and installed the Ask Jeeves tool bar. The same thing happened to it, it became damaged.

Since I have rid my machine of Huntbar, neither the Google tool bar nor the Ask Jeeves tool bar have become damaged.

That is why I think Google is not responsible for it. But the Google tool bar does appear to be affected by it.

Schnitzu


----------



## $teve (Oct 9, 2001)

any program(especially a free one)
offering ADVANCED FEATURES
has to be looked at more thoroughly nowadays.


----------

