New Visitor
Posts: 24
Registered: ‎10-11-2003

Help with Huntbar removal

I am having serious issues with getting the "Huntbar" spyware off my computer system. I've used Spybot, Ad-aware and Spysweeper, but none of them can get rid of it fully. I made sure all of them are updated with the newest upgrades, but it's still not helping. I have looked into using the DOS command and finding the roots for where the files are supposed to exist, but it just said that they already were deleted. These are the three problems that happen when I boot my PC up:

A message comes up saying if you'd like to install the Huntbar tool bar.

Yahoo material (messenger service, email, links) automatically install themselves at boot up for no reason at all.

I get three different pop-up ads from Microsoft when I'm not even online.

PLEASE, if you have any information on how to get rid of this, I would much appreciate it. I admit I don't have a good tolerance for PC problems, as I'm not an expert in the field. Thank you for helping!
New Visitor
Posts: 24
Registered: ‎10-11-2003

Re: Help with Huntbar removal

Here are the running processes in the background, in case this helps:

NOPDB.exe
ATI2.evxx.exe
NPROTECT.exe
NAVAPSVC.exe
Lexpps.exe
CCEVTMGR.exe
Spoolsv.exe
LEXBCES.exe
Svchost.exe
Lsass.exe
Services.exe
Winlogon.exe
csrss.exe
msmsgs.exe
lxbbbmon.exe
ccapp.exe
smss.exe
system
System idle process
Bronze Star Contributor
Posts: 125
Registered: ‎08-19-2003

Re: Help with Huntbar removal

I had Huntbar also and I admit it was difficult to get rid of. This worked for me because I had to go thru all the variants to get rid of it once and for all. If you are not that experienced, please get some help with these instructions as there can be problems if you do not do this correctly, or maybe someone will come up with an easier way.
I hope this helps.

http://www.doxdesk.com/parasite/HuntBar.html
Recognized Contributor
johnd
Posts: 4,409
Registered: ‎06-30-2003

Re: Help with Huntbar removal

Download HijackThis, set it up in a permanent folder, run a scan and post the results here. Hopefully this will tell us something.



Geez. PestPatrol lists 9 variants of this bugger.

Pest Patrol Huntbar info
Message was edited by: JohnD
New Visitor
Posts: 24
Registered: ‎10-11-2003

Re: Help with Huntbar removal

Logfile of HijackThis v1.97.7
Scan saved at 6:47:51 PM, on 2/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Daniel Magelinski\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Ali Baba Slots TM by pogo - http://temp35.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet/euchre/euchre-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://temp37.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo - http://pool02.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://temp40.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://temp40.pogo.com/applet/pebble/pebble-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit12.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://temp91.pogo.com/applet/slots/scifi-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://temp36.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://simball02.pogo.com/applet/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://temp35.pogo.com/applet/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo02.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass/worldclass-ob-assets.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/stx/install.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
Recognized Contributor
johnd
Posts: 4,409
Registered: ‎06-30-2003

Re: Help with Huntbar removal

Anon,

Please go to Settings at the top of the Forum page and assign yourself a Forum Name so we know you from the hundreds of other Anonymouses.

Also, please unzip the HijackThis executable into a permanent folder (such as "C:\Program Files\HijackThis"). When you "fix" any items, HijackThis will create backups in case you want to restore any changes you make. The temporary folder it is in now will disappear once you close the zip file.


I do not see anything in your running processes which looks suspicious. This is a good and a bad thing. Nothing is running from your startups that would be causing your problems, but something could be attached to your Windows Shell that starts when Windows initially boots. First, we can clean some things out which could be a problem or are left over from running anti-spyware programs. Close everything other than HJT and have HijackThis "fix" the following. Once they are fixed, reboot your system.

--> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

--> R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

--> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

--> R3 - Default URLSearchHook is missing

I am not sure about all those "red.client.." lines which seem to be associated with Yahoo. They are probably ok.

The "O16" section indicates ActiveX downloads installed on your system. I don't know if you need all those. They could have been a source of some of your problems. You might want to consider getting rid of some of those, especially if they are not associated with Microsoft, Macromedia, Yahoo, etc. You can always reinstall them if you want to do this game again.

After you reboot your system, if there still is a problem, we can try to find something in the Registry which might point to the source of your problems.

Note: The toolbar.dll entry is associated with Huntbar. But we need to find what is causing it to be reinstalled each time.
Message was edited by: JohnD
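
Added example, not part of any post in this thread: a small Python triage of a HijackThis log using the criteria JohnD describes above (toolbar.dll references, the missing URLSearchHook, O16 downloads from hosts outside the vendors he names, and HijackThis running from a Temp folder). The function name and the trusted-domain list are assumptions; the sample lines come from the log posted above, with the user name replaced by a placeholder.

```python
import re
from urllib.parse import urlparse

# Sample lines taken from the log in this thread (user name replaced with <user>).
SAMPLE_LOG = r"""
C:\Documents and Settings\<user>\Local Settings\Temp\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
"""

# Assumption: domains standing in for the vendors named in the reply.
TRUSTED = ("microsoft.com", "macromedia.com", "yahoo.com")
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")


def triage(log_text):
    """Return (code, note) pairs for log lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        # Backups made by "fix" are lost if the tool lives in a temp folder.
        if line.lower().endswith(r"\temp\hijackthis.exe"):
            findings.append(("setup", "HijackThis is running from a Temp folder"))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code.startswith("R") and "toolbar.dll" in body.lower():
            findings.append((code, "IE search setting points at toolbar.dll"))
        elif code == "R3" and "missing" in body.lower():
            findings.append((code, "default URLSearchHook is missing"))
        elif code == "O16":
            # The download URL is the last " - "-separated field of a DPF entry.
            host = (urlparse(body.rsplit(" - ", 1)[-1]).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in TRUSTED):
                findings.append((code, "ActiveX download from unlisted host: " + host))
    return findings


if __name__ == "__main__":
    for code, note in triage(SAMPLE_LOG):
        print(f"{code:6} {note}")
```

A flagged O16 entry is only a prompt to check whether the control is still wanted, not a verdict that it is spyware.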