
Thread: Huntbar

  1. #1
    Member ams2d's Avatar
    Join Date
    Aug 2001
    Location
    Indianapolis
    Posts
    58

    Huntbar

    When referring to programs executed, they were all executed in Safe Mode.

    I am working on cleaning up a friend's computer and Spybot detected Huntbar (HKEY_LOCAL_MACHINE\SOFTWARE\TOOLBAR key) but was not able to remove it.

    Ad Aware SE did not detect it but removed several other items.

    Microsoft AS detected many more items; however, when it was scanning the registry it became stuck on HKEY_LOCAL_MACHINE\SOFTWARE\TOOLBAR\PLUGINS, kept eating up memory and eventually locked up. So it was never able to finish whenever I ran it.

    Doing research on this item, the registry key mentioned above is linked to Huntbar but I have been unable to delete it. Using the same research, I have removed any offending items I found relating to this issue. But unable to remove the key ... even tried running Safe Mode with command prompt in case that would work.

    I also ran TweakNow RegCleaner and it could not identify deskpan.dll; fde.dll; cdooff.dll. I don't think those are related to this issue but unsure if I can remove it without causing any problems or if I even should remove it.

    Also here is the HijackThis log from that system:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:55:26 AM, on 9/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0C\AOL.EXE" -b
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    So my questions are:
    Those 3 dll files mentioned, is it safe to delete them? Is there a way to delete this registry key? Do I need to boot with something like Knoppix and try to remove that key?

    If more information is needed about the system let me know and I will post it after work today.

    Thanks!
    Wise men talk because they have something to say;
    fools, because they have to say something.
    Plato

  2. #2
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    This should help you out:

    http://www.doxdesk.com/parasite/HuntBar.html

    /edit

    The DLLs you refer to are for Intel's graphics.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  3. #3
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    I had a similar incident with another piece of malware.

    Try this:

    Boot in Safe Mode and log in with an administrator account
    Open My Computer
    Select Tools > Folder Options > View tab

    Uncheck Simple File Sharing, and Check Show All Files. Now, apply the settings

    Right Click C:\ and select Properties. Select Security Tab, and click the Advanced Button.

    Select Owner, and then the Account you are logged in with (even if it already says you are the owner)

    Check the box that says "Replace owner on subcontainers and objects", and apply the settings.

    Now open regedit and click on the key you want to delete.

    Select Edit > Permissions

    Select Advanced, then select the account you logged in with. Click Edit, and check all the allow boxes. Make sure at the top, under the account it says "This key and subkeys". Now click OK, Apply, etc. until you are back to regedit.

    Now refresh the screen and delete the key.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
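
Added example, not part of the original thread: the regedit steps from post #3 (take ownership, grant Full Control on "This key and subkeys", delete) scripted in PowerShell for a system that has it. The function name `Remove-LockedRegistryKey` is hypothetical, and the script assumes an elevated session whose token can still open the key for ownership changes; it does not enable SeTakeOwnershipPrivilege itself.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
function Remove-LockedRegistryKey {               # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SubKey)  # path relative to HKLM

    # Nothing below runs under -WhatIf: ownership and ACL changes are also modifications.
    if (-not $PSCmdlet.ShouldProcess("HKLM\$SubKey", 'Take ownership, grant Full Control, delete')) { return }

    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    # Well-known SID of BUILTIN\Administrators (independent of OS language)
    $admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

    # 1. Take ownership (the "Owner" step in the Advanced dialog).
    $key = $hklm.OpenSubKey($SubKey, $check,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { throw "HKLM\$SubKey does not exist" }
    try {
        # Sections 'None': the handle has no read access to the descriptor yet.
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
        $acl.SetOwner($admins)
        $key.SetAccessControl($acl)
    } finally { $key.Close() }

    # 2. As owner, read and rewrite the DACL: Full Control for this key and subkeys.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $key = $hklm.OpenSubKey($SubKey, $check, $rights)
    try {
        $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $admins,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.SetAccessRule($rule)
        $key.SetAccessControl($acl)
    } finally { $key.Close() }

    # 3. Delete the key together with its subkeys.
    $hklm.DeleteSubKeyTree($SubKey)
}

# Preview only; drop -WhatIf to apply. Key path taken from the first post.
Remove-LockedRegistryKey -SubKey 'SOFTWARE\TOOLBAR' -WhatIf
```

If a subkey blocks inherited permissions, the delete in step 3 fails with an access error; run the function on that subkey first, then on its parent.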


  4. #4
    Member ams2d's Avatar
    Join Date
    Aug 2001
    Location
    Indianapolis
    Posts
    58
    Thank you both for the information and suggestions.

    I was able to remove the keys.
