Huntbar/BTIEIN - Techist - Tech Forum

Old 03-04-2005, 07:57 PM   #1 (permalink)
Trotter
Grandfather of Techist
¯\_(ツ)_/¯
Join Date: Jan 2005
Location: The South
Posts: 31,295

Huntbar/BTIEIN

I keep a clean machine. I scan religiously for viruses, adware, and spyware. And I take care of business...except for this.

I cannot get rid of Huntbar/BTIEIN. Oh, all of the stuff is gone, but I cannot get it out of my registry.

I go into RegEdit, and try to delete HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN and I get a message that says, "Cannot delete BTIEIN: Error while deleting key." I have tried everything I can think of. Safe mode, everything. I have eliminated everything else associated with it, but it keeps showing up on Spybot and AdAware (AdAware lists it as IBIS toolbar).

Anybody got any ideas?
__________________


My Rig: SABLE
Antec 300 Illusion / Antec EarthWatts EA650 650W / ASUS GeForce GTX 960 GTX960-DC2OC-2GD5
AMD FX 8320 x8 Black Edition / Gelid Tranquillo / MSI 970A-G43
Sandisk Ultra Plus 128GB / Samsung 840 120GB / WD Black 750GB / WD Green 1TB
2x4GB DDR3 1600 - 2x2GB DDR3 1600
Win10 Ent 64-bit - Mionix Naos 7000 Mouse - CM Storm QuickFire Rapid Mech Keyboard


R.I.P. Danny L. Trotter ... 14 Nov 1945 - 4 Sept 2009
Trotter is offline  
Old 03-04-2005, 10:10 PM   #2 (permalink)
Osiris
Techie Beyond Description
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817

Do you see Wintools anywhere like your taskmanager and c drive?
Osiris is offline  
Old 03-04-2005, 10:11 PM   #3 (permalink)
Osiris
Techie Beyond Description
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817

1) While online, download the popular HiJackThis program from Spywareinfo.com. You may want to read through the HiJackThis tutorial as well.

2) Reboot your computer into Safe Mode. You may also want to turn off System Restore in Windows XP/ME to remove any backups of the files you are about to delete.

3) Remove the Startup Entries in the Registry

Click on Start, Run, Type REGEDIT and Click OK

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run

Right-Click on the file WinTools and click DELETE

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunServices

Right-Click on the file WinTools and click DELETE

Close REGEDIT

3) Run HiJackThis (while in Safe Mode) and Delete any entries relating to WinTools including

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL

Although the following entries should have been deleted in Step 2, delete these entries if they still exist.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe

3) Delete the WinTools folder and all associated files

Open My Computer, Drive C, Program Files, Common Files
Right-click on the WinTools folder (if it exists) and Delete it

4) You should also delete or clean up your hosts file

Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts


5) Reboot the computer in Normal Mode and run HiJackThis again to test (Wintools should be gone)
Osiris is offline  
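Added example, not part of the thread and not code from HijackThis: a Python scanner that checks the O2 and O4 lines of a saved HijackThis log against the CLSIDs, folder name and file names that appear in the log lines quoted in post #3. The function names are illustrative, and the last two sample lines are constructed.

```python
import re

# Indicators copied from the log lines posted in the thread above.
BHO_CLSIDS = {"{87766247-311C-43B4-8499-3D5FEC94A183}",
              "{63B78BC1-A711-4D46-AD2F-C581AC420D41}"}
FILE_NAMES = {"wtoolsa.exe", "wtoolss.exe", "wsup.exe", "wtoolsb.dll", "btiein.dll"}
DIR_NAMES = {"wintools"}

# The O2 pattern tolerates a missing space before the dash that follows the CLSID.
O2_RE = re.compile(r"^O2 - BHO:\s*(.*?)\s*-\s*(\{[0-9A-Fa-f-]{36}\})\s*-\s*(.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+):\s*\[([^\]]*)\]\s*(.+)$")

def path_reasons(path):
    """Match folder and file names case-insensitively (WinTools vs WINTOOLS)."""
    parts = [p.strip().lower() for p in path.strip('"').split("\\") if p.strip()]
    reasons = []
    if any(p in DIR_NAMES for p in parts[:-1]):
        reasons.append("dir")
    # The last component may carry a closing quote and command-line arguments.
    if parts and parts[-1].split()[0].strip('"') in FILE_NAMES:
        reasons.append("file")
    return reasons

def scan(log_text):
    """Return (section, reasons, line) for every O2/O4 line that matches an indicator."""
    findings = []
    for raw in log_text.splitlines():
        line, reasons = raw.strip(), []
        if (m := O2_RE.match(line)):
            section = "O2"
            if m.group(2).upper() in BHO_CLSIDS:
                reasons.append("clsid")
            reasons += path_reasons(m.group(3))
        elif (m := O4_RE.match(line)):
            section = "O4:" + m.group(2)
            if m.group(3).lower() == "wintools":
                reasons.append("name")
            reasons += path_reasons(m.group(4))
        if reasons:
            findings.append((section, reasons, line))
    return findings

# The first four lines are quoted from the thread; the last two are constructed.
SAMPLE = r"""O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [Updater] "C:\Temp\WSup.exe" /s"""
```

Each finding lists why the line matched (clsid, name, dir, file), so an entry that survives under a different value name or folder is still reported on its file name alone.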
Old 03-04-2005, 10:49 PM   #4 (permalink)
Trotter
Grandfather of Techist
¯\_(ツ)_/¯
Join Date: Jan 2005
Location: The South
Posts: 31,295

No Wintools. And Huntbar only exists as this particular entry in my registry that I cannot delete.

I have already followed removal steps (three pages worth), but Spybot and AdAware had already taken care of business. But I want rid of this last remnant!

HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN

Then, I'll be happy once more.
Trotter is offline  
Old 03-04-2005, 11:26 PM   #5 (permalink)
southernlady
Monster Techie
Join Date: Nov 2004
Posts: 1,343

Yes, read here: http://www.pchell.com/support/huntbar.shtml

Liz
southernlady is offline  
Old 03-05-2005, 09:41 AM   #6 (permalink)
Osiris
Techie Beyond Description
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817

Removal
TrafficSyndicate offer two uninstaller files for HuntBar/TS, which have been reported not to work properly.

HuntBar/Side may put an entry called 'MSIETS' in the Control Panel's Add/Remove Programs option, which should remove this variant.

HuntBar/MSLink and HuntBar/BTLink have two entries in the Control Panel's Add/Remove Programs option, called 'Internet 404' and 'Tools for Internet Explorer'. Both entries (which also demand an internet connection to work) must be removed to get rid of these variants, but it will leave the files intact and still won't remove the MSIn or BTIn installer, which can reinstall the software automatically in the future.

HuntBar/SToolbar puts an entry called 'Search Toolbar' in Add/Remove Programs, which should work (though it requires an internet connection).

HuntBar/WinTools has an entry for 'Web Search Toolbar' along with at least one entry called 'Win-Tools Easy Installer', all of which need to be used to remove the software. An internet connection is needed to complete the uninstallation; you must also ignore the software's pleas to be allowed to continue (pay attention to the potentially confusing action buttons). During testing, the 'Easy Installer's did not always work, necessitating manual removal in this case.

Manual removal
WinTools variant
The WinTools variant cannot be removed in the normal desktop because each of the three processes, plus a BHO, keep each other alive when you try to stop them. So you will need to use Safe Mode.

To get to Safe Mode, press the F8 key just as Windows is about to boot. If you use a multiboot system, this is the point where the boot menu appears; if not, just keep tapping F8 as the machine boots until the menu appears.

Open the registry (click 'Start', choose 'Run', enter 'regedit') and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. Select the subkey 'Run' and delete the 'WinTools' entry on the right. If there is still a 'TB_setup' or 'TBPS' entry here, delete that too.

Next, select the subkey 'Explorer\Browser Helper Objects', delete the whole subkey with the name '{87766247-311C-43B4-8499-3D5FEC94A183}'. Finally, find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and delete the WinToolsSvc subkey. Reboot normally.

All variants
Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands. For HuntBar/TS:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msiets.dll"

For HuntBar/Side and HuntBar/MSLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msielink.dll"

For HuntBar/BTLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\BTLINK\btlink.dll"

For HuntBar/MSIn, enter:

cd "%WinDir%\System"
regsvr32 /u msiein.dll

For HuntBar/BTIn, enter:

cd "%WinDir%\System"
regsvr32 /u btiein.dll

For HuntBar/SToolbar, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Search Toolbar\SToolbar.dll"

For HuntBar/WinTools, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\WinTools\WToolsB.dll"
regsvr32 /u "\Program Files\Common Files\WinTools\btiein.dll"
regsvr32 /u "\Program Files\Toolbar\toolbar.dll"

(Users of non-English versions of Windows will need to change 'Program Files' and 'Common Files' in the above commands to the names of these folders in the language Windows was installed in.)

File deletion
Having done this you can reboot the machine and delete the HuntBar files. Open the 'Common Files' folder inside Program Files. For the TS, Side, MSLink variants, delete 'MSIETS'; for the BTLink variant delete 'BTLINK'; for the WinTools variant delete 'WinTools'.

Go back to the Program Files folder and delete 'Search Toolbar' (SToolbar variant) or 'Toolbar' (WinTools variant). Finally, open the System folder (inside the Windows folder, called 'System32' under Windows NT/2000/XP/2003) and delete 'msiein.dll' (MSIn variant) or 'btiein.dll' (BTIn variant).

Other traces
You can also open 'Downloaded Program Files' in the Windows folder and delete the entry '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}', '{59450DB0-341D-4436-B380-B8377D8B6796}', '{D6E66235-7AA6-44ED-A06C-6F2033B1D993}' or '{26E8361F-BCE7-4F75-A347-98C88B418322}', if you received HuntBar through a drive-by download.

To clean up, you can also open the registry (click 'Start', choose 'Run', enter 'regedit') and delete any of the subkeys 'MSIETS', 'MSIEIN', 'MSLINK', 'BTIEIN', 'BTLINK', 'Search Toolbar' and 'WinTools' in the Software subkey of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

For WinTools, you can also delete the keys inside HKEY_CLASSES_ROOT\CLSID with numbers {26E8361F-BCE7-4F75-A347-98C88B418322} and {87067F04-DE4C-4688-BC3C-4FCF39D609E7}. Inside HKEY_CLASSES_ROOT\PROTOCOLS, the Name-Space Handler\res\WToolsB.ResProtocol key can also go. Next, open Microsoft\Windows\CurrentVersion\Installer\UserData in HKEY_LOCAL_MACHINE\Software, and delete the 'AUI' and 'STO' subkeys, and the 'TUID' entry.

Finally (phew!) you may want to delete the shortcuts the HuntBar/Side and TS variants add to the desktop, start menu and favourites menu, and reset your search and home pages back to normal (Tools->Internet Options->Programs->Reset Web Settings).
Osiris is offline  
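Added example, not part of the thread: a read-only Python check that parses a registry export (a .reg file saved from regedit) and reports which of the keys and Run values named in posts #3 and #6 are still present. The function names are illustrative and the sample export is constructed.

```python
import re

# Names below are the ones listed in the posts above, lower-cased for matching.
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_VALUES = {CV + r"\run": {"wintools", "tb_setup", "tbps"},
              CV + r"\runservices": {"wintools"}}
EXACT_KEYS = {
    CV + r"\explorer\browser helper objects\{87766247-311c-43b4-8499-3d5fec94a183}",
    r"hkey_local_machine\system\currentcontrolset\services\wintoolssvc",
    r"hkey_classes_root\clsid\{26e8361f-bce7-4f75-a347-98c88b418322}",
    r"hkey_classes_root\clsid\{87067f04-de4c-4688-bc3c-4fcf39d609e7}",
}
SOFTWARE_SUBKEYS = {"msiets", "msiein", "mslink", "btiein", "btlink",
                    "search toolbar", "wintools"}
HIVES = {"hkey_local_machine", "hkey_current_user"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=')

def audit_reg_export(reg_text):
    """Return ("key" | "value", full path) for each listed trace present in the export."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = None if line.startswith("[-") else line[1:-1]
            if key is None:              # "[-KEY]" is a delete directive, not a key
                continue
            parts = key.lower().split("\\")
            vendor_key = (len(parts) == 3 and parts[0] in HIVES
                          and parts[1] == "software" and parts[2] in SOFTWARE_SUBKEYS)
            if key.lower() in EXACT_KEYS or vendor_key:
                findings.append(("key", key))
        elif key and (m := VALUE_RE.match(line)):
            if m.group(1).lower() in RUN_VALUES.get(key.lower(), ()):
                findings.append(("value", key + "\\" + m.group(1)))
    return findings

# Constructed export: sample data only, including the hypothetical Settings subkey.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN]
[HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN\Settings]
"Placeholder"="constructed"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"TBPS"="constructed"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}]
[HKEY_CURRENT_USER\Software\Search Toolbar]
"""
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16 encoded, so read the file with encoding="utf-16" before passing its text to the function.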
Old 03-06-2005, 12:10 AM   #7 (permalink)
Trotter
Grandfather of Techist
¯\_(ツ)_/¯
Join Date: Jan 2005
Location: The South
Posts: 31,295

Liz, that's where I got the instructions I used.
Trotter is offline  
Old 03-06-2005, 12:11 AM   #8 (permalink)
Trotter
Grandfather of Techist
¯\_(ツ)_/¯
Join Date: Jan 2005
Location: The South
Posts: 31,295

Monster,

Yeah. Did that. But the folder and one file refuse to budge from the registry.

Mmmm...dynamite, maybe?
Trotter is offline  
Old 03-26-2005, 08:19 PM   #9 (permalink)
Trotter
Grandfather of Techist
¯\_(ツ)_/¯
Join Date: Jan 2005
Location: The South
Posts: 31,295

Well, the entry is still there.

I downloaded Microsoft's AntiSpyware, but it too fails to remove the stupid thing, as well as not even registering the IBIS toolbar that AdAware keeps telling me about.

Anybody got any new ideas? Shoot, I'd settle for some old ones...
Trotter is offline  
Old 03-26-2005, 08:46 PM   #10 (permalink)
ApM
Ultra Techie
Join Date: Jan 2005
Posts: 501

Try downloading Bazooka Checker; it tells you step by step in great detail how to remove the problem. Check it out.
ApM is offline  
All times are GMT -5.