allentech.net

Parasite: HuntBar

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

HuntBar is a search-hijacker from Traffic Syndicate, with various additional features depending on version.

Variants

HuntBar/TS is the original version, controlled by the server dst.trafficsyndicate.com, also providing an IE toolbar with search features.

HuntBar/Side is an addition to HuntBar/TS which also pops open a search sidebar pointed at its own results when it detects you using search engines.

HuntBar/MSLink is a development of HuntBar/Side dropping the toolbar from HuntBar/TS and adding the ability to redirect you instantly when browsing targeted web pages. This is typically used to hijack affiliate fees from merchant sites.

HuntBar/BTLink is an updated version of MSLink.

HuntBar/MSIn and HuntBar/BTIn are installer controls for both the MSLink and BTLink variants.

HuntBar/SToolbar also tries to hijack your homepage to WebSearch.com, and copies searches you make in known search engines to the search field in the toolbar as you type.

HuntBar/WinTools is the kitchen-sink release containing a BTIn BHO, an MSLink-style BHO targeted at the server as.adwave.com, and a multi-functional toolbar targeted at websearch.com, plus three executables running at startup including one hidden one and one running as a Windows service. These processes interact to stop each other from being killed, preventing removal of the software.

HuntBar/QDow is a small downloader ActiveX control used to load HuntBar/BTIn. HuntBar/QDow2 is an updated version used to load HuntBar/WinTools.

Also known as

IBIS Toolbar.

Distribution

Through ActiveX drive-by-download at affiliate sites, including pop-up advertising served by trafficsyndicate.com. The WinTools variant was also installed by the FavoriteMan and WildMedia parasites.

What it does

Advertising

May open search-keyword-targeted advertising when using search engines.

Privacy violation

HuntBar/WinTools sends the URL of each new site visited to its controlling server to fetch a rating for it. A full URL including query parts is sent (which can leak personally-identifiable information), and a unique ID is sent, which can be used to track long-term web browsing habits.

HuntBar/TS sends the domain name of the site being viewed, the domain name of any site previously being viewed and the title and any keywords in the current page to its controlling servers whenever a new site is viewed. It does this even if the toolbar is not turned on.

HuntBar/Side, MSLink, BTLink, SToolbar and WinTools send URLs and search terms used to its controlling servers with a unique ID allowing your search engine usage to be tracked.

Security issues

Yes. HuntBar/TS, MSIn, BTIn and WinTools can silently download and execute arbitrary code, as an update feature.

Stability problems

HuntBar/BTLink and SToolbar seem to cause IE to crash often on some setups with an ‘Exception E Access Violation’.

HuntBar/WinTools’s Windows Service may periodically go to 99% CPU usage, making the desktop very sluggish.

Removal

TrafficSyndicate offer two uninstaller files for HuntBar/TS, which have been reported not to work properly.

HuntBar/Side may put an entry called ‘MSIETS’ in the Control Panel’s Add/Remove Programs option, which should remove this variant.

HuntBar/MSLink and HuntBar/BTLink have two entries in the Control Panel’s Add/Remove Programs option, called ‘Internet 404’ and ‘Tools for Internet Explorer’. Both entries (which also demand an internet connection to work) must be removed to get rid of these variants, but it will leave the files intact and still won’t remove the MSIn or BTIn installer, which can reinstall the software automatically in the future.

HuntBar/SToolbar puts an entry called ‘Search Toolbar’ in Add/Remove Programs, which should work (though it requires an internet connection).

HuntBar/WinTools has an entry for ‘Web Search Toolbar’ along with at least one entry called ‘Win-Tools Easy Installer’, all of which need to be used to remove the software. An internet connection is needed to complete the uninstallation; you must also ignore the software’s pleas to be allowed to continue (pay attention to the potentially confusing action buttons). During testing, the ‘Easy Installer’ entries did not always work, necessitating manual removal in this case.

Manual removal

WinTools variant

The WinTools variant cannot be removed in the normal desktop because each of the three processes, plus a BHO, keep each other alive when you try to stop them. So you will need to use Safe Mode.

To get to Safe Mode, press the F8 key just as Windows is about to boot. If you use a multiboot system, this is the point where the boot menu appears; if not, just keep tapping F8 as the machine boots until the menu appears.

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. Select the subkey ‘Run’ and delete the ‘WinTools’ entry on the right. If there is still a ‘TB_setup’ or ‘TBPS’ entry here, delete that too.

Next, select the subkey ‘Explorer\Browser Helper Objects’, delete the whole subkey with the name ‘{87766247-311C-43B4-8499-3D5FEC94A183}’. Finally, find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and delete the WinToolsSvc subkey. Reboot normally.

All variants

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands. For HuntBar/TS:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msiets.dll"

For HuntBar/Side and HuntBar/MSLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msielink.dll"

For HuntBar/BTLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\BTLINK\btlink.dll"

For HuntBar/MSIn, enter:

cd "%WinDir%\System"
regsvr32 /u msiein.dll

For HuntBar/BTIn, enter:

cd "%WinDir%\System"
regsvr32 /u btiein.dll

For HuntBar/SToolbar, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Search Toolbar\SToolbar.dll"

For HuntBar/WinTools, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\WinTools\WToolsB.dll"
regsvr32 /u "\Program Files\Common Files\WinTools\btiein.dll"
regsvr32 /u "\Program Files\Toolbar\toolbar.dll"

(Users of non-English versions of Windows will need to change ‘Program Files’ and ‘Common Files’ in the above commands to the names of these folders in the language Windows was installed in.)

File deletion

Having done this you can reboot the machine and delete the HuntBar files. Open the ‘Common Files’ folder inside Program Files. For the TS, Side, MSLink variants, delete ‘MSIETS’; for the BTLink variant delete ‘BTLINK’; for the WinTools variant delete ‘WinTools’.

Go back to the Program Files folder and delete ‘Search Toolbar’ (SToolbar variant) or ‘Toolbar’ (WinTools variant). Finally, open the System folder (inside the Windows folder, called ‘System32’ under Windows NT/2000/XP/2003) and delete ‘msiein.dll’ (MSIn variant) or ‘btiein.dll’ (BTIn variant).

Other traces

You can also open ‘Downloaded Program Files’ in the Windows folder and delete the entry ‘{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}’, ‘{59450DB0-341D-4436-B380-B8377D8B6796}’, ‘{D6E66235-7AA6-44ED-A06C-6F2033B1D993}’ or ‘{26E8361F-BCE7-4F75-A347-98C88B418322}’, if you received HuntBar through a drive-by download.

To clean up, you can also open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and delete any of the subkeys ‘MSIETS’, ‘MSIEIN’, ‘MSLINK’, ‘BTIEIN’, ‘BTLINK’, ‘Search Toolbar’ and ‘WinTools’ in the Software subkey of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

For WinTools, you can also delete the keys inside HKEY_CLASSES_ROOT\CLSID with numbers {26E8361F-BCE7-4F75-A347-98C88B418322} and {87067F04-DE4C-4688-BC3C-4FCF39D609E7}. Inside HKEY_CLASSES_ROOT\PROTOCOLS, the Name-Space Handler\res\WToolsB.ResProtocol key can also go. Next, open Microsoft\Windows\CurrentVersion\Installer\UserData in HKEY_LOCAL_MACHINE\Software, and delete the ‘AUI’ and ‘STO’ subkeys, and the ‘TUID’ entry.

Finally (phew!) you may want to delete the shortcuts the HuntBar/Side and TS variants add to the desktop, start menu and favourites menu, and reset your search and home pages back to normal (Tools->Internet Options->Programs->Reset Web Settings).
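The manual-removal steps and the ‘Other traces’ list above name a fixed set of registry keys, COM classes, files and Downloaded Program Files entries. The following read-only audit, added here as an example and not part of the original page, checks whether each of those traces is still present and reports the ones it finds, so it can be run before removal and again afterwards to confirm nothing was missed. It changes nothing, so it can also run outside Safe Mode even on the WinTools variant whose processes protect each other. All key names, CLSIDs, folder and file names are the ones listed on this page; the variable and function names are this example's own, and the ‘Code Store Database’ key used to check Downloaded Program Files entries is an assumption about where IE records those controls, not something the page states. It assumes Windows PowerShell on an NT-based Windows, run from an administrator prompt.

```powershell
# Added example, not part of the original page: read-only audit for the HuntBar
# traces listed in the removal instructions. It reports and removes nothing.
# Names and paths come from the page; variable/function names are this example's own.

$ErrorActionPreference = 'SilentlyContinue'

# Resolve the localized folder names so non-English Windows needs no path edits.
$pf  = [Environment]::GetFolderPath('ProgramFiles')
$cf  = [Environment]::GetFolderPath('CommonProgramFiles')
$sys = [Environment]::GetFolderPath('System')

$runValues  = 'WinTools', 'TB_setup', 'TBPS'
$bhoClsid   = '{87766247-311C-43B4-8499-3D5FEC94A183}'
$clsids     = '{26E8361F-BCE7-4F75-A347-98C88B418322}', '{87067F04-DE4C-4688-BC3C-4FCF39D609E7}'
$softKeys   = 'MSIETS', 'MSIEIN', 'MSLINK', 'BTIEIN', 'BTLINK', 'Search Toolbar', 'WinTools'
$dpfEntries = '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}', '{59450DB0-341D-4436-B380-B8377D8B6796}',
              '{D6E66235-7AA6-44ED-A06C-6F2033B1D993}', '{26E8361F-BCE7-4F75-A347-98C88B418322}'
$files = @(
    (Join-Path $cf 'MSIETS\msiets.dll'),   (Join-Path $cf 'MSIETS\msielink.dll'),
    (Join-Path $cf 'BTLINK\btlink.dll'),   (Join-Path $cf 'WinTools\WToolsB.dll'),
    (Join-Path $cf 'WinTools\btiein.dll'), (Join-Path $pf 'Toolbar\toolbar.dll'),
    (Join-Path $pf 'Search Toolbar\SToolbar.dll'),
    (Join-Path $sys 'msiein.dll'),         (Join-Path $sys 'btiein.dll')
)

$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$what) { $findings.Add($what) }

# 1. Startup entries the WinTools variant adds under HKLM ...\Run
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($v in $runValues) {
    $item = Get-ItemProperty -Path $run -Name $v
    if ($item) { Add-Finding "Run value '$v' = $($item.$v)" }
}

# 2. The WinTools Browser Helper Object and its Windows service
$bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
if (Test-Path $bho) { Add-Finding "BHO registered: $bhoClsid" }
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinToolsSvc') { Add-Finding 'Service key WinToolsSvc present' }
$svc = Get-Service -Name WinToolsSvc
if ($svc) { Add-Finding "Service WinToolsSvc installed, status $($svc.Status)" }

# 3. COM classes, the res: protocol handler, vendor Software subkeys, installer data
foreach ($c in $clsids) {
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$c") { Add-Finding "CLSID present: $c" }
}
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol') {
    Add-Finding 'Protocol handler WToolsB.ResProtocol present'
}
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($k in $softKeys) {
        if (Test-Path "$hive\SOFTWARE\$k") { Add-Finding "$hive\SOFTWARE\$k present" }
    }
}
$ud = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
foreach ($k in 'AUI', 'STO') { if (Test-Path "$ud\$k") { Add-Finding "Installer UserData subkey $k present" } }
if (Get-ItemProperty -Path $ud -Name TUID) { Add-Finding 'Installer UserData value TUID present' }

# 4. Any COM class whose in-process server is still one of the HuntBar DLLs,
#    i.e. the regsvr32 /u step has not yet taken effect for that DLL.
$dllNames = $files | ForEach-Object { ($_ -split '[\\/]')[-1] }
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' | ForEach-Object {
    $srv = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32").'(default)'
    if ($srv) {
        $leaf = ($srv.Trim('"') -split '[\\/]')[-1]
        if ($dllNames -contains $leaf) { Add-Finding "COM class $($_.PSChildName) still maps to $srv" }
    }
}

# 5. Files on disk, and the drive-by ActiveX controls shown in Downloaded Program Files.
#    Assumption: IE records those controls under the Code Store Database key below.
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { Add-Finding "File present: $f" } }
$dpfKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
foreach ($d in $dpfEntries) {
    if (Test-Path "$dpfKey\$d") { Add-Finding "Downloaded Program Files entry: $d" }
}

if ($findings.Count -eq 0) { 'No HuntBar traces found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Step 4 is the check worth keeping after the regsvr32 commands: a DLL can be deleted while its COM registration still points at it, which leaves a dangling BHO or toolbar entry that IE will try to load. Step 2 reports the service status as well as the key so that, on the WinTools variant, a still-running service tells you the Safe Mode steps have not yet been completed.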

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.

Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
