IE protection for "Huntbar Variant" turns itself off

Discussion in 'SpywareBlaster & Other Forum' started by AmazingTed, Apr 28, 2005.

Thread Status:
Not open for further replies.
  1. AmazingTed

    AmazingTed Registered Member

    Joined:
    Apr 28, 2005
    Posts:
    3
    I use SpywareBlaster 3.3 and regularly perform manual updates. For reasons I cannot fathom, SB's protection for "Huntbar Variant" gets turned off. I re-enable protection and go on about my business but invariably, hours or days later, the protection is again turned off. I use other anti-spyware software and those programs do not indicate that Huntbar is present on my machine. Any clues as to why SB's protection for this particular pest will not stay on?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Is that the only ActiveX CLSID showing un-protected ?
     
  3. AmazingTed

    AmazingTed Registered Member

    Joined:
    Apr 28, 2005
    Posts:
    3
    So far "Huntbar Variant" is the only item that has been exhibiting this behavior. All other items have remained protected once protection was enabled.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hmmm....have you noticed any abnormalities....as if you might have un-knowingly picked up a Toolbar ?

    Do you notice any unknown folders in either....C:\Program Files\Common Files or C:\Program Files....that might reference Toolbar or Wintools ?
     
  5. AmazingTed

    AmazingTed Registered Member

    Joined:
    Apr 28, 2005
    Posts:
    3
    I have been using Firefox with an occasional relapse to IE when a particular site does not display properly. Neither browser seems to have any new toolbars although I have been using the Firefox extension "Stumbleupon" which operates as a toolbar.

    I searched my entire drive (system and hidden files included) for "toolbar" and "wintools" and found nothing suspicious.
     
  6. krism1usa1

    krism1usa1 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    2
    huntbar variant unchecks in SpyBlaster

    Dear Sirs, do you have any idea why the huntbar variant check box keeps unchecking itself? It's between no. 138 and no. 139 under [prevent the installation of ActiveX based spyware, dialers, etc.]. There are 9 ActiveX codes between no. 138 and no. 139 without numbers; that is where the huntbar variant code remover is that keeps unchecking its check box every time I put a check mark by it or click the box [protect against checked items]. Is there something that can be done to prevent this problem in SpyBlaster? Thanks for reading and any help, Dr. C.M.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey krism1usa1,

    I have merged your thread with an ongoing one. While we are not too far along in our discovery....feel free to add any info concerning your setup that might be of benefit in possibly determining the software program causing this.

    Regards,
    Bubba
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Due to a recent thread here at Wilders that may relate to this matter....are either of you using a program called Pest Patrol ?

    This thread---> Websearch keeps re-installing

    Regards,
    Bubba
     
  9. Captnhook

    Captnhook Registered Member

    Joined:
    May 2, 2005
    Posts:
    6
    Location:
    New York
    I also am having SB's protection for "Huntbar Variant" deactivated. I have noticed it being turned off after I do a scan with Pest Patrol and delete the detected item (what Pest Patrol calls "Websearch ToolBar" which has the same location and registry key as SB's "Huntbar Variant"). Consecutive Pest Patrol scans come up empty but after I reactivate SpywareBlasters Protection it will suddenly reappear again in the following Pest Patrol scan.

    It is the only ActiveX CLSID showing un-protected in SpywareBlaster 3.3 (after I delete it with Pest Patrol).
    (It also shows up in the online scan from Pest Patrol http://home.ca.com/dr/v2/ec_main.en...lient=ComputerAssociates&sid=35715&CID=190325 )

    I have looked for other items associated with HuntBar/WebSearch mentioned on the Pest Patrol Website http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933 and have found none. There are no other abnormalities, files or folders I have been able to find nor any Toolbars on my browser. The only red flag I have gotten has been Pest Patrol's detection.

    My Question is this: Is there any way to determine if the Registry entry that is being detected is in fact the ActiveX Blocker CLSID that SpywareBlaster installs in the Registry? Perhaps by reading its Compatibility Flag which is 0x00000400 (1024).
    I only ask because I noted that same flag on Spywareguard's block list http://64.233.179.104/search?q=cach...910972}&hl=en&start=2&ie=UTF-8&client=googlet .
    I'd appreciate any advice (do you think it is a false positive and to disregard it or should I be concerned?) from someone who might have understanding of ActiveX Blockers and registry entries and this issue. Thanks!
     
    Last edited: May 2, 2005
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Not only is this an entry that both Spywareblaster and Spyware Guide have in their database....it's contained in others as well....Spybot and Spyware Doctor just to name 2 more. The entry placed in the registry is the same no matter which program places it there.
    As stated in a roundabout way before....disregard the False Positive by Pest Patrol....and do not be concerned.

    One's proof IMHO is simply.... "after I reactivate SpywareBlasters Protection it will suddenly reappear again in the following Pest Patrol scan."
     
  11. Captnhook

    Captnhook Registered Member

    Joined:
    May 2, 2005
    Posts:
    6
    Location:
    New York
    Thanks Bubba
    I found this article about manually tweaking Restrict ActiveX Applets in Internet Explorer http://www.winguides.com/registry/display.php/1188/ so that the control is never called on by Internet Explorer (kill bit).
    It discusses changing the value of the Compatibility Flags DWORD value to 0x400 (in hex) or 1024 (in decimal), exactly how the registry item being red flagged by Pest Patrol reads. So this definitely is a False Positive.
     
  12. CharlesDB

    CharlesDB Registered Member

    Joined:
    May 2, 2005
    Posts:
    4
    I get the same problem with the "hunter variant" and I can tell you that Pest Patrol does Not come up with a false positive. The spyware (WebToolbar) is loaded on your machine via a zip file and is then placed in the registry as denoted in Pest Patrol. You have to delete this manually. Pest Patrol doesn't do this despite claiming to delete it. Also, when you think Pest Patrol has deleted it, "Hunter variant" is disabled. The webtoolbar spyware, by the way, is downloaded with the spyware blaster program and someone needs to answer the question as to why an anti spyware program actually includes spyware. Personally, I've uninstalled the damn thing.
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    You, sir, are categorically and 100% incorrect. Javacool has never put any such thing in his programs, and you might want to notice there are no .zip files in the SpywareBlaster install. I request that you offer some evidence to support your slander.
     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I can assure you that the official downloaded Spywareblaster program does not in any way, shape or form install any spyware....whether it be this webtoolbar you mention or any other spyware. In the case of at least one poster to this thread with this problem....Pest Patrol has presented a False positive....and we await comment by the other two posters to this thread of their findings.

    Hopefully you will not give up on such a valuable program....and be convinced somehow that a)there is no adware\spyware being installed by the official Spywareblaster program and b)that Pest Patrol is indeed reporting a False positive as it concerns this thread :doubt:
     
  15. CharlesDB

    CharlesDB Registered Member

    Joined:
    May 2, 2005
    Posts:
    4
    I wouldn't dream of slandering anyone. I've no motives; I know what I have seen on my machine. That is after uninstalling and reinstalling the program twice. I run Pest Patrol. It comes up with WebSearch Toolbar. I delete it; but then find that "Hunter Variant" has been disabled. I then search the registry and find (as reported by Pest Patrol) HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatability\8952a998-1e7e-4716-b23d-3dbe03910972)
    WebSearch Toolbar
    Having deleted that, I find the Zip file on my machine and delete it also. Since then, no problems. I REPEAT. I have installed, uninstalled and reinstalled the program twice and Pest Patrol has reported this correctly in my registry both times. I am always happy to apologise if I am wrong; but I don't think I am. I tell you what though. I'll delete the installation program and download a new one from your site and tell you what happens. And instead of getting angry, why don't you investigate your end. Maybe something's gone wrong which you need to know about.
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    In order to be on the same page....you do realize that is a valid ActiveX CLSID entry placed there by Spywareblaster in order to block the Huntbar Variant (Websearch ToolBar) from being installed on a user's machine o_O
     
  17. CharlesDB

    CharlesDB Registered Member

    Joined:
    May 2, 2005
    Posts:
    4
    Well, Pest Patrol has this as Spyware, so maybe you should contact them and put them right. You say this is valid. Pest Patrol say it's not. What are we, the average users, supposed to think? Me, I'm playing safe and will not use your software until your two organisations can agree. I look forward to your joint Press Release.
     
  18. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    There is no organization to speak of here - Javacool is an individual - one man. As we have stated - this is an entry made by SWB to prevent said malware from being installed. This is a Pest Patrol false positive issue - not a SWB issue. Send the file to Pest Patrol support and they will inform you. No further investigation needs to be done here as the registry key you have quoted here is a "blocking" entry as Bubba already stated.
     
  19. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    As has been stated in this thread, this is a Pest Patrol issue. (Nothing has gone wrong on our end.)

    Pest Patrol is identifying a legitimate entry in the registry, placed there by SpywareBlaster to block the installation of a potentially unwanted program (Huntbar), as something malicious - which it obviously is not.

    As much as I try to ensure that other companies fix their false-positives and bugs, I can't babysit them through the whole process. False-positives have become a rather significant issue with spyware-removal applications recently (which SpywareBlaster is not - it's a preventative application), so you should always double-check any detections that seem odd with a scan from another spyware-removal application.

    I would hope you reconsider your stance on my software, but using it is, as always, your choice. :)

    Best regards,

    -Javacool
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You can think what you want....We as volunteers with in-depth knowledge of not only this program but the ActiveX kill bit function that Microsoft instituted many moons ago....simply convey to users like yourself what the problem is. What you do with that info concerning your Pest Patrol program is your business....not mine. I suggest you do what a lot of users do and report it to Pest Patrol so that they can be aware of their False positive....or....take the info we have attempted to share with you and await an update to Pest Patrol's database after a concerned user reports this problem for you.
     
  21. Captnhook

    Captnhook Registered Member

    Joined:
    May 2, 2005
    Posts:
    6
    Location:
    New York
    Firstly thanks for the help Bubba and THANK YOU Javacool for a great program!

    I contacted Computer Associates (Pest Patrol) earlier this morning to inform them of this false positive and I would suggest that others having similar experiences do likewise.
    They state on their website that there are unfortunately instances of false positives with their detection software and they even provide an "exclusion" list in Pest Patrol in order to handle such things until problems can be remedied.
    Unfortunately Pest Patrol's free online scan also shows this false positive and could mislead many people who also use these kill bit programs (i.e. SpywareBlaster, Spyware Doctor, etc) into thinking their machines are compromised and into making unnecessary purchases of Pest Patrol. :doubt:
    I can understand CharlesDB's confusion and frustration with regards to the Registry entry. Not everyone has the time or the patience to weed through all the technical aspects of what a kill bit is and just how it works. I have to admit I was pretty ignorant until I did my homework thanks to this false positive but forums such as this and others with the help and advice they offer have turned out to be a tremendous blessing. Thanks!

    I believe the problem with most of these false positives arises when scans are simply done of the basic registry CLSID and do not check the entry's data value of the Compatibility Flags.

    I have a question for you Javacool; do most if not all registry kill bit entries' Compatibility Flags DWORD value show up as 0x00000400 (1024)?
    Lastly would you happen to know what an infected PC's registry Compatibility Flags DWORD value entry for the Huntbar Variant would be?

    Thanks again.

    PS. CharlesDB you never mentioned where this "zip" file that you deleted was located on your machine and what its name was.
    I would suggest in the future that you not delete or manually tamper with anything on your machine that you are not 100% sure about and have not thoroughly researched and/or checked out with a technically trained person. The damage you might end up doing could be worse than any virus or malware could ever do.
     
    Last edited: May 3, 2005
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That hits the nail on the head....and not checking the data value is why False positives are also found from time to time for Restricted Site entries when scanning with Spyware\Adware cleaning programs.

    The below link is an explanation from the Microsoft Knowledgebase in regards to the setting of an ActiveX kill bit....which was the beginning for programs such as Spywareblaster, Spybot's ActiveX Immunization, Spyware Guide's block list....etc.

    This MSKB---> How to stop an ActiveX control from running in Internet Explorer
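
The check Captnhook and Bubba describe above, reading the Compatibility Flags data value instead of matching on the CLSID key alone, as an added example that is not part of the original thread or of any product discussed in it. It parses a constructed `reg export` text; the second CLSID, the DLL path, and treating an `InprocServer32` subkey as the sign of a registered control are assumptions of this example.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" value discussed in the thread
COMPAT = ("hkey_local_machine\\software\\microsoft\\internet explorer"
          "\\activex compatibility\\")
COM = "hkey_classes_root\\clsid\\"

# Constructed .reg export. The first CLSID is the one quoted in the thread;
# the second CLSID and the DLL path are made-up placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8952A998-1E7E-4716-B23D-3DBE03910972}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Example\\control.dll"
'''

def parse_reg(text):
    """Map each lower-cased key path to its {value name: raw data} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"').lower()] = data.strip().lower()
    return keys

def classify(text):
    """Return {clsid: verdict} for every ActiveX Compatibility entry."""
    keys = parse_reg(text)
    # Assumption: an InprocServer32 subkey means the control is registered.
    registered = {k[len(COM):].split("\\")[0] for k in keys
                  if k.startswith(COM) and k.endswith("\\inprocserver32")}
    report = {}
    for path, values in keys.items():
        if not path.startswith(COMPAT):
            continue
        clsid = path[len(COMPAT):]
        m = re.fullmatch(r"dword:([0-9a-f]{8})",
                         values.get("compatibility flags", ""))
        blocked = bool(m and int(m.group(1), 16) & KILL_BIT)
        if blocked:
            report[clsid] = ("control registered, blocked by kill bit"
                             if clsid in registered else "kill bit only")
        else:
            report[clsid] = ("control registered, not blocked"
                             if clsid in registered else "no kill bit, no control")
    return report
```

A scanner that stops at the key name reports both sample entries alike; `classify(SAMPLE_REG)` separates the blocking entry from the one whose control is registered and not blocked.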
     
  23. CharlesDB

    CharlesDB Registered Member

    Joined:
    May 2, 2005
    Posts:
    4
    I am just a rank amateur and I apologise if some of my comments were unjustified and have caused upset. I have also traced the Zip file to Pest Patrol which seems to be created as a quarantine file. So an apology is due here too. However, I have also done some research on WebSearch Toolbar "Changes Browser settings, hides from user, stays resident in background. Released April 18th 2005 - Hijacker." So what am I, a mere consumer, supposed to think, when this appears on a Pest Patrol scan and disappears when the program is uninstalled? You say it's a false positive. Maybe it is - but what good is that to me, as an explanation? Translated this seems to mean "trust us." Trust? On the Internet? The reason I came onto this forum in the first place was because worryingly "Hunter variant" kept disabling. There seem to be various technical explanations on this thread about this and the "false positive" which mean nothing to me. So the best thing I can do, is to wish you all luck and say goodbye. Because frankly I don't have the technical knowledge for the certainty I need to use the program. Whatever you think of my comments, come out of your technical bubble. See things from the point of view of an ordinary consumer and I think you will understand these comments have some validity.
     
  24. bkmanns

    bkmanns Registered Member

    Joined:
    May 2, 2005
    Posts:
    5
    Have a look at my thread (Enable all protection) where I am undergoing a similar problem with "restricted sites". And in my case it's more than just one item.
    But I have to agree--I am a novice also (An ordinary customer!) and I sort of have to rely on things working right out of the box. Most of this is far too technical for me as well, and unless any fix is simple "hammer and screwdriver", I'll only make things worse (as Captnhook suggests) if I attempt any fancy cures. I wish it were otherwise, but unfortunately none of this stuff is simple.
    So we'll see how my little situation progresses--
     