Strange Virus that can`t be found

[Jeff]

Hi,

Has anyone come across Hbinst.exe from their virus scan?
I have Nortons Anti-virus 2004, its updated and keep
detecting hbinst.exe and can`t delete it. I have done a
web search about it and did everything they suggested, but
to no avail, its still shows up when Nortons does a scan.
I have searched my whole computer and cannot find this so
call file. Do you think its a bug in NAV. I also when to
some online virus checking sites and they didn`t find
anything. I have Spybot S&D, SpyGuard, SpyBlaster,
PestPatrol, and GuardBar running on this computer, also on
two other computers. The other computers NAV do not
detect this. Thanks for any possible answers.

 

[eagle]

http://www.liutilities.com/products/wintaskspro/processlibrary/hbinst/
just info

and there may be something in the temp files of a download
or hijack that may at some point download the rest of
'''''''hotbar''''''
so beware.
and is the guardbar install giving any strange quirks? just
the forums have it listed as questionable if it actually
does anything good.
and try ad-aware at lavasoftusa.com spybot has become
version 1.3

 

[Carl G]

Does norton say where the virus is hideing ?
It may be hidden in your system restore files which are unacessiable to
virus scanners.
Have to turn off system restore and reboot the pc, that will delete all
restore points.
Then go back to system restore and turn it back on and create a restore
point.
That procedure is for only if that is where the virus is.
Hope this helps

 

[Jeff]

Hi,

Thanks for replying.. I have tried that and no go, NAV
doesn`t say where it is, the logs don`t even record it,
except for the error logs. The other two system has no
problem.

Jeff

 

[Jeff]

Hi,

GuardBar hasn`t given me any problems, it actually stopped
some spyware from installing and I like its Popup blocker
better than a few I have used in the past. I have it
installed on 4 systesm, 3 at home and my work system. no
problems at all.

Jeff

 

[PA Bear]

Dealing with Trojans & Hijackware

A. Trojans

1. Check in at Windows Update and install all critical updates & reboot.

2. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

3. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow *all* Removal steps, including editing the Registry if directed.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then:

Disk Cleanup > More options > Delete all but the most recent Restore
Point.

B. Hijackware

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder v1.59.1 (no updates available currently; fix all found)

2. Ad-Aware SE (reconfigure per Post #2 in
http://aumha.org/forum/viewtopic.php?t=5877; fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Are You Ready for WinXP SP2?
http://www.microsoft.com/athome/security/protect/default.aspx

WinXP SP2 Release Notes
http://support.microsoft.com/default.aspx?scid=kb;en-us;835935

AumHa Forums
http://forum.aumha.org

 

[Kelly]

Hi Jeff,

hbinst - hbinst.exe - Process Information
Process File: hbinst or hbinst.exe
Process Name: HBINST
Description: Installer for a program called "HotBar". Hotbar enhances the
surfing experience offering a variety of innovative and fresh skins for the
browser while providing users worldwide access to various services. These
programs gather information on your browsing habits and transmit it back to
HotBar.
Company: Hotbar.com Inc
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A

Removal process:
http://www.2-spyware.com/file-hbinst-exe.html

 

[Jeff]

Hi PA Bear,

All my virus defs are up to date, all my spyware soft are
also up to date, windows updates are all up to date. I`ve
run various programs and nothing sees it except for NAV.
It won`t tell where it is and it can`t delete it. I have
done an extensive search throughout my system and
nothing. Its almost acting like Spybot S&D that can`t get
past the DSO Exploit. I have run several online scans as
well as my NAV. I haven`t installed any hotbars and I
rarely web browse with this computer, I use my other comps
to web browse. Besides my system AV, my ISP also provides
AV checking. Just can`t seem to find where this adware is
hiding.

Jeff

-----Original Message-----
Dealing with Trojans & Hijackware

A. Trojans

1. Check in at Windows Update and install all critical updates & reboot.

2. Download and run Stinger

(http://vil.nai.com/vil/stinger/); then...

3. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/ad ware.winfavorites.html)
and follow *all* Removal steps, including editing the Registry if directed.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then:

Disk Cleanup > More options > Delete all but the most recent Restore
Point.

B. Hijackware

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder v1.59.1 (no updates available currently; fix all found)

2. Ad-Aware SE (reconfigure per Post #2 in
http://aumha.org/forum/viewtopic.php?t=5877; fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Are You Ready for WinXP SP2?
http://www.microsoft.com/athome/security/protect/default.a spx

WinXP SP2 Release Notes
http://support.microsoft.com/default.aspx?scid=kb;en- us;835935

AumHa Forums
http://forum.aumha.org

Hi,

Has anyone come across Hbinst.exe from their virus scan?
I have Nortons Anti-virus 2004, its updated and keep
detecting hbinst.exe and can`t delete it. I have done a
web search about it and did everything they suggested, but
to no avail, its still shows up when Nortons does a scan.
I have searched my whole computer and cannot find this so
call file. Do you think its a bug in NAV. I also when to
some online virus checking sites and they didn`t find
anything. I have Spybot S&D, SpyGuard, SpyBlaster,
PestPatrol, and GuardBar running on this computer, also on
two other computers. The other computers NAV do not
detect this. Thanks for any possible answers.

.

 

[PA Bear]

Hey there, Jeff.

What/how, exactly, does NAV report HBINST.EXE during a scan? Post the
verbatim "report" here.

Now, not to be pedantic but...

Did you run NAV per http://aumha.org/forum/viewtopic.php?t=5878?

Hbinst.exe is very much associated with Hotbar (e.g.,
http://www.liutilities.com/products/wintaskspro/processlibrary/hbinst/ and
http://snipurl.com/8y5h) though the current instances of HBINST.EXE may have
been a "drive by" install from another hijacker or Trojan (cf.
http://snipurl.com/8y5p). (Do you or did you ever have a P2P file sharing
app installed, like <spit> Kazaa or <spit again> BearShare? Do others have
Remote Access to your machine via, say, an Instant Messenger?)

Are you running Ad-aware SE? Do you have the most recent download of 1.04
reffile installed (there have been 3 so far! Long story)? Have you
reconfigured Ad-aware per http://aumha.org/forum/viewtopic.php?t=5877? Have
you run Ad-aware in Safe Mode?

Are you running Spybot v1.3 with Detection Update 30 Aug-04 installed? Have
you ever open Spybot to its Immunize tab and immunized against all listed
items? Have you run Spybot in Safe Mode?

Have you downloaded HijackThis v1.98.2, enabled 'Show Hidden Files', booted
into Safe Mode and then run HijackThis, saving your log and posting it to an
appropriate forum *and* been given the All Clear by one or more of the
"pros"?

If you can't say Yes to all of the above, your system cannot be said to be
clean.
--
~PA Bear
"2,600+ posts about Hijackware/Trojans in past 12 months alone & counting!"

Hi PA Bear,

All my virus defs are up to date, all my spyware soft are
also up to date, windows updates are all up to date. I`ve
run various programs and nothing sees it except for NAV.
It won`t tell where it is and it can`t delete it. I have
done an extensive search throughout my system and
nothing. Its almost acting like Spybot S&D that can`t get
past the DSO Exploit. I have run several online scans as
well as my NAV. I haven`t installed any hotbars and I
rarely web browse with this computer, I use my other comps
to web browse. Besides my system AV, my ISP also provides
AV checking. Just can`t seem to find where this adware is
hiding.

Jeff

-----Original Message-----
Dealing with Trojans & Hijackware

A. Trojans

1. Check in at Windows Update and install all critical updates & reboot.

2. Download and run Stinger

(http://vil.nai.com/vil/stinger/); then...

3. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/ad
ware.winfavorites.html) and follow *all* Removal steps, including editing
the Registry if directed.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then:

Disk Cleanup > More options > Delete all but the most recent Restore
Point.

B. Hijackware

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder v1.59.1 (no updates available currently; fix all found)

2. Ad-Aware SE (reconfigure per Post #2 in
http://aumha.org/forum/viewtopic.php?t=5877; fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool
to
use. It will help you to both identify and remove any
hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not
here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Are You Ready for WinXP SP2?
http://www.microsoft.com/athome/security/protect/default.a spx

WinXP SP2 Release Notes
http://support.microsoft.com/default.aspx?scid=kb;en- us;835935

AumHa Forums
http://forum.aumha.org

Hi,

Has anyone come across Hbinst.exe from their virus scan?
I have Nortons Anti-virus 2004, its updated and keep
detecting hbinst.exe and can`t delete it. I have done a
web search about it and did everything they suggested, but
to no avail, its still shows up when Nortons does a scan.
I have searched my whole computer and cannot find this so
call file. Do you think its a bug in NAV. I also when to
some online virus checking sites and they didn`t find
anything. I have Spybot S&D, SpyGuard, SpyBlaster,
PestPatrol, and GuardBar running on this computer, also on
two other computers. The other computers NAV do not
detect this. Thanks for any possible answers.

.

 

[Kelly]

Hi Jeff,

The exact path will be listed either via Ad-Aware or Spybot. Post it here.
In the meantime, run Doug's Startup Programs Tracker and take a look at the
log file.
http://www.kellys-korner-xp.com/xp_u.htm#xp_util

Hi PA Bear,

All my virus defs are up to date, all my spyware soft are
also up to date, windows updates are all up to date. I`ve
run various programs and nothing sees it except for NAV.
It won`t tell where it is and it can`t delete it. I have
done an extensive search throughout my system and
nothing. Its almost acting like Spybot S&D that can`t get
past the DSO Exploit. I have run several online scans as
well as my NAV. I haven`t installed any hotbars and I
rarely web browse with this computer, I use my other comps
to web browse. Besides my system AV, my ISP also provides
AV checking. Just can`t seem to find where this adware is
hiding.

Jeff

-----Original Message-----
Dealing with Trojans & Hijackware

A. Trojans

1. Check in at Windows Update and install all critical updates & reboot.

2. Download and run Stinger

(http://vil.nai.com/vil/stinger/); then...

3. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/ad ware.winfavorites.html)
and follow *all* Removal steps, including editing the Registry if directed.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then:

Disk Cleanup > More options > Delete all but the most recent Restore
Point.

B. Hijackware

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder v1.59.1 (no updates available currently; fix all found)

2. Ad-Aware SE (reconfigure per Post #2 in
http://aumha.org/forum/viewtopic.php?t=5877; fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Are You Ready for WinXP SP2?
http://www.microsoft.com/athome/security/protect/default.a spx

WinXP SP2 Release Notes
http://support.microsoft.com/default.aspx?scid=kb;en- us;835935

AumHa Forums
http://forum.aumha.org

Hi,

Has anyone come across Hbinst.exe from their virus scan?
I have Nortons Anti-virus 2004, its updated and keep
detecting hbinst.exe and can`t delete it. I have done a
web search about it and did everything they suggested, but
to no avail, its still shows up when Nortons does a scan.
I have searched my whole computer and cannot find this so
call file. Do you think its a bug in NAV. I also when to
some online virus checking sites and they didn`t find
anything. I have Spybot S&D, SpyGuard, SpyBlaster,
PestPatrol, and GuardBar running on this computer, also on
two other computers. The other computers NAV do not
detect this. Thanks for any possible answers.

.