Windows 7: Browser Hijacker Deskbar

20 Mar 2010   #1
whs

Microsoft Community Contributor Award Recipient

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 
Browser Hijacker Deskbar

I have this nasty Browser Hijacker Deskbar on my system. Neither MSE nor Malwarebytes would even find it, but SAS finds it all the time. SAS quarantined and deleted it at least 8 times, but every time I reboot, the bugger is back again. I looked on the web and there were a few hints for XP, but nothing useful for Windows 7. Would anybody know how to deal with this bugger?
Here is what SAS shows:



20 Mar 2010   #2

Windows 7 Enterprise 64-bit
 
 

Looking around, these are all the registry keys I could find related to it. It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE". These reg keys may or may not exist in your case.

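One way to see where a browser add-on that keeps returning after reboot is loaded from, as an added example that is not part of any post in this thread: this read-only PowerShell script lists the standard Windows registry locations for Browser Helper Objects, Internet Explorer toolbars and Run entries, and shows the file each one points at. The helper names `Resolve-ClsidServer` and `New-Entry` are made up for the example.

```powershell
# Added example, not from the thread. Read-only: lists browser and logon load
# points and the file each resolves to. Written for Windows 7's PowerShell 2.0.
$sw = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'   # native and 32-bit views

function Resolve-ClsidServer($Root, $Clsid) {          # hypothetical helper
    $key = "$Root\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        (Get-Item -LiteralPath $key).GetValue('')      # default value = DLL path
    }
}
function New-Entry($Source, $Name, $Target) {          # hypothetical helper
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Target = $Target }
}

$entries = @(foreach ($root in $sw) {
    # Browser Helper Objects: one subkey per CLSID
    $bho = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue | ForEach-Object {
        New-Entry 'BHO' $_.PSChildName (Resolve-ClsidServer $root $_.PSChildName)
    }
    # Internet Explorer toolbars: one value per CLSID
    $tb = Get-Item -LiteralPath "$root\Microsoft\Internet Explorer\Toolbar" -ErrorAction SilentlyContinue
    if ($tb) {
        $tb.GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object {
            New-Entry 'Toolbar' $_ (Resolve-ClsidServer $root $_)
        }
    }
    # Machine-wide Run values: one command line per value
    $run = Get-Item -LiteralPath "$root\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) { $run.GetValueNames() | ForEach-Object { New-Entry 'Run' $_ $run.GetValue($_) } }
})
# Per-user Run values for the account running the script
$hkcu = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($hkcu) { $entries += @($hkcu.GetValueNames() | ForEach-Object { New-Entry 'Run' $_ $hkcu.GetValue($_) }) }

$entries | ForEach-Object {
    $t = "$($_.Target)".Trim()
    if ($t -match '^"([^"]+)"') { $t = $Matches[1] }             # quoted path
    elseif ($_.Source -eq 'Run') { $t = ($t -split '\s+')[0] }   # bare command line: first token only
    $exists = [bool]$t -and (Test-Path -LiteralPath $t)
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $t).Status } else { 'n/a' }
    $_ | Add-Member NoteProperty FileExists $exists -PassThru |
         Add-Member NoteProperty Signature $sig -PassThru
} | Format-List Source, Name, Target, FileExists, Signature
```

A `NotSigned` result is a prompt to look closer rather than a verdict, since files signed only through a catalog can show as `NotSigned` on older PowerShell versions.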
20 Mar 2010   #3
whs

Microsoft Community Contributor Award Recipient

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Quote:
It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE".
I was trying to find the installer there, but there is no WIZARD.exe in System32. I was hoping that if I deleted the installer, I could keep it from regenerating itself.


20 Mar 2010   #4

Windows 7 Enterprise 64-bit
 
 

Sorry, try here: C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE
20 Mar 2010   #5
whs

Microsoft Community Contributor Award Recipient

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

No Favorites in System32 either
20 Mar 2010   #6
whs

Microsoft Community Contributor Award Recipient

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.
20 Mar 2010   #7

64-bit Windows 8.1 Pro
 
 

Don't ya just love image backups??
20 Mar 2010   #8

Windows 7 Ultimate (x64) SP1
 
 

I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right?
20 Mar 2010   #9

Windows 7 Enterprise 64-bit
 
 

Yeah, I was gonna ask the same. Did you update your definitions? Also, delete any backups more recent than the one you used since the virus could have been backed up in them (system restore points).
20 Mar 2010   #10
wee

XP/W7/Lucid/Arch
 
 

Quote: Originally Posted by whs
Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.
Noticing the Ubuntu and Fedora on the systems you use I'm surprised you would put up with a reoccurring problem like this. It is good that you had an earlier image, until I saw that you had this I just wondered why don't you just reinstall it.