Windows 7 - Browser Hijacker Deskbar

whs · 03-20-2010

I have this nasty Browser Hijacker Deskbar on my system. Neither MSE nor Malwarebytes would even find it, but SAS finds it all the time. SAS quarenteened and deleted it at least 8 times, but every time I reboot, the bugger is back again. I looked on the web and there were a few hints for XP, but nothing useful for Windows 7. Would anybody know how to deal with this bugger.
Here is what SAS shows:

Product FRED · 03-20-2010

Looking around, these are all the registry keys I could find related for it. It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE". These reg keys may or may not exist in your case.

Quote:

Adware.HBHelper
HKLM\Software\Classes\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32#ThreadingModel
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\ProgID
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\Programmable
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\TypeLib
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\SEARCH\WIZARD.DLL
HKLM\Software\Classes\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32#ThreadingModel
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\XBTB01994.XBTB01994.3
HKCR\XBTB01994.XBTB01994
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{BFB5F154-9212-46F3-B547-AC6106030A54}
C:\WINDOWS\SYSTEM32\SEARCH\TBHELPER.DLL

Adware.Tracking Cookie
C:\Documents and Settings\localadmin\Cookies\localadmin@f2.bestmanage[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@revsci[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@f5.bestmanage[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@overture[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantispyware[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@go.drivecleaner[3].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@amaena[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@findwhat[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[5].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantivirus[4].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@ar.atwola[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantivirus[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@klik.klikadvertising[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@ads.web.aol[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@www.googleadservices[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@winantispyware[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@2o7[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@atwola[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@adult-web.freehostia[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@f3.bestmanage[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantivirus[3].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@f6.bestmanage[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@www.winantivirus[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@www.winantispyware[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@e-2dj6wbk4wgajodp.stats.esomniture[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[4].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@f1.bestmanage[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@drivecleaner[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@go.drivecleaner[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantispyware[3].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@goclick[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@winantivirus[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@stats.privacyprotector[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@stats1.reliablestats[1].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\SoftwareOnline.com
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Run#Registry Cleaner [ "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize ]

Adware.MediaMotor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\System32\safe.tlb

Browser Hijacker.Deskbar
HKCR\Toolbar3.XBTB01994
HKCR\Toolbar3.XBTB01994\CLSID
HKCR\Toolbar3.XBTB01994\CurVer
HKCR\Toolbar3.XBTB01994.1
HKCR\Toolbar3.XBTB01994.1\CLSID
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\XBTB01994
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar#UninstallString
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108180.DLL

Desktop Hijacker.AboutYourPrivacy
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad# msole [ {30B5F444-4ACB-44D0-B73C-921BBDE22937} ]
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\CAPT.GIF.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DANGER.JPG.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DOWN.GIF.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\INDEX.HTM.VIR

Trojan.ZenoSearch
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AMERICA ONLINE 9.0B\OPTCLEAN.EXE

Trojan.Downloader-Gen/Win
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108169.EXE

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108709.EXE

Desktop Hijacker.AboutYourPrivacy-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108711.EXE

Trojan.Net-MSV/VPS-G
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108720.DLL

Browser Hijacker.Deskbar/Installer
C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE

Trojan.Unknown Origin
C:\WINDOWS\TEMPF.TXT

whs · 03-20-2010

Quote:

It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE".

I was trying to find the installer there, but there is no WIZARD.exe in System32. I was hoping that if I deleted the installer, I could keep it from regenerating itself.

Product FRED · 03-20-2010

Sorry, try here: C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE

whs · 03-20-2010

No Favorites in System32 either

whs · 03-20-2010

Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.

Tews · 03-20-2010

Dont ya just love image backups??

tw33k · 03-20-2010

I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right?

Product FRED · 03-20-2010

Yeah, I was gonna ask the same. Did you update your definitions? Also, delete any backups more recent than the one you used since the virus could have been backed up in them (system restore points).

wee · 03-20-2010

Quote: Originally Posted by whs

Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.

Noticing the Ubuntu and Fedora on the systems you use I'm surprised you would put up with a reoccurring problem like this. It is good that you had an earlier image, until I saw that you had this I just wondered why don't you just reinstall it.

Windows 7 - Browser Hijacker Deskbar

Browser Hijacker Deskbar problems?