 | |
| |
| 20 Mar 2010 | #1 |
| | Browser Hijacker Deskbar I have this nasty Browser Hijacker Deskbar on my system. Neither MSE nor Malwarebytes would even find it, but SAS finds it all the time. SAS quarenteened and deleted it at least 8 times, but every time I reboot, the bugger is back again. I looked on the web and there were a few hints for XP, but nothing useful for Windows 7. Would anybody know how to deal with this bugger. Here is what SAS shows:  |
My System Specs | |
| 20 Mar 2010 | #2 |
| | Looking around, these are all the registry keys I could find related for it. It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE". These reg keys may or may not exist in your case. Quote: Adware.HBHelper HKLM\Software\Classes\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B} HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B} HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B} HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32 HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32#ThreadingModel HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\ProgID HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\Programmable HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\TypeLib HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\VersionIndependentProgID C:\WINDOWS\SYSTEM32\SEARCH\WIZARD.DLL HKLM\Software\Classes\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32#ThreadingModel HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CDD839E-255C-415D-9927-3AF98318D15B} HKLM\Software\Microsoft\Internet Explorer\Toolbar#{BFB5F154-9212-46F3-B547-AC6106030A54} HKCR\XBTB01994.XBTB01994.3 HKCR\XBTB01994.XBTB01994 HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10} HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{BFB5F154-9212-46F3-B547-AC6106030A54} C:\WINDOWS\SYSTEM32\SEARCH\TBHELPER.DLL Adware.Tracking Cookie C:\Documents and Settings\localadmin\Cookies\localadmin@f2.bestmanage[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@revsci[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@f5.bestmanage[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@overture[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantispyware[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@go.drivecleaner[3].txt C:\Documents and Settings\localadmin\Cookies\localadmin@amaena[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@findwhat[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[5].txt C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantivirus[4].txt C:\Documents and Settings\localadmin\Cookies\localadmin@ar.atwola[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantivirus[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@klik.klikadvertising[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@ads.web.aol[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@www.googleadservices[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@winantispyware[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@2o7[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@atwola[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@adult-web.freehostia[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@f3.bestmanage[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantivirus[3].txt C:\Documents and Settings\localadmin\Cookies\localadmin@f6.bestmanage[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@www.winantivirus[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@www.winantispyware[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@e-2dj6wbk4wgajodp.stats.esomniture[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[4].txt C:\Documents and Settings\localadmin\Cookies\localadmin@f1.bestmanage[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@drivecleaner[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@go.drivecleaner[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@go.winantispyware[3].txt C:\Documents and Settings\localadmin\Cookies\localadmin@goclick[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@winantivirus[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@stats.privacyprotector[1].txt C:\Documents and Settings\localadmin\Cookies\localadmin@67.15.239[2].txt C:\Documents and Settings\localadmin\Cookies\localadmin@stats1.reliablestats[1].txt Registry Cleaner Trial HKCR\Install.Install HKCR\Install.Install\CLSID HKCR\Install.Install\CurVer HKCR\Install.Install.1 HKCR\Install.Install.1\CLSID HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\SoftwareOnline.com HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Run#Registry Cleaner [ "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize ] Adware.MediaMotor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner C:\WINDOWS\Downloaded Program Files\amm06.inf C:\WINDOWS\System32\safe.tlb Browser Hijacker.Deskbar HKCR\Toolbar3.XBTB01994 HKCR\Toolbar3.XBTB01994\CLSID HKCR\Toolbar3.XBTB01994\CurVer HKCR\Toolbar3.XBTB01994.1 HKCR\Toolbar3.XBTB01994.1\CLSID HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\XBTB01994 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar#DisplayName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar#UninstallString C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108180.DLL Desktop Hijacker.AboutYourPrivacy HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad# msole [ {30B5F444-4ACB-44D0-B73C-921BBDE22937} ] C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\CAPT.GIF.VIR C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DANGER.JPG.VIR C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DOWN.GIF.VIR C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\INDEX.HTM.VIR Trojan.ZenoSearch C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AMERICA ONLINE 9.0B\OPTCLEAN.EXE Trojan.Downloader-Gen/Win C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108169.EXE Trojan.Downloader-Gen/AVP C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108709.EXE Desktop Hijacker.AboutYourPrivacy-Installer C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108711.EXE Trojan.Net-MSV/VPS-G C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108720.DLL Browser Hijacker.Deskbar/Installer C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE Trojan.Unknown Origin C:\WINDOWS\TEMPF.TXT |
| My System Specs |
| 20 Mar 2010 | #3 |
| | Quote: It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE". |
| My System Specs |
| . |
| |
| 20 Mar 2010 | #4 |
| | Sorry, try here: C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE |
| My System Specs |
| 20 Mar 2010 | #5 |
| | No Favorites in System32 either |
| My System Specs |
| 20 Mar 2010 | #6 |
| | Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it. |
| My System Specs |
| 20 Mar 2010 | #7 |
| | Dont ya just love image backups?? |
| My System Specs |
| 20 Mar 2010 | #8 |
| | I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right? |
| My System Specs |
| 20 Mar 2010 | #9 |
| | Yeah, I was gonna ask the same. Did you update your definitions? Also, delete any backups more recent than the one you used since the virus could have been backed up in them (system restore points). |
| My System Specs |
| 20 Mar 2010 | #10 |
| | 
Quote: Originally Posted by whs  Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it. |
| My System Specs |
 |
Browser Hijacker Deskbar problems?
| Thread Tools | |
| Similar help and support threads for: Browser Hijacker Deskbar | ||||
| Thread | Forum | |||
 How do I get rid of web browser hijacker | System Security | |||
| Recovering the right click options of deskbar elements | Customization | |||
| locations of my deskbar content popping up & grouped ... | Customization | |||
| mrcleanpc.com hijacker? | System Security | |||
| How would you remove Search Engine Hijacker | System Security | |||
All times are GMT -5. The time now is 10:19 PM.
