Browser Hijacker Deskbar

Page 1 of 3

  1. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
       #1

    Browser Hijacker Deskbar


    I have this nasty Browser Hijacker Deskbar on my system. Neither MSE nor Malwarebytes would even find it, but SAS finds it all the time. SAS quarantined and deleted it at least 8 times, but every time I reboot, the bugger is back again. I looked on the web and there were a few hints for XP, but nothing useful for Win7. Would anybody know how to deal with this bugger?
    Here is what SAS shows:


  2. Posts : 1,083
    Windows 7 Enterprise 64-bit
       #2

    Looking around, these are all the registry keys I could find related to it. It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE". These reg keys may or may not exist in your case.

    Adware.HBHelper
    HKLM\Software\Classes\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32#ThreadingModel
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\ProgID
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\Programmable
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\TypeLib
    HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\VersionIndependentProgID
    C:\WINDOWS\SYSTEM32\SEARCH\WIZARD.DLL
    HKLM\Software\Classes\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32#ThreadingModel
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib
    HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CDD839E-255C-415D-9927-3AF98318D15B}
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{BFB5F154-9212-46F3-B547-AC6106030A54}
    HKCR\XBTB01994.XBTB01994.3
    HKCR\XBTB01994.XBTB01994
    HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
    HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{BFB5F154-9212-46F3-B547-AC6106030A54}
    C:\WINDOWS\SYSTEM32\SEARCH\TBHELPER.DLL

    Adware.Tracking Cookie

    Registry Cleaner Trial
    HKCR\Install.Install
    HKCR\Install.Install\CLSID
    HKCR\Install.Install\CurVer
    HKCR\Install.Install.1
    HKCR\Install.Install.1\CLSID
    HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\SoftwareOnline.com
    HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Run#Registry Cleaner [ "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize ]

    Adware.MediaMotor
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
    C:\WINDOWS\Downloaded Program Files\amm06.inf
    C:\WINDOWS\System32\safe.tlb

    Browser Hijacker.Deskbar
    HKCR\Toolbar3.XBTB01994
    HKCR\Toolbar3.XBTB01994\CLSID
    HKCR\Toolbar3.XBTB01994\CurVer
    HKCR\Toolbar3.XBTB01994.1
    HKCR\Toolbar3.XBTB01994.1\CLSID
    HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\XBTB01994
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB01994Toolbar
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB01994Toolbar#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB01994Toolbar#UninstallString
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108180.DLL

    Desktop Hijacker.AboutYourPrivacy
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#msole [ {30B5F444-4ACB-44D0-B73C-921BBDE22937} ]
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\CAPT.GIF.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DANGER.JPG.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DOWN.GIF.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\INDEX.HTM.VIR

    Trojan.ZenoSearch
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AMERICA ONLINE 9.0B\OPTCLEAN.EXE

    Trojan.Downloader-Gen/Win
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108169.EXE

    Trojan.Downloader-Gen/AVP
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108709.EXE

    Desktop Hijacker.AboutYourPrivacy-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108711.EXE

    Trojan.Net-MSV/VPS-G
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108720.DLL

    Browser Hijacker.Deskbar/Installer
    C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE

    Trojan.Unknown Origin
    C:\WINDOWS\TEMPF.TXT
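    As an added example (not the poster's own steps, nor anything SAS does), the following read-only PowerShell audit walks the two IE persistence points that the log above lists, the Browser Helper Objects key and the Toolbar key, resolves each CLSID to its InprocServer32 DLL, and reports registrations that match the CLSIDs quoted here, point at a missing DLL, or load a DLL without a valid Authenticode signature. The CLSID list is taken from this post; an elevated session is assumed, and nothing is modified.

```powershell
# Added example (not from the thread): read-only audit of the IE persistence
# points quoted in post #2. Each BHO / toolbar CLSID is resolved to its
# InprocServer32 DLL and flagged if it matches the thread's CLSIDs, the DLL is
# missing, or the DLL has no valid Authenticode signature. Nothing is modified.
# CLSIDs quoted in post #2 (assumed indicators for this thread only).
$KnownBadClsids = @(
    '{5CDD839E-255C-415D-9927-3AF98318D15B}',   # Adware.HBHelper BHO
    '{BFB5F154-9212-46F3-B547-AC6106030A54}'    # Deskbar toolbar
)

function Resolve-ComServer {
    param([string]$Clsid)
    # HKCR is a merged view of HKLM and HKCU classes; check both hives so a
    # per-user (HKU\...) registration like the one in the log is not missed.
    foreach ($root in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $path = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

function Get-IeExtensionAudit {
    # BHOs are registered as CLSID subkeys; toolbars as CLSID-named values
    # under the Toolbar key (hence "Toolbar#{...}" in the SAS log above).
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $tbKey  = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
    $entries = @()
    if (Test-Path -LiteralPath $bhoKey) {
        Get-ChildItem -LiteralPath $bhoKey | ForEach-Object {
            $entries += [pscustomobject]@{ Kind = 'BHO'; Clsid = $_.PSChildName } }
    }
    if (Test-Path -LiteralPath $tbKey) {
        (Get-Item -LiteralPath $tbKey).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-F-]{36}\}$' } |
            ForEach-Object { $entries += [pscustomobject]@{ Kind = 'Toolbar'; Clsid = $_ } }
    }
    foreach ($e in $entries) {
        $dll    = Resolve-ComServer $e.Clsid
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() } else { 'N/A' }
        [pscustomobject]@{
            Kind = $e.Kind; Clsid = $e.Clsid; Dll = $dll; DllExists = $exists; Signature = $sig
            Suspicious = ($KnownBadClsids -contains $e.Clsid) -or (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}
Get-IeExtensionAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

    A flagged entry whose DLL reappears after removal points at a separate loader (the Run value and ShellServiceObjectDelayLoad entry in the log are the kind of thing to check next), which is why deleting the DLL alone did not hold.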


  3. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
    Thread Starter
       #3

    It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE".
    I was trying to find the installer there, but there is no WIZARD.exe in System32. I was hoping that if I deleted the installer, I could keep it from regenerating itself.


  4. Posts : 1,083
    Windows 7 Enterprise 64-bit
       #4

    Sorry, try here: C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE


  5. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
    Thread Starter
       #5

    No Favorites in System32 either.


  6. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
    Thread Starter
       #6

    Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.


  7. Posts : 11,840
    64-bit Windows 8.1 Pro
       #7

    Don't ya just love image backups?


  8. Posts : 3,028
    Windows 7 Ultimate (x64) SP1
       #8

    I'm not surprised MSE failed, but Malwarebytes? Hate to ask, but you did update the definitions before scanning, right?


  9. Posts : 1,083
    Windows 7 Enterprise 64-bit
       #9

    Yeah, I was gonna ask the same. Did you update your definitions? Also, delete any backups more recent than the one you used since the virus could have been backed up in them (system restore points).


  10. wee
    Posts : 101
    XP/W7/Lucid/Arch
       #10

    whs said:
    Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.
    Noticing the Ubuntu and Fedora on the systems you use, I'm surprised you would put up with a recurring problem like this. It is good that you had an earlier image; until I saw that you had this, I just wondered why you don't just reinstall it.



Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.