Browser Hijacker Deskbar

[whs]

I have this nasty Browser Hijacker Deskbar on my system. Neither MSE nor Malwarebytes would even find it, but SAS finds it all the time. SAS quarenteened and deleted it at least 8 times, but every time I reboot, the bugger is back again. I looked on the web and there were a few hints for XP, but nothing useful for Win7. Would anybody know how to deal with this bugger.
Here is what SAS shows:

 

[Product FRED]

Looking around, these are all the registry keys I could find related for it. It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE". These reg keys may or may not exist in your case.

Adware.HBHelper
HKLM\Software\Classes\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\InprocServer32#ThreadingModel
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\ProgID
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\Programmable
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\TypeLib
HKCR\CLSID\{5CDD839E-255C-415D-9927-3AF98318D15B}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\SEARCH\WIZARD.DLL
HKLM\Software\Classes\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32#ThreadingModel
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CDD839E-255C-415D-9927-3AF98318D15B}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\XBTB01994.XBTB01994.3
HKCR\XBTB01994.XBTB01994
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{BFB5F154-9212-46F3-B547-AC6106030A54}
C:\WINDOWS\SYSTEM32\SEARCH\TBHELPER.DLL

Adware.Tracking Cookie
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@revsci[2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@overture[2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][3].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@amaena[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@findwhat[1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][5].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][4].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@winantispyware[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@2o7[1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@atwola[1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][3].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][4].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@drivecleaner[1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][3].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@goclick[2].txt
C:\Documents and Settings\localadmin\Cookies\localadmin@winantivirus[2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][2].txt
C:\Documents and Settings\localadmin\Cookies\[email protected][1].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\SoftwareOnline.com
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Run#Registry Cleaner [ "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize ]

Adware.MediaMotor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\System32\safe.tlb

Browser Hijacker.Deskbar
HKCR\Toolbar3.XBTB01994
HKCR\Toolbar3.XBTB01994\CLSID
HKCR\Toolbar3.XBTB01994\CurVer
HKCR\Toolbar3.XBTB01994.1
HKCR\Toolbar3.XBTB01994.1\CLSID
HKU\S-1-5-21-1606980848-57989841-682003330-1006\Software\XBTB01994
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB01994.XBTB0199 4Toolbar#UninstallString
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108180.DLL

Desktop Hijacker.AboutYourPrivacy
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad# msole [ {30B5F444-4ACB-44D0-B73C-921BBDE22937} ]
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\CAPT.GIF.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DANGER.JPG.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DOWN.GIF.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\INDEX.HTM.VIR

Trojan.ZenoSearch
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AMERICA ONLINE 9.0B\OPTCLEAN.EXE

Trojan.Downloader-Gen/Win
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP488\A0108169.EXE

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108709.EXE

Desktop Hijacker.AboutYourPrivacy-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108711.EXE

Trojan.Net-MSV/VPS-G
C:\SYSTEM VOLUME INFORMATION\_RESTORE{99F924F0-F72C-49BC-B462-F7ED3DB7F23D}\RP492\A0108720.DLL

Browser Hijacker.Deskbar/Installer
C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE

Trojan.Unknown Origin
C:\WINDOWS\TEMPF.TXT

 

[whs]

It's notable that the installer for it is "C:\WINDOWS\SYSTEM32\WIZARD.EXE".

I was trying to find the installer there, but there is no WIZARD.exe in System32. I was hoping that if I deleted the installer, I could keep it from regenerating itself.

 

[Product FRED]

Sorry, try here: C:\WINDOWS\SYSTEM32\FAVORITES\WIZARD.EXE

 

[whs]

No Favorites in System32 either

 

[whs]

Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.

 

[Tews]

Dont ya just love image backups??

 

[tw33k]

I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right?

 

[Product FRED]

Yeah, I was gonna ask the same. Did you update your definitions? Also, delete any backups more recent than the one you used since the virus could have been backed up in them (system restore points).

 

[wee]

Since I could not get rid of the bugger, I set the system back to an image of 4 weeks ago. That fixed it.

Noticing the Ubuntu and Fedora on the systems you use I'm surprised you would put up with a reoccurring problem like this. It is good that you had an earlier image, until I saw that you had this I just wondered why don't you just reinstall it.

 

[whs]

Dont ya just love image backups??

Absolutely, imaging is the only way to go. And do it frequently.

PS: Of course I upated the Malwarebytes definitions. I always do with all scanners.

 

[whs]

Yeah, I was gonna ask the same. Did you update your definitions? Also, delete any backups more recent than the one you used since the virus could have been backed up in them (system restore points).

Fred, I don't use restore points (shadows) - only images. I am on a SSD and space is scarce.

 

[malexous]

I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right?

Is there any particular reason why Malwarebytes should have caught it? It may be very good but it is no god.

Malware Research Group

 

[Jaxryley]

I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right?

Is there any particular reason why Malwarebytes should have caught it? It may be very good but it is no god.

If it hasn't been seen by or uploaded to any AV/AM vendors then it won't be in their database to detect/remove.

You could try Combofix to get this one sorted but it is an awfully powerful removal tool and one that I usually use as a last resort.

 

[whs]

I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right?

Is there any particular reason why Malwarebytes should have caught it? It may be very good but it is no god.

If it hasn't been seen by or uploaded to any AV/AM vendors then it won't be in their database to detect/remove.

You could try Combofix to get this one sorted but it is an awfully powerful removal tool and one that I usually use as a last resort.

Thanks for the tip, but I solved it by restoring an earlier image.

 

[Johnson]

Is there any particular reason why Malwarebytes should have caught it? It may be very good but it is no god.

If it hasn't been seen by or uploaded to any AV/AM vendors then it won't be in their database to detect/remove.

You could try Combofix to get this one sorted but it is an awfully powerful removal tool and one that I usually use as a last resort.

Thanks for the tip, but I solved it by restoring an earlier image.

I would do the same as whs - try to deal with the malware to see what works/what doesn't and then restore an image whether I thought that it was successfully dealt with or not.

 

[malexous]

I'm not surprised MSE failed but MalwareBytes? Hate to ask but you did update the definitions before scanning right?

Is there any particular reason why Malwarebytes should have caught it? It may be very good but it is no god.

If it hasn't been seen by or uploaded to any AV/AM vendors then it won't be in their database to detect/remove.

Malwarebytes, according to whs, did not find it. Surely there are lots of malware out there that Malwarebytes won't detect, therefore, I don't see why tw33k is surprised.

 

[Product FRED]

No AV/AS is 100% accurate. It's impossible to be when there are new threats emerging every minute of every day. Your best defense is your mind. Use it wisely.

 

[whs]

After running for about 10 hours with the restored system I ran SAS again and am pleased with the result.

 

[Jacee]

This entry is classified as malware, spyware, adware, or other potentially unwanted software.

If the description states that it is malware, you should immediately run a trusted anti-virus and anti-spyware tool.


Item Details
Type: BHOCLSID: {5CDD839E-255C-415D-9927-3AF98318D15B}Name: XBTB01994Filename: wizard.dllDescription: SearchWizard, a stealth installed Softomate Toolbar variant, detected by Kaspersky antivirus as AdWare.Win32.Softomate.ah