Wallpaper hijacked!

[przero]

One of our machines at work has had the wallpaper hijacked. It's a blank tan page. When you right click in the page, the drop box shows it as a web page. The machine has Bargain Buddy and a URL.Catcher, that no spyware removal tools can fix. I all can find is that explorer.exe was modified, but I can't fix it. Any ideas?

 

[amdskip]

Display properties in control panel -> Desktop -> Customize Desktop -> Web tab

That should get you started. Try installing and running Microsoft AntiSpyware too

 

[mechBgon]

Also, what antivirus software are you guys using? Brand and version, that would be interesting to know.

Big picture: if the machine has BargainBuddy on it, someone's overdue to be shorn of their Administrator/Power-User status. Make 'em a Restricted User.

 

[przero]

MS AntiSpyware will not start. And the reg keys will not delete.

 

[przero]

Norton anti-virus.

 

[mechBgon]

Nuke the box and reinstall Windows, it'll save you time in the long run. Make sure whoever it was, they never have a Power-User or Administrator-class account again. What antivirus products are you using?

edit: oh, Norton. What version? Can I suggest something different or do you have like a site license for it or something?

 

[WiseOldDude]

run your spyware removal tools in safe mode

 

[przero]

Ran adaware, spybot, hijack this, etc. in safe mode. Bargain Buddy won't leave.

 

[WiseOldDude]

Google remove bargain buddy and you will find many sources spelling out step by step procedures to remove this adware from your system.

 

[przero]

I did. No success yet. They all use the premise of deleting the reg keys and they re-appear. And the URL.Catcher reg keys CANNOT be deleted. There are NO processes running other than normal MS processes.

 

[mechBgon]

Like I said, blow away the compromised Windows installation. You'd be done by now

If you want to keep fighting, look in your Windows Services for services with Started status that are related to the malware. Also, I suggest uninstalling Norton for now, and install a 30-day trial version of Kaspersky: http://www.kaspersky.com/trials Based on my de-spywaring episode with my little sister's system, it's better than Norton and even McAfee.

Also, take the drive out of the affected system, put it in a different system as a slave, install Kaspersky and Microsoft AntiSpyware, and scan in the other system where the bugs can't fight back. Use Maximum on the on-access and on-demand scanners in Kaspersky, and click "Configure Updater" and set it to use Extended Databases.