Is mybrowserbar.com malicious?

Recently, Chrome started redirecting me to http://api.mybrowserbar.com/cgi/errors.cgi?{etcetera} (“Oops! This page appears broken. DNS Error - Server cannot be found.”) when I enter a bad domain name. IE Explorer and Firefox still behave as before.

What is this “mybrowserbar”?

Googling for “mybrowserbar.com” I see a claim that it is malicious (with “root kit” etc. !) and that I should remove it (following instructions!). With my luck, it would be the removal process that is malicious.

I hate packages that install without my request, and would be happy to remove this one, if I were sure the removal wouldn’t do more harm than good.

It’s malware and you should remove it.

These days, malware pretty much HAS to ask your permission to install - something you clicked in all innocence was a trap. Didn’t you think it was unusual that the link didn’t take you to Scarlett Johansson’s dressing room web cam? :smiley:

Ideally, you’d download a removal tool (or find removal instructions) on a computer that is known to be clean (free of malware or viruses), and run the tool or follow the instructions on the infected computer.

However, my experience has been that undesired browser toolbars are more like spam than viruses or trojans: annoying, but not intentionally difficult to remove.

If it were me, I’d just download an anti-malware app in one of the other browsers and let it remove the toolbar. This would also tell me how severe the infection is. If the major anti-malware sites are blocked (or redirect to some ad site) on the infected machine I switch to full decon mode and focus on saving any necessary documents and files (i.e. game saves, music and video files, possibly uninstalling or deauthorizing DRM-locked apps and such) preparatory to doing a full wipe and reinstall.

OK, I’m at Remove Api.mybrowserbar.com redirect (Virus Removal Instructions) (using Firefox browser) and intend to click on the big green Download Automatic Remover.

I’ll check here in 5 minutes before clicking. I guess 2-spyware (why the “2-” ?) is a “good guy” but I’m paranoid…

(Stupid question: Downloading it via Firefox, will it just delete the Trojan from Firefox, the unaffected browser??)

Progress report:

I downloaded and ran SpyHunter 4 Full Scan. After almost an hour and processing almost 500k+ Items it Detected 134 Threats:

  • {HackTool:Win32/Keygen} Patch.exe (badness 4 on scale of 5)
  • {Softonic Search/Toolbar} softonic.com:Preferences (badness 3)
  • 132 x Cookies (badness 1)

About the time that HackTool:Win32/Keygen was discovered, ESET Nod32 Antivirus 5 popped up to report a Potential threat:
Win32/Toolbar.Widgi at c:\Program Files (x86)\Search.con Toolbar\WidgiHelper.exe
“Event occurred during an attempt … by … SpyHunter4.exe.”

I reconnected to Internet as instructed; clicked Fix when instructed only to be told that a Credit Card number would be necessary to actually Fix the detected threats! :frowning: (I don’t even have a card I use on Internet.)

I clicked Fix on the error reported by ESET Nod32 Antivirus 5.
… But Chrome still redirects to api.mybrowserbar.com.

Any suggestions for next step?

As a general rule: if it’s a toolbar, it’s malicious, at least to the point of being spyware.

I’ve decided to remove both
{HackTool:Win32/Keygen} Patch.exe
and
{Softonic Search/Toolbar} softonic.com:Preferences

Typing “HackTool:Win32/Keygen removal” into Google I see an almost useless Youtube, and several sites described as easy instructions … but clicking on them gives an ESET Malware page warning. The procedures apparently begin by booting into Safe Network mode; I’ll try to understand the whole procedure and do that later.

Meanwhile I’ve downloaded and run Malwarebytes Anti-Malware 1.70.0.1100 and RKill.exe, to no apparent avail.

I’ll try removing Softonic Search/Toolbar for a while – maybe that’s easier than removing HackTool:Win32/Keygen.

Actually, there are exploits that only involve getting you to browse to an infected web page - no user interaction is required. See this month’s Microsoft security bulletin.

I’ll post a further report.

The original symptom turned out to be easy to fix. Chrome had a Search Bar add-on that could be disabled and deleted. (Firefox had a similar add-on that wasn’t enabled.) I deleted these add-ons and also located the Search Bar program in Control-Panel–>Programs and Features and uninstalled it there. My original complaint, about api.mybrowserbar.com, went away as soon as I disabled that add-on. I should be happy I was too ignorant to just do this first, as I wouldn’t have learned about these other Trojans.

I rebooted and reran SpyHunter 4 Quick scan (the free version detects even though it doesn’t delete) and (eventually*) it found two threats (other than Cookies and Adverts):

  • {Softonic Search/Toolbar} softonic.com:Preferences (badness 3)
  • {Softonic Search/Toolbar} softonic.com:Web Data (badness 3)

I’d assumed that the “Search/Toolbar” was what I’d deleted, but now it gets two hits instead of one.

{HackTool:Win32/Keygen} Patch.exe is missing now, despite that AFAIK the only change was the removal of the add-ons.

Despite that Hacktool didn’t show up in this quick scan, I still may try to follow the instructions at

(Despite being only the unregistered demo, Spyware 4 is very aggressive, alerting me to every execution, etc., so I’ve disabled it.)

I’ve abbreviated this report. Even the quick scan seems to check every file (I’ve over 500,000) so takes a while. I slept for several hours during one scan, awoke to a dark screen – though the white ON light was on. Pushed buttons for a while without response, finally forced power-off. :frowning:

One final post to bring closure to the thread. None of the afore-mentioned threats are reported by Spyhunter anymore! They were eventually destroyed with minimal effort.

Recall that Spyhunter reported three threats:

  • {HackTool:Win32/Keygen} Patch.exe
  • {Softonic Search/Toolbar} softonic.com:Preferences
  • {Softonic Search/Toolbar} softonic.com:Web Data

I wish such tools reported absolute file path names when relevant, but guessing that “Preferences” and “Web Data” might be file names, I found them in one of Chrome’s subfolders and decided to use Chrome’s Clear Browsing Data option. The Softonic threat reports went away! I checked this with Full Scan; it still reported HackTool:Win32/Keygen (apparently “Quick scan” missed that), but I looked for a “Patch.exe”, found it in “Program Files (x86)/Rovio/Angry Birds Space/” (presumably some game my son had downloaded); I de-installed that; took the residue to the Trash Can (de-install did not remove Patch.exe); and Spyhunter 4’s Full Scan now found only cookies etc. with badness score 1. Happiness!

I wonder if the Chrome cache did not have the Softonic Trojan at all, but just some signature. (I once had Fujacks virus; disabled it manually while mentioning its signatures in a text file as note to myself; that text file kept showing up as “infected.”)

Anyway, after a few hours of detour for me, my system might be clean. I post in case the story has interest or instructive value.
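
Added example, not part of the original thread: the last post wishes the scanner had reported absolute paths for its “Preferences” hit. Chrome's per-profile Preferences file is JSON, so a short script can print the file's absolute path and the exact keys whose values mention a domain. The sample content, its key names and the function names below are constructed for illustration.

```python
import json
import os
import tempfile

def find_domain_refs(node, needle, path=""):
    """Recursively collect (json_path, value) for every string containing needle."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_domain_refs(value, needle, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_domain_refs(value, needle, f"{path}[{i}]")
    elif isinstance(node, str) and needle.lower() in node.lower():
        hits.append((path, node))
    return hits

def scan_preferences(file_path, needle):
    """Return (absolute_path, hits) for one Preferences-style JSON file."""
    with open(file_path, encoding="utf-8") as fh:
        data = json.load(fh)
    return os.path.abspath(file_path), find_domain_refs(data, needle)

# Constructed sample standing in for a profile's Preferences file.
SAMPLE = {
    "homepage": "http://search.softonic.com/?src=toolbar",
    "session": {"startup_urls": ["http://search.softonic.com/", "https://example.org/"]},
    "default_search_provider": {
        "name": "Softonic",
        "search_url": "http://search.softonic.com/?q={searchTerms}",
    },
    "browser": {"show_home_button": True},
}

def demo():
    """Write the sample to a temporary 'Preferences' file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = os.path.join(tmp, "Preferences")
        with open(prefs, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        return scan_preferences(prefs, "softonic.com")

if __name__ == "__main__":
    abs_path, hits = demo()
    print(abs_path)
    for json_path, value in hits:
        print(f"  {json_path} = {value}")
```

Run against a copy of the real file, this shows whether a scanner hit corresponds to a leftover setting string (homepage, start page, search provider) rather than an executable.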