Browser Hijackers

The scum lords are at it again ... this time hijacking your browsers (usually just Microsoft Internet Explorer).

Basically, the hijackers modify the browser's home page and default search page. The primary "fix" is to never use Microsoft Internet Explorer ... but then the scum lords win. I prefer to simply beat them and then tell everyone else how to do the same.

Some of these don't truly qualify as "malicious" because it is possible to intentionally install their crap via some web page and they have "licenses" (that you "must accept") that state fairly explicitly that YOU give them permission to hijack your system.

....

Then some program sneaks into your computer via some backdoor and installs the parasite. Now the virus checkers can not determine whether you explicitly allowed this crap on your system ... or if it was an illegal hijack.

The bottom line - frustrated users and billions of dollars in damage (mostly lost productivity while trying to get rid of this crap).

Damage to Your System

There are basically 3 types of damage

New infected files: Normally these are *.exe, *.reg, and *.html files
Replaced system files: In one case, notepad.exe was replaced by a different file ... same name, of course. Several other files are common targets.
Registry modifications: This is where most of the damage is done. Most Browser Hijackers affect the Internet Explorer settings.

Combined, these changes can be used to install an ActiveX component. Once that happens, the parasite has complete control of your entire system.

I have my system configured to prompt me before running ANY ActiveX component - I deny access to all of them except the Adobe Acrobat (pdf) reader. I can live without flash and quicktime ... but a parasite can destroy my system. Its just not worth it.

Relevant Registry Entries

These are some of the registry keys used to hijack your system.

This entry modifies the registry each time the computer is booted. The payload is in xyz.reg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 SystemSearch = REGEDIT.EXE -s C:/WINDOWS/xyz.reg

These allow the parasite to open all pages in a form so that it can place advertisements on all pages regardless of the site you are visiting. It also allows the parasite to remap requests to another site

If you want information on one brand of camera, it may automatically display information on a completely different brand
It might redirect all search engine requests to the scum lord's search engine
It might prohibit you from downloading software to remove the parasite

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
 www = http://www.xyz.com/cgi-bin?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
 default = http://www.xyz.com/cgi-bin?

This just changes your start page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Start Page = http://www.xyz.com/

This controls the search page.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Search Page = http://www.xyz.com/

Normally, the blank page is read from the resource area of a dll. Modifying this key changes the page displayed when your default page is about:blank.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
 blank = Could be almost anything

This value controls what is displayed when a site is not found - some parasites modify it to display a search page.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
 NavigationFailure = Could be almost anything

Default (Correct) Values

Almost any related registry entry can be used to attack your system. These are some default values you may need to restore your system. If you need another that's not here, then you will need a second machine to check it.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

  default =   http://

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

  ftp     =    ftp://
  gopher  = gopher://
  home    =   http://
  mosaic  =   http://
  www     =   http://

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
 blank              = res://mshtml.dll/blank.htm
 NavigationCanceled = res://shdoclc.dll/navcancl.htm
 NavigationFailure  = res://shdoclc.dll/navcancl.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Tools

There are many tools to help remove Browser Hijackers - but the "virus checkers" don't do this.

Most spyware and adware removers will find some Browser Hijackers. No one program removes all parasites.

These 3 are free

One stop shopping is provided at spychecker.

Spybot and Ad-aware will also inoculate your system against future attacks ... but that does not always work. The scum lords are always working on new ways infect your system.

Trouble Shooting an Infection

Sometimes the tools don't fix the problem. In that case, you've got to do it yourself. This is how I do it.

Files Executed on System Boot

Check all the files executed when the system boots - most parasites are found in the 2 run keys - HKCU (Current user) and HKLM (Local machine). I use google to check exe's I'm not familiar with. When I've located a suspicious file, I examine its contents with notepad.exe - if it contains a url to the parasite's web site you know you've got a live one.

Modifying Registry Keys

Normally, I don't delete keys - too dangerous and too hard to undo - instead I "comment them out". For instance

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Default_Search_URL =  http://www.xyz.com/

would be changed to

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 xx Default_Search_URL rlc 7-01-04 = http://www.xyz.com/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Default_Search_URL =  xxx http://www.xyz.com/   rlc 7-01-04

In the first case, the xxx makes the key invisible, in the second, the key is found but the data does not make sense. In both cases, my initials and date tell me that I changed the key and when I did it.

In some cases, it makes more sense to fix the problem.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 Systray = C:\WINDOWS\system32\a.exe

was changed to the original

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 Systray = C:\WINDOWS\system32\systray.exe

C:\WINDOWS\setupapi.log

Microsoft keeps track of certain (not all) updates in

C:\WINDOWS\setupapi.log

The relevant entries are normally at the bottom of the file. (The most recent entries are there.) This example is from the Notepad virus.

[2004/04/19 16:13:34 2896.1]
#-198 Command line processed: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" 
#-024 Copying file "c:\windows\temp\g1.exe" to "C:\WINDOWS\Downloaded Program Files\g1.exe".
#E361 An unsigned or incorrectly signed file "c:\windows\temp\g1.exe" will be installed 
        (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.

In this case g1.exe was the virus (parasite) - it was found in 2 directories and executed on system boot via one of the registry run keys.

Related Files

Once you've found a suspicious file, use Agent Ransack to search for other files with the same date time stamp. Those created within about 10 minutes are usually related.

If you know the url(s), you can use Agent Ransack to search for other files containing the same string(s).

Related Registry Entries

Search the registry for all suspicious filenames and urls.

about:blank

Instead of changing your default page, some hijackers change the page about:blank points to. Via the registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
 blank = res://mshtml.dll/blank.htm

about:blank points to a resource in mshtml.dll. (This can be seen using Resource Hacker - free.)

A parasite can replace this string with any valid url.

Other values under the AboutURLs key can also be modified. Be sure to check them all.

CWShredder and HijackThis do not remove this type of infection.

References

IE Vulnerability Flagged - this explains how MSHTML can be used to install viruses on a computer. It may be partially related to the notepad.exe problem because the pages I found with
also contain
jethomepage is a search engine scam/parasite associated with Asher Nahmias - one of the people associated with the Notepad virus. These are not the only two associated with him. Too bad US law can't get him in Israel. At a minimum, he should be charged with vandalism.

Author: Robert Clemenzi