Basically, the hijackers modify the browser's home page and default search page. The primary "fix" is to never use Microsoft Internet Explorer ... but then the scum lords win. I prefer to simply beat them and then tell everyone else how to do the same.
Some of these don't truly qualify as "malicious" because it is possible to intentionally install their crap via some web page and they have "licenses" (that you "must accept") that state fairly explicitly that YOU give them permission to hijack your system.
....Then some program sneaks into your computer via some backdoor and installs the parasite. Now the virus checkers can not determine whether you explicitly allowed this crap on your system ... or if it was an illegal hijack.
The bottom line - frustrated users and billions of dollars in damage (mostly lost productivity while trying to get rid of this crap).
Damage to Your System
I have my system configured to prompt me before running ANY ActiveX component - I deny access to all of them except the Adobe Acrobat (pdf) reader. I can live without flash and quicktime ... but a parasite can destroy my system. Its just not worth it.
Relevant Registry Entries
This entry modifies the registry each time the computer is booted. The payload is in xyz.reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSearch = REGEDIT.EXE -s C:/WINDOWS/xyz.regThese allow the parasite to open all pages in a form so that it can place advertisements on all pages regardless of the site you are visiting. It also allows the parasite to remap requests to another site
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes www = http://www.xyz.com/cgi-bin? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix default = http://www.xyz.com/cgi-bin?This just changes your start page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Start Page = http://www.xyz.com/This controls the search page.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Page = http://www.xyz.com/Normally, the blank page is read from the resource area of a dll. Modifying this key changes the page displayed when your default page is about:blank.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs blank = Could be almost anythingThis value controls what is displayed when a site is not found - some parasites modify it to display a search page.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs NavigationFailure = Could be almost anything
Default (Correct) Values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix default = http:// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes ftp = ftp:// gopher = gopher:// home = http:// mosaic = http:// www = http:// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs blank = res://mshtml.dll/blank.htm NavigationCanceled = res://shdoclc.dll/navcancl.htm NavigationFailure = res://shdoclc.dll/navcancl.htm HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Tools
Most spyware and adware removers will find some Browser Hijackers. No one program removes all parasites.
These 3 are free
One stop shopping is provided at spychecker.
Spybot and Ad-aware will also inoculate your system against future attacks ... but that does not always work. The scum lords are always working on new ways infect your system.
Trouble Shooting an Infection
Check all the files executed when the system boots - most parasites are found in the 2 run keys - HKCU (Current user) and HKLM (Local machine). I use google to check exe's I'm not familiar with. When I've located a suspicious file, I examine its contents with notepad.exe - if it contains a url to the parasite's web site you know you've got a live one.
Normally, I don't delete keys - too dangerous and too hard to undo - instead I "comment them out". For instance
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Default_Search_URL = http://www.xyz.com/would be changed to
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main xx Default_Search_URL rlc 7-01-04 = http://www.xyz.com/or
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Default_Search_URL = xxx http://www.xyz.com/ rlc 7-01-04In the first case, the xxx makes the key invisible, in the second, the key is found but the data does not make sense. In both cases, my initials and date tell me that I changed the key and when I did it.
In some cases, it makes more sense to fix the problem.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Systray = C:\WINDOWS\system32\a.exewas changed to the original
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Systray = C:\WINDOWS\system32\systray.exe
C:\WINDOWS\setupapi.log
C:\WINDOWS\setupapi.logThe relevant entries are normally at the bottom of the file. (The most recent entries are there.) This example is from the Notepad virus.
[2004/04/19 16:13:34 2896.1] #-198 Command line processed: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" #-024 Copying file "c:\windows\temp\g1.exe" to "C:\WINDOWS\Downloaded Program Files\g1.exe". #E361 An unsigned or incorrectly signed file "c:\windows\temp\g1.exe" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.In this case g1.exe was the virus (parasite) - it was found in 2 directories and executed on system boot via one of the registry run keys.
Related Files
If you know the url(s), you can use Agent Ransack to search for other files containing the same string(s).
Related Registry Entries
about:blank
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs blank = res://mshtml.dll/blank.htmabout:blank points to a resource in mshtml.dll. (This can be seen using Resource Hacker - free.)
A parasite can replace this string with any valid url.
Other values under the AboutURLs key can also be modified. Be sure to check them all.
CWShredder and HijackThis do not remove this type of infection.