Browser Hijackers

The scum lords are at it again ... this time hijacking your browsers (usually just Microsoft Internet Explorer).

Basically, the hijackers modify the browser's home page and default search page. The primary "fix" is to never use Microsoft Internet Explorer ... but then the scum lords win. I prefer to simply beat them and then tell everyone else how to do the same.

Some of these don't truly qualify as "malicious" because it is possible to intentionally install their crap via some web page and they have "licenses" (that you "must accept") that state fairly explicitly that YOU give them permission to hijack your system.

Then some program sneaks into your computer via some backdoor and installs the parasite. Now the virus checkers cannot determine whether you explicitly allowed this crap on your system ... or whether it was an illegal hijack.

The bottom line - frustrated users and billions of dollars in damage (mostly lost productivity while trying to get rid of this crap).

Damage | Registry | Tools
Trouble Shooting an Infection - Files Executed on System Boot | Modifying Registry Keys | setupapi.log
Related Files | Related Registry Entries
about:blank | References


Damage to Your System

There are basically 3 types of damage. Combined, these changes can be used to install an ActiveX component. Once that happens, the parasite has complete control of your entire system.

I have my system configured to prompt me before running ANY ActiveX component - I deny access to all of them except the Adobe Acrobat (pdf) reader. I can live without Flash and QuickTime ... but a parasite can destroy my system. It's just not worth it.


Relevant Registry Entries

These are some of the registry keys used to hijack your system.

This entry modifies the registry each time the computer is booted. The payload is in xyz.reg.

These allow the parasite to open all pages inside a frame so that it can place advertisements on every page regardless of the site you are visiting. They also allow the parasite to remap requests to another site.

This just changes your start page.

This controls the search page.

Normally, the blank page is read from the resource area of a dll. Modifying this key changes the page displayed when your default page is about:blank.

This value controls what is displayed when a site is not found - some parasites modify it to display a search page.


Default (Correct) Values

Almost any related registry entry can be used to attack your system. These are some default values you may need to restore your system. If you need another that's not here, then you will need a second machine to check it.


Tools

There are many tools to help remove Browser Hijackers - but the "virus checkers" don't do this.

Most spyware and adware removers will find some Browser Hijackers. No one program removes all parasites.

These 3 are free

One stop shopping is provided at spychecker.

Spybot and Ad-aware will also inoculate your system against future attacks ... but that does not always work. The scum lords are always working on new ways to infect your system.


Trouble Shooting an Infection

Sometimes the tools don't fix the problem. In that case, you've got to do it yourself. This is how I do it.


Files Executed on System Boot

Check all the files executed when the system boots - most parasites are found in the 2 Run keys - HKCU (Current user) and HKLM (Local machine). I use Google to check executables I'm not familiar with. When I've located a suspicious file, I examine its contents with notepad.exe - if it contains a URL to the parasite's web site, you know you've got a live one.


Modifying Registry Keys

Normally, I don't delete keys - too dangerous and too hard to undo - instead I "comment them out". For instance

would be changed to or In the first case, the xxx makes the key invisible, in the second, the key is found but the data does not make sense. In both cases, my initials and date tell me that I changed the key and when I did it.

In some cases, it makes more sense to fix the problem.

was changed to the original
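The following script is an added example, not the page author's own tooling. It writes the .reg file for the two "comment out" styles described above (hide the value under an xxx-prefixed name, or keep the name and spoil the data) and for the plain restore-to-default case; the key, value, date and the exact tag layout are illustrative choices of mine, not something the page specifies.

```python
"""
Write a .reg file that "comments out" a hijacked registry value rather than
deleting it: hide the value by renaming it with an "xxx" prefix, or keep the
name and spoil the data so the browser cannot use it.  Both keep the original
data for undo and carry initials plus a date.  Added example, not the page
author's script; key, value, date and tag layout are illustrative.
"""
import re

# Real path of one of the two boot-time Run keys the page refers to.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
TAG_RE = re.compile(r"^xxx ([A-Za-z]+) (\d{4}-\d{2}-\d{2}) ")


def reg_quote(s):
    """Quote a value name or REG_SZ string for a .reg file (escape \\ and ")."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _reg(comment, key, value_lines):
    # "Version 5.00" is what regedit on 2000/XP writes; regedit wants CRLF.
    lines = ["Windows Registry Editor Version 5.00", "", f"; {comment}", f"[{key}]"]
    return "\r\n".join(lines + value_lines + [""])


def hide_value(key, name, data, initials, day):
    """Style 1: delete `name` and re-create it as "xxx<name> <initials> <day>".
    Windows no longer finds the value; the data survives under the new name."""
    tag = f"{initials} {day}"
    new_name = f"xxx{name} {tag}"
    return _reg(f"{tag}: hid {name!r}", key, [
        f"{reg_quote(name)}=-",                      # "name"=- deletes a value
        f"{reg_quote(new_name)}={reg_quote(data)}",
    ])


def spoil_data(data, initials, day):
    """Style 2 payload: prefix the data with a tag so it is no longer a
    usable URL or path, but the original can be recovered later."""
    return f"xxx {initials} {day} {data}"


def spoil_value(key, name, data, initials, day):
    """Style 2: same value name, tagged data."""
    return _reg(f"{initials} {day}: spoiled {name!r}", key,
                [f"{reg_quote(name)}={reg_quote(spoil_data(data, initials, day))}"])


def original_data(spoiled):
    """Undo for style 2: strip the tag; untagged input is returned unchanged."""
    return TAG_RE.sub("", spoiled, count=1)


def restore_value(key, name, default, initials, day):
    """The third case on the page: simply put the stock value back."""
    return _reg(f"{initials} {day}: restored {name!r} to default", key,
                [f"{reg_quote(name)}={reg_quote(default)}"])


if __name__ == "__main__":
    # Illustrative: the g1.exe parasite the page mentions, path assumed.
    print(hide_value(RUN_KEY, "g1", r"C:\WINDOWS\Temp\g1.exe", "RC", "2004-05-12"))
```

Save the printed text as a .reg file and double-click it (or run `regedit /s file.reg`) to apply; keeping the tag in the value name or data is what makes the change findable and reversible later.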


C:\WINDOWS\setupapi.log

Microsoft keeps track of certain (not all) updates in C:\WINDOWS\setupapi.log. The relevant entries are normally at the bottom of the file, since the most recent entries are appended there. This example is from the Notepad virus. In this case, g1.exe was the virus (parasite) - it was found in 2 directories and executed on system boot via one of the registry Run keys.


Related Files

Once you've found a suspicious file, use Agent Ransack to search for other files with the same date time stamp. Those created within about 10 minutes are usually related.

If you know the url(s), you can use Agent Ransack to search for other files containing the same string(s).
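Here is an added example (my code, not the page author's, and not Agent Ransack) that does the three pivots described in this section and in "Files Executed on System Boot" in one pass: pull the URL strings out of the suspect file, find other files written within the same 10-minute window, and find files that contain any of the same URLs. It also looks for UTF-16LE strings, which Windows binaries commonly use and which a byte-wise search for "http" will miss. SAMPLE_EXE is a constructed stand-in, and its hosts use the reserved .invalid TLD.

```python
"""
Pivot from one suspicious file to its relatives: URL strings inside it (ASCII
and UTF-16LE), files with a nearby timestamp, files sharing those URLs.
Added example, not the page author's tooling.  SAMPLE_EXE is constructed.
"""
import os
import re

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:[/?#][^\s\x00\"'<>]*)?")
MAX_SCAN_BYTES = 20 * 1024 * 1024          # do not read huge files when walking a disk


def extract_urls(blob):
    """URLs embedded in a byte blob, as ASCII or as UTF-16LE (either alignment)."""
    urls = {m.group(0) for m in URL_RE.finditer(blob)}
    for offset in (0, 1):                  # a UTF-16 string may start on an odd byte
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        ascii_only = re.sub(r"[^\x20-\x7e]", " ", text).encode("ascii")
        urls |= {m.group(0) for m in URL_RE.finditer(ascii_only)}
    return sorted(u.decode("ascii") for u in urls)


def related_by_time(entries, anchor_mtime, window_minutes=10):
    """entries: (path, mtime_seconds) pairs.  Paths written within the window."""
    limit = window_minutes * 60
    return sorted(path for path, mtime in entries if abs(mtime - anchor_mtime) <= limit)


def files_mentioning(contents, urls):
    """contents: (path, bytes) pairs.  {path: [shared urls]} for files that
    carry any of the suspect's URLs."""
    wanted = set(urls)
    hits = {}
    for path, blob in contents:
        shared = [u for u in extract_urls(blob) if u in wanted]
        if shared:
            hits[path] = shared
    return hits


def hunt(root, suspect, window_minutes=10):
    """Run all three pivots against a real directory tree."""
    with open(suspect, "rb") as f:
        urls = extract_urls(f.read())
    anchor = os.stat(suspect).st_mtime
    entries, hits = [], {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                entries.append((path, st.st_mtime))
                if st.st_size <= MAX_SCAN_BYTES:
                    with open(path, "rb") as f:
                        hits.update(files_mentioning([(path, f.read())], urls))
            except OSError:                # unreadable/locked file: skip it
                continue
    return urls, related_by_time(entries, anchor, window_minutes), hits


# Constructed stand-in for a parasite executable: DOS-stub-like header, one
# ASCII URL, one UTF-16LE URL that starts on an odd byte offset.
SAMPLE_EXE = (b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\x00"
              b"http://dl.example.invalid/g1.exe\x00"
              + "http://ads.example.invalid/pop".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                 # hunt.py <root dir> <suspect file>
        urls, same_time, same_urls = hunt(sys.argv[1], sys.argv[2])
        print("urls in suspect:", urls)
        print("written in the same 10-minute window:", same_time)
        print("files sharing a url:", same_urls)
    else:
        print(extract_urls(SAMPLE_EXE))
```

Run it as `python hunt.py C:\ C:\WINDOWS\Temp\g1.exe` (paths assumed) and the three lists are the same results the page gets from Agent Ransack's date and content searches; the odd-offset UTF-16 case in SAMPLE_EXE is why the decoder is tried at both alignments.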


Related Registry Entries

Search the registry for all suspicious filenames and urls.


about:blank

Instead of changing your default page, some hijackers change the page about:blank points to. Via the registry about:blank points to a resource in mshtml.dll. (This can be seen using Resource Hacker - free.)

A parasite can replace this string with any valid url.

Other values under the AboutURLs key can also be modified. Be sure to check them all.

CWShredder and HijackThis do not remove this type of infection.
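The script below is an added example, not the page author's tooling. It parses a regedit export and flags the hijack points covered in "Relevant Registry Entries", "Default (Correct) Values" and this section: every AboutURLs value that is no longer a res:// resource (stock about:blank is res://mshtml.dll/blank.htm), start/search page values under Internet Explorer\Main that point at a host outside an allowlist, and Run entries that live in a temp or profile directory or carry a URL. The EXPECTED_HOSTS allowlist and the temp-directory heuristic are my assumptions, and SAMPLE_EXPORT is constructed (hosts use the reserved .invalid TLD).

```python
"""
Audit a regedit export (.reg) for IE hijack points: the AboutURLs key that
about:blank resolves through, page values under Internet Explorer\Main, and
the two Run keys.  Added example, not the page author's tooling.
Assumptions: EXPECTED_HOSTS, the temp-directory heuristic, SAMPLE_EXPORT.
"""
import re
import sys
from urllib.parse import urlparse

EXPECTED_HOSTS = {"microsoft.com", "msn.com"}        # assumption: tune per machine
PAGE_VALUES = {"Start Page", "Search Page", "Default_Page_URL",
               "Default_Search_URL", "Search Bar"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data


def reg_unescape(s):
    # .reg escapes backslash and double-quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}}.  REG_SZ data is unescaped; dword:/hex:
    data (including hex: continuation lines) is kept verbatim."""
    keys, cur, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                                  # continuation of a hex: value
            name, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                keys[cur][name] = acc
                pending = None
            continue
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":       # [key] or [-key] (deletion)
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        m = VALUE_RE.match(line)
        if not m or cur is None:
            continue
        name = "@" if m.group(1) is None else reg_unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[cur][name] = reg_unescape(data[1:-1])   # REG_SZ
        elif data.endswith("\\"):
            pending = (name, data[:-1])
        else:
            keys[cur][name] = data                       # dword:, hex:, "-"
    return keys


def host_expected(url):
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def audit(keys):
    """Return (key, value_name, data, reason) tuples for non-stock settings."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\internet explorer\abouturls"):
            for name, data in values.items():
                if not data.lower().startswith("res://"):
                    findings.append((key, name, data, "about: page no longer a dll resource"))
        elif k.endswith(r"\internet explorer\main"):
            for name, data in values.items():
                if name in PAGE_VALUES and data.lower() != "about:blank" and not host_expected(data):
                    findings.append((key, name, data, "page value points at an unexpected host"))
        elif k.endswith(r"\windows\currentversion\run"):
            for name, data in values.items():
                d = data.lower()
                if "://" in d or "\\temp\\" in d or "\\documents and settings\\" in d:
                    findings.append((key, name, data, "boot-time program in a temp/profile dir or carrying a URL"))
    return findings


# Constructed sample export: hijacked about:blank, hijacked search page, and
# a parasite in the Run key next to a legitimate entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"blank"="http://hijack.example.invalid/blank.html"
"NavigationFailure"="res://shdoclc.dll/dnserror.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="http://search.example.invalid/?q="

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"g1"="C:\\WINDOWS\\Temp\\g1.exe"
"""

if __name__ == "__main__":
    # regedit 5.00 exports are UTF-16LE with a BOM; "utf-16" decodes that.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, data, why in audit(parse_reg(text)):
        print(f"{why}\n  [{key}]\n  {name} = {data}")
```

Export the HKCU and HKLM Internet Explorer keys and both Run keys from regedit (File, Export) and pass the file in; with no argument it audits the constructed sample and reports three findings. A value it flags under AboutURLs is exactly the about:blank-style infection this section describes.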


References


Author: Robert Clemenzi
URL: http://mc-computing.com/Parasites/BrowserHijackers.html