Introduction: Browser Hijacked - You Are Locked Out From Using It (Win7)


Update 15/03/2017: Added extra info for a new type of hijack.
Yesterday I followed a Google search and when I followed one of the provided links I was greeted with a very nasty surprise.
A pop up came over the browser tab informing that Windows has found a Koobface infection and that I should call the provided +1-800 number to get the Microsoft report, quoting a reference number.
The next claim was that all access was blocked to protect me.
Just check this Google image search for examples of how it looks when you got hijacked.

So let me provide some basic guidance that works to get you going again.

Now if you do a Google search for Koobface you get thousands of results, none are of much help ;)
But in my case it was just another scam hoax like the FBI virus, the only difference being that none of the malware or virus protectors even register anything once it is in the system.
So as an unsuspecting user trying to fix the problem you might run into the same bottleneck.

I am not going into massive details here as variations of this malware can be found all over the web.
All I want to point out is that my infected website (and no, I am not naming it so you can try ;) ) managed to not only block my browser (good to have another one) but also left some unwanted changes in the system files behind.
Imagine you try to fix the problem, reboot during the process and your user profiles are gone!
Windows informed me that a temporary user profile is used and to fix this I have to log off and log on again with the right account.
No need to say that this was to no avail.
So how to really fix it?

First off: You should install malware protection before it happened and not only after the system is compromised ;)
I installed the free version of Malwarebytes anti malware - but other providers offer similar.
Whatever you use make sure the browser protection is activated - also check this for your anti virus software.
In my case Chrome was the affected browser, so I started it without any extensions or plugins active - this prevents the malware's changes from becoming active in the browser again.
Now, thanks to no extensions and plugins being active, Malwarebytes blocked the access to the suspicious website that was still trying to lock me out.
All other tabs were fine, so no problems in this department anymore.
As all of this happened within the browser environment, all that was left was to clear the temp files and browsing history - but this is just an additional step and not required to get going safely again unless you decide to visit the infected website again.
But how to get my user account settings back?
Having no emails, no bookmarks or login details left in all internet related things is a pain!
The most obvious "solution" that you will find through Microsoft or some help forums/blogs would be to use a good system restore point, so I did, to no avail.
For this problem the real solution is as simple as it is misleadingly presented on the MS support pages.
The official suggestion is to start Regedit with admin rights,
go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

and check the entries.
In those entries you will find the normal admin account, some networking accounts and all user accounts.
MS now tells you to delete all entries with the added .bak ending.
In my case this was both the admin and my private account.
Be aware that if you do this all your settings will still be lost, as Windows will create a new user with the same name and all installed programs but no personal settings!
If you simply remove the .bak ending and restart, your old account will be restored properly.
Now if you want to make sure all evidence of the malware is removed from vital areas, revert back to the last known good system restore point - if all works fine and your restore point is quite old, forget it if you installed a lot in the meantime.
Last check is to update your malware and virus programs and to perform a full system scan.
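The ProfileList repair described above as a script, added here as an example and not part of the original post: it lists the entries, sets the temporary key aside under an assumed `.temp` name instead of deleting it, and renames the `.bak` key back. Run it from an elevated PowerShell, export the key first, and use `-WhatIf` to preview the renames.

```powershell
# Added example, not from the original post: inspect ProfileList and restore
# profile keys that Windows renamed to "<SID>.bak" when it fell back to a temporary profile.
# Run from an elevated PowerShell. Back up the key first:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" profilelist.reg
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Show-ProfileList {
    # Lists every entry with the folder it points to (admin, networking and user accounts)
    Get-ChildItem $ProfileList | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        '{0,-50} {1}' -f $_.PSChildName, $props.ProfileImagePath
    }
}

function Repair-BakProfile {
    param([switch]$WhatIf)   # -WhatIf only reports what would be renamed
    $bakKeys = Get-ChildItem $ProfileList | Where-Object { $_.PSChildName -like '*.bak' }
    if (-not $bakKeys) { Write-Host 'No .bak profile keys found.'; return }
    foreach ($bak in $bakKeys) {
        $sid     = $bak.PSChildName -replace '\.bak$', ''
        $current = Join-Path $ProfileList $sid
        # Windows created a fresh key under the original SID for the temporary profile.
        # Set it aside under an assumed ".temp" name rather than deleting it outright.
        if (Test-Path $current) {
            Write-Host "Setting aside temporary profile key $sid"
            Rename-Item -Path $current -NewName "$sid.temp" -WhatIf:$WhatIf
        }
        Write-Host "Restoring original profile key $sid from $($bak.PSChildName)"
        Rename-Item -Path $bak.PSPath -NewName $sid -WhatIf:$WhatIf
        if (-not $WhatIf) {
            # Beyond the post: MS support also resets these two values so the profile loads normally
            Set-ItemProperty -Path $current -Name RefCount -Value 0 -Type DWord
            Set-ItemProperty -Path $current -Name State    -Value 0 -Type DWord
        }
    }
    Write-Host 'Done - log off and log on again (or reboot) to check the account.'
}

Show-ProfileList
Repair-BakProfile -WhatIf      # preview first; run without -WhatIf to apply
```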

Step 1: Variations of the Problem

The FBI virus in various versions will also try to block you out of the system entirely.
If that happened use a different device and search for some tools for the FBI virus.
Most providers of anti virus software will also offer a free malware removal tool, this should be your first try if you can still use the system enough to start a program.
Sometimes the best solution here is to start in safe mode and to use those programs in this limited environment.
Not all (older) computers will give you USB access when Windows is running in safe mode, here you have to try to get the file(s) onto your hard drive somehow.

Other hoaxes or hijackers will simply put a forced window on top of your browser, blocking all access to what is under it.
If you can still access your browser menus you can try to disable all extensions and plugins and then restart the browser.
Now close the offending tab and re-activate only those extensions and plugins you know, need and use.

In a lot of cases these hijackers offer solutions, like paying for the removal, offering an expensive number to call and even bitcoin accounts you have to pay into with the reference number quoted.
Whatever temptations you might feel: Never click on anything and never call or pay!
Clicking on "Ok", "Close" or similar buttons usually only gives the malware permission to do even more damage.

Step 2: Other Ways of Fixing Hijack Problems

If you have no vital bookmarks or previously opened tabs you need, the most simple option is to delete ;)
Your browser history, recent tabs and all the rest is stored in your user profile or within the application's settings.
This means if you remove or rename those folders the malware is often unable to function.
Downside is that you are back to a virgin browser / email client.

As long as you still have another browser that works you have the alternative to use this browser to download the current installation files for the affected browser.
Delete the broken one through the system control panel and then install the downloaded one.
When asked if you want to import anything like settings, bookmarks or history, say no to prevent the malware from becoming active again.

Last but not least there is a real backup.
I am only mentioning this as everyone knows what a backup is good for but basically no one cares enough to keep current backups.
Even if you only have a weekly backup routine it means you have a full system backup that is free of problems.
Unless you have serious reasons to need what changed in this time you should make use of it!
A full disk backup is preferred over simple Windows backups as they often won't include the required files to replace infected ones.
In any case you should double check your personal documents, downloads, pics, videos and such before putting the backup on!
Unless you save those by default on a different drive, all files created or changed since the backup will be gone!
If in doubt manually copy them onto an external drive or USB stick prior to installing your backup.

Step 3: How to Prevent These Infections?

A good anti virus solution will not always include a browser protection.
Also, in many cases messed browser settings are no concern to them.
Only way to be sure is to use dedicated browser protection, many anti virus programs offer this free for home users.
On top of this it is good to have a dedicated malware scanner running that also blocks access to websites with offending code.
Malwarebytes Anti Ransomware, Malwarebytes Anti Malware, SUPERAntiSpyware and of course popup blocker are a good and free starting point.
If your personal files and the usability of your laptop/PC are of real value to you, please consider investing in a good paid version.
Most anti virus programs come in (paid) versions with full online and email protection, some like Avira also offer most of it for free if you are a private user.
Of course not using your Windows with admin rights will also block a lot of harmful code from doing serious damage ;)
IMHO the best way of preventing problems still is using the brain and eyes before clicking onto anything.
And I don't mean the obvious pop ups offering you freebies or some weird survey offering you 100 bucks for a few minutes of your time.
Sometimes the obvious is hidden where you won't expect it as too many similar "offers" show on the screen.
If you ever used some free filehosting service to download a file you wanted you might know what I mean LOL
There is a massive DOWNLOAD button but in reality it is an ad or link to some spam site, the real download link is often quite small and unsuspicious looking - often it only appears after time has run down or after entering/solving a captcha.
But even simple search results through Google and other search engines can get you into big trouble.
IMHO about 60% of results shown are nothing but ads and totally useless websites that offer nothing you actually expected.
Just check what you get when searching for "fix windows registry" - unless you really know your way around the web you spend more time finding a useful link in the results than fixing the actual problem LOL
This is even more true if you try to download something for free that is not available for free.
You know stuff like movies, music, ebooks or programs.
As a rule of thumb you can say that when trying to use the net for illegal things your chances of landing yourself some nasty problems increase by 80% unless you are well protected and know how to spot bad websites and links.
Ever landed on endless amounts of survey sites or tried to subscribe to some free service just to find out you got spammed again? ;)
So think and look before you click!
If something looks too good to be true you can be almost certain it is best not to click on it!
However if you got fooled and clicked anyway: Don't click on more rubbish to "fix" what popped up.

One of the best ways to stay really safe on the net would be to use a so called sandbox.
Sandboxie for example allows you to run the browser in a protected environment - even if really nasty malware hits you it won't harm you, just delete the sandbox and start over.

Step 4: 2017 and They Are Getting Even More Annoying

Despite all the fixes and protections I suggested they got me again last night.
First let me state how it happens and why I don't go into too many details:
Was on a legit computer magazine website and attempted a free and legit download for a program they offered there.
The link went to the website of the creators of said program but not without creating a popup first.
You know the usual stuff you often see asking if they can get your location info.
As usual I clicked on "No" and realised right away it was not a legit popup but a hijacker - my browser froze with even more blocking popups demanding money from me to fix it.
At this point some of my protections finally kicked in and informed that an attempt to encrypt my user data was prevented - what a relief to see that popping up!!!
But the damage was done...
I limit the info and ways to fix for a good reason.
The thing is dangerous and fast and I think only prevention is a good option, so please pay special attention to that!

Although all my browsers are protected, so far only Chrome was affected and I was still able to use Firefox as normal, well at least as long as I did not have to open new sessions, only the existing ones still worked.
With the encryption warning I already knew it might be very serious so I decided to get going:

Confirming the damages done to the system:
To start off I followed my own advice, got a cold beer, relaxed and confirmed; NO PANIC!! ;)
Half way through the can I finally started digging through the logs the Malware protection created.
Some years ago hijackers created botnets by writing a new MBR onto the hard drive creating unlimited access to everything.
A similar thing happened here :(
According to what I was able to understand from the logs my MBR was replaced despite the active protection and in such a way that the original could not be restored by the protection - WTF???
Additionally about 80 registry keys had been altered, but this was prevented from being imported into my registry - at least here the Antivirus blocked the attempt.
I believe this was only possible because the computer was still running without a reboot that would have activated the infected MBR - if you already rebooted at this point all might be lost!!
And of course the damn thing altered several things in my browser configurations and settings.
One major concern was the encrypted downloads that happened and that I was unable to trace, neither to an IP nor to where they ended up on my computer.

First analysis:
Right now I was certain I got a really bad boy.
Without the active Malware protection the system would have been lost for sure - and this is a massive concern if you consider how perfectly the hijacker was disguised as a location request.
I could not dare a reboot of any kind without risking to activate the infected MBR.
That left me with the only thing I could do at this point: Fixing my Windows as good as I could, more about that further down.
But I used the logs to contact the magazine website and they took down all ads right away to have it checked.

Attempting to fix what made it onto my hard drive:
I ran several Malware checks and some virus checks as well, even online ones just to be sure.
Next was an integrity check with Windows tools as suggested in the MS knowledgebase - pretty much useless if you ask me in case there was a reboot, because then all infected system files will appear legit to the MS tool.
But this time it turned out the ATAPI driver was replaced with an unsigned one and the log confirmed it happened at the time of the hijack - BINGO!
So with an activated MBR this driver would have taken over the entire system.
I did not even attempt to perform an autopsy on the driver or MBR as they will be encrypted anyway.
While trying to replace the ATAPI driver I noticed there was a .bak file of identical name - hmmm, should they be really soooo nice?
Problem was the date of the file was way earlier, about 2 months....
Sorting by date showed quite a few more drivers with .bak files of the exact same moment.
All of them copies of the uninfected files.
I can only assume that some software I ran at that time did this but no clue why or which one it was.
Anyway, I checked for all files created or changed when the hijack happened and found a bunch of encrypted files in a temp folder, they were deleted.
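A read-only version of the two checks just described (driver files without a valid signature, with any `.bak` twin beside them, and files written around the time of the hijack in the driver and temp folders), added here as an example and not part of the original post. The window around `$hijackTime` is an assumed value to adjust from your own logs.

```powershell
# Added example, not from the original post: read-only check of the driver folder and temp
# folders for (a) .sys files without a valid embedded signature, with any matching .bak copy,
# and (b) files written during an assumed time window around the hijack.
# Caveat: on Win7 most Microsoft drivers are signed through catalog files, not embedded, so
# "NotSigned" alone is not proof; compare the change time and .bak copy, then run sigverif/sfc.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-SuspectDriver {
    Get-ChildItem $DriverDir -Filter *.sys | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        if ($sig.Status -ne 'Valid') {
            $bak = "$($_.FullName).bak"       # e.g. atapi.sys.bak, as found in the post
            New-Object PSObject -Property @{
                File      = $_.Name
                Signature = $sig.Status
                Changed   = $_.LastWriteTime
                BakCopy   = if (Test-Path $bak) { (Get-Item $bak).LastWriteTime } else { 'none' }
            }
        }
    }
}

function Get-FilesChangedBetween {
    param([datetime]$From, [datetime]$To)
    # Driver folder plus the user and system temp folders, where the post found encrypted leftovers
    $folders = @($DriverDir, $env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
    Get-ChildItem $folders -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To } |
        Sort-Object LastWriteTime |
        Select-Object LastWriteTime, Length, FullName
}

# Assumed window: the hour around when the hijack popup appeared (take the time from your logs)
$hijackTime = Get-Date '2017-03-14 22:30'
Get-SuspectDriver | Format-Table File, Signature, Changed, BakCopy -AutoSize
Get-FilesChangedBetween -From $hijackTime.AddHours(-1) -To $hijackTime.AddHours(1) |
    Format-Table -AutoSize
```

Nothing is deleted or replaced by this script; it only produces the two lists so you can decide what to restore from a clean copy.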

Not last and not least but my infected browser....
As I am a lazy guy I like to get the windows and tabs I last used back when I start my browser.
I find it easier than clicking on a long list of bookmarks.
Downside of this comes with now having an "infected" tab in my open session that I can't access or close.
And if you know Chrome then you know several open sessions with some tabs will cause mayhem at the next start if you try to close them forcefully through the Task Manager.
Sadly that meant the fix had to wait for the next reboot...

Time to reboot....
Using a Windows install on a USB stick I had a safe working environment.
The infected MBR was replaced with the MS original from the stick.
Now let's hope nothing else was done to gain control over the system during boot.
Using another USB stick with some tools in a PE environment I did some more virus and malware scans.
Here some more files were found in temp folders that had "suspicious" in the description, so they were deleted.
No matter what else I tried I could not find anything wrong.
Windows was now started in SAFE MODE - no networking.
All appeared normal and fine so I used the last system restore point, only two weeks old and I did not install anything vital apart from Windows updates.
Ran all malware and virus checks again and came out clear.

Last reboot and final fixes...
After booting up in normal mode and with full networking it was time to cure chrome.
In the last session and current session files I looked for the website in question.
Replaced a few characters in the string for the address.
I was not sure how Chrome would handle the cached content and did not want to delete it manually.
But a click on the shortcut showed Chrome just takes the changes I made to the address and complains it does not work :)


PREVENTION!!!
I have never seen anything this nasty trying to hijack my browser.
Encrypting files is really nasty stuff and although I would not have lost much as I don't use the Windows default folders for anything important, it still can be bad.
With the MBR activated the system would have been encrypted even more making a full cure very hard.
And this time for once I used a well known website which had nothing to do with the infection as they had no control about the content inside the ads showing up...
Which means it really could happen to anyone of us at any time - quite scary if you think about it too much.
As my protections failed to fully save my sorry a... I have to admit defeat and I don't like this.
But not all hope is lost for those with a real demand in security on a home or small business level.
Above that you would have an IT team to take care of things.
For some the next long bit might be boring and technical but at this stage it is the only way I know to make sure the damage can be fully prevented.

Medium level security with slight hassles:
Install popup blockers but be fair and exclude your favourite website like Instructables - this will prevent most of the ads with possible infections to reach you.
Create regular system restore points after a full virus and malware scan.
Have a USB stick with a Windows install or repair system at hand - check the net there are plenty of them ready to go available.
DO NOT allow your browser to restore the last session(s) when you do a restart.
With this feature off and always starting with a blank page or favourite website, an infected tab in your browser won't survive a restart.
This might change if the idiots behind get even nastier and change those settings as well.
Install the safe browsing addons from your virus software and use the safe search function for web searches if available in your package.
Make a copy of the driver folder in Windows and keep it on a USB stick - unless you failed to include new drivers when you change something this backup will give you clean files if things go as bad as in my case.
I strongly recommend it.
Downside of all this is a slight delay in your browsing experience as the virus software will perform checks on the search results and websites before they get on your screen.
The faster your connection the less you will notice this.

High level security for those who have important things to do:
Check for a Sandbox with web support, like Sandboxie for example.
Do all browser work that goes outside your network in a sandboxed environment - if in doubt only use trusted websites in a normal browser session.
For the normal browser work still apply everything for the above medium security suggestions.
In return you can rest assured that even the most nasty hijacker won't get into your system.
Downside is that not all websites will fully work as easy as before and the slight delay for the virus checks as above.
For example downloads would end up in the sandbox but not your working enviroment.
You need to copy them out of the sandbox and into a normal folder of your liking and at your own risk - once you take things out of the sandbox you are responsible to protect yourself!
If set very strict it will also be impossible to upload files the easy way, you first have to copy them into the sandbox.
I know a lot of hassle but you get a lot of safety in return.

Top level for things in the darker parts of the WWW or those paranoid enough that their daily backups still might not be enough:
Option one...
Install a virtual machine just for the web browsing and email side of things.
Depending on your skills and needs it can be anything from Linux over XP to Android or Win10.
I would keep it simple though...
Ensure the virtual machine is fully setup to fit into your existing system while not allowing uncontrolled access to files outside.
This means whenever something running in the virtual machine wants to access your real world system or drives you need to give manual permission to allow it.
In most cases everything will happen and stay inside the virtual environment.
Only when you need downloaded files, sync your emails and so on, will you need to pay attention to proper checks.
I suggest to use malware and antivirus packages in your virtual environment to check all files meant to enter your real system.
Once your virtual machine is fully configured and working, freeze it.
That means create a full copy of it to replace the first one in case it gets a serious infection.
A quick copy is far easier than installing all from scratch and putting your backups on again.
Option two:
For the paranoid people there is only one easy way to keep your computer free of any possible infection coming in from your browser.
Don't use it!
Same for Email!
I don't have to mention "social media"? Do I?
On a company level this means the user only has access to certain websites and all content would be filtered through secure servers.
Basically what you would expect from a browser for your toddler to keep the kid from seeing adult content.
For personal use it means you would either use a system on a USB stick for your Emails and browsing or use a tablet/separate computer.
Let's assume the worst case I think possible on a normal user level.
You have expensive software and maybe 3D printers or Laser cutters and like everything a bit custom.
If on top you also study or work from home you will have a high demand for keeping your system operational at all times.
Did I mention proper backups/drive cloning on a regular base? ;)
But seriously, if you need your computer more than anything then keep it away from the internet in terms of browsing and Emails, especially downloads from the grey zone.
An old PC or laptop can be used as a simple file server, same for a Raspberry for those tinkering around.
Use a tablet or dedicated computer for all browsing and Email needs including downloads, gaming, streaming and so on.
Keep your work computer free!
Exchange all files you download for the work computer through the file server or download them onto it directly.
Perform a proper malware and virus check on all files meant to enter your work computer!
Ban all software you don't fully trust on your work computer from gaining free access through your firewall.
Set for manual permission so you can check what they want and where the connection is meant to go.
Do not get lazy on your work computer and think "Oh I just want to check something on Google and can't be bothered to use the sandbox..."