The days when you could install some software by just clicking the Next button like a madman are long gone. Back in the day, software programs were simple: you would download the setup, install it, and happily use it afterwards. Today, installing a piece of software is the most attention-demanding thing in the world; you have to carefully read every step and make sure you opt out of all the additional programs/malware/toolbars/atomic bombs they are trying to shove down your throat (what, you don’t believe me? Try downloading and installing Java, you are in for an extra toolbar in your favorite browser).
In most cases, even if you accidentally install one of these extra goodies, you can uninstall them via the Windows uninstaller or from the browser’s extensions page. However, I stumbled upon a browser extension which actively refused my efforts to make it go away.
Symptoms:
- My browser start page was always http://istart.webssearches.com
- Starting the browser in incognito mode was no longer possible
- When trying to start the browser in incognito mode, it would always open a new tab pointing to http://istart.webssearches.com
- Some websites started displaying obtrusive ads, sometimes overlaying the content of the page
First wave of countermeasures:
- Went through the browser extensions page and removed the Quick Start extension (as it was the only one I didn’t know)
- Went through the Windows uninstaller but couldn’t find any suspicious programs (some people were able to find a program called RSHP which, when uninstalled, fixes the issue)
- Went to the browser settings and reset the start page and search provider
After this first round of countermeasures, I managed to get rid of the initial http://istart.webssearches.com browser page; however, opening an incognito window would still open a new tab pointing to http://istart.webssearches.com. The obtrusive ads were still showing up, thus I concluded my job was not done.
Second wave of countermeasures:
At this point I had tried all the easy ways out of the problem, and it was time to dive a little bit deeper.
I started Process Monitor and pointed it at the chrome.exe processes. After scanning through the generated activity, I encountered something out of the ordinary:
SearchProtect32.dll is being loaded into memory, and since I don’t use protection when I search, I figured this was a promising lead to follow. Going to C:\Program Files (x86)\SupTab, I found a file called RSHP.exe; now I was convinced I had found the criminal.
Why does it get loaded into memory?
I started looking around the LoadImage operation to get some context, and I found a registry query for AppInit_DLLs. Opening the registry value, I found it contains “C:\PROGRA~2\SupTab\SEARCH~1.DLL”. This is what causes SearchProtect32.dll to be loaded, but why?
After doing some reading about AppInit_DLLs everything made sense. The official Microsoft description for AppInit_DLLs states: “All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session”. Wait, what have I just read? Cannot comprehend…
Why would you provide such a functionality, why call it AppInit_DLLs when you can more intuitively call it MalwareWithoutBorders or PleaseInsertPathToMalware?
Relax, they said: “Typically, only the Administrators group and the LocalSystem account have write access to the key that contains the AppInit_DLLs value.” BUT, what if I told you that most installer software requires administrator privileges to run?
Searched for some more documentation and found this description of the whole process.
At this point my mind is blown and I just want to get this over with, so this is what I did:
- Disabled DLL loading by setting LoadAppInit_DLLs to 0 (zero)
- Required any DLLs loaded in the future to be signed with a digital certificate, by creating a value of type DWORD named RequireSignedAppInit_DLLs and setting it to 1 (one)
- Cleared the value of AppInit_DLLs
- I did this with a bitter taste in my mouth, as I know that any program running with admin privileges (e.g. a malware installer) can change them as it desires, rendering my efforts futile
- Removed the C:\Program Files (x86)\SupTab directory
- Of course I couldn’t remove the SupTab directory, as the damn DLL is loaded into … … probably most of the processes I have running at the moment (thanks M$), therefore I had to schedule the deletion of the file on the next boot (I used this to schedule the deletion; you can read more about removing locked files here).
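The audit and the three registry changes described above, as an added example (not code from the original post): it reads both the native and the WOW64 AppInit keys, lists every DLL currently registered there along with its Authenticode status, and applies the hardening with -WhatIf support. The registry key paths are the standard Windows locations and are assumptions in the sense that the post never spells them out; note that SearchProtect32.dll was itself signed, so the signature column is a signal to review, not a gate.

```powershell
# Added example: audit and harden AppInit_DLLs. Run from an elevated PowerShell prompt.
# Key paths are the standard locations (assumption; the post does not list them).
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit (WOW64) processes
)

function Get-AppInitDllState {
    # One row per registered DLL (or a single '<none>' row) with the current control values.
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        $dlls = @()
        if ($p.AppInit_DLLs) {
            # The value is a comma- or space-separated list of paths; 8.3 short names are common.
            $dlls = @($p.AppInit_DLLs -split '[,\s]+' | Where-Object { $_ })
        }
        if (-not $dlls) { $dlls = @('<none>') }
        foreach ($dll in $dlls) {
            $sig = 'n/a'
            if ($dll -ne '<none>') {
                # Short (8.3) paths resolve normally here; a missing file is reported, not skipped.
                $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
            }
            [pscustomobject]@{
                Key           = $key
                Dll           = $dll
                Signature     = $sig
                LoadEnabled   = $p.LoadAppInit_DLLs
                RequireSigned = $p.RequireSignedAppInit_DLLs
            }
        }
    }
}

function Set-AppInitDllHardening {
    # Applies the three steps from the post: disable loading, require signed DLLs, clear the list.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set LoadAppInit_DLLs=0, RequireSignedAppInit_DLLs=1, clear AppInit_DLLs')) {
            Set-ItemProperty -Path $key -Name 'LoadAppInit_DLLs' -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name 'RequireSignedAppInit_DLLs' -Value 1 -Type DWord
            Set-ItemProperty -Path $key -Name 'AppInit_DLLs' -Value '' -Type String
        }
    }
}

Get-AppInitDllState | Format-Table -AutoSize
Set-AppInitDllHardening -WhatIf   # preview the changes; drop -WhatIf to apply them
```

On Windows 8 and later with Secure Boot enabled, the AppInit_DLLs mechanism is disabled by the OS regardless of these values, so the audit rows there describe leftovers rather than something that still loads.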
Who is responsible for this great piece of software, you might ask? As it turns out, all the files were digitally signed, and here’s a screenshot of the digital signature information.
If you feel like writing an email to firstname.lastname@example.org to thank the very author of this rubbish piece of software, I won’t judge…