[Update] Video Saver PUP Blocks Search Provider changes

[Update] Video Saver PUP Blocks Search Provider changes

A potentially unwanted program (PUP) called Video Saver, belonging to the Neobar family of browser hijackers, has been found to use a different trick to “convince” their victims to use their search engine “Search with us!”.

It will show the victims a prompt to let them know there are restrictions in effect on their computer and to contact their system administrator when they try to alter their search engine settings for Internet Explorer.

SearchWithUs

This application will install its own search engine as the default search engine. This is not unusual for hijackers, however, it also disables the users ability to make any other changes to the list of search engines. It does this by setting a registry value.

Policykey

[HKEY_CURRENT_USERSoftwarePoliciesMicrosoftInternet ExplorerInfodeliveryRestrictions]    “UsePolicySearchProvidersOnly”=dword:00000001

This value is normally set by using the Group Policy Editor.

Although the user is given the “option” to set Video Saver’s search engine as the default during the install, declining the offer by unchecking the option doesn’t prevent the modifications from being made regardless.

Search

Fixing the restriction

There are two ways of removing this restriction if you have administrator rights on the affected machine. The first being to change or remove the registry value. We advise that you always make a backup if you make changes to the registry manually, since any accidental modifications could have serious ramifications to how your operating system runs.

The second (and preferred) way is by using the “Group Policy Editor”. You can start the “Group Policy Editor” by opening the “Run” dialog box (Winkey + R) >  then type and run the ‘gpedit.msc’ command, this will start the “Local Group Policy Editor”.

PolicySetting

Once inside the policy editor, navigate to “Administrative Templates” > “Windows Components” > “Internet Explorer” and find “Restrict search providers to specific list”. (Tip: you can organize the settings in alphabetical order by clicking on the “Setting” bar at the top of the list. That makes the setting you are looking for easier to find. ) Next right-click the “Restrict search providers to specific list” and choose “Edit”.

Policychange

In the resulting form select the “Disabled” option and click “Apply” (make sure Internet explorer is closed when you do this or the change may not take effect immediately). Click “Ok” to close the form and close the “Local Group Policy Editor”. When you run Internet Explorer again, you should be able to access and manipulate the “Search Providers” settings again. Effectively this will change the registry value to 0.

Other characteristics of Video Saver

Video Saver browser hijackers are pretty invasive. Given the chance they do make a lot of changes on your system. This PUP uses services and Scheduled Tasks to present the user with advertisements. Video Saver has also been known to install extensions for Internet Explorer, Chrome, Firefox and Opera.

It is also capable of changing the search provider for these browsers. Detailed reports can be found in the removal guides for Version 1.1.1.2 & Version 3.0.3 of this browser hijacker on our forums.

The uninstall entry of the PUP points to ‘gigabase(dot)ru’ which seems completely unrelated at the moment, but has a reputation as being associated with search hijackers. The “updater tasks” seem to contact ‘bestgue(dot)ru’ which is confirmed malicious by VirusTotal.

protection1

Detection

The installer and the files dropped by Video Saver are detected by Malwarebytes Anti-Malware as PUP.Optional.NeoBar and PUP.Optional.VideoSaver.

It’s advised to use the setting ‘Treat PUP detections as Malware’ in order to remove these threats and others like it, automatically. It is not necessary to remove the restrictions in the registry before you run a scan.

Malwarebytes Anti-Malware can remove the “Search with us!” search engine even with the restrictions in place. It will however not remove the restriction itself since we have no way of knowing if the restriction wasn’t really set by a system administrator, so please follow this guide to remove that aspect.

Update

As of now (database v2015.10.16.05), Malwarebytes Anti-Malware removes this block if there is reason to assume the policy was set by VideoSaver/Neobar.

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.