Intercept Windows browser system messages

0

1

I appear to have a process or application that sends messages to the OS which cause the browser to pop up with the default page. This can happen dozens of times in a few seconds, but otherwise seems rare. This happens even when no browsers are running, for instance on a clean boot.

I've performed the usual security/adware/malware scans, and uninstalled browser add-ons and plugins. I've removed my chosen browser, only to have those messages cause IE to load up.

I've uninstalled all the programs I installed after this issue started occurring. I've also looked at the process list to see if there are any suspect processes running.

At this point I suspect the only way I'll be able to determine the source of these system calls is to intercept the message itself.

Is there an easy way to do this? I'd need to find out what process is sending the messages.

This is on a Windows 7 x64 installation.

Adam Davis

Posted 2013-04-18T16:58:09.640

Reputation: 4 327

1

Have you tried using ComboFix to remove unwanted programs?

– Konrad Gadzina – 2013-04-18T17:22:35.673

@KonradGadzina No, Spybot Search and Destroy is what I used. Is it likely that ComboFix will find something Spybot misses? – Adam Davis – 2013-04-18T17:28:40.863

1

I've used Spybot a long time ago, so I can't compare, but ComboFix was great helping me to clean up when needed. ^^ Just give it a try, who knows. – Konrad Gadzina – 2013-04-18T17:46:54.453

@AdamDavis It is certain that ComboFix will find things Spybot misses. – Aaron Miller – 2013-04-18T17:54:55.337

Combofix did not resolve the problem. – Adam Davis – 2013-04-18T21:33:30.337

Try MBAM (MalwareBytes) as well. – Karan – 2013-04-19T00:21:04.297

Answers

0

Solution:

Apparently there was an additional keyboard attached to this computer, and it has media keys, one of which was getting pressed just enough that desktop vibration would make the contact.

So if this is happening to you, remove all your USB devices just in case some joker attached a USB hub or long USB cable and hid a pranked keyboard under your desk.


I ended up using Process Monitor and looking at the log immediately prior to the launch of the default browser. I noticed that Explorer.exe was looking up keys in the registry that have to do with buttons on multimedia keyboards (for instance you might have a keyboard with an internet button).

So a key similar to HKLM/software/microsoft/windows/currentversion/explorer/appkey/7 will usually have "association" set to "http". Setting that to "" disables the internet multimedia key.

I don't have a keyboard with that key, but I made the change anyway, as it seems that some process is sending that keypress to the system.

The random windows are no longer popping up, though I'm going to let the system run overnight just in case.

Still means I haven't found the root cause (who is sending that keypress?) but I've found a workaround.

Adam Davis

Posted 2013-04-18T16:58:09.640

Reputation: 4 327

On a completely unrelated note, anyone know of any good pranks to pull on coworkers? I need something really, really good... – Adam Davis – 2013-05-16T15:07:29.947
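
A read-only way to list the AppKey entries the answer above describes, as an added PowerShell example that is not part of the original posts. The HKCU location and the choice to print every value under each subkey are assumptions that go beyond what the answer states.

```powershell
# Added example: read-only audit of the multimedia-key (AppKey) registry entries.
# Nothing is modified; the script only lists what Explorer would find there.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey',
    # Assumption: per-user entries may also exist under HKCU.
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey'
)

$report = foreach ($root in $roots) {
    # Skip a hive that has no AppKey key at all.
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Each numbered subkey (for example 7) corresponds to one multimedia key.
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            New-Object PSObject -Property @{
                Hive     = $root.Substring(0, 4)   # "HKLM" or "HKCU"
                AppKey   = $key.PSChildName        # subkey name, e.g. "7"
                Value    = $name                   # e.g. "Association"
                Data     = $data                   # e.g. "http"
                NonEmpty = ($data -ne '')          # an empty string is the disabled state
            }
        }
    }
}

# Show the result as one table, grouped by hive and subkey.
$report | Sort-Object Hive, AppKey, Value |
    Format-Table Hive, AppKey, Value, Data, NonEmpty -AutoSize
```

A row for subkey 7 whose Association is http is the internet key from the answer; after the workaround, that row shows an empty Data column.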