Topics covered

Part I:
Part II (here):
Part III:
Related links:

Internet Explorer 6 hijacking Part II: Home and Blank Pages

Go back to Part I on previous page: Internet Options menu

Topics on this page:

IE6 homepage hijacking

IE6 homepage locking

Hijack objects reappearing on reboot

IE6 blank (local) page hijacking

Lock your own homepage

Go to: Part III: Window Title, Search and Local Pages


IE6 homepage hijacking

Please read the introduction in Part I first. Homepage (start page) hijacking is now fairly commonly seen in IE6 especially if you are lax in IE security.

Note: if it is a version or variant of CoolWebSearch then you can get more information here as it is very hard to remove. You need the CoolWebShredder tool. The about:blank page has now been used too as part of CoolWebSearch. For other hijacked home sites you should search on the internet (especially this site) for more up to date specific fix. You usually find answers in forums or ask in forums. This is a general guide which should work in the vast majority of cases of hijacks other than CoolWebSearch or about:blank page hijacks. Read this Lavasoft article too about Ad-aware and about:blank.

The registry key which would normally let you change your home (start) page is in the HKCU hive (Fig. 5). It also has entries for the local page, search page and window title (see Part III). This key is most commonly used for hijacking but there are other possible places which I will refer to below so you need to look for all the possible entries.

HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
REG_SZ = <yourhomepageURL>

HKCU registry key

Fig. 5. HKCU Start Page registry key.


If the Internet Options' address box is not greyed out, you can open regedit and correct the data or run HijackThis (or here), tick the entry (R0 in the figure) and clicked Fix checked (Fig. 6).

HijackThis window showing Start page

Fig. 6. HijackThis scan log showing the HKCU Start Page key.


or run Browser Hijack Blaster, click the Start Protection button: it protects the home and other pages; once activated it changes to Stop Protection (Fig. 7).

Browser Hijack Blaster window

Fig. 7. Browser Hijack Blaster main window.


Other keys for home page hijacking

It is possible to add the following key as hijack object or customisation; this is not present by default:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

There are two other entries in the HKLM key and the default value data should remain the same whether you have customised your home page or not; these are further targets for customisation or hijacking.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main


(The above values are all in one line.)

In Windows XP Pro's Group Policy editor, Local Computer Policy, User Configuration, Internet Explorer maintenance, URLs, Important URLs, Customize Home page URLs, you can enter your custom URL in the Home page URL box (Fig. 8).

This changes both the HKCU\....\Main\Start Page and the HKLM\....\Main\Default Page URL with the customised URL. Interestingly this change within the Group Policy editor will override the home page restriction set by another Group Policy setting which is discussed below. You can reset your home page here.

Customise home page URL

Fig. 8. Group Policy: Customize Home page URL.



IE Home page locking

If your homepage is locked, the Address box in IE's Internet Options is greyed out thus preventing you from resetting it (Fig. 9). If it is hijacked with about:blank to direct to a search page, it is a variant of CoolWebSearch: read my note at the beginning.

IE Internet Options

Fig. 9. Internet Options Home page Address bar.


Normally you can reset the home page because there is no policy in the registry but if it is present then it will deny you permission:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

In the control panel key, setting the Homepage value to (1) would lock the home page and make the homepage setting greyed out in the IE Internet Options box (Fig. 10).

HKCU Control Panel key

Fig. 10. HKCU Control Panel key which locks the homepage.


You need to reset it to (0) or delete the Control Panel, Homepage subkey. You can also reset this in Window XP Pro's Group Policy Editor:

User Configuration\Administrative Templates\Windows Components\Internet Explorer: Disable changing homepage settings.

Choosing Not Configured would delete the Control Panel, Homepage entry; choosing Disabled would reset the value data to (1). It is possible (although not touched by the Group Policy editor) for the HKLM policy key to be a target of hijacking so it's worth checking it too.

Or if you don't want to do it yourself, copy and paste all the text between (but not including) the lines, save in Notepad somewhere on your computer as Unlock.reg (or any name you like) and double-click to run it; or just download and run the unlock homepage file (unzip and run it).

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] "Homepage"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel] "Homepage"=dword:00000000

Or run HijackThis to remove the Control Panel entry in the registry, tick the entry and click Fix checked (Fig. 4 in the previous page).


Hijack objects reappearing on reboot

Often the browser hijack object reappears on reboot because it runs on start up. In that case go to Windows Task Manager and stop all non essential running processes or go to Safe Mode, run HijackThis again and look carefully for other suspicious entries especially the startup entries (see Part III for details). If in doubt, do a Startup List (available in the Config button, Misc Tools, Generate StartupList log) and examine the contents carefully or ask other experts in a forum. Also scan for spyware (with Ad-aware and Spybot Search and Destroy) and for Trojans with a trojan scanner.


IE6 blank (local) page hijacking

Read my note on about:blank at the beginning of this article.

The blank page (if you do not specify a home page in Internet Options) can sometimes be hijacked with a cascading style sheet (css) or another html page: look for this entry in the registry editor or HijackThis (see Fig. 9 above); the default is:

HKCU\Software\Microsoft\Internet Explorer\Main
Local Page
REG_EXPAND_SZ: %SystemRoot%\System32\blank.htm

(or: C:\Windows\System32\blank.htm or whatever your drive letter is)

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Local Page
REG_EXPAND_SZ = %SystemRoot%\System32\blank.htm

There is no blank.htm file in the System32 folder but there is one in C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\ so it is not clear why the default setting points to a different location.


Lock your own IE home page

You can actually lock it yourself by resetting the above homepage value to (1); or use the Group Policy editor or download and run the lock homepage file (unzip and run it). Check that the homepage setting box is indeed greyed out with your desired URL (Fig. 7 above). Remember that HijackThis will show this entry but if you've set it yourself you can ignore it.

This tactic only stops the desktop user from resetting the home page in the Internet Options; it does not prevent scripts from doing so. You should increase your internet zone security settings (refer to my article on this). Also refer to Part III for a summary of the approach and the registry keys.


Go to TOP

Go to Part III: Window Title, Search and Local Pages


Copyright © 2003 by Kilian. All my articles including graphics are provided "as is" without warranties of any kind. I hereby disclaim all warranties with regard to the information provided. In no event shall I be liable for any damage of any kind whatsoever resulting from the information. The articles are provided in good faith and after some degree of verification but they may contain technical or typographical errors. Links to other web resources may be changed at any time and are beyond the control of the author. Articles may be added, removed, edited or improved at any time. No support is provided by the author.

This is not an official support page for HijackThis or other products mentioned. All the products mentioned are trademarks of their companies. Edit the registry at your own risk and back up first.

Last updated 23 June 2004