Internet Explorer 6 hijacking Part III: Window Title, Search Pages and miscellaneous entries
Go to Part I: Internet Options menu
Go to Part II: Home and blank pages
Topics on this page:
IE Window Title
IE Search Page and about:blank hijack
Summary
Entries affecting the user
Entries affecting the local computer
Miscellaneous entries:
The registry key for the IE Window Title (the text displayed on the top bar of your IE window after the web page title) is:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title
REG_SZ =
This value name is absent by default, in which case IE displays "Microsoft Internet Explorer". You can customise it by adding the name and value, or it may be branded by a company, or it can be hijacked with a website title. It is conceivable that an entry in the corresponding HKLM registry key would have the same effect but I've not seen it.
You can use the Group Policy editor to customise your window title in:
User Configuration\Windows Settings\Internet Explorer Maintenance\Browser User Interface
Browser Title
Setting this external branding restriction in Windows XP Professional's Group Policy may stop it from being changed:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\
Disable external branding of Internet Explorer: Enabled
The registry key is:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoExternalBranding
REG_DWORD: (1)
about:blank hijack
If the IE search page or the home page is hijacked with about:blank so that it redirects to a search page, it could be a virus or a variant of CoolWebSearch: read the following note.
Note: if it is a version or variant of CoolWebSearch then you can get more information here, as it is very hard to remove. You need the CWShredder tool. The about:blank page has now also been used as part of CoolWebSearch. For other hijacked home sites you should search on the internet (especially this site) for a more up to date specific fix. You usually find answers in forums, or you can ask in forums. This is a general guide which should work in the vast majority of hijacks other than CoolWebSearch or about:blank page hijacks.
Some about:blank viruses enter a hidden value data entry in this registry key (as well as non-hidden DLLs in the system32 folder); normally there should be no data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
REG_SZ:
Other search page hijacks
The search page links to the search engine that you choose. The default keys are:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Page
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
You can use Windows XP Professional's Group Policy editor to customise it in:
User Configuration\Windows Settings\Internet Explorer Maintenance\URLs
Important URLs
Setting this restriction in the Group Policy may lock it:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\
Search: Disable Search Customization: Enabled
The registry key is:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoSearchCustomization
REG_DWORD (1)
It is possible to add the following entry as a hijack object or customisation; it is not present by default:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Search_URL
REG_SZ =
The following default keys should remain unchanged after customisation for the user (which changes the HKCU key only) but can be hijacked too.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Default_Search_URL
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
It is possible to hijack or customise search here; these are not necessarily present by default:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch
REG_SZ =
SearchAssistant
REG_SZ =
Default_Search_URL
REG_SZ =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl
(Default)
REG_SZ =
These keys are present by default and their values are:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
(Default)
REG_SZ =
{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
REG_SZ =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
(Default)
REG_SZ = http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
home
REG_SZ = http://
www
REG_SZ = http://
***For a specific home page or toolbar hijacking, search in Google first
as there may well be a specific fix. Refer to my note for CoolWebSearch
above.***
General approach:
1. Reset the home page in IE: Tools, Internet Options, General page, Address bar, or Use Default or Use Blank. If the bar is greyed out then go to step (5). If the hijacked home page reappears on reboot, carry on below. If the home page is locked, go to step (5). For toolbar hijacking, refer to the registry entries in the sections below. For the search page, use the Group Policy editor, or go to step (9).
2. In Task Manager, stop (End Process) all non-essential running tasks. Find and delete any suspicious processes. Or go to Safe Mode and proceed to step (3). VERY IMPORTANT, as otherwise they may not be eradicated.
3. Go through the registry manually to remove offending items. Try the Group Policy Editor in Windows XP Professional to reset the home and search pages.
4. Scan for and remove viruses, worms, Trojans, spyware and adware thoroughly.
5. If the home page is locked, unlock it in the registry or the Group Policy Editor.
6. If regedit is locked or reports "operation cancelled", unlock it first with the Group Policy Editor or other means (refer to my articles on this).
7. Disable autostart entries: search the HKCU and HKLM Run registry keys and the Windows user (under your name) and All Users Startup folders, and delete any offending items.
8. Optional but advisable: delete all junk: Windows temp files, IE temporary internet files, the Typed URL list, cookies and history.
9. If the above fails, try System Restore, restore from NTBackup, ASR (XP Professional) or Ghost, and other software (e.g. Browser Hijack Blaster). The Startup List generated by HijackThis gives you a detailed analysis of all the startup hijack objects.
Afterwards, once you have cleaned up, to prevent it from happening again:
10. Lock your home page (this does not stop scripts from running).
11. Customise the IE security settings to higher than the Medium (default) level, or to High (refer to my IE security article). Microsoft now recommends increasing the IE security level to HIGH (link). VERY IMPORTANT
12. Install all the critical Microsoft Windows and IE security patches. VERY IMPORTANT
13. Use another browser that does not use the IE core and is thus more secure, e.g. Netscape/Mozilla/Firefox. STRONGLY RECOMMENDED
14. Use the Sun Java VM instead of the outdated and vulnerable Microsoft Java VM. If you insist on using the latter, at least update to the latest build 3810 (no more are expected to be released).
The registry keys
As you may realise by now, the two registry keys for the current user and the local machine contain entries for the IE start page, search page and local page, and the HKCU key alone has an optional entry for the window title. HijackThis will find these keys and Browser Hijack Blaster will also protect the home, search and local (default) pages (see Part II). The entries which direct IE to MSN can be removed if you wish.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Local Page
REG_EXPAND_SZ = %SystemRoot%\System32\blank.htm
Search Page
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Start Page
REG_SZ =
(Most likely you will have customised this. The default is the same as in the HKLM key for the link to MSN.)
Window Title
REG_SZ =
(This is absent by default.)
The other default settings are in the HKLM registry hive:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Default_Page_URL
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page
REG_EXPAND_SZ = %SystemRoot%\System32\blank.htm
Search Page
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Start Page
REG_SZ = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
The following list of possible hijack object locations is not exhaustive but is well worth checking. These entries can also be customised (branded) by the user or a company, or be the targets of viruses and Trojans. This list will be updated as necessary.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
NoRealMode
Disabled
This subkey is not found in Win XP by default; it may be for old programmes or Windows versions and is the target of the JS_Offensive Trojan. Delete it if found.
Look through these startup registry keys methodically. You probably won't have them all; most are legacy keys and the keys with Policies are only created by Group Policy. The following keys are listed in the order of execution. The RunOnce, RunOnceEx and RunServicesOnce keys contain items which are meant to execute once only.
There are at least six HKLM and six HKCU registry keys responsible for startup items.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Apart from registry startup keys, other possible locations for startup items include:
- Per Computer logon scripts
- Per Computer scheduled tasks
- Per User logon scripts
- Per User scheduled tasks
- All Users' Startup folder (usually in C:\Documents and Settings\All Users\Start Menu\Programs\Startup)
- Individual user's Startup folder (usually in P:\Documents and Settings\<username>\Start Menu\Programs\Startup)
Also check for these suspicious entries in the startup registry keys:
Iexplore.exe
Internal
Internat.exe
Internet.url
ScanRegistry
TaskMonitor
SystemTray
LoadPowerProfile
regedit -s (or: regedit.exe -s)
any .bat, .dll, .hta, .exe, .js, .jse, .vbe, .vbs, .wsc, .wsf and .wsh entries
Delete any of the above names and values. Note that internat.exe is a file normally used for language input in older versions of Windows, but it can be infected. The regedit -s entry is highly suspicious as it edits the registry silently on boot up.
In Explorer, look also in the Startup folders in the user folder and the All Users folder, both under Start Menu, Programs.
You can also disable startup programs and processes in Windows XP's msconfig or another startup manager (e.g. Startup Control Panel), but it is preferable to delete the offending entries at their source rather than just disabling them from execution.
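The checks described above (the IE Main URLs and their Microsoft defaults, the AppInit_DLLs value that should be empty, the Window Title override, and the startup keys with their suspicious names, script extensions and silent regedit -s entries) can be run offline against a .reg file saved with regedit's Export or the reg export command, which is how I would triage a machine without touching its live registry. The following Python script is an added example and not the article's own code: parse_reg(), triage() and EXPECTED_HOSTS are my own names, SAMPLE_EXPORT is a constructed export (the .test domain and the DLL name are placeholders, not real indicators), and .exe is deliberately left out of the extension check because every legitimate Run entry carries one.

```python
"""Offline triage of a regedit / 'reg export' text file for the IE6 hijack indicators
this article lists. Added example, not the article's code: parse_reg(), triage(),
EXPECTED_HOSTS are my own names and SAMPLE_EXPORT is a constructed export."""
import re
from urllib.parse import urlparse

# Hosts behind the default IE6 URLs quoted in the article; add your own chosen search engine.
EXPECTED_HOSTS = {"www.microsoft.com", "www.msn.com"}
URL_VALUES = {"Start Page", "Search Page", "Default_Search_URL", "Default_Page_URL"}
# The article's suspicious startup entry names, lower-cased for comparison.
SUSPICIOUS_NAMES = {"iexplore.exe", "internal", "internat.exe", "internet.url",
                    "scanregistry", "taskmonitor", "systemtray", "loadpowerprofile"}
# The article's extension list minus .exe, which every legitimate Run entry carries.
SCRIPT_EXT_RE = re.compile(r"\.(bat|dll|hta|js|jse|vbe|vbs|wsc|wsf|wsh)\b", re.I)
SILENT_REGEDIT_RE = re.compile(r"regedit(\.exe)?\s+[-/]s\b", re.I)
STARTUP_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(OnceEx|Once|ServicesOnce|Services)?$", re.I)
VALUE_LINE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash


def parse_reg(text):
    """Return {key_path: {value_name: data}}. Strings and dwords are decoded; hex(...)
    data is kept as raw text (its continuation lines are skipped). Real exports are
    UTF-16: read them with open(path, encoding="utf-16")."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if current is None or not m:
            continue  # header, comment, blank or hex continuation line
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def triage(keys):
    """Return (key, value_name, reason) findings for the indicators the article describes."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\software\microsoft\internet explorer\main"):
            for name, data in values.items():
                if name in URL_VALUES and isinstance(data, str):
                    host = (urlparse(data).hostname or "").lower()
                    if data.lower() == "about:blank":
                        if name == "Search Page":  # a blank *home* page is a normal user choice
                            findings.append((key, name, "about:blank search page; check AppInit_DLLs (CoolWebSearch)"))
                    elif host not in EXPECTED_HOSTS:
                        findings.append((key, name, f"points to unexpected host {host!r}"))
                elif name.lower() == "window title":
                    findings.append((key, name, f"window title override present: {data!r}"))
        elif k.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("AppInit_DLLs", "")
            if dlls:  # loaded into every process that uses user32.dll, so it survives killing IE
                findings.append((key, "AppInit_DLLs", f"should be empty, contains {dlls!r}"))
        elif STARTUP_KEY_RE.search(key):
            for name, data in values.items():
                if name.lower() in SUSPICIOUS_NAMES:
                    findings.append((key, name, "name is on the suspicious-entries list"))
                if SILENT_REGEDIT_RE.search(str(data)):
                    findings.append((key, name, "silent registry import at boot"))
                elif SCRIPT_EXT_RE.search(str(data)):
                    findings.append((key, name, "script or DLL extension in startup command"))
    return findings


# Constructed export showing each indicator; example-hijack.test uses the reserved .test TLD.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example-hijack.test/?id=1"
"Search Page"="about:blank"
"Local Page"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00
"Window Title"="Visit example-hijack.test"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserContextMenu"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\hijack-sample.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="regedit.exe -s C:\\WINDOWS\\temp\\x.reg"
"Updater"="wscript.exe C:\\WINDOWS\\svc.vbs"
"Synchronization Manager"="mobsync.exe /logon"
"""

if __name__ == "__main__":
    for key, name, reason in triage(parse_reg(SAMPLE_EXPORT)):
        print(f"{key}\n    {name}: {reason}")
```

Run it as is to see the seven findings from the constructed export, or replace SAMPLE_EXPORT with the text of an export of the keys listed in this article. The host allow-list is the one judgment call: a user who has legitimately set Google as the search page needs its host added, otherwise that entry is reported as well.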
***NEW*** Some hijackers now use dynamic link libraries (DLLs) which start up and load in memory. These are very hard to detect and remove unless you know what to look for and how to stop and un-register them. You might want to try deleting them in Safe Mode, or use tools such as Killbox and Sysinternals' Process Explorer to trace what other files are involved.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
Any subkey under MenuExt appears in the IE right-click menu, e.g. download managers like Download Accelerator Plus and FlashGet. The commands are shortcuts linked to HTML files or programme flags. Sometimes these are not removed during programme un-installation and can be cleaned up manually.
Setting this restriction in Windows XP Pro's Group Policy would disable the menu:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus
Disable Context menu: Enabled
The registry key is:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoBrowserContextMenu
REG_DWORD (1)
Toolbar icon, button, extra toolbar, search assistant
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions
{a long alphanumeric globally unique identifier (CLSID GUID) number}
Any {CLSID GUID} entry here is an add-on icon, button, toolbar or search assistant (more details here).
If you find one here you also need to look elsewhere, searching the registry for the same GUID number (more details here):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{Hijack Object's CLSID GUID}
BarSize =
HKEY_CLASSES_ROOT\CLSID\{Hijack Object's CLSID GUID}
(Default) = Menu Text String
InProcServer32
(Default) = DLL Pathname
ThreadingModel = Apartment
Instance\CLSID
(Default) = {4D5C8C2A-D075-11D0-B416-00C04FB90376}
Instance\InitPropertyBag
Url = an HTML File
The HKEY_CLASSES_ROOT key is mapped to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key, and a CLSID is a GUID that identifies a registered COM class object, so you'll find the same entries in both keys.
An example of a CLSID GUID from a porn site can be found here.
This one is related to the Alexa toolbar (more details here):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\cmdmapping\{9d74677a-e227-40fb-9511-f7e92ea4083a}
There are many others which you can search for on the internet (using the above key) if you don't know what they are.
The toolbar can also be customised via Windows XP Pro's Group Policy editor:
User Configuration\Windows Settings\Internet Explorer Maintenance\Browser User Interface
Browser Toolbar Customizations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
Subkeys here add toolbar extensions.
This subkey is the Alexa toolbar and the 'Tools'/'Show Related Links' menu item:
{c95fe080-8f5d-11d2-a20b-00aa003c157a}
These GUID subkeys are installed by the JS.Fortnight.D Trojan:
{0B5F1910-F111-11d2-BB9E-00C04F7956B1} to {0B5F1910-F111-11d2-BB9E-00C04F7956B5}
Toolbar background
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
BackBitmap
REG_SZ
BackBitmap points to an image file used as a toolbar background; the same can also be done using third party programmes like TweakXP. The change affects IE, Outlook Express and Windows Explorer.
Toolbar and button customisation can be disabled in the Group Policy Editor; the registry entries are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoBandCustomize
NoToolbarCustomize
Toolbar logo
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
BrandBitmap
REG_SZ
BrandLeadIn
REG_DWORD
SmBrandBitmap
REG_SZ
SmBrandLeadIn
REG_DWORD
SmBrandHeight
REG_DWORD
Either setting adds a large or small animated logo in the top right corner of IE, OE and Explorer while the programme is busy. The graphic file needs to be a bitmap laid out as a vertical filmstrip: 38 or 22 pixels wide (or any other size, as long as the small image is smaller than the large one) and that many pixels times the number of frames high.
The following are set per user in:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
or per computer in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
BigBitmap
REG_SZ
SmallBitmap
REG_SZ
Either setting adds a large or small non-animated logo which appears while the programme is idle. The path points to a bitmap file of, say, 38x38 or 22x22 pixels.
This can also be done via TweakUI version 2.10 or the Group Policy editor:
User Configuration\Windows Settings\Internet Explorer Maintenance\Browser User Interface
Custom Logo
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
provider
There is no default value data, so anything here is customised or hijacked. It is used by the JS.Fortnight.D Trojan to redirect the search to the Trojan's website. You can customise your alternative search engine here.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch
SearchAssistant
These are also used by the JS.Fortnight.D Trojan to redirect the search. Reset the data to About:blank if you find any entries you don't want. You can also customise your alternative search engine here, to Google for example.
***NEW*** Unfortunately About:blank can also masquerade as a search page hijack and may be part of CoolWebSearch.
Sometimes when you delete the IE history some internet addresses remain in the address bar (this is not the same as autocomplete or IE history); here you need to delete the entries in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
Delete the data in the right pane, leaving only the default name. You can write a script file (bat or vbs) to clean the list regularly.
It is possible to prevent IE from storing this list, as part of disabling personalised menus, by setting a registry policy (source), but this would also affect other programmes that use personalised menus.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoInstrumentation
REG_DWORD = (1)
This can also be done in Windows XP Pro's Group Policy editor:
User Configuration\Administrative Templates\Start Menu and Taskbar
Turn off user tracking
Setting the following registry entry is designed to prevent the drop-down menu of the Address bar from displaying the typed URLs when you start typing a URL: it displays an empty drop-down menu. But this also prevents the Start, Run dialogue's menu from displaying anything.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRecentDocsMenu
REG_BINARY = (01)
The hosts file may contain entries to redirect your search, or may be part of spyware. If you find suspicious hosts files elsewhere in your system, e.g. in Windows\Help\, they should not be there. Check the contents of the hosts file in the Windows\system32\drivers\etc folder. This file is altered by some recent worm infections.
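When reading through the hosts file, the distinction worth making is between a name mapped to the local address (which only blocks that site) and a name mapped to some other address (which silently redirects the browser to it). The following Python script is an added example, not the article's own code: parse_hosts(), check_hosts() and WATCHED_DOMAINS are my own names, and SAMPLE_HOSTS is a constructed file (198.51.100.7 is a documentation address, not a real server).

```python
"""Check a Windows hosts file for the redirect entries described above.
Added example, not the article's code; parse_hosts(), check_hosts() and
WATCHED_DOMAINS are my own names, and SAMPLE_HOSTS is constructed."""
import ipaddress

# Mapping a name to one of these addresses only blocks it; anything else redirects it.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Sites a hijack typically intercepts: IE's own start/search hosts and common search engines.
WATCHED_DOMAINS = ("microsoft.com", "msn.com", "google.com", "yahoo.com")


def parse_hosts(text):
    """Return (line_number, address, hostname) for each valid mapping; comments and
    malformed lines are skipped, as Windows itself ignores them."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for host in parts[1:]:  # one line may carry several names
            entries.append((n, addr, host.lower()))
    return entries


def check_hosts(text):
    """Return (line_number, hostname, reason) findings. A watched site mapped to a local
    address is reported too, because it makes searches or updates silently fail."""
    findings = []
    for n, addr, host in parse_hosts(text):
        if host == "localhost":
            continue  # the only entry a clean default file carries
        watched = any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)
        if addr not in LOCAL_ADDRESSES:
            findings.append((n, host, f"redirected to {addr}"))
        elif watched:
            findings.append((n, host, f"blocked via {addr}"))
    return findings


# Constructed hosts file: one harmless ad block, one blocked search engine, two redirects.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.test        # blocks an ad server: harmless
0.0.0.0         www.google.com          # search engine blocked
198.51.100.7    www.msn.com search.msn.com   # IE start/search pages redirected
"""

if __name__ == "__main__":
    for n, host, reason in check_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {host} {reason}")
```

The ad-server block on line 3 is deliberately not reported: many users add such entries themselves, and a local mapping cannot send the browser anywhere. Run the script against the file from Windows\system32\drivers\etc by reading it into check_hosts() in place of SAMPLE_HOSTS.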
For some IE add-ons (e.g. search bars, whether you installed them intentionally or they arrived as hijack objects) there might be an entry in the Control Panel, Add or Remove Programs list, so it is worth looking there first.
This is covered in detail here, where there is a tool, CWShredder, to remove it. The author there says this hijack object is updated frequently, so be sure to download the latest CWShredder. Note also that this might be associated with Trojans that exploit the ByteCode Verifier Vulnerability of the Microsoft Java VM in versions older than Build 5.0.3810. Therefore use the Sun Java VM instead.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
LegalNoticeCaption
LegalNoticeText
Strictly speaking this is not in IE but comes up before Windows logon. If the entries are present in the registry, a window appears during boot up, before the logon (Welcome) screen, with a caption title and text. You have to click OK to proceed to the logon screen. Sometimes this is used by companies to display their information, but it can also be a target for hijacking. This can be set using Xteq System XSetup.
Reference
Browser extensions
Internet Explorer Branding
about:blank virus
Copyright © 2003-2004 by Kilian. All my articles including
graphics are provided "as is" without warranties of any kind.
I hereby disclaim all warranties with regard to the information provided.
In no event shall I be liable for any damage of any kind whatsoever
resulting from the information. The articles are provided in good faith
and after some degree of verification but they may contain technical
or typographical errors. Links to other web resources may be changed
at any time and are beyond the control of the author. Articles may be
added, removed, edited or improved at any time. No support is provided
by the author.
This is not an official support page for HijackThis or other
products mentioned. All the products mentioned are trademarks of their
companies. Edit the registry at your own risk and back up first.
Last updated 13 Nov 2005