What is Search page database ?

Hi,

One friend of mine has the following problem. When typing an incomplete url, he get a completely different site, with something like target="_blank">http://ok-search.com/?search=www.anothersite.com, exactly as if he typed www.anothersite.com

Is it what is called the Search page in Browser Hijack Blaster ? How to change it ?

BTW, Home page is "about:blank" for me, but what is Default page ? Where are all those databases in the registry ?

Thanks in advance.

Yinda

 

Hi Yinda,

Are you any good at reading reg files?
This is one that restores everything to windows default:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://g.msn.com/0SEENUS/SAOS01"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

Thanks to Tony and FAL

To use it, copy everything in bold to notepad, save it as IEFIX.reg and doubleclick it.
You will be prompted if you want to add it to the registry.

Regards,

Pieter

 

Here is an excerpt from a regfix file that shows the normal location and default for various search page keys:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://g.msn.com/0SEENUS/SAOS01"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000

It sounds like your friend has been hijacked. To find out what has been changed, I suggest using HijackThis, a diagnostic tool. On this page:

» HijackThis - Instructions

... you will find instructions that explain how to use the program. You can download HijackThis here:

» HijackThis - Download

Unpack the .zip file and run the HijackThis.exe program. Click the Scan button to scan your system, then click the Save log button to save a copy of the log it generates. The file Hijackthis.log will be created. At this point, do NOT check any items in the list, and do NOT click the Fix checked button. (Most of the items listed in your log will be normal and legitimate.) Copy and paste the contents of HijackThis.log into a message and post it in this thread. Then we can review the log and make some recommendations ...

(Edit) Oops, too slow on the default list ...

 

Hi,

Many thanks to both of you. I'll first see what is actually in my/his registry and then fix the problem with him.

Thanks again.

Yinda

 

Be aware that often these hijackings include other changes, some of which may re-hijack the search page settings each time you reboot or re-open your browser. That's why I suggested a review of a HijackThis log ...

 

I have checked my own registry which looks normal. But I could not join my friend as he is on holidays now. I'll ask him to consider HijackThis log and/or use Spybot S&D or Ad-aware to locate the culprit.

Thanks again.

 

Hi,

This is to tell you that I passed the search page keys to my friend, so that he could fix the problem.

Thanks again to all of you.

Yinda