What is Search page database ?

Discussion in 'SpywareBlaster & Other Forum' started by Yinda, Jul 13, 2003.

Thread Status:
Not open for further replies.
  1. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    One friend of mine has the following problem. When typing an incomplete URL, he gets a completely different site, with something like http://ok-search.com/?search=www.anothersite.com, exactly as if he typed www.anothersite.com

    Is it what is called the Search page in Browser Hijack Blaster? How to change it?

    BTW, Home page is "about:blank" for me, but what is Default page? Where are all those databases in the registry?

    Thanks in advance.

    Yinda
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Yinda,

    Are you any good at reading reg files?
    This is one that restores everything to Windows default:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
    "CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://g.msn.com/0SEENUS/SAOS01"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
    ""="http://home.microsoft.com/access/autosearch.asp?p=%s"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://search.msn.com/spbasic.htm"
    "Use Custom Search URL"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
    @="http://"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
    "ftp"="ftp://"
    "gopher"="gopher://"
    "home"="http://"
    "mosaic"="http://"
    "www"="http://"


    Thanks to Tony and FAL

    To use it, copy everything in bold to Notepad, save it as IEFIX.reg and double-click it.
    You will be prompted if you want to add it to the registry.

    Regards,

    Pieter
     
  3. Reverend Ike

    Reverend Ike Registered Member

    Joined:
    Jun 15, 2003
    Posts:
    25
    Location:
    Sacramento, CA
    Here is an excerpt from a regfix file that shows the normal location and default for various search page keys:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
    "CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://g.msn.com/0SEENUS/SAOS01"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
    ""="http://home.microsoft.com/access/autosearch.asp?p=%s"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://search.msn.com/spbasic.htm"
    "Use Custom Search URL"=dword:00000000

    It sounds like your friend has been hijacked. To find out what has been changed, I suggest using HijackThis, a diagnostic tool. On this page:

    » HijackThis - Instructions

    ... you will find instructions that explain how to use the program. You can download HijackThis here:

    » HijackThis - Download

    Unpack the .zip file and run the HijackThis.exe program. Click the Scan button to scan your system, then click the Save log button to save a copy of the log it generates. The file Hijackthis.log will be created. At this point, do NOT check any items in the list, and do NOT click the Fix checked button. (Most of the items listed in your log will be normal and legitimate.) Copy and paste the contents of HijackThis.log into a message and post it in this thread. Then we can review the log and make some recommendations ...

    (Edit) Oops, too slow on the default list ... :)
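
Added example, not part of the original thread or of any tool named in it: a small Python check that compares a registry export against the default search values listed above and reports which ones were changed. It assumes the export was saved in the Win9x/NT4 (REGEDIT4) text format and holds only string and dword values; `SAMPLE_EXPORT` is constructed for illustration.

```python
import re

# Defaults taken from the .reg listing in this thread (subset of the search values).
BASELINE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000
'''

# Constructed sample: what a regedit export from an affected machine might contain.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://ok-search.com/?search="
"Start Page"="about:blank"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://ok-search.com/?search="
"Use Custom Search URL"=dword:00000001
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def parse_reg(text):
    """Map (key, value name), both lower-cased, to the raw data in a REGEDIT4 file."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            # "[-KEY]" deletes a key; it carries no values to compare.
            key = None if line.startswith('[-') else line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name = '' if m.group(1) == '@' else m.group(1)[1:-1]  # '' = default value
            values[(key, name.lower())] = m.group(2).strip()
    return values

def find_changes(baseline_text, export_text):
    """List (key, name, expected, actual) for baseline values that differ in the export."""
    baseline, current = parse_reg(baseline_text), parse_reg(export_text)
    return [(key, name, expected, current[(key, name)])
            for (key, name), expected in sorted(baseline.items())
            if (key, name) in current and current[(key, name)] != expected]

if __name__ == '__main__':
    for key, name, expected, actual in find_changes(BASELINE_REG, SAMPLE_EXPORT):
        print(f'{key}\\{name}: expected {expected}, found {actual}')
```

Key and value names are compared case-insensitively, as the registry does; values absent from the baseline (such as "Start Page" in the sample) are not reported.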
     
  4. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    Many thanks to both of you. I'll first see what is actually in my/his registry and then fix the problem with him.

    Thanks again.

    Yinda
     
  5. Reverend Ike

    Reverend Ike Registered Member

    Joined:
    Jun 15, 2003
    Posts:
    25
    Location:
    Sacramento, CA
    Be aware that often these hijackings include other changes, some of which may re-hijack the search page settings each time you reboot or re-open your browser. That's why I suggested a review of a HijackThis log ...
     
  6. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    I have checked my own registry which looks normal. But I could not join my friend as he is on holidays now. I'll ask him to consider HijackThis log and/or use Spybot S&D or Ad-aware to locate the culprit.

    Thanks again.
     
  7. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    This is to tell you that I passed the search page keys to my friend, so that he could fix the problem.

    Thanks again to all of you.

    Yinda
     