Ever wondered why your browser's homepage has changed, although you didn't do it.

If that is the case, here is the answer: Startpage trojans


Startpage trojans are programs designed to change the browsers homepage on a machine without the consent of the user.

It is designed by the malware authors to take control of your browser startpage.


Starpage trojans are silent killers.

They are not those kind of programs that will harm your computer immediately. But if ignored, you could be in trouble.


Once a machine is infected with Start page trojans, you will be redirected to a different home page(website). 

Generally the websites to which it redirects are malicious websites and they will further install/download harmful contents on to your machine.


The trojan will look for vulnerabilities in your browser and start to exploit it. Your desktop images might be changed, the system may become slow.

Irrespective of your consent, you also see lot of toolbars being installed. Some of the software/programs already installed might not work properly

There is also a possibility that your sensitive information can be stolen as after redirecting to  the malicious website, it might even install a keylogger.


Users tend to set their homepage usually to Google/Yahoo/MSN or they either leave it blank.

homepage IE.JPG


But if the startpage trojan has changed your home page, it will look like the following

homepage changed IE.JPG


You might have just removed it from there and typed in Google/Yahoo, but the next time you open your browser and the same old story unfolds again.

This is because the Starpage trojan changes quite a few registry keys in your machine and these keys are the ones which redirect the browser to the malicious website every time you open the browser.


Some of the registry keys which are changed are mentioned below:


    * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" 

    * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Search_URL"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Search Bar"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Search Page"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "(Default)"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "CustomizeSearch"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl "(Default)"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\URL\DefaultPrefix   "(Default)"

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\URL\Prefixes "www"




Now if you are thinking how did I get infected, these might be some of the reasons:


1. You might have downloaded a freeware application or a software

from an untusted source.

2. You might have opened a link from an e-mail attachment that your friend sent it to you.

3. Your Internet security settings and surfing habits are a bit lax.

4. You might have downloaded a legitimae application and this malicious code or program is bundled into it.

It is a very common practice to bind malicious codes/program to legitimate applictions and host it on the Internet.

5. You might not be using a trusted anti-malware/anti virus software.

6. You might not have updated your PC's firewall, or the antivirus tool.

7. You might be using an older version of your browser.


Tips to prevent from getting affected


1. Cultivate a safe web browsing habit.

2. Visit only trusted sites.

3. Scan any email attachments which you receive.

4. Download free ware applications from reputed sites

5. Update your PC's security settings/AV tool/browser etc


What next if you are already infected:


You have an option of deleting these registry values manually or scanning your machine with a good AV software like McAfee with the latest engine and DATs. Modifications made to the system registry will be successfully removed if using the proper Engine and DAT versons.