Hijack.StartPage

This is the generic detection for hijackers that change the target’s internet settings by changing one of the registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Internet Settings AutoConfigURL

or

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Internet Settings AutoConfigURL

They do this by pointing them to a remote WPAD.dat file that the affected machine downloads and then use the instructions in the file to configure various browser settings such as proxy settings.

Is the detection for hijackers that alter (or add) the registry values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\Explorer
ForceClassicControlPanel

or

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\Explorer
ForceClassicControlPanel

If the registry value is set to “1”, the system’s user can not change the control panel display mode.

This is the generic detection for hijackers that alter the hosts file on the affected system. More information about the hosts file and reasons top change it can be found in our blogpost “Hosts file hijacks“

This is the generic description for hijackers that alter the registry values

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\SystemShell

or

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\System
Shell

It does this to point to one of their own files, which will then be run automatically when the system starts running Windows.

This detection points out an unwanted value for UserInit under the registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.