Yet another little IE annoyance
May 18, 2009 8:48 PM   Subscribe

How is Apparitions (Media) infecting my IE window title?

This is harmless, as far as I can tell, but I've been annoyed by it often enough now to make it worth my while wasting an AskMe question on.

I work on school computers in Victoria, Australia. In two separate schools, at various times over the last five years, I have occasionally seen Internet Explorer's window title changed to "Microsoft Internet Explorer provided by Apparitions (Media)". Outlook Express's window title is similarly affected. Searching the registry for "Apparitions" results in exactly two matches - the IE and OE window title strings. Deleting these restores the default window labels. As far as I can tell, there is no actual malware running on any of these computers - just the bogus window titles.

Unusually, Googling that window title doesn't get me reports of similar things happening to other people.

Have any of you ever seen this specific window title hijack before, and if so, have you managed to track down the software or website responsible?

Apparition (not Apparitions) Media has a website and does indeed appear to be an up-itself marketing organization. I'm prepared to believe this is their fault. But embedded in what product that Victorian school staff or students might be using?
posted by flabdablet to Computers & Internet (11 answers total)
 
You can easily alter the IE title using the Group Policy Editor in Windows.
posted by matthewr at 8:52 PM on May 18, 2009


Response by poster: I already know how to fix this: delete the window title registry keys, either by hand or using a GPO. That's not my problem. I want to know what's doing it, just so I can send those responsible a nastygram.
posted by flabdablet at 8:55 PM on May 18, 2009


Try RegMon or Process Monitor. Start 'er up, clear out IE's title bar reg keys, set up a filter for a keyword like "Apparitions" and then sit back and wait for the offending program, whatever it is, to access your registry. The program will continually sniff activity and post a detailed log entry whenever a match for your filter is triggered. You can also use a program such as Spyware Terminator (freeware), which, set up correctly, has shield technology which can tell you when something trips a wire (goes for your registry, tries to edit your hosts file etc).

Finally, you might want to try HijackThis, a very popular free tool which shows you certain items in your system which could be cause for concern. It isn't a realtime monitor per se, but might turn up something that shouldn't be on your system, such as a rogue BHO or toolbar or startup item that you don't know about, which is causing this recurrence.

What this strongly smells like, to me, is spy- or malware of some sort. That reg key is usually inserted as a one-off if you get IE on a setup disk from eg your ISP or something (Internet Explorer provided by Telstra Bigpond). IMO, for it to keep coming back could mean one of two things - spy/malware or else some sort of recurring distribution of IE. You wouldn't happen to be running something like Citrix across those systems?
posted by cyniczny at 11:12 PM on May 18, 2009


Wait—does it 'keep coming back'? From what you've written, flabdablet, it sounds like it's not coming back.

And if it isn't coming back—and there wasn't any malware to begin with—I'd suggest that this is something a lot more mundane. Microsoft actually recommends this (search in page for "provided by") in their manual on customization; it's something that ISPs and IT companies do constantly. Is it possible that the school had IT or network service previously through a company with that name?
posted by koeselitz at 11:27 PM on May 18, 2009


I think you might have misinterpreted the situation, cyniczny.

flabdablet: are you seeing these changed titles appear again after you delete them? That's not how I read your post, though cyniczny got that impression.

And, assuming they go away when you remove them from the registry, why do you care? Surely the explanation is that, at some time in the past, Apparitions did some IT work for the school in question, or that the school installed from a disk or other setup system copied from a place where Apparitions had done some work. They probably have no idea it's even happening. It's not hurting anyone. It's probably just a mistake.
posted by AmbroseChapel at 11:29 PM on May 18, 2009


Response by poster: No, they don't come back.

or that the school installed from a disk or other setup system copied from a place where Apparitions had done some work

That's my assumption. I'm trying to find out if anybody has any idea what Victorian-school-appropriate disc or website might be responsible.

As far as I know, which is actually pretty far, nobody called Apparitions (Media) has any defensible right to be fscking with the school's browser window titles. The fact that this very question is now higher in Google's ranking than any professional listing for any organization called Apparitions (Media) suggests that this is some tinpot little backyard operator and I want to find out who they are so that I can yarg on them for being cluelessly irritating.

It's not hurting anyone

It's hurt me - first time I saw this, it took a fair bit of wasted time to convince myself that no active malware was involved.wouldn't be bothered.
posted by flabdablet at 1:26 AM on May 19, 2009


Response by poster: for it to keep coming back could mean one of two things - spy/malware or else some sort of recurring distribution of IE. You wouldn't happen to be running something like Citrix across those systems?

My thinking also. I'm convinced by now that it isn't malware per se. I think it's some resource the teaching staff are using while I'm not watching them. I would very much like to know if it's a website, or a CD, or what.

No Citrix.

Also, my current school uses Firefox as its primary web browser, and Firefox is not affected; the only time I ever notice this is after firing up IE inside a teacher's Windows account, which is occasionally necessary to rule out Firefox incompatibility as the source of assorted educational website misbehavior.
posted by flabdablet at 1:30 AM on May 19, 2009


Response by poster: Just to clarify: it's when I fire up IE that I notice that Apparitions has apparated. I don't believe that simply firing up IE is enough to make Apparitions apparate. I'm pretty sure it's something the teacher concerned has used between the last time I cleaned up their window title and the next time I happened to fire up their IE, and I'm quite curious about exactly what.
posted by flabdablet at 1:39 AM on May 19, 2009


Response by poster: cyniczny, I can't really leave Procmon running on every school computer all the time (quite apart from the sheer volume of logs the thing produces) but you've given me an idea all the same. What I can do is set up a scheduled task that runs once per minute and saves a list of running tasks, then disables itself if it detects browser title fsckage. Thanks - I'll do that.
posted by flabdablet at 1:47 AM on May 19, 2009


You misunderstood.. this would only be on a single computer. Remember, if you set up a filter it won't log anything except entries that contain your trigger word or phrase. And it would only be on one computer - since it sounds likely to recur (right?) If you're really concerned about it you can set permissions on the registry key(s) in question to forcibly stop this from happening.. rightclick on any key in regedit and select Permissions.

However, I may have misunderstood for some reason - I guess I just assumed that since this has happened a lot to you, often enough for you to post an AskMefi question, that it somehow kept coming back despite your reg key fixes. You also mention "teacher" - in the singular? Do individual teachers get to use multiple machines at that site? DID I misunderstand with the whole recurring thing?

If I were you, I wouldn't permission off the key. I always like to get to the bottom of stuff like this. If they're using some program that kicks in the title change that would be strange - that key should only be modified if something actually installs IE on a system, not if some separate program just runs and is subsequently exited. Then again, if you DID permission it off it might flush a teacher to your department crying about how their Apparitions Media internet porn download tool is no longer working. Etc. (sips peppermint tea)

Doing a Google search for "apparition spyware" yielded some disconcerting results, including this one. You might have cause for concern.

Post back your results, I'm quite curious to see what you find. It's probably something lame and harmless, though.
posted by cyniczny at 11:15 PM on May 22, 2009


Response by poster: Remember, if you set up a filter it won't log anything except entries that contain your trigger word or phrase.

Last time I used Procmon, it seemed to log everything - tens of thousands of events - and all the filter did was limit which entries were displayed. Also, since I have no way to predict which workstation I'm going to see this on next, I'd have to leave it running all the time on all of them, and I don't really want to inflict the possible weirdnesses associated with that on my users. But I probably will install something lightweight that monitors that particular registry key.

I guess I just assumed that since this has happened a lot to you, often enough for you to post an AskMefi question, that it somehow kept coming back despite your reg key fixes.

The occurrence that prompted the question was about the tenth time I've seen this happen in about six years of working on school computers. It's rare, but persistent.

You also mention "teacher" - in the singular? Do individual teachers get to use multiple machines at that site? DID I misunderstand with the whole recurring thing?

Individual teachers get to use multiple machines at both the schools I've seen this thing appear in, and it's shown up on machines in two separate schools; it's not just one Typhoid Mary teacher doing it. It will be some Victorian education related package, I'm sure.

And every computer that it's happened on did already have IE and OE installed already, which is why I'm kind of irritated by this; there should be no call for any app to be reinstalling them. I think it's just some lame advertising outfit doing it to annoy people like me :-)
posted by flabdablet at 3:22 AM on May 23, 2009


« Older Seville or Cordoba?   |   timestamp in ichat? Newer »
This thread is closed to new comments.