My father-in-law -- a computer novice -- recently telephoned me for help changing his Internet Explorer home page. After I walked him through the usual technique, he explained that a Windows Permission Error was preventing him from making the change. I asked him a few more questions and soon realised that, at some point in the past, a pornographic Web site had hijacked his IE. Every time he opened IE, the browser went straight to this pornographic site. Worse yet, the modification prevented him from changing the home page.
A three-hour battle ensued during which we tackled some serious registry edits and a malicious group policy. Eventually we were able to return control of IE to my father-in-law and remove the offending application. Here's how we did it.
One size doesn't fit all
It's a sad truth that malicious individuals can hijack a Web browser in a variety of ways. And since there is no standard hijacking technique, there is no standard repair technique. If your browser is hijacked, a significant chance exists that the repairs that worked for my father-in-law will not work for you. I will therefore cover several repair techniques.
Begin with a thorough scan
When faced with an IE hijacking, you should first scan the computer for viruses, Trojans, adware, and spyware. It's highly likely that one of these items is the hijacker. Until you ensure that your computer is free from these parasites, you’ll only be treating the symptoms rather than the actual problem.
Unfortunately, I have yet to discover a single program that effectively scans for every potential form of spyware, adware, virus, and Trojan. I therefore recommend using several different programs. I know it's time consuming to download all these utilities and perform a separate full-system scan with each, but this is a critical step in the troubleshooting process.
Scan for viruses first. My antivirus program of choice is ViRobot Expert from Hauri. Although Hauri is a relative unknown in the United States, it has been a leading antivirus program in Asia for many years. ViRobot Expert will completely repair the damage from many viruses that Norton and McAfee will only quarantine or delete. In fact, my father-in-law was running McAfee -- with the latest updates. I asked him to uninstall McAfee and install the free trial version of ViRobot Expert. ViRobot Expert instantly caught four viruses that McAfee had missed. Another reason I recommend using ViRobot for this particular problem is that ViRobot Expert not only scans for viruses, but also scans for common hacker tools.
Now that the system is virus free, it's time to scan for adware with a utility such as PestPatrol (which also removes spyware) or my personal favourite, which is Ad-aware from Lavasoft. After you have scanned for adware, I recommend scanning the system for spyware with a spyware removal tool, such as SpyBot-Search & Destroy from PepiMK Software or, my favourite, BPS SpyWare/Adware Remover from Bullet Proof Soft.
After you have scanned the system for viruses, adware, and spyware, reboot and try to change IE's home page. If you're still unable to do so, then it's likely the hijacker has modified the Windows registry or configured a malicious group policy.
Before we begin
Warning: The following section involves editing your system registry. Using the Windows Registry Editor incorrectly can cause serious problems requiring the reinstallation of your operating system and may lead to the loss of data. TechRepublic does not and will not support problems that arise from editing your registry. Use the Registry Editor and the following directions at your own risk.
Clean the registry
When a program hijacks IE by modifying the registry on a Windows NT/2000/XP system, the change often impacts only the current user. This is because many users don't have local administrative privileges and can only modify the HKEY_CURRENT_USER portion of the registry, not the HKEY_LOCAL_MACHINE portion. If the user has local administrative privileges or the machine is running Windows 9x/Me (which won't protect the registry), the change could be applied to all of the users on the system, depending on the hijacker's level of sophistication.
With this in mind, log on as the person who's having the problem and open the Registry Editor. Then, navigate through the registry tree to:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
Check for the existence of values named ResetWebSettings or HomePage under this key. If such values exist, delete them.
Next, navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Verify that the information stored in the Default_Page_URL and Start Page values is correct. If these values reflect an undesirable startup page, double-click the value to open its dialog box and then replace the existing data with an appropriate address.
There are two more registry entries you should check, but you'll need to ensure you have the proper permissions before doing so. As I mentioned before, if you're using Windows 9x/Me, any user can modify the registry, but if you're using Windows NT/2000/XP you'll need local administrative privileges.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
As before, check the Default_Page_URL and the Start Page values for inappropriate data and change them if necessary. Next, navigate to:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
Once again, check the Default_Page_URL and the Start Page values for inappropriate data, and change them as necessary.
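The registry checks above can be collected in one read-only pass before anything is edited by hand. The following PowerShell script is an added example, not part of the original article; the `$ExpectedHomePage` parameter and its `about:blank` default are assumptions, and the script should be run while logged on as the affected user so that HKEY_CURRENT_USER resolves to that user's hive.

```powershell
# Added example: read-only audit of the registry locations named in the article.
# Assumption: $ExpectedHomePage is the page the user actually wants as the home page.
param([string]$ExpectedHomePage = 'about:blank')

$findings = @()

# Restriction values the article says to delete if present (current user).
$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
if (Test-Path -LiteralPath $policyKey) {
    $policy = Get-ItemProperty -LiteralPath $policyKey
    foreach ($name in 'ResetWebSettings', 'HomePage') {
        $prop = $policy.PSObject.Properties[$name]
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Key = $policyKey; Value = $name; Data = $prop.Value
                Note = 'restriction present'
            }
        }
    }
}

# Home-page values in the three Main keys the article lists.
$mainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    # The default-user hive is shown as .DEFAULT in the Registry Editor.
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
)
foreach ($key in $mainKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $main = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'Start Page', 'Default_Page_URL') {
        $prop = $main.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        # Anything that differs from the expected page is flagged for a human to review.
        $note = if ($prop.Value -eq $ExpectedHomePage) { 'ok' } else { 'review' }
        $findings += [pscustomobject]@{
            Key = $key; Value = $name; Data = $prop.Value; Note = $note
        }
    }
}

# Nothing is modified; the table is a worklist for the manual edits described above.
$findings | Format-Table -AutoSize -Wrap
```

Re-running the script after the manual edits and a reboot shows whether any of the values have been written back, which would indicate the hijacker is still active on the system.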
Check for malicious policies
Another method IE hijackers can use to prevent you from fixing their handiwork is to change the system’s policies. Normally, you shouldn’t have to worry about this with Windows NT, 2000, or XP. With those systems, I've never heard of a browser hijacking that involved a modification of a group policy. If you're running Windows 9x/Me, however, it’s very possible that an unauthorised policy may have been placed on your system.










Probably the best advice, I think, would be to remove all the spyware/malware as described and install a browser such as Firefox (www.mozilla.org) and then become immune to most if not all of these common attacks.