
Recover from an Internet Explorer hijacking with these tips

Tags: Spyware, Spyware, adware & malware, Viruses and worms, Cyberthreats, Web browsers, SECURITY, Microsoft Internet Explorer, Brien M. Posey MCSE, Sfath


Takeaway: Examine how one machine had its IE installation hijacked and get some tips that can fix this type of problem.


This week in the Technical Q&A, I found an interesting post from member Sfath. "I have a client that every time he opens IE, it defaults to a porn site," Sfath wrote. To troubleshoot this problem, our troubled tech has already tried deleting all temp files, downloaded program files, and mysterious links. Sfath has also tried editing the registry, to no avail. "When the page opens it continually generates different porn pages and basically locks up the computer," Sfath wrote. "It also removes Norton AntiVirus." Let's examine what could be causing Sfath's problems.

Assuming that Sfath has already checked IE's home page setting, the problem Sfath describes is often related to either hidden software that’s manipulating Internet Explorer or a registry entry. Let's review some of the advice other members and I offer on troubleshooting both potential problems.

The usual suspects
If hidden software is the culprit, the machine is most likely infected with a virus, Trojan, spyware, or adware. I don’t want to waste space getting into a discussion of the differences between these mechanisms, but I will say that I have seen malicious Web sites use all four, and sometimes combinations of the four, to push their Web content onto your system. The scary thing is that depending on which mechanisms are being used, the infected computer could be transmitting sensitive, personal information to the owner of the porn site.

I recommend starting with a full virus scan using a quality antivirus product such as Norton AntiVirus, McAfee VirusScan, Trend Micro's OfficeScan, Grisoft Inc’s AVG AntiVirus, or my current favorite, ViRobot from Hauri. ViRobot will remove viruses, Trojans, spyware, and some adware. A good freeware utility for removing adware recommended by TechRepublic members Soulrider and DKlippert is Ad-aware from Lavasoft. TheChas, who also believes spyware may be the culprit, recommends Sfath check out Start Page Guard from Piotr J. Walczak. Member Cglrcng suggests that Sfath "also check the connections tab in Internet Options for an 'XXX Auto Dialer', remove the connection if present or he [Sfath's client] could be in for a real shock when the telephone bill arrives."

Word of warning
The following section explains techniques for editing your system registry. Using the Windows Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system and could cause you to lose data. TechRepublic does not and will not support problems that arise from editing your registry. Use the Registry Editor and the following directions at your own risk.

Check the registry
If the problem persists after scanning for malicious code or hidden software, the Windows registry should be your next target. Initially, I recommend navigating through the registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft. Look at the Internet Account Manager\Import folder and its subkeys. The existing subkeys will differ from machine to machine. Normally, they will link to various Internet components, such as IE, Eudora, and Netscape. Look for and delete anything suspicious.

Next, check out the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Account Manager\Preconfigured key. Again, what exists will differ from machine to machine. Some of the more common (and harmless) subkeys are Active Directory GC, Bigfoot, Verisign, and WhoWhere. Look for anything suspicious and delete it. You can identify a suspicious entry because beneath the subkey you'll find a link to a malicious Web site in the LDAP URL key.

Then, check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Domains key. In a default Windows XP installation, there will be an entry for Hotmail.com, but nothing else. Delete anything that links to a potentially malicious Web site.

Finally, go to a healthy machine that’s running the same operating system and the same version of Internet Explorer (including service packs). Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer registry key. Right-click on the key and select the Export command from the shortcut menu. This will export the various Internet Explorer registry entries to a text file. Copy this text file to the infected machine, open the Registry Editor, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer. At this point, select the Import command from the Registry Editor’s File menu. Follow the prompts to import your text file. This will reset all of the Internet Explorer-related registry entries and should return Internet Explorer to working order.
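
Before importing the healthy machine's export, it helps to see which values under the Internet Explorer key were added or changed on the infected machine. The sketch below is an added example, not part of the original article: it parses two Registry Editor text exports and lists the differences. The sample exports, the .example hosts, and the SampleBlob value are constructed for illustration.

```python
import re

SECTION = re.compile(r'^\[(.+)\]$')                  # [HKEY_...\Sub\Key]
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "Name"=data  or  @=data

def parse_reg(text):
    """Map lower-cased (key, value name) to (key, name, raw data) from .reg export text."""
    # regedit wraps long hex values with a trailing backslash; rejoin them first.
    text = re.sub(r'\\\r?\n\s*', '', text)
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if m and key:
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            values[(key.lower(), name.lower())] = (key, name, m.group(2))
    return values

def diff_exports(healthy, suspect):
    """Return (added, changed) for the suspect export relative to the healthy one."""
    base, sus = parse_reg(healthy), parse_reg(suspect)
    added = [v for k, v in sus.items() if k not in base]
    changed = [(v[0], v[1], base[k][2], v[2])
               for k, v in sus.items() if k in base and base[k][2] != v[2]]
    return added, changed

# Constructed sample exports (hypothetical values, .example hosts), not real captures.
HEALTHY = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://home.example/"
"SampleBlob"=hex:01,02,\
  03,04
'''
SUSPECT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"start page"="http://hijack.example/"
"SampleBlob"=hex:01,02,03,04
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://hijack.example/search"
'''

if __name__ == '__main__':
    for row in sum(diff_exports(HEALTHY, SUSPECT), []):
        print(*row, sep=' | ')
```

Registry Editor version 5.00 exports are UTF-16 text, so read real files with `open(path, encoding='utf-16')` before passing their contents to `diff_exports`. Key and value names are compared case-insensitively, as the registry treats them.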

Reinstall Internet Explorer
The tips I've listed should solve Sfath's problem. If they don't, it could be that the malicious software has overwritten a DLL file somewhere in the system. In such a case, reinstalling IE will probably be the only hope. Check out Microsoft Knowledge Base article 318378 for information on reinstalling IE.