Accrington Web - View Single Post

Bazf · 27-11-2004, 22:44

Step-by-step: Reclaiming a hijacked Internet Explorer

Note: These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups (read Backing Up and Restoring the Windows Registry to learn how) and don’t attempt them at all if you’re not familiar with registry editing.

If you’ve been hijacked, you can reclaim your browser with a bit of work.

If your Control Panel’s Internet Options have been disabled, get them back by locating the file control.ini (use Start -> Find/Search to locate it). Open control.ini in Notepad and look for the lines:

[don’t load]
inetcpl.cpl=yes

Delete the second of these two lines, close and save the file and reboot your computer. (Click the image below to see a full-sized image.)

Close any open Internet Explorer windows.

a. Click Start -> Run, type regedit and click OK to open the Registry Editor.

b. Navigate to:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Inte rnet Explorer

If you find sub-folders called restricted or control panel, delete them. Check for the same sub-folders in:

HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Internet Explorer

and delete them, too, if they exist. Then close Regedit.

If your search pages have been redirected, re-establish the defaults:

a. Open the Registry Editor and navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Change the Search Page value to:

http://home.microsoft.com/access/allinone.asp

and, if it exists, change the Search Bar value to:

http://search.msn.com/spbasic.htm

b. Navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL

and change the default value to:

http://home.microsoft.com/access/autosearch.asp?p=%s

c. Navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

Change the SearchAssistant value to:

http://ie.search.msn.com/{SUB_RFC1766**/srchasst/srchasst.htm

and change the CustomizeSearch value to:

http://ie.search.msn.com/{SUB_RFC1766**/srchasst/srchcust.htm

Reset your home page to your chosen page:<LI type=a value=1>In Internet Explorer, choose Internet Options from the Tools Menu and, on the General tab, type in your preferred home page. <LI type=a>Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference.
Locate the file HOSTS (it has no file extension) and open it in Notepad. Once again, look for any reference to the hijacking site. If you find any references, delete the lines containing those references.

Use BHODemon to control which Browser Helper Objects (BHOs) are loaded when you open your browser. When you run the program, it will let you know which BHOs are being loaded. Usually, you should see nothing more than Acrobat Reader (Acroiehelper.ocx) and perhaps an anti-virus helper, such as Norton’s NavShExt.dll. If BHODemon reports any other BHOs, click the Details button and then More Details to check the source. If you’re suspicious of any BHO, disable it.

a. Click Start -> Run -> msconfig and check the programs under the Startup tab. If you find an entry which contains regedit.exe /s disable it, and disable other programs you know to be suspicious.

b. Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact.

Note: If you’re using Windows NT, 2000 or XP, this information is contained in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

which should contain the value explorer.exe.

c. Click OK to exit from msconfig and reboot your system.

27-11-2004, 22:44	#12
Bazf Senior Member+ Join Date: Feb 2004 Posts: 2,252 Liked: 1 times Rep Power: 58	Re: IE homepage hijacked Step-by-step: Reclaiming a hijacked Internet Explorer Note: These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups (read Backing Up and Restoring the Windows Registry to learn how) and don’t attempt them at all if you’re not familiar with registry editing. If you’ve been hijacked, you can reclaim your browser with a bit of work. If your Control Panel’s Internet Options have been disabled, get them back by locating the file control.ini (use Start -> Find/Search to locate it). Open control.ini in Notepad and look for the lines: [don’t load] inetcpl.cpl=yes Delete the second of these two lines, close and save the file and reboot your computer. (Click the image below to see a full-sized image.) Close any open Internet Explorer windows. a. Click Start -> Run, type regedit and click OK to open the Registry Editor. b. Navigate to: HKEY_CURRENT_USER\Software\Policies\Microsoft\Inte rnet Explorer If you find sub-folders called restricted or control panel, delete them. Check for the same sub-folders in: HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Internet Explorer and delete them, too, if they exist. Then close Regedit. If your search pages have been redirected, re-establish the defaults: a. Open the Registry Editor and navigate to: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Change the Search Page value to: http://home.microsoft.com/access/allinone.asp and, if it exists, change the Search Bar value to: http://search.msn.com/spbasic.htm b. Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL and change the default value to: http://home.microsoft.com/access/autosearch.asp?p=%s c. Navigate to: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search Change the SearchAssistant value to: http://ie.search.msn.com/{SUB_RFC1766/srchasst/srchasst.htm and change the CustomizeSearch value to: http://ie.search.msn.com/{SUB_RFC1766/srchasst/srchcust.htm Reset your home page to your chosen page:<LI type=a value=1>In Internet Explorer, choose Internet Options from the Tools Menu and, on the General tab, type in your preferred home page. <LI type=a>Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference. Locate the file HOSTS (it has no file extension) and open it in Notepad. Once again, look for any reference to the hijacking site. If you find any references, delete the lines containing those references. Use BHODemon to control which Browser Helper Objects (BHOs) are loaded when you open your browser. When you run the program, it will let you know which BHOs are being loaded. Usually, you should see nothing more than Acrobat Reader (Acroiehelper.ocx) and perhaps an anti-virus helper, such as Norton’s NavShExt.dll. If BHODemon reports any other BHOs, click the Details button and then More Details to check the source. If you’re suspicious of any BHO, disable it. a. Click Start -> Run -> msconfig and check the programs under the Startup tab. If you find an entry which contains regedit.exe /s disable it, and disable other programs you know to be suspicious. b. Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact. Note: If you’re using Windows NT, 2000 or XP, this information is contained in the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell which should contain the value explorer.exe. c. Click OK to exit from msconfig and reboot your system. __________________