Recover from an Internet Explorer hijacking with these tips

Examine how one machine had its IE installation hijacked and get some tips that can fix this type of problem.

This week in the Technical Q&A, I found an interesting post from member Sfath. "I have a client that every time he opens IE, it defaults to a porn site," Sfath wrote. To troubleshoot this problem our troubled tech has already tried deleting all temp files, downloaded program files, and mysterious links. Sfath has also tried editing the registry to no avail. "When the page opens it continually generates different porn pages and basically locks up the computer," Sfath wrote. "It also removes Norton AntiVirus." Let's examine what could be causing Sfath's problems.

Assuming that Sfath has already checked IE's home page setting, the problem Sfath describes is often related to either hidden software that’s manipulating Internet Explorer or a registry entry. Let's review some of the advice other members and myself offer on troubleshooting both potential problems.

The usual suspects
If hidden software is the culprit, the machine is most likely infected with a virus, Trojan, spyware, or adware. I don’t want to waste space getting into a discussion of the differences between these mechanisms, but I will say that I have seen malicious Web sites use all four, and sometimes combinations of the four, to push their Web content onto your system. The scary thing is that depending on which mechanisms are being used, the infected computer could be transmitting sensitive, personal information to the owner of the porn site.

I recommend starting with a full virus scan using a quality antivirus product such as Norton AntiVirus, McAfee VirusScan, Trend Micro's OfficeScan, Grisoft Inc’s AVG AntiVirus, or my current favorite, ViRobot from Hauri. ViRobot will remove viruses, Trojans, spyware, and some adware. A good freeware utility for removing adware recommended by TechRepublic members Soulrider and DKlippert is Ad-aware from Lavasoft. TheChas, who also believes spyware may be the culprit, recommends Sfath check out Start Page Guard from Piotr J. Walczak. Member Cglrcng suggests that Sfath "also check the connections tab in Internet Options for an 'XXX Auto Dialer', remove the connection if present or he [Sfath's client] could be in for a real shock when the telephone bill arrives."

Word of warning
The following section explains techniques for editing your system registry. Using the Windows Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system and could cause you to lose data. TechRepublic does not and will not support problems that arise from editing your registry. Use the Registry Editor and the following directions at your own risk.

Check the registry
If the problem persists after scanning for malicious code or hidden software, the Windows registry should be your next target. Initially, I recommend navigating through the registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft. Look at the Internet Account Manager\Import folder and its subkeys. The existing subkeys will differ from machine to machine. Normally, they will link to various Internet components, such as IE, Eudora, and Netscape. Look for and delete anything suspicious.

Next, check out the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Account Manager\Preconfigured key. Again, what exists will differ from machine to machine. Some of the more common (and harmless) subkeys are Active Directory GC, Bigfoot, Verisign, and WhoWhere. Look for anything suspicious and delete it. You can identify a suspicious entry because beneath the subkey you'll find a link to a malicious Web site in the LDAP URL key.

Then, check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Domains key. In a default Windows XP installation, there will be an entry for, but nothing else. Delete anything that links to a potentially malicious Web site.

Finally, go to a healthy machine that’s running the same operating system and the same version of Internet Explorer (including service packs). Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer registry key. Right-click on the key and select the Export command from the shortcut menu. This will export the various Internet Explorer registry entries to a text file. Copy this text file to the infected machine, open the Registry Editor, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer. At this point, select the Import command from the Registry Editor’s File menu. Follow the prompts to import your text file. This will reset all of the Internet Explorer related registry entries, and should return Internet Explorer to working order.

Reinstall Internet Explorer
The tips I've listed should solve Sfath's problem. If they don't, it could be that the malicious software has overwritten a DLL file somewhere in the system. In such a case, reinstalling IE will probably be the only hope. Check out Microsoft Knowledge Base article 318378 for information on reinstalling IE.

Editor's Picks