
Take back control after Internet Explorer is hijacked

Remove malicious code and regain control over Internet Explorer.

My father-in-law—a computer novice—recently telephoned me for help changing his Internet Explorer home page. After I walked him through the usual technique, he explained that a Windows Permission Error was preventing him from making the change. I asked him a few more questions and soon realized that, at some point in the past, a pornographic Web site had hijacked his IE. Every time he opened IE, the browser went straight to this pornographic site. Worse yet, the modification prevented him from changing the home page.

A three-hour battle ensued during which we tackled some serious registry edits and a malicious group policy. Eventually we were able to return control of IE to my father-in-law and remove the offending application. Here's how we did it.

One size doesn't fit all
It's a sad truth that malicious individuals can hijack a Web browser in a variety of ways. And since there is no standard hijacking technique, there is no standard repair technique. If your browser is hijacked, a significant chance exists that the repairs that worked for my father-in-law will not work for you. I will therefore cover several repair techniques.

Begin with a thorough scan
When faced with an IE hijacking, you should first scan the computer for viruses, Trojans, adware, and spyware. It's highly likely that one of these items is the hijacker. Until you ensure that your computer is free from these parasites, you’ll only be treating the symptoms rather than the actual problem.

Unfortunately, I have yet to discover a single program that effectively scans for every potential form of spyware, adware, virus, and Trojan. I therefore recommend using several different programs. I know it's time consuming to download all these utilities and perform a separate full-system scan with each, but this is a critical step in the troubleshooting process.

Scan for viruses first. My antivirus program of choice is ViRobot Expert from Hauri. Although Hauri is a relative unknown in the United States, it has been a leading antivirus program in Asia for many years. ViRobot Expert will completely repair the damage from many viruses that Norton and McAfee will only quarantine or delete. In fact, my father-in-law was running McAfee—with the latest updates. I asked him to uninstall McAfee and install the free trial version of ViRobot Expert. ViRobot Expert instantly caught four viruses that McAfee had missed. Another reason I recommend using ViRobot for this particular problem is that ViRobot Expert not only scans for viruses, but also scans for common hacker tools.

Now that the system is virus free, it's time to scan for adware with a utility such as PestPatrol (which also removes spyware) or my personal favorite, which is Ad-aware from Lavasoft. After you have scanned for adware, I recommend scanning the system for spyware with a spyware removal tool, such as SpyBot-Search & Destroy from PepiMK Software or, my favorite, BPS SpyWare/Adware Remover from Bullet Proof Soft.

After you have scanned the system for viruses, adware, and spyware, reboot and try to change IE's home page. If you're still unable to do so, then it's likely the hijacker has modified the Windows registry or configured a malicious group policy.

Before we begin
Warning: The following section involves editing your system registry. Using the Windows Registry Editor incorrectly can cause serious problems requiring the reinstallation of your operating system and may lead to the loss of data. TechRepublic does not and will not support problems that arise from editing your registry. Use the Registry Editor and the following directions at your own risk.

Clean the registry
When a program hijacks IE by modifying the registry on a Windows NT/2000/XP system, the change often impacts only the current user. This is because many users don't have local administrative privileges and can only modify the HKEY_CURRENT_USER portion of the registry, not the HKEY_LOCAL_MACHINE portion. If the user has local administrative privileges or the machine is running Windows 9x/Me (which won't protect the registry), the change could be applied to all of the users on the system, depending on the hijacker's level of sophistication.

With this in mind, log on as the person who's having the problem and open the Registry Editor. Then, navigate through the registry tree to:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

Check for the existence of keys named ResetWebSettings or HomePage. If such keys exist, delete them.

Next, navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Verify that the information stored in the Default_Page_URL key and Start Page key is correct. If these keys contain values that reflect an undesirable startup page, double-click on the key to open its dialog box and then replace the existing value with an appropriate one.

There are two more registry entries you should check, but you'll need to ensure you have the proper permissions before doing so. As I mentioned before, if you're using Windows 9x/Me, any user can modify the registry, but if you're using Windows NT/2000/XP you'll need local administrative privileges.

Navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

As before, check the Default_Page_URL and the Start Page keys for inappropriate values and change the values if necessary. Next, navigate to:
HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Once again, check the Default_Page_URL and the Start Page keys for inappropriate values, and change them as necessary.
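The checks in the steps above can be done against an export of those keys rather than by clicking through the Registry Editor by hand. The following Python script is an added example written for this article, not a tool from TechRepublic or from any of the products mentioned: it parses a text export in the Registry Editor's .reg format, flags the HomePage and ResetWebSettings policy entries, and reports any Default_Page_URL or Start Page value that does not begin with a start page you trust. The key paths are the ones listed above; the trusted-prefix list and the sample export (including its URLs) are constructed placeholders.

```python
import re
from typing import Dict, List

# Registry paths exactly as listed in the article above.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
POLICY_VALUES = ("ResetWebSettings", "HomePage")
MAIN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main",
    r"HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main",
)
PAGE_VALUES = ("Default_Page_URL", "Start Page")

# Assumed allow-list of start pages the owner actually chose (placeholder values).
TRUSTED_PREFIXES = ("http://home.example/", "about:blank")

# Constructed sample of what an exported .reg file might look like after a hijack.
# The URLs are placeholders, not real sites.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
"ResetWebSettings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://unwanted-site.example/start"
"Default_Page_URL"="http://home.example/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://home.example/"
"Default_Page_URL"="http://home.example/"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_value(raw: str):
    """Decode the common .reg value encodings: quoted strings and dword:hex."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \" and \\ escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) binary data and anything else is left as-is


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: value}}.
    Multi-line hex continuation lines are skipped; they are not needed here."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = decode_value(m.group(2))
    return keys


def audit_ie_settings(keys, trusted_prefixes=TRUSTED_PREFIXES) -> List[str]:
    """Report the hijack indicators described in the article."""
    findings = []
    policy = keys.get(POLICY_KEY, {})
    for name in POLICY_VALUES:
        if name in policy:
            findings.append(f"{POLICY_KEY}\\{name} present (locks the home page): delete it")
    for key in MAIN_KEYS:
        for name in PAGE_VALUES:
            value = keys.get(key, {}).get(name)
            if value is None:
                continue
            if not any(str(value).lower().startswith(p.lower()) for p in trusted_prefixes):
                findings.append(f"{key}\\{name} = {value!r} is not a trusted start page: reset it")
    return findings


if __name__ == "__main__":
    # To check a real machine: export the keys above with the Registry Editor, then
    # parse_reg_export(open("ie.reg", encoding="utf-16").read()).
    for finding in audit_ie_settings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Run against the constructed sample, the script reports both policy entries and the HKEY_CURRENT_USER Start Page; the Default_Page_URL and the HKEY_LOCAL_MACHINE values pass because they match a trusted prefix. Remember that an export made from the user's own session will not contain the HKEY_LOCAL_MACHINE key unless that account has the administrative rights discussed above.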

Check for malicious policies
Another method IE hijackers can use to prevent you from fixing their handiwork is to change the system’s policies. Normally, you shouldn’t have to worry about this with Windows NT, 2000, or XP. With those systems, I've never heard of a browser hijacking that involved a modification of a group policy. If you're running Windows 9x/Me, however, it’s very possible that an unauthorized policy may have been placed on your system.

To determine if this is the case, search the hard drive for files with a POL extension. If such files exist, they may or may not be malicious. I recommend booting the system into MS-DOS mode and renaming the policy file with an extension of PCY instead of POL. This will disable the policy without deleting it.

Now, boot Windows normally and play around to see what effect, if any, disabling the policy has. If you're suddenly able to edit IE's home page, then it’s probably safe to assume that the policy was malicious and didn’t belong on the system. If this is the case, go ahead and delete the policy file.

On the other hand, if you're still unable to edit IE's home page and unable to perform some normal tasks, the policy is probably legitimate and you should reenable it. You can do this by booting the system into MS-DOS mode again and renaming the policy file so that it once again has the POL extension.

Hijack This!
By now, you're probably wondering which technique I used to fix my father-in-law’s problem. I used a really cool freeware utility called HijackThis, shown in Figure A, which you can download here. This utility scans the Windows registry and hard drive for IE settings that have been modified. If modifications are found, each modification is listed, and you may then choose which modifications to keep and which to remove.

Figure A
Here is the HijackThis main window before a scan has been run.


Once HijackThis is open, click the Scan button to start a new scan. Once the scan is complete, a list of modifications will be displayed, as shown in Figure B.

Figure B
Here are the HijackThis scan results.


When the scan is complete, you can select the suspicious entries and either click the Fix Checked button to remove them or click the Info On Selected Item button to learn more about each one—you'll need to highlight each entry individually, as shown in Figure C.

Figure C
This entry shows the current IE start page.


I found using HijackThis to be extremely effective, but it’s not for the novice. I strongly recommend backing up your Windows installation before running HijackThis because it's easy to accidentally damage Internet Explorer. For example, ViRobot Expert, the antivirus product I mentioned earlier, integrates itself into Internet Explorer and Outlook. If you had ViRobot Expert installed and then used HijackThis to remove all IE modifications, you would be removing ViRobot Expert's IE component, thus weakening your security.

StartupList: Another handy HijackThis tool
Integrated into HijackThis, StartupList generates a list of every application that starts automatically when Windows boots. This list is more in-depth than the one provided by Msconfig, but doesn't provide a GUI or a means to control whether programs start or not.

To run StartupList, click the Config button from the HijackThis main window. Then click the Misc Tools button. Click the Generate StartupList log button, then click Yes. The list is saved as a text file with the name startuplist.txt in the directory where HijackThis is located. HijackThis automatically opens the text file with Notepad, as shown in Figure D.

Figure D
StartupList displays the applications that are automatically started when Windows boots.


Preventing reinfection
If all goes well, by now you've been able to reclaim your Web browser. If not, you may have to reinstall Windows. Simply reinstalling Internet Explorer or upgrading it to a newer version doesn’t usually get rid of the problem (believe me, I’ve tried). Once you do get Internet Explorer back under your control, there are several basic steps that you can take toward preventing this problem from occurring in the future.

If you're using an always-on connection, such as through a DSL or cable modem, use a good personal firewall. Use reputable antivirus software and keep it current. Do not run, save, or download programs that you don’t trust.

Regularly delete all temporary Internet files and cookies from your browser’s cache. It’s possible that IE cached the malicious code, so you’ll want to make certain that it’s gone for good from your system. Make sure that you have all of the latest security patches in place, especially for Windows, IE, and Outlook.

Still another way to prevent the problem from happening again is to use a freeware utility called Browser Hijack Blaster. This program constantly monitors Internet Explorer for modifications. If a modification is attempted, Browser Hijack Blaster alerts you to the impending modification and asks if you want to allow it or prevent it from happening. Browser Hijack Blaster is compatible with Windows 9x/Me/NT/2000/XP.