Check for malicious policies
Another method IE hijackers can use to prevent you from fixing their handiwork is to change the system's policies. Normally, you shouldn't have to worry about this with Windows NT, 2000 or XP. With those systems, I've never heard of a browser hijacking that involved a modification of a group policy. If you're running Windows 9x/Me, however, it's very possible that an unauthorised policy may have been placed on your system.
To determine if this is the case, search the hard drive for files with a POL extension. If such files exist, they may or may not be malicious. I recommend booting the system into MS-DOS mode and renaming the policy file with an extension of PCY instead of POL. This will disable the policy without deleting it.
Now, boot Windows normally and play around to see what effect, if any, disabling the policy has. If you're suddenly able to edit IE's home page, then it's probably safe to assume that the policy was malicious and didn't belong on the system. If this is the case, go ahead and delete the policy file.
On the other hand, if you're still unable to edit IE's home page and unable to perform some normal tasks, the policy is probably legitimate and you should reenable it. You can do this by booting the system into MS-DOS mode again and renaming the policy file so that it once again has the POL extension.
Hijack This!
By now, you're probably wondering which technique I used to fix my father-in-law's problem. I used a really cool freeware utility called HijackThis, shown in Figure A, which you can download here. This utility scans the Windows registry and hard drive for IE settings that have been modified. If modifications are found, each modification is listed, and you may then choose which modifications to keep and which to remove.
Figure A
Here is the HijackThis main window before a scan has been run.
Once HijackThis is open, click the Scan button to start a new scan. Once the scan is complete, a list of modifications will be displayed, as shown in Figure B.
Figure B
Here are the HijackThis scan results.
When the scan is complete, you can select the suspicious entries and either click the Fix Checked button to remove them or click the Info On Selected Item button to learn more about each one—you'll need to highlight each entry individually, as shown in Figure C.
Figure C
This entry shows the current IE start page.
I found using HijackThis to be extremely effective, but it's not for the novice. I strongly recommend backing up your Windows installation before running HijackThis because it's easy to accidentally damage Internet Explorer. For example, ViRobot Expert, the antivirus product I mentioned earlier, integrates itself into Internet Explorer and Outlook. If you had ViRobot Expert installed and then used HijackThis to remove all IE modifications, you would be removing ViRobot Expert's IE component, thus weakening your security.
StartupList: Another handy HijackThis tool
Integrated into HijackThis, StartupList generates a list of every application that starts automatically when Windows boots. This list is more in-depth than the one provided by Msconfig, but doesn't provide a GUI or a means to control whether programs start or not.
To run StartupList, click the Config button from the HijackThis main window. Then click the Misc Tools button. Click the Generate StartupList log button, then click Yes. The list is saved as a text file with the name startuplist.txt in the directory where HijackThis is located. HijackThis automatically opens the text file with Notepad, as shown in Figure D.
Figure D
StartupList displays the applications that are automatically started when Windows boots.
Preventing reinfection
If all goes well, by now you've been able to reclaim your Web browser. If not, you may have to reinstall Windows. Simply reinstalling Internet Explorer or upgrading it to a newer version doesn't usually get rid of the problem (believe me, I've tried). Once you do get Internet Explorer back under your control, there are several basic steps that you can take toward preventing this problem from occurring in the future.
If you're using an always-on connection, such as through DSL or a cable modem, use a good personal firewall. Use reputable antivirus software and keep it current. Do not run, save, or download programs that you don't trust.
Regularly delete all temporary Internet files and cookies from your browser's cache. It's possible that IE cached the malicious code, so you'll want to make certain that it's gone for good from your system. Make sure that you have all of the latest security patches in place, especially for Windows, IE (and/or other browsers you may be using), and Outlook.
Still another way to prevent the problem from happening again is to use a freeware utility called Browser Hijack Blaster. This program constantly monitors Internet Explorer for modifications. If a modification is attempted, Browser Hijack Blaster alerts you to the impending modification and asks if you want to allow it or prevent it from happening. Browser Hijack Blaster is compatible with Windows 9x/Me/NT/2000/XP.
Talkback
For heavens sake, why don't you just install Firefox? Its a better browser and it is not one tenth as vulnerable to hacks.
Microsoft fanatics bewilder me. They will stick with that corporation's software, no matter how bad it gets and no matter how much better the alternatives are.
Proof that Windows really IS easy to use! And has a low TCO as well. Splendid. I would recommend this article even to a novice user.
HijackThis and SpySweeper not mentioned!
ZDNet publishes an article about Browser Hijacking and omits mentoining HijackThis? Please visit :
http://www.google.com/search?q=hijackthis (search the web for "HijackThis")
http://www.hijackthis.de/index.php?langselect=english (program's page)
http://www.spywareinfo.com/~merijn/index.html (author's page)
ZDNet also omitted SpySweeper. Beware, there seems to have 2 competitors under that same "SpySweeper" name:
http://www.spysweeper.com/
http://www.webroot.com/products/spysweeper/
Paris, Thu 4 Nov 2004 15:17:10 +0100
No need to visit porn to get infected. ZDNet is misleading when making people think they are at no risk as long as they don't visit porn sites.
Whatever you visit (or don't), the spammers (and other malevolent people) will always get you anyway if you are in their target list - and they won't if you are not, whatever and how much you can visit porn or financial sites or anything else.
So, be warned: spam (as well as financial thefts and any other malevolent actions) don't depend on your behavior on the net - they actually depend on your race or political orientation. And those actions will always be hidden behind benign pretexts (as visiting porn sites, or eBay, or else, or even without any pretext if they don't find one).
I know repeating this is utterly dangerous - and will be denigrated first. But if taking no risk, we are buying short term limited relief at the expense of sure troubles for everyone some time later.
Paris, Thu 4 Nov 2004 15:51:50 +0100
Excellent piece of information.. Interestingly enough, my Father in Law had the very same problem - being hijacked by a pornographic site - what is it with Fathers in Law?! This article has helped me clean his system up once and for all ..Many thanx.
Hijack This is mentioned, in detail and with screenshots, from page 3 of this article onwards...
If you read articles before flaming them, you might actually be listened to rather than have scorn poured upon you.
The article also doesn't mention Zerospyware which is one of the top rated anti spyware applications on the market.
http://www.fbmsoftware.com/
i am currently using PANDA's version of anti virus program..it seems to do the job better then norton/mcaafee. but i have a question about using mozzilla/firefox..i hear they're gr8 programs...but i presently use IE and OE for my browser/email..if i download mozzilla/firefox....how do i prevent having to go back and delete emails in the OE programm?