Hijacked browser? Fix it!

Computer Security, General

(This is part of the anti-spyware FAQ on TechnologyTips.com.)

Here’s a series of steps you can take to use Hijack This to fix a browser hijack.

(Thanks to my good friend RT for teaching me this, providing the notes this was based on, and allowing me to pass this on to you.)

BEFORE YOU START
Download and install Hijack This from www.downloads.com.

Step 1: THE SAFETY STUFF
Back up your documents and create a system restore point.

Step 2: CHECK FOR SUSPICIOUS STARTUP ITEMS.
You can use Hijack This to clean out hijacked items from Microsoft’s Internet Explorer (hijacks are redirections caused by to spyware), but they will return if the executable program causing it is not also removed.

  1. Click on Start > Run, and type msconfig and click OK.
  2. Select the Startup tab.
  3. Uncheck any items you don’t recognize, but be careful — many legitimate programs will appear here, too.
    Most spyware will load from this area. If you’re unsure whether a particular item is legitimate or not, do a Google search on the .exe file name that loads. The only caveat here is that some spyware .exe files get a randomly generated name, so a search will not identify those.
    You can look in the Command column to see the name of the .exe file itself. If you cannot see the entire name, stretch the column.
    By the way, it IS safe to uncheck everything here, as a test anyway – nothing critical to Windows loads here. So, if in doubt, it is OK to uncheck something.
  4. Apply the changes, and restart Windows.

Step 3: RUN HIJACK THIS.

  1. Run the tool, and select Scan.
  2. Look mostly at the R0, R1, and 02 entries. This relates to the hijack, and represents changes to your default browser settings for your home page or search page.
  3. Have a look at the addresses for these entries. If you find any that are different from your preferences, check the box next to each one.
  4. Click on >Fix Checked and confirm.
    This process cleans out the modified (hijacked) entries. You can also define what Hijack This uses by clicking the Config button (lower right), but this is not required.

Step 4: DOUBLE-CHECK YOUR HOME PAGE AND RUN A TEST.
One problem is that if the IE home page isn’t cleared, you’ll be “re-hijacked” next time you launch Internet Explorer. This is because that particular page is the source of the problem. (It may try to load an ActiveX control).
Hijack This may have already reset your home page in Step 3, but double-check it before starting IE:

  1. Go to Control Panel, then Internet Options.
  2. Change your home page on the General tab.
  3. Browse the Internet, reboot your machine, and test over the next little while.

If the hijack stays away, you’ve successfully cleared it. One of the Startup items you disabled in Step 2 might still be the cause, so …

Step 5: PERMANENTLY DELETE THE CAUSE.
Now we need to find the Startup item that is causing this, if any. Recall that, in Step 2, we disabled some suspicious startup items. One, or several, of them may be triggering the hijack.
Also note that we’ve been testing the machine with the Startup items disabled. We want to ensure the computer runs fine, with no errors, with all these items unchecked.
If you are unsure about deleting an item or using the registry editor, seek help with your local tech expert.

  1. Launch msconfig once more (see Step 2 if you need a refresher on how).
  2. For the first suspicious item, expand the Location column to see where it is loading from in the registry.
  3. Click on Start > Run, and type regedit and click OK.
  4. Browse to the key listed in the Location column for MSCONFIG.
  5. Delete the key on the right side only, that specifically matches that startup item. **See example below.**
  6. Note the Command folder in MSCONFIG. Browse to this folder, and delete the .exe file itself. **See example below.**

    —–EXAMPLE—–
    In this example, the Startup tab of MSCONFIG indicates that pxzyc.exe loads from Command C:/WINDOWS/PXZYC.EXE and Location “HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Current/Version/Run”
    In this case, we go to the registry editor and find that Run key on the left pane. On the right pane, you’ll see each item in that Run key, specifically pxzyc.exe in this example. Delete the entry for pxzyc.exe in the registry only.
    In addition, we’ll browse to the C:/WINDOWS folder, and manually delete the pxzyc.exe file there.
    —————–

  7. Repeat these steps for each suspicious item.

Addendum 1: Some spyware also adds itself as web content on your desktop background. To remove this:

  1. Right-click any open area on the desktop, and select Properties.
  2. Select the Desktop tab, then the Customize button.
  3. Select the Web tab, and delete any content indicated.

Addendum 2: In Step 3 above, you may note that the RO, R1, etc. entries point to an .htm or .html file on your local computer. Although Hijack This will clean out your IE settings, it will not delete the local copy of the .html file on your computer. Be sure to browse to the location of the file indicated, and delete the file manually.

More: Still want more info? Check out [[ this excellent site ]] with more detailed info and a watch-through tutorial about Hijack This and the process of removing a browser hijack.