Take back control of IE
Brien M Posey
Published: 29 Oct 2004 14:14 BST
Check for malicious policies
Another method IE hijackers can use to prevent you from fixing their handiwork is to change the system's policies. Normally, you shouldn't have to worry about this with Windows NT, 2000 or XP. With those systems, I've never heard of a browser hijacking that involved a modification of a group policy. If you're running Windows 9x/Me, however, it's very possible that an unauthorised policy may have been placed on your system.
To determine if this is the case, search the hard drive for files with a POL extension. If such files exist, they may or may not be malicious. I recommend booting the system into MS-DOS mode and renaming the policy file with an extension of PCY instead of POL. This will disable the policy without deleting it.
Now, boot Windows normally and play around to see what effect, if any, disabling the policy has. If you're suddenly able to edit IE's home page, then it's probably safe to assume that the policy was malicious and didn't belong on the system. If this is the case, go ahead and delete the policy file.
On the other hand, if you're still unable to edit IE's home page and unable to perform some normal tasks, the policy is probably legitimate and you should reenable it. You can do this by booting the system into MS-DOS mode again and renaming the policy file so that it once again has the POL extension.
Hijack This!
By now, you're probably wondering which technique I used to fix my father-in-law's problem. I used a really cool freeware utility called HijackThis, shown in Figure A, which you can download here. This utility scans the Windows registry and hard drive for IE settings that have been modified. If modifications are found, each modification is listed, and you may then choose which modifications to keep and which to remove.
Figure A
Here is the HijackThis main window before a scan has been run.
Once HijackThis is open, click the Scan button to start a new scan. Once the scan is complete, a list of modifications will be displayed, as shown in Figure B.
Figure B
Here are the HijackThis scan results.
When the scan is complete, you can select the suspicious entries and either click the Fix Checked button to remove them or click the Info On Selected Item button to learn more about each one—you'll need to highlight each entry individually, as shown in Figure C.
Figure C
This entry shows the current IE start page.
I found using HijackThis to be extremely effective, but it's not for the novice. I strongly recommend backing up your Windows installation before running HijackThis because it's easy to accidentally damage Internet Explorer. For example, ViRobot Expert, the antivirus product I mentioned earlier, integrates itself into Internet Explorer and Outlook. If you had ViRobot Expert installed and then used HijackThis to remove all IE modifications, you would be removing ViRobot Expert's IE component, thus weakening your security.
StartupList: Another handy HijackThis tool
Integrated into HijackThis, StartupList generates a list of every application that starts automatically when Windows boots. This list is more in-depth than the one provided by Msconfig, but doesn't provide a GUI or a means to control whether programs start or not.
To run StartupList, click the Config button from the HijackThis main window. Then click the Misc Tools button. Click the Generate StartupList log button, then click Yes. The list is saved as a text file with the name startuplist.txt in the directory where HijackThis is located. HijackThis automatically opens the text file with Notepad, as shown in Figure D.
Figure D
StartupList displays the applications that are automatically started when Windows boots.
Preventing reinfection
If all goes well, by now you've been able to reclaim your Web browser. If not, you may have to reinstall Windows. Simply reinstalling Internet Explorer or upgrading it to a newer version doesn't usually get rid of the problem (believe me, I've tried). Once you do get Internet Explorer back under your control, there are several basic steps that you can take toward preventing this problem from occurring in the future.
If you're using an always-on connection, such as through DSL or a cable modem, use a good personal firewall. Use reputable antivirus software and keep it current. Do not run, save, or download programs that you don't trust.
Regularly delete all temporary Internet files and cookies from your browser's cache. It's possible that IE cached the malicious code, so you'll want to make certain that it's gone for good from your system. Make sure that you have all of the latest security patches in place, especially for Windows, IE (and/or other browsers you may be using), and Outlook.
Still another way to prevent the problem from happening again is to use a freeware utility called Browser Hijack Blaster. This program constantly monitors Internet Explorer for modifications. If a modification is attempted, Browser Hijack Blaster alerts you to the impending modification and asks if you want to allow it or prevent it from happening. Browser Hijack Blaster is compatible with Windows 9x/Me/NT/2000/XP.
Previous
Did you find this article useful?
208 out of 427 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
Full Talkback thread
8 comments
-
For heavens sake, why don't you just install Firef... Les Bernstein -
Proof that Windows really IS easy to use! And has... Chris Rankin
-
HijackThis and SpySweeper not mentioned!
ZDNet pub... Michel Merlin
-
Hijack This is mentioned, in detail and with... annoyed -
No need to visit porn to get infected. ZDNet is mi... Michel Merlin
-
Excellent piece of information.. Interestingly eno... Johnny Boyd
-
The article also doesn't mention Zerospyware which... David Isidro
-
i am currently using PANDA's version of anti virus... Anonymous
