Question:
Hello, everyone! About three weeks ago, on my brand-new Dell, the Internet Explorer home page was hijacked, and I do not know how to get control back. Any suggestions? I have run a number of antispyware utilities (Ad-aware, SpyBot, Ewido, Spyware Doctor, and HijackThis) with no luck. I called my ISP provider for help, but so far no luck. Also, with having my computer home page hijacked, if I go online to conduct some banking, am I at risk? I run ZoneAlarm and AVG, all my patches and security updates run every day, and I don't surf dangerous sites. Any help that you can send my way will be most appreciated! Thank you very much!
Submitted by: Maureen M. of Victoria, British Columbia, Canada
***********************************************************************
Answer:
Dear Maureen, setting the home page on your browser is quite easy. Regaining control of a browser hijacking can be trickier, depending on the nature of changes made to your computer. But let's start with the basic, simpler approach.
(It's possible that you've already attempted some of the things I am about to discuss. If so, please bear with me. I am including them for the benefit of readers unfamiliar with the process, and because it is impossible for me to know the exact troubleshooting steps you have undertaken. Even if you have previously done so, let's reset your home page once more. Please restart your computer when you are done.)
To set your browser home page:
1. On your Internet Explorer's Menu bar, click Tools and select Internet Options from the drop-down menu to open IE's Options window.
2. Click the General tab if not already on the forefront. You should see a Home Page box listing your current home page.
3. If the Home Page box is not displayed, or if it has been "grayed out" and the radio buttons are inaccessible, you are dealing with a browser hijacking that involves significant changes to your Windows registry. These will have to be addressed before you can restore your home page. I'll discuss this at a later point.
4. Type a website address in this box (e.g., http://www.cnet.com/), click OK, and the website in question becomes your home page. Alternatively, you can navigate to whatever website you wish to make your home page, open the IE Options window as previously described, then click the Use Current radio button immediately below the home page box.
5. Exit the Internet Options window and close Internet Explorer (IE).
6. Open IE. Your new home page should appear.
(You can learn more about changing your home page by clicking the question mark (?) on the upper right corner of the IE Options window and choosing How Do I Set My Home Page? on the Help document that opens.)
If your home page has been hijacked by malware or a malicious website, either one of the aforementioned methods will allow you to reset your home page. However, if the problem reappears every time you boot your computer and open IE, it is likely that the folks responsible for the hijacking also made changes to the Windows registry to ensure your browser always opens to the page(s) they want you to see.
You mentioned that you "ran" a number of antispyware utilities, among them Spybot Search & Destroy (Spybot S&D) and HijackThis. While these utilities probably identified and removed spyware present in your computer, scanning in itself might not remove the registry values in question or reset your home page. It's also possible that some malware components remained behind after cleaning.
Let's try the following:
1. Start your copy of Spybot Search & Destroy. Make sure it opens in Advanced Mode. The Advanced Mode displays the Settings, Tools, and Info & License options on the left hand panel in addition to the default Spybot S&D entry. If you only see the latter, click Mode on the menu bar and select Advanced.
2. On the left hand panel, click on Tools and scroll down to Browser Pages. Clicking this entry will list all of the websites registered as search and start or "home" pages. Check the list for suspicious entries and/or those websites that have been replacing your preferred home page. If you find entries that shouldn't be there, click on them and then on Change to delete them. Follow the software's instructions carefully. If at any time you have any questions, please click the Help button for more information.
3. Open IE and reset your home page as previously described.
4. Close IE and reopen it to verify that your preferred home page has not been changed. If this is the case, go back to Spybot S&D and select IE Tweaks from the Tools menu on the left panel.
5. Make sure there are check marks on the first two boxes under Miscellaneous Locks. These changes will enhance protection against hijackings and unauthorized changes to your home page. (Note: The aforementioned Home Page box in the Internet Options window will appear grayed out after making these changes. If you wish to change your home page at a later time, simply open Spybot S&D and remove the check marks under the Miscellaneous Locks section. You can then reset your home page from the Internet Options window.)
6. Close Spybot S&D.
7. Restart your computer.
Hopefully this took care of the issue and your browser will open to the website of your choice. If this is indeed the case, the next step is to create a new Restore Point. Why? Because you'll need to delete all previous ones lest a future restore operation also restores the registry value(s) that altered your home page.
You can access the System Restore utility by clicking:
Start/All Programs/Accessories/System Tools/System Restore
If you are unfamiliar with System Restore, please check the following article:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
If the advanced tools in Spybot S&D were unable to solve the issue and you are comfortable using HijackThis, you might want to give this utility another shot.
I am assuming that you are familiar with what HijackThis can and cannot do, and understand that running it yields a log of entries without actually changing anything in your system. It is up to the user to analyze the logs and remove troublesome or suspicious items. Simply running HijackThis without analyzing and acting on the results is like running Spybot S&D but failing to fix the problems it identifies. For more information on this subject, please visit:
http://www.merijn.org/htlogtutorial.html
Understand, there is a good reason why HijackThis doesn't remove entries automatically: Editing your computer's registry can have serious consequences if you accidentally delete the wrong thing. For this very reason, I am reluctant - and unable - to give you step-by-step instructions on editing the registry, especially since I have no idea what the actual culprit is and thus what would need to be removed.
If you previously acted on suspicious entries found on the HijackThis log, it's possible that something was left behind. If you remember what you found/removed, do a Google (http://www.google.com/) search to see if you can find information on the nature of the threat as well as changes it usually makes to the registry. With this information in hand, you can run HijackThis once more and see if you missed anything.
If that still doesn't solve the problem, consider doing a Google search using "Internet Explorer Home Page Hijack" as your query. You will find plenty of advice on how to fix a hijacked browser, and perhaps one of the discussions will address your specific issue. Before attempting any of the fixes prescribed on any of those websites, back up your registry. The following website will show you how to back up (and restore) your registry:
http://www.theeldergeek.com/windows_xp_registry.htm
Before performing either of the Google searches, I suggest you install McAfee SiteAdvisor (http://www.siteadvisor.com/), a free utility that assigns a relative safety rating to both websites you visit as well as search results.
In fact, SiteAdvisor will even prevent you from navigating to particularly troublesome sites until you acknowledge the risks and possible consequences of moving forward. In your case, you can use this feature to your advantage: Chances are once you open your home page, SiteAdvisor will warn you about problems with the website in question, and the site details might even provide information that could prove useful in solving your issue once and for all.
It is also possible that changes to your operating system's Hosts files are redirecting traffic intended for websites commonly used as home pages to malicious ones. You will need to rule out this possibility as well.
http://www.mvps.org/winhelp2002/hosts.htm
However, at this juncture you might be better served by performing a repair-reinstallation of Windows XP.
http://support.microsoft.com/kb/315341
Doing so will be significantly safer than messing with your registry or relying on anonymous online advice, and should resolve any registry (and Hosts files) issues resulting from the browser hijacking. Even though a repair-reinstallation of Windows is relatively time consuming (45-60 minutes), that is nothing compared to what incorrectly editing your registry might cost you in time, frustration and money!
(A repair-reinstallation will NOT erase or reformat your hard disk. It is extremely unlikely that you will lose files in your My Documents folder or elsewhere, nor will other installed programs be modified or removed.)
Once you get things back to normal, read the following document to learn more about browser hijacking and what you can do to safeguard your computer.
http://www.microsoft.com/athome/security/online/browser_hijacking.mspx
Realize that while you might not navigate to "dangerous sites," it is possible that anyone else using your computer does. And if you share your PC with children - especially adolescents - the probability of their stumbling upon unhealthy websites or of downloading software bundled with parasites is somewhere in the neighborhood of 5000000%. SiteAdvisor will help you identify potentially dangerous sites. And, trust me, you will be surprised at the changes many seemingly "safe" websites have been documented to attempt on visitors' computers.
I also encourage you to install Windows Defender (Beta 2). In its previous incarnation as Microsoft AntiSpyware, this software monitored and blocked browser hijacking attempts. While this functionality is not explicitly listed in the Windows Defender options menu, it seems like the hijacking protection is still there buried as part of the utility's software explorers.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
As far as the risk of conducting financial and other sensitive online transactions, the sensible approach is to assume that while your home page remains hijacked, there is a significant risk of personal information falling into the wrong hands. The fact that you have ZoneAlarm installed is encouraging and probably has prevented sensitive data from leaving your computer. However, security software is never perfect, so we must remain proactive. If your version of ZoneAlarm offers identity protection, you might want to take advantage of the Vault feature to store personal and financial information, even after fixing the browser issue. Better safe than sorry!
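The Hosts file check mentioned in the answer above can be done by listing every entry that maps a name to a routable address. The following is an added example, not part of the original answer: the function names and the sample file contents are constructed for illustration, and the sample uses reserved documentation addresses and names.

```python
import ipaddress

# Constructed sample, not taken from a real machine. 203.0.113.0/24 and
# the .example names are reserved for documentation.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example        # loopback block entry
0.0.0.0         tracker.example
203.0.113.45    www.portal.example search.portal.example
203.0.113.45    www.bank.example   # redirect
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_no, ip_text, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no name
        for name in fields[1:]:  # one address may carry several names
            yield line_no, fields[0], name.lower()


def audit_hosts(text):
    """Return (redirects, malformed).

    redirects: names pointed at an address that is neither loopback nor
               0.0.0.0, so traffic for that name leaves the machine.
    malformed: entries whose first field is not a valid IP address.
    """
    redirects, malformed = [], []
    for line_no, ip_text, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            malformed.append((line_no, ip_text, name))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost or a blocking entry, not a redirect
        redirects.append((line_no, str(ip), name))
    return redirects, malformed


if __name__ == "__main__":
    found, bad = audit_hosts(SAMPLE_HOSTS)
    for line_no, ip, name in found:
        print(f"line {line_no}: {name} -> {ip} (review this entry)")
```

On Windows XP the file to pass to audit_hosts is %SystemRoot%\system32\drivers\etc\hosts. Any reported entry for a bank, search engine or portal that you did not add yourself deserves a closer look.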