Reclaiming a hijacked Internet Explorer

December 2016



Issue


On my laptop when I open Internet Explorer it goes to a page advertising purchasing wifi....no matter what address I type in the address bar it keeps going back to this same page!
Please help

Solution

Note: These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups and don't attempt them at all if you're not familiar with registry editing.
  • 1. If you've been hijacked, you can reclaim your browser with a bit of work.


If your Control Panel's Internet Options have been disabled, get them back by locating the file control.ini (use Start -> Find/Search to locate it).
Open control.ini in Notepad and look for the lines:

[don't load] 
inetcpl.cpl=yes


Delete the second of these two lines, close and save the file and reboot your computer. (Click the image below to see a full-sized image.)

Re-enable your Internet Options (click to see a full-size image)
  • 2. Close any open Internet Explorer windows.
    • a. Click Start -> Run, type regedit and click OK to open the Registry Editor.
    • b. Navigate to:


HKEY_CURRENT_USERSoftwarePoliciesMicrosoftInternet Explorer 


If you find sub-folders called restricted or control panel, delete them. Check for the same sub-folders in:

HKEY_LOCAL_MACHINE SoftwarePoliciesMicrosoftInternet Explorer 


and delete them, too, if they exist. Then close Regedit.

Delete the suspect registry keys
  • 3. If your search pages have been redirected, re-establish the defaults:
    • a. Open the Registry Editor and navigate to:


HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain 


Change the Search Page value to:

http://home.microsoft.com/access/allinone.asp

and, if it exists, change the Search Bar value to:

http://search.msn.com/spbasic.htm


*
    • b. Navigate to:


HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSearchURL 


and change the default value to:

http://home.microsoft.com/access/autosearch.asp?p=%s 



*
    • c. Navigate to:


HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerSearch 


Change the SearchAssistant value to:

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

and change the CustomizeSearch value to:

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

Reset the registry search keys
  • 4. Reset your home page to your chosen page:
    • 1. In Internet Explorer, choose Internet Options from the Tools Menu and, on the General tab, type in your preferred home page.
    • 2. Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference.
    • 3. Locate the file HOSTS (it has no file extension) and open it in Notepad. Once again, look for any reference to the hijacking site. If you find any references, delete the lines containing those references.


Reset your home page in Internet Explorer
  • 5. Use BHODemon to control which Browser Helper Objects (BHOs) are loaded when you open your browser. When you run the program, it will let you know which BHOs are being loaded. Usually, you should see nothing more than Acrobat Reader (Acroiehelper.ocx) and perhaps an anti-virus helper, such as Norton's NavShExt.dll. If BHODemon reports any other BHOs, click the Details button and then More Details to check the source. If you're suspicious of any BHO, disable it.


Use BHODemon to control Browser Helper programs
  • 6. a. Click Start -> Run -> msconfig and check the programs under the Startup tab. If you find an entry which contains regedit.exe /s disable it, and disable other programs you know to be suspicious.
    • b. Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact.


Note: If you're using Windows NT, 2000 or XP, this information is contained in the registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonShell 


which should contain the value explorer.exe.


*
    • c. Click OK to exit from msconfig and reboot your system.

Note

Thanks to xpcman for this tip on the forum.

Related :

This document entitled « Reclaiming a hijacked Internet Explorer » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.