Step-by-step: Reclaiming a hijacked Internet Explorer
Note: These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups and don't attempt them at all if you're not familiar with registry editing.
1. If you've been hijacked, you can reclaim your browser with a bit of work.
If your Control Panel's Internet Options have been disabled, get them back by locating the file control.ini (use Start -> Find/Search to locate it). Open control.ini in Notepad and look for the lines:
Delete the second of these two lines, close and save the file and reboot your computer. (Click the image below to see a full-sized image.)
Re-enable your Internet Options (click to see a full-size image)
2. Close any open Internet Explorer windows.
a. Click Start -> Run, type regedit and click OK to open the Registry Editor.
b. Navigate to:
If you find sub-folders called restricted or control panel, delete them. Check for the same sub-folders in:
HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Internet Explorer
and delete them, too, if they exist. Then close Regedit.
Delete the suspect registry keys
3. If your search pages have been redirected, re-establish the defaults:
a. Open the Registry Editor and navigate to:
Change the Search Page value to:
and, if it exists, change the Search Bar value to:
b. Navigate to:
and change the default value to:
c. Navigate to:
Change the SearchAssistant value to:
and change the CustomizeSearch value to:
Reset the registry search keys
4. Reset your home page to your chosen page:
1. In Internet Explorer, choose Internet Options from the Tools Menu and, on the General tab, type in your preferred home page.
2. Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference.
3. Locate the file HOSTS (it has no file extension) and open it in Notepad. Once again, look for any reference to the hijacking site. If you find any references, delete the lines containing those references.
Reset your home page in Internet Explorer
5. Use BHODemon to control which Browser Helper Objects (BHOs) are loaded when you open your browser. When you run the program, it will let you know which BHOs are being loaded. Usually, you should see nothing more than Acrobat Reader (Acroiehelper.ocx) and perhaps an anti-virus helper, such as Norton's NavShExt.dll. If BHODemon reports any other BHOs, click the Details button and then More Details to check the source. If you're suspicious of any BHO, disable it.
Use BHODemon to control Browser Helper programs
6. a. Click Start -> Run -> msconfig and check the programs under the Startup tab. If you find an entry which contains regedit.exe /s disable it, and disable other programs you know to be suspicious.
b. Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact.
Note: If you're using Windows NT, 2000 or XP, this information is contained in the registry key:
which should contain the value explorer.exe.
c. Click OK to exit from msconfig and reboot your system.