Any of the products below will remove most hijackers completely, unless it is one which has just started spreading.
Spybot S&D [recommended]
Ad-aware
If you have a hijack that is not fixed by any of these products, you may use these solutions below that I have gathered after helping to fix these same problems countless times through email and at a comp tech forums. Read on…
Your browser now has a new start page and a new search page. Every time your browser loads a page that doesn’t exist, you end up at some strange site, probably filled with popup ads.
Skip any step that deals with a problem that doesn’t effect you
1. Assuming that none of the spyware removal programs listed above helps you, the very first thing you need to do is download and run HijackThis. Put a check mark next to every search and start page setting it lists which you haven’t put there yourself and choose fix. Do the same for any hosts file entries. If it lists anything as O5, O6, or O7*, fix those as well. Please ask for advice at a comp tech forums before using HijackThis to change anything else.
*Note: Spybot S&D, Start Page Guard, Settings Sentry, and similar programs may provide options to lock settings against unauthorized changes. If you have these options enabled, HijackThis will detect that as a restrictions hijack. Disable those options before scanning with HijackThis.
2. Second, you have to put Internet Options back into the control panel. Do a file search and look for a file named “control.ini”. Open it in Notepad. You may see something like this:
[don’t load]
inetcpl.cpl=yes
Delete the “inetcpl.cpl=yes” line under “[don’t load]”. Save and close the file, then try the control panel again. If it’s still not there, restart your machine and it should be there.
For Windows 2000 and XP, you will need to edit the registry to do this. Go to the start menu > RUN command > type REGEDIT and press enter. Navigate through the registry keys until you get to HKEY_CURRENT_USER\Control Panel\don’t load\. Look and see if inetcpl.cpl is listed. If it is, delete the entry for it and log off.
3. Run a search on your hard drive for any files ending with *.hta or *.js. If you find any, open them in notepad or some other text editor and look for the URLs that you have been hijacked to. Any file with those URLs, delete them. Also delete all *.tmp files on your drive; some of them contain malicious code (for e.g. browser hijacks or malware (re)installations). Besides, deleting *.tmp files doesn’t hurt, unlike dll’s which are also used sometimes for this purpose. (Thanks to cexx.org for the additional info in this step).
4. HijackThis will list any BHO(browser help object) installed on your computer. Check the BHOs listed against the list of all known BHOs. If you find one listed as some sort of spyware/malware/hijackware, run HijackThis again and find that BHO in the list. Check its box and have HT fix it.
If you find a BHO that is not included in the list, please make a post in the Browser Hijackings section of comp tech support forums with the HijackThis log pasted in along with an explanation of your problem. Please wait for replies before deleting this BHO, as it may be a new one which I can have added to various spyware/malware cleaning programs. It may also be an innocent file that is not causing your problem, so please wait for advice before deleting it.
5. Now you need to see if there is a startup entry for your hijacker file. The next time you reboot, the hijack might come right back. The reason for this would be an entry in the run section of the registry.
Look in HijackThis for 04 startup items. Check the entries listed against Pacman’s List. Items listed as virus, malware, spyware, or something else that is undesirable, put a checkmark next to it and “fix” it.
Again, it will be absolutely necessary for you to close all open Internet Explorer windows before any of these changes will take effect. That includes this window. Some changes may even require a log off or even a reboot before they have any effect.
Still not fixed?
I hope this helps anyone who has become a victim of a browser hijack. If it does, great.
If the problem still remains after doing all of the above, you can visit comp tech support forums and post the specifics of your problem there.
