Cadzow Knowledgebase

Internet Explorer: Clearing Some Post-Malware Browser Hijacks

Some types of malware change browser settings to redirect the user to different home and search pages. Running the following registry commands in an elevated command prompt clears some of those settings:

reg delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Search Bar" /f
reg delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Search Page" /f
reg delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v Default_Page_URL /f

reg delete "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /f
reg delete "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Search Page" /f
reg delete "HKLM\Software\Microsoft\Internet Explorer\Main" /v Default_Page_URL /f

reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Search" /v CustomizeSearch /f
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Search" /v Default_Search_URL /f
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Search" /v SearchAssistant /f

reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Search" /v CustomizeSearch /f
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Search" /v Default_Search_URL /f
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Search" /v SearchAssistant /f

reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /v Default /f

Other registry locations that may require attention:

  • Reset the default value under HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command to C:\Program Files\Internet Explorer\iexplore.exe

  • HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes

  • HKLM\SYSTEM\ControlSet\Services\iphlpsvc\Parameters\ProxyMgr

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

Additionally, the shortcuts used to open Internet Explorer or Firefox may have been edited to launch a particular page at startup. If the browser opens a page other than the designated home page, check the properties of the shortcut and remove anything which comes after the browser's executable (.exe).
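A read-only audit that can be run before the deletions above, so the redirect URLs and shortcut arguments are recorded before they are cleared. This PowerShell script is an added example, not part of the original article; it takes its value names from the commands on this page, treats ProxyServer as a value under Internet Settings, and assumes the browser shortcuts live in the desktop, Start Menu and Quick Launch folders.

```powershell
# Added example: read-only audit. Nothing is modified or deleted.
# HKCU is the hive of the account running the script, so run it as the affected user.
$targets = @(
    @{ Key   = 'Software\Microsoft\Internet Explorer\Main'
       Names = 'Start Page', 'Search Bar', 'Search Page', 'Default_Page_URL' },
    @{ Key   = 'Software\Microsoft\Internet Explorer\Search'
       Names = 'CustomizeSearch', 'Default_Search_URL', 'SearchAssistant' },
    @{ Key   = 'Software\Microsoft\Internet Explorer\SearchUrl'
       Names = @('Default') },
    @{ Key   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Names = @('ProxyServer') }   # ProxyServer is a value, not a key
)

# Report every listed value that is currently set, in both hives.
$report = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($t in $targets) {
        $path = "${hive}:\$($t.Key)"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        if (-not $props) { continue }            # key exists but holds no values
        foreach ($name in $t.Names) {
            $p = $props.PSObject.Properties[$name]
            if ($p) {
                [pscustomobject]@{ Location = "$hive\$($t.Key)"; Name = $name; Data = $p.Value }
            }
        }
    }
}

# Folders searched for shortcuts (assumed locations; add others as needed).
$dirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)

# Flag Internet Explorer or Firefox shortcuts that carry anything after the .exe.
$shell = New-Object -ComObject WScript.Shell
$shortcuts = Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # loads the .lnk; Save() is never called
        if ($lnk.TargetPath -match '\\(iexplore|firefox)\.exe$' -and $lnk.Arguments) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }

$report    | Format-Table -AutoSize -Wrap
$shortcuts | Format-List
```

An empty result for either section means none of the listed values or shortcut arguments are present for the account the script ran under.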



Copyright © 1996-2023 Cadzow TECH Pty. Ltd. All rights reserved.