BEFORE YOU START -
and install Hijack This from www.downloads.com
-STEP 1- SAFETY STUFF
your documents and create a system restore
-STEP 2- CHECK FOR SUSPICIOUS STARTUP ITEMS
You can use Hijack This to clean out hijacked items from Microsoft's
(redirections due to spyware), however they will return if the executable
program causing them is not removed.
a. Click on Start > Run, type "msconfig" and click OK.
b. Select the "Startup" tab.
c. Uncheck any items you don't recognize. Note that many legitimate programs will appear here
Most spyware will load from this area. If you are unsure whether a particular
item is legitimate, do a Google search on the name of the .exe
that loads. The only caveat is that some spyware .exe files get a
randomly generated name, so a search will not identify them.
You can look in the Command column to see the name of the .exe
file itself and you can stretch this column if you cannot see the entire line of
By the way, it IS safe to uncheck everything here as a test anyway
- nothing critical to Windows loads here. So, if in doubt, it is OK to uncheck
d. Apply the changes, and restart Windows.
-STEP 3 - Run Hijack This
1. Run the tool, and
2. Look mostly at the R0, R1 and O2 entries. These relate to
the hijack and represent changes to your default browser settings (homepage,
3. Have a look at the addresses for these entries. If any are
different from your preferences, check the box next to each one.
4. Click on "Fix Checked" and confirm.
This process cleans out the modified (hijacked) entries. You can
also define what Hijack This uses by clicking the Config button (lower right);
however, this is not required.
-STEP 4 - DOUBLE-CHECK HOME PAGE AND TEST
One problem is that if the IE Home Page isn't cleared, you'll get "rehijacked" when
you launch IE. This is because that particular page is the source of the
problem. (It may try to load an ActiveX
Hijack This may have already reset your Home Page in STEP 3, but
double check before starting IE:
a. Head to Control
b. Change your Home Page on the General tab.
the Internet, reboot
your machine, and test over the next little while.
If the hijack stays away, you've successfully cleared it, and one
of the Startup items you disabled in STEP 2 might still be the cause.
-STEP 5- PERMANENTLY DELETE THE CAUSE
to find the Startup item that is causing this, if any. Recall that in STEP 2 we
disabled some suspicious startup items. One or several of them may be
triggering the hijack.
Also note that we've been testing
the machine with the Startup Items disabled. We want to ensure the computer runs
fine (no errors) with all these items unchecked.
If you are unsure about deleting an item or using the registry,
seek help from your local tech expert.
a. Launch MSCONFIG once
b. For the first suspicious item, expand the "Location" column to see
where it is loading from in the registry.
c. Click on Start, Run, type "regedit" and click OK.
d. Browse to the key listed in the "Location" column for
e. Delete only the entry on the right-hand side that specifically
matches that startup item. **See example below.**
f. Note the "Command" folder in MSCONFIG. Browse to this folder, and delete the .exe file itself.
**See example below.**
In this example, the Startup
Tab of MSCONFIG indicates that:
pxzyc.exe loads from Command "C:\WINDOWS\PXZYC.EXE" and Location
In this case, we go to the registry editor and find that Run key
in the left-hand pane. In the right-hand pane you'll see each item in that
Run key, specifically "pxzyc.exe" in this case. Delete the entry for "pxzyc.exe"
in the registry only.
In addition, we'll browse to the C:\WINDOWS folder, and manually
delete the pxzyc.exe file that resides there.
g. Repeat these steps for each suspicious item.
Some spyware also adds itself as
Web content on your desktop background.
To remove this:
a. Right-click the desktop,
b. Select the Desktop tab, then the Customize
c. Select the Web tab, and delete any content indicated.
In STEP 3, you may note that the
R0, R1 etc. entries point to an .htm or .html file on your local computer.
Although Hijack This will clean out your IE settings, it will not delete the
local copy of the html file on your computer. Be sure to browse to the location
of the file indicated, and delete the file manually.
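
The review in STEP 3 and the local-file note above can also be done over a saved Hijack This log. The following is an added example, not part of the original guide or of Hijack This itself. It assumes the usual "<section> - <detail>" layout of the text log; the sample lines, the pxzyc.dll path and the preferred addresses are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the guide), in the assumed
# "<section> - <detail>" layout of a saved Hijack This text log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\pxzyc.dll
O4 - HKLM\..\Run: [pxzyc] C:\WINDOWS\PXZYC.EXE
"""

# Only the sections STEP 3 says to look at; O4 (startup) lines are skipped
# here because STEP 2 and STEP 5 handle them through MSCONFIG.
ENTRY = re.compile(r"^(R0|R1|O2) - (.+)$")
LOCAL_HTML = re.compile(r"(?:file:/*)?([A-Za-z]:\\[^\"]*?\.html?)\b", re.I)


def triage(log_text, preferred=("http://www.example.com/", "about:blank")):
    """Return (to_review, local_files) for the R0/R1/O2 review in STEP 3.

    preferred is a hypothetical allow-list of the user's own browser settings.
    """
    to_review, local_files = [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        if section in ("R0", "R1"):
            # The address is whatever follows " = "; empty means unset.
            value = detail.partition(" = ")[2].strip()
            if value and value not in preferred:
                to_review.append((section, value))
            hit = LOCAL_HTML.search(value)
            if hit:
                # Fixing the entry resets the setting but leaves this file on disk.
                local_files.append(hit.group(1))
        else:
            # O2 entries: always list the file path for a manual look.
            to_review.append((section, detail.rsplit(" - ", 1)[-1]))
    return to_review, local_files


if __name__ == "__main__":
    review, files = triage(SAMPLE_LOG)
    for section, value in review:
        print(f"review {section}: {value}")
    for path in files:
        print(f"delete manually after fixing: {path}")
```

Save the log before clicking "Fix Checked", so the local file paths are still on record when the entries have been reset.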