Site search Web search

powered by FreeFind

Kill new version of Enjoy Search hijacker

by Philip Chalmers



The “Enjoy Search” hijacker:
* Sets Internet Explorer's start-up page to http://www.enjoysearch.info/
* Does this every time you start your computer, even if you changed the browser's start page to something else.

As far as we know this hijacker affects only Internet Explorer on Windows.

The hijacker's authors change the way it is installed as soon as methods of stopping it are published on the Web. So this article describes the most recent fix first. If that doesn't work, try the next fix listed at http://www.benefit-from-it.com/security_tips/enjoy_search_hijacker.htm, and so on. If none of the fixes work, use a good search engine (e.g. Google) to search for “Enjoy Search”.

Like most hijackers, the “Enjoy Search” hijacker sets entries in the Windows registry to make Internet Explorer show the hijacker's page whenever you start Internet Explorer. But in spring 2004 the hijacker started using a new method of doing this. This version sets a registry entry which tells Windows to run xvwizard32.hta every time Windows starts up, and xvwizard32.hta sets the registry entries which make Internet Explorer's home page enjoysearch.info

Summary of how to remove the “Enjoy Search” hijacker:
* Check whether your computer is infected with the spring 2004 version. The other steps apply only if you find this version of the hijack.
* Prevent Windows from running xvwizard32.hta every time you start your computer.
* Remove all copies of xvwizard32.hta
* Remove the registry entries which make Internet Explorer's home page http://www.enjoysearch.info/.
* Restart your computer and then start Internet Explorer to see if the hijacker has been removed.
* If your Internet Explorer is still hijacked to enjoysearch.info, use the procedure for removing the earlier version of the “Enjoy Search” hijacker - see http://www.benefit-from-it.com/security_tips/enjoy_search_hijacker.htm Perhaps you were really unlucky and your computer was infected with both versions.

Windows Explorer provides the easiest way to find out whether your computer is infected with the spring 2004 version of the “Enjoy Search” hijacker:
* Make all system and hidden files visible - the menu path is Tools > Options > View (tab) > Show all files (radio button in scrolling box) - then click “OK”.
* Then use menu path Tools > Find > Files or folders to open the “Find files” dialogue.
* Type xvwizard32.hta in the dialogue's “Named” box.
* Select “My Computer” in the dialogue's “Look in” box.
* Make sure the dialogue's “Include subfolders” box contains a tick (check mark).
* Click the “Find” button. It will take Windows a minute or two to complete the search.

If you find no copies of xvwizard32.hta, use the procedure for removing the earlier version of the “Enjoy Search” hijacker.

You can use the “Find files” dialogue to remove all copies of xvwizard32.hta - the safest way is probably to use the keyboard, to avoid the risk that you accidentally double-click xvwizard32.hta and run it:
* Use the TAB key to move the cursor into the scrollable list of files found.
* Hit the HOME key to select the first copy of xvwizard32.hta
* Hold down SHIFT and hit END. This will select all copies of xvwizard32.hta
* Hit the DELETE key and click “Yes” when Windows asks if you really want to send these files to the Recycle Bin.

To remove from Windows' registry the entry which tells it to run xvwizard32.hta:
* Click the task bar's “Start” button and then “Run”
* In the “Open” box type regedit then click “OK”. This starts the Registry Editor.
* The left side of the Registry Editor contains a list of folders, rather like Windows Explorer. Click the “+” buttons to open the path HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > Run This tells the Registry Editor to show in the right half of the screen the entries which tell Windows what programs to run when you start your computer.
* Click (once only!) and delete all entries which contain “xvwizard32.hta”

Now you need to remove the registry entries which make Internet Explorer go to enjoysearch.info whenever you start it. The easiest way is:
* Start Internet Explorer.
* In the menu bar, click “Tools” then “Options”.
* Use the dialogue box to set Internet Explorer's home page. If you don't want a blank page or Internet Explorer's default (msn.com), type the first few letters of the home page's address in the “Address” box and wait for Internet Explorer to show you a list of all recently-visited pages whose addresses begin with those letters, then click one of them.
* Then click “Apply” and finally “OK”.

Finally test that you've killed the “Enjoy Search” hijacker - restart Windows and then Internet Explorer, and see which page Internet Explorer displays on start-up.

Mouse clip art by 1 Papacaio