Hijacked!

Browser hijackers take over your browser, change the home page and attempt to funnel you into their own sites whenever you surf. Learn how to fight back.

Web surfing isn’t the pleasure it once was. The dot.com bust has reduced the number of interesting, freely accessible sites. Pop-up, -under and -over advertisements make it almost impossible to view the page you’re after. And security holes in the major browsers make it necessary to bump up the security features to an annoyingly invasive level.

In addition to these daily irritations, there’s an unpleasant technique called browser hijacking which has become increasingly common. Browser hijacking is the use of scripting tools to modify your browser’s default settings. This may be as trivial as adding a new link to your Links or Favorites or as unconscionable as changing your home page persistently via a combination of scripting, registry changes and auto-running programs.

What’s the point of hijacking? To bring you back, over and over, to a site or a site’s sponsor, in the hope of boosting business. Hijackers also use the technique to track the sites you visit and analyse your browsing habits. Let’s face it, anyone who is prepared to kidnap you in this fashion has little regard for your privacy.

The culprits

Who’s responsible for hijacking? Not surprisingly, the technique was pioneered by porn sites. Owners of porn sites have traditionally been on the cutting edge of designing techniques to keep users trapped on their sites. They were first with multiple windows which would pop up as you tried to leave the site, and they’ve used all sorts of techniques – windows half off screen so they’re hard to close, windows without any controls whatsoever – to chain visitors to their sites.

Where porn site owners venture others soon follow. Many sites offering ‘freebies’ have taken browser hijacking to their bosom.

But it’s not merely the Internet’s out-and-out lowlifes who engage in this sort of activity. For years, companies such as Microsoft, Netscape and many others have been adding links and changing browser settings without permission. One example: When you install AOL or any of its affiliated programs, such as ICQ or AOL Instant Messenger, without asking it adds http://free.aol.com to Internet Explorer’s Trusted Sites zone. Any site in the Trusted Site list is treated as a ‘safe site’ and by default all of IE’s security options are set at their least restrictive for these sites. This means if you visit the AOL site, AOL can run any script, download items to your desktop and perform a variety of functions without requesting your permission.

AOL invades the Trusted Sites zone

AOL/Netscape -- in most untrustworthy fashion -- automatically adds itself to Internet Explorer's Trusted Sites zone. To eliminate it: Select Internet Options from the Tools Menu, click the Security tab, click Trusted Sites and then the Sites button, locate http://free.aol.com in the list of sites, select it, then click Remove.

It’s easy enough to undo such changes. Indeed, most browser hijackings require little more than a resetting of options.

Advanced hijacking techniques

Some browser hijackings, though, are more pernicious. Take, for example, home page hijacking. In its simplest form, home page hijacking is very easy to recover from: Select Internet Options from the Tools Menu, on the General tab type your desired home page’s address into the Home Page box, and click OK.

That’s easy enough. But some home page hijackings go further. Three techniques used include:

Removing Internet Options from your browser’s Tools Menu, and from the Control Panel, so you are unable to reset your home page or make any changes whatsoever to your browser settings.
Editing your registry settings so the next time you launch your browser the home page is reset to the hijacker’s page. In this case, you have to go into your registry and make changes in order to weed out the home page squatter.
Installing a program which runs each time you boot your computer and then resets your home page to the hijacker’s page. With this last technique, even if you modify the registry your home page will continue to be hijacked each time you reboot.

How hijackers strike

How do you fall prey to a browser hijacking? There are numerous ways. Here are some common ones:

By installing software which changes your browser settings. This may happen with commercial software, but is much more common with freeware or adware.
By visiting a site which exploits a browser bug to change settings without your permission.
By visiting a site which persuades you to allow your settings to be changed, usually by offering freebies. When you accept the offer, your browser settings are changed or software installed. While such sites may tell you of their intentions, usually it’s in the fine print or couched in deceptive terms.

Defending yourself

Fortunately, most hijacking attempts can be prevented by using a few commonsense measures:

Make sure you have the most recent patches for your browser.
Read ‘freebie’ offers and advertisements very carefully.
Use anti-hijacking tools such as IE-Spyad; StartPage Guard; and Script Sentry.

Step-by-step: Reclaiming a hijacked Internet Explorer

Note: These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups (read Backing Up and Restoring the Windows Registry to learn how) and don’t attempt them at all if you’re not familiar with registry editing.

If you’ve been hijacked, you can reclaim your browser with a bit of work.

If your Control Panel’s Internet Options have been disabled, get them back by locating the file control.ini (use Start -> Find/Search to locate it). Open control.ini in Notepad and look for the lines:

[don’t load]
inetcpl.cpl=yes

Delete the second of these two lines, close and save the file and reboot your computer. (Click the image below to see a full-sized image.)

Close any open Internet Explorer windows.

a. Click Start -> Run, type regedit and click OK to open the Registry Editor.

b. Navigate to:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer

If you find sub-folders called restricted or control panel, delete them. Check for the same sub-folders in:

HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Internet Explorer

and delete them, too, if they exist. Then close Regedit.

If your search pages have been redirected, re-establish the defaults:

a. Open the Registry Editor and navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Change the Search Page value to:

http://home.microsoft.com/access/allinone.asp

and, if it exists, change the Search Bar value to:

http://search.msn.com/spbasic.htm

b. Navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL

and change the default value to:

http://home.microsoft.com/access/autosearch.asp?p=%s

c. Navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

Change the SearchAssistant value to:

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

and change the CustomizeSearch value to:

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

Reset your home page to your chosen page:
In Internet Explorer, choose Internet Options from the Tools Menu and, on the General tab, type in your preferred home page.
Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference.
Locate the file HOSTS (it has no file extension) and open it in Notepad. Once again, look for any reference to the hijacking site. If you find any references, delete the lines containing those references.

Use BHODemon to control which Browser Helper Objects (BHOs) are loaded when you open your browser. When you run the program, it will let you know which BHOs are being loaded. Usually, you should see nothing more than Acrobat Reader (Acroiehelper.ocx) and perhaps an anti-virus helper, such as Norton’s NavShExt.dll. If BHODemon reports any other BHOs, click the Details button and then More Details to check the source. If you’re suspicious of any BHO, disable it.

a. Click Start -> Run -> msconfig and check the programs under the Startup tab. If you find an entry which contains regedit.exe /s disable it, and disable other programs you know to be suspicious.

b. Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact.

Note: If you’re using Windows NT, 2000 or XP, this information is contained in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

which should contain the value explorer.exe.

c. Click OK to exit from msconfig and reboot your system.