What To Do When . . .Your Browser Has Been Hijacked

sparksspace | Sunday, February 24, 2008 | 3 comments


Browsers may be hijacked in a number of ways. The most basic attack is triggered when you view a Web page and code within that page (or code that is automatically downloaded when the page is viewed) uses a security loophole to change your default home page, default search page, and browser settings. It doesn’t do anything other than that, meaning you can fix the problem by changing those entries back to their original settings.

Many hijackers rely on users installing software, either inadvertently or on purpose, that gives them broader access to the system. Some of these hijackers prevent you from changing your home page or search engine back to what you want by completely disabling those settings in Internet Explorer. Others do even worse things, for instance, causing pop-up advertisements to appear even when you aren’t browsing the Web.

Prevention: One of the easiest ways to practically eliminate the potential for being hijacked is to switch from Internet Explorer to an alternative Web browser such as Firefox 2 (free) or Opera 9 (free). Hijackers focus their efforts on IE because so many people use it, and programs designed to exploit flaws in IE won’t work when applied to other browsers. Firefox and Opera continue to gain in popularity, and this may increase to a point where those browsers become targets, as well. But for now, if you currently use IE, switching over to a different browser comes with immense security benefits. If you use IE, make sure to keep it as up-to-date as possible because Microsoft constantly identifies and fixes security holes.

To do so, open IE, expand the Tools menu, and click Windows Update. Click either Express or Custom (or update the Windows Update software, if necessary) and install all of the patches that are available for Internet Explorer. No matter what Web browser you use, it is extremely important to install multiple antispyware applications on your computer and regularly update them. These programs scan for current problems, and many of them also lock down the computer so hijackers can’t easily use the most common routes of entry. You can use as many antispyware applications on the same computer that you want to (unlike antivirus software, where you must stick to a single program). Recommended softwares are Windows Defender (free), Spybot Search & Destroy (freeAd-Aware (free), and SpywareBlaster (free). Update these programs at least once per month if they don’t come with the ability to do so automatically. Also, download and run BugOff (free), which fixes a lot of exploits commonly used by hijackers.

Be very careful when using BugOff, or you may accidentally disable a legitimate program.


Use Windows Update to keep Windows XP and your Web browser as up-to-date as possible.

BugOff is trickier to use than the other programs mentioned because you must enable or disable entries manually and doing so can have impact on programs you actually want to use. When running BugOff, the goal is to click Disable for as many entries as possible but check the Side Effects text closely to make sure doing so won’t interfere with your applications. For example, disabling the Microsoft.XMLHTTP Object closes a hole that a hijacker can use, but it also prevents Windows Update and Gmail from working properly, so leaving it enabled is probably worth the risk. Clicking the Disable button instantly makes the change, so simply close the program when you are finished.

Finally, always be on your guard when browsing or clicking links in emails or other documents that open Web pages in your browser. The worst hijackers gain access to the computer because people unknowingly install them on their computers by clicking a button or link in a pop-up window that appears while browsing or by installing downloaded software that lets the hijacker get a piggyback ride onto the hard drive.

Don’t blindly click links included in emails and never click anywhere in a pop-up advertisement (you can press CTRL-W to close an IE window without having to click to close it). Also, be on the lookout for pop-ups that look like alerts from Windows but are actually disguises designed to get you to click a button, inadvertently giving your permission to download whatever the hijacker wants to install. A Pound Of Cure Heading off the hijackers doesn’t take a lot of work, but you have real problems if the browser has already been infiltrated. Before getting into specific fixes, it is important to note that the steps provided in this article apply to the latest version of Internet Explorer 7.

If you use an earlier version of IE, you should upgrade to the latest version or use an alternative browser for security reasons. If you’re lucky and the hijacker simply changed your IE settings without installing any other software on your computer, you can easily revert to the settings you want to use. To establish the default home page, open IE, navigate to the page you want to use for a home page, expand the Tools menu, click Internet Options, and select the General tab. Click Use Current, and the page you navigated to becomes the default home page, or you can enter it manually (such as entering www.google .com if you want to use Google as your home page). Click Apply when you’re finished. Click the Settings button in the Search section to re-establish your default search settings. Click to highlight the incorrect search entry, click Remove, and then highlight the entry you want to use and click Set Default. Click OK.

If the search service you want to use doesn’t appear on the list, click Find More Providers, click the entry for the service you want to add, follow any prompts that are provided (if any), and the service should now be available when you establish default settings. There is also a Create Your Own option on this page that lets you add any search service that isn’t represented on Microsoft’s master list. If you think your browser has been hijacked, checking to see if the culprit is the oft-used CoolWebSearch hijacker or one of its myriad offshoots should be your first priority. These hijackers are designed to drive Web traffic to www.coolwebsearch.com (don’t type that address into your Web browser!) or other advertising sites. They accomplish this using many means, ranging from making the computer think that popular sites such as Yahoo! Search don’t exist (and instead redirecting you to an ad site) to making IE think that restricted Web sites should be trusted.

Fortunately, there is a free tool called CWShredder that will detect and remove all known versions of this annoying hijacker. To use the tool, download it from here double-click the file’s icon, and click I Agree. Click Check For Update, click Fix, and then click OK to scan the computer for the CoolWebSearch software and eradicate it if it is discovered.

Sometimes hijack attempts aren’t reversed this easily, and you’ll need specialized tools and a lot of help to complete the job. The best tool by far is HijackThis (free), which thoroughly scans the computer to find everything that is taking advantage of a known security loophole in Internet Explorer and Windows.If you’ve just performed a spyware scan using any antispyware tool, reboot the computer before using HijackThis

Install HijackThis, run it.Do A System Scan And Save A Log File. Wait for the scan to complete, and a new file should appear on the Desktop (or in the folder where you ran Hijack- This) that is labeled Hijackthis.log.You may post that to me

Useful links

1.Internetfixes

2.Cyberwalker

3.Pcstats

4.Antivirus.about.com

5.Pchell.com

Softwares

1.Browser Hijack Recover(BHR) 2.3 [ScreenShots]

2.Browser Hijack.

3.CWShredder

4.IE Protector

5.Browser Hijack Retaliator

Browser Security Test links

1.Scanit

2.Jason's Toolbox

3.Symantec

4.Netfile

Category: , ,

Welcome to SparksSpace . This blog launched on Dec 2007 with a focus on Technology.You can find latest Computer Software, Tutorials, Tricks,Tips & Software promotions here!

3 comments:

  1. Hi,

    I think I've exhauseted all solutions. I have vista and ie7 and firefox. i know i am hijacked because neither browser can open a site just a specific one trying to sell me a software to remove viruses! I have mcafee, ad-aware, and hijack this and did a full scan wtih all three. with hihack this - i deleted a couple of files from the list and when i re-scan that .exe comes back! Any help would be great

    ReplyDelete
  2. Send me the HijackThis log txt to spaaark@gmail.com

    ReplyDelete
  3. Try running GMER.exe from Safe Mode.

    Steps:
    1) Download gmer.zip, extract on desktop (www.gmer.net/files.php)
    2) RUN > MSCONFIG > type "MSCONFIG" (without the quotations, i.e. " ")
    3) 4th TAB is BOOT.ini. Select BOOT in SAFEMODE.
    4) Shut down the computer for at least 2 minutes (remove power cable also in order to wipe the RAM memory residue - 10 min is better).
    5) Restart computer (should boot in Safe mode).
    6) Double click on gmer.exe and run. Initially it will run only the rootkit mode. But then run full scan.
    7) Identified rootkits or trojans can then be permanently erased with Right-Click Context menu (I think).
    8) Please post your experience with this method of rootkit/trojan removal.

    ReplyDelete