Detox-Comic

Browser Hijackers

What is a browser hijacker?

Have you been surfing recently and suddenly noticed that when you start your browser your homepage has changed? Or when you type in a URL or click on a link within a web page you don't seem to go to the location you wanted? Or worse, you get redirected to porn sites or sites trying to sell you something? If yes, you may be infected with what is commonly known as a browser hijacker.

Browser hijackers are often labelled as Spyware. Although some hijackers are part-Spyware in that they can gather data about your surfing habits, the term was originally associated with the practice of hijacking URLs. This could be your homepage URL - the default page that your browser starts at or returns to when you click on the home icon on your browser's menu bar - or a search page, or even any bookmarked URLs in your favourites folder.

More sophisticated hijackers use Browser Helper Objects (BHOs) to control active links. These installed software objects run in the background and re-direct you to specific URLs regardless of what you typed manually in the browser location bar, selected from your favourites menu or clicked on in a web page.

BHOs can be used to capture the complete list of URLs you have visited and any data you submitted to forms, such as passwords and credit card numbers, and then send it to a remote location across the internet. They can also change settings in your startup programs list, Windows policies or internet settings, such as adding themselves to your trusted zones, and can even alter your HOSTS file. Some are sophisticated enough to restore their settings if you manually undo them, or to disable your browser options menu.
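The HOSTS file tampering mentioned above can be checked for with a short script. This is an added example, not part of the original article: it parses HOSTS-format text and separates entries that redirect a name to a real address from entries that merely block a name. The sample file, host names and the `watch` list are constructed placeholders.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file. All names are placeholders and
# 203.0.113.0/24 is a documentation-only address range.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1     localhost
203.0.113.10  www.search.example home.portal.example  # redirected
127.0.0.1     update.vendor.example
0.0.0.0       ads.tracker.example
::1           localhost
not-an-ip     broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each valid mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so not a usable mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def audit_hosts(text, watch=()):
    """Return (line_no, kind, hostname, ip) findings.

    'redirect': a name is pointed at a real (non-local) address.
    'sinkhole': a name on the watch list is pointed at loopback or 0.0.0.0,
                so the site silently stops working.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        local = ip.is_loopback or ip.is_unspecified
        watched = any(name == w or name.endswith("." + w) for w in watch)
        if not local:
            findings.append((line_no, "redirect", name, str(ip)))
        elif watched:
            findings.append((line_no, "sinkhole", name, str(ip)))
    return findings
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; pass the sites you rely on as `watch` so that a silent block of one of them is reported as well.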

How can you get infected?

Like Spyware that is hidden in some free software, hijackers can be part of free downloads such as embedded search engine toolbars. These toolbars appear useful in that they allow you to run searches without having to go to a particular search engine's web site first. The problem is that they tend not to give you unbiased search results. Instead you will receive listings of web sites that have paid the hijacker company some money, or you are presented with a lot of adverts, most probably in the form of pop-ups.

The main methods of becoming infected with a browser hijacker are:

  • Clicking OK or I AGREE at a web site's ENTER page. Read the small print if there is any! Chances are you have just activated an install or OK'd the changing of your homepage or search page URLs.
  • Clicking OK on any pop-up that appears over a web page that looks like a Windows message. Always click the X in the top right hand corner and never any of the option buttons. Even CANCEL or NO can install the hijacker.
  • Clicking OK on any pop-ups that offer to install a tool on your PC to improve your browser settings or your connection speed.
  • Allowing any page to run ActiveX components without asking you first. If in doubt, set this to prompt in your options menu, or use a browser that does not support ActiveX or can disable it.
  • Visiting adult sites. These can contain hijackers that will transfer you to other adult sites that have paid the hijacker's author to re-direct to them. These sites can also contain other malware such as porn diallers.

What precautions can you take to prevent infection?

The following is recommended to reduce your exposure to browser hijackers:

  • Use Windows update often and install all critical updates
  • Use a browser other than Internet Explorer such as Mozilla or Opera
  • Use a personal firewall on your PC
  • Run anti-virus software
  • Run Spybot with Immunise enabled (see below)
  • In Internet Explorer, select Tools > Internet Options > Security > Internet > Custom Level and set the following:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialise and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Prompt)
    • Script ActiveX controls marked safe for scripting (Prompt)
    • Access data sources across domains (Disable)
    • Drag and drop or copy and paste files (Prompt)
    • Installation of desktop items (Prompt)
    • Launching programs and files in an IFRAME (Prompt)
    • Navigate sub-frames across different domains (Prompt)
    • Software channel permissions (High safety)
    • Userdata persistence (Disable)
    • Allow paste operations via script (Prompt)
    • Scripting of Java applets (Prompt)
  • Do not click on web links inside emails. In fact, it's always a good idea to turn off HTML viewing in your email software or to view all HTML emails when off-line.
  • Replace the Microsoft virtual machine on your PC with one from Sun Microsystems
  • Use HijackThis

How can you get rid of them?

The following tips are useful if you think you are infected with a browser hijacker and want to get rid of it:

  • Make sure your browser is up-to-date and patched with the latest bug fixes.
  • Search your system for .hta and .js files and remove any that you believe may be malicious. You can drop them into Notepad and take a look at them to see if they contain any URLs that you do not recognise.
  • Search your system for .tmp files and delete them.
  • Run anti-spyware and adware tools such as Spybot and Ad-aware.
  • Turn off the running of script commands in Windows Media Player by selecting Tools > Options > Security, and clear 'Run script commands when present'.
  • When a web site has a disclaimer where you need to click OK or I AGREE to proceed, quickly scan the text for words like 'personal data' or 'email address'. Avoid agreeing to anything that gives someone else the rights to use your personal data or email address for marketing purposes or to sell to a third party. Chances are the methods of collecting this data may employ spyware.
  • Make sure when typing a web site into your browser location bar that you check the spelling before proceeding. Popular misspellings of websites have been registered and set up to show you adverts and install hijackers and ActiveX components (that may install spyware or diallers).
  • If using Internet Explorer, select Tools > Internet Options > Security, and set your Internet Zone security to High. Sites requiring Java, JavaScript or ActiveX may no longer work. Add those that you trust to your trusted sites one at a time.
  • If you visit a site that generates a lot of pop-ups that generate more when you close them (pop-up loops), run Task Manager (CTRL+ALT+DELETE) and kill your browser.
  • Clear your cache after each surf session.
  • Click START > Run and type msconfig. Then select the Startup tab, look for a command with either the word 'regedit' or '.reg' in it, and uncheck it. You can delete the file that regedit runs if you wish, just to be safe, but DO NOT DELETE REGEDIT! It is always useful to create a restore point and to back up the registry before changing the registry settings.
  • Install the IE-SPYADS registry script to add a list of abusive web sites to Internet Explorer's "Restricted Zone".
  • Alternatively, you could stop using Internet Explorer, which seems to be the target of every malicious web program these days, and switch to an alternative such as Opera or Firefox.
  • Use HijackThis, a great tool for detecting and removing hijackers.
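The tip above about opening .hta and .js files to look for unfamiliar URLs can be automated across a whole folder tree. This is an added example, not part of the original article: it lists, per script file, the hosts it references that are not on your own list of recognised sites. The sample script, host names and the `known` list are constructed placeholders.

```python
import os
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>)\\]+""", re.IGNORECASE)
SCRIPT_EXTS = (".hta", ".js")

# Constructed sample script content; both hosts are placeholders.
SAMPLE_SCRIPT = '''var home = "http://portal.hijack.example/?id=7";
var help = 'HTTP://www.vendor.example/help';
document.write("<a href=" + home + ">search</a>");'''


def extract_hosts(text):
    """Return the lower-cased host of every http(s) URL found in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed URL such as an unclosed IPv6 bracket
        if host:
            hosts.add(host)
    return hosts


def is_known(host, known):
    """True if host is a recognised domain or a subdomain of one."""
    return any(host == k or host.endswith("." + k) for k in known)


def triage(root, known):
    """Map each .hta/.js file under root to the unrecognised hosts it references."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable or locked file
            unknown = sorted(h for h in extract_hosts(text) if not is_known(h, known))
            if unknown:
                report[path] = unknown
    return report
```

A file appearing in the report is only a candidate for review; a legitimate script can reference a site that is simply missing from `known`.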

Useful programs:

Spybot - Search & Destroy by Patrick M. Kolla

Spybot is a great tool in your arsenal against malicious software. My favourite feature is that it is proactive rather than reactive. Like all anti-malware tools you have to keep it up to date with definition updates. However, Spybot allows you to immunise against all known threats rather than just scan for them, and it allows you to lock the HOSTS file so that hijackers cannot change it.

HijackThis

This is a useful tool to employ in your search for browser hijackers on your system if you believe one is still present and Spybot has not found or removed it. It works by listing all possible entries that COULD be a browser hijacker but may not be. It is up to you to decide whether each entry looks OK or not before selecting and removing it. When in doubt, search the web for references to anything HijackThis finds or consult good spyware/malware forums.

Ad-Aware by Lavasoft

Ad-Aware is another great tool for scanning your system for malware.

  • Select Scan now and use custom scanning options
  • Click on Customise and enable everything you can except the skip options
  • Select drives/folders to scan and select all drives
  • Activate in-depth scan
  • With customise still selected click on next and perform scan

It pays to read all help files and information that accompanies each tool so that you can tweak its operation to best suit your requirements.

Summary

Browser hijackers are just one of many categories of malicious software (malware) that are out there on the internet today. Today's internet user must do more to protect their privacy and internet access than just installing anti-virus software. Browser hijackers are not usually detected by today's anti-virus software. You really need to employ anti-malware tools (generally referred to as 'anti-spyware tools') alongside your anti-virus software to ensure you have a decent amount of protection.

By following the recommendations in this article your PC's exposure to browser hijackers should be reduced, but it will not be completely safe. As the authors of malware get more creative and find more security holes in Windows and Internet Explorer, it's a safe bet that we can expect more malware in the future.

My personal recommendation for the absolute minimum protection today's web surfer should install is a good firewall, anti-virus software and anti-malware software. You must check for updates for your software at least once a week and regularly scan for malware and viruses.

If you have any feedback regarding this article, or you have a suggestion for a new article, or just want to say thanks for the info then feel free to drop me an email at dave@detoxcomic.com.

Article updated: 21-May-2006