What To Do When . . .Your Browser Has Been Hijacked

You open up your Web browser, just like any other day, but something’s not right. The page that always loads when the browser starts is different. There are shortcuts in your Favorites folder that you can’t recall putting there, and other abnormal things happen when you browse. Worst of all, even though you manually switch everything back to the original settings, the changes don’t stick. Or maybe the options to revert to the old settings aren’t even there at all. Your browser has been hijacked, and although most hijackers are not interested in destroying files or doing the malicious things associated with other attacks, such as that of viruses, a hijacked browser is still a major problem that must be handled immediately. Hijackers are designed to redirect your Web browser to Web sites of the hijacker’s choosing to direct more traffic to specific sites so that they can generate more advertising revenue.Hijack Basics Browsers may be hijacked in a number of ways. The most basic attack is triggered when you view a Web page and code within that page (or code that is automatically downloaded when the page is viewed) uses a security loophole to change your default home page, default search page, and browser settings. It doesn’t do anything other than that, meaning you can fix the problem by changing those entries back to their original settings (which we’ll discuss later). Many hijackers rely on users installing software, either inadvertently or on purpose, that gives them broader access to the system. Some of these hijackers prevent you from changing your home page or search engine back to what you want by completely disabling those settings in Internet Explorer. Others do even worse things, for instance, causing pop-up advertisements to appear even when you aren’t browsing the Web.

An Ounce Of Prevention
One of the easiest ways to practically eliminate the potential for being hijacked is to switch from Internet Explorer to an alternative Web browser such as Firefox 2 (free; www.mozilla.com/en-US/firefox) or Opera 9 (free; www.opera.com). Hijackers focus their efforts on IE because so many people use it, and programs designed to exploit flaws in IE won’t work when applied to other browsers. Firefox and Opera continue to gain in popularity, and this may increase to a point where those browsers become targets, as well. But for now, if you currently use IE, switching over to a different browser comes with immense security benefits. If you use IE, make sure to keep it as up-to-date as possible because Microsoft constantly identifies and fixes security holes. To do so, open IE, expand the Tools menu, and click Windows Update. Click either Express or Custom (or update the Windows Update software, if necessary) and install all of the patches that are available for Internet Explorer. No matter what Web browser you use, it is extremely important to install multiple antispyware applications on your computer and regularly update them. These programs scan for current problems, and many of them also lock down the computer so hijackers can’t easily use the most common routes of entry. You can use as many antispyware applications on the same computer that you want to (unlike antivirus software, where you must stick to a single program). We recommend Windows Defender (free; www.microsoft.com/athome/security/spyware/software/default.mspx), Spybot Search & Destroy (free; www.safernetworking.org), Ad-Aware (free; www.lavasoftusa.com), and SpywareBlaster (free; www.javacoolsoftware.com/spywareblaster.html). Update these programs at least once per month if they don’t come with the ability to do so automatically. Also, we recommend downloading and running BugOff (free; www.spywareinfo.com), which fixes a lot of exploits commonly used by hijackers.

BugOff is trickier to use than the other programs mentioned because you must enable or disable entries manually and doing so can have impact on programs you actually want to use. When running BugOff, the goal is to click Disable for as many entries as possible but check the Side Effects text closely to make sure doing so won’t interfere with your applications. For example, disabling the Microsoft.XMLHTTP Object closes a hole that a hijacker can use, but it also prevents Windows Update and Gmail from working properly, so leaving it enabled is probably worth the risk. Clicking the Disable button instantly makes the change, so simply close the program when you are finished. Finally, always be on your guard when browsing or clicking links in emails or other documents that open Web pages in your browser.The worst hijackers gain access to the computer because people unknowingly install them on their computers by clicking a button or link in a pop-up window that appears while browsing or by installing downloaded software that lets the hijacker get a piggyback ride onto the hard drive. Don’t blindly click links included in emails and never click anywhere in a pop-up advertisement (you can press CTRL-W to close an IE window without having to click to close it). Also, be on the lookout for pop-ups that look like alerts from Windows but are actually disguises designed to get you to click a button, inadvertently giving your permission to download whatever the hijacker wants to install.

A Pound Of Cure
Heading off the hijackers doesn’t take a lot of work, but you have real problems if the browser has already been infiltrated. Before getting into specific fixes, it is important to note that the steps provided in this article apply to the latest version of Internet Explorer 7. If you use an earlier version of IE, you should upgrade to the latest version or use an alternative browser for security reasons. If you’re lucky and the hijacker simply changed your IE settings without installing any other software on your computer, you can easily revert to the settings you want to use. To establish the default home page, open IE, navigate to the page you want to use for a home page, expand the Tools menu, click Internet Options, and select the General tab. Click Use Current, and the page you navigated to becomes the default home page, or you can enter it manually (such as entering www.google.com if you want to use Google as your home page). Click Apply when you’re finished. Click the Settings button in the Search section to re-establish your default search settings. Click to highlight the incorrect search entry, click Remove, and then highlight the entry you want to use and click Set Default. Click OK. If the search service you want to use doesn’t appear on the list, click Find More Providers, click the entry for the service you want to add, follow any prompts that are provided (if any), and the service should now be available when you establish default settings. There is also a Create Your Own option on this page that lets you add any search service that isn’t represented on Microsoft’s master list. If you think your browser has been hijacked, checking to see if the culprit is the oft-used CoolWebSearch hijacker or one of its myriad offshoots should be your first priority. These hijackers are designed to drive Web traffic to www.coolwebsearch.com (don’t type that address into your Web browser!) or other advertising sites. They accomplish this using many means, ranging from making the computer think that popular sites such as Yahoo! Search don’t exist (and instead redirecting you to an ad site) to making IE think that restricted Web sites should be trusted. Fortunately, there is a free tool called CWShredder that will detect and remove all known versions of this annoying hijacker. To use the tool, download it from www.intermute.com/products/spysubtract.html, double-click the file’s icon, and click I Agree. Click Check For Update, click Fix, and then click OK to scan the computer for the CoolWebSearch software and eradicate it if it is discovered. Sometimes hijack attempts aren’t reversed this easily, and you’ll need specialized tools and a lot of help to complete the job. The best tool by far is HijackThis (free; www.tomcoyote.org/hjt), which thoroughly scans the computer to find everything that is taking advantage of a known security loophole in Internet Explorer and Windows. HijackThis is an extremely powerful tool, which is its biggest drawback. Scans return information on legitimate programs, as well as hijackers, and there’s no way for a novice to know what to fix and what to leave alone. Fortunately, there are loads of experts ready to offer free help, day or night, at the TomCoyote.com Web forums. If you’ve just performed a spyware scan using any antispyware tool, reboot the computer before using HijackThis. To download the software, go to the aforementioned Web site and click the HijackThis download button. The software is stored in a compressed ZIP file, so you’ll need to use a utility such as IZArc (free; www.izarc.org) or the built-in ZIP utility included with Windows Me/XP to extract it. Once the HighjackThis.exe file is moved from the ZIP archive to the Desktop (or any other folder you like), double-click HighjackThis.exe and click Do A System Scan And Save A Log File. Wait for the scan to complete, and a new file should appear on the Desktop (or in the folder where you ran Hijack This) that is labeled Hijackthis.log.

This is the magic data you need to get help at the forums. To use the forums, go to www.tomcoyote.org and click the Forums link near the top of the page. Look for a Register link in the Welcome screen, click it, and sign up for a free user account (you can’t post about your problem unless you register) Be sure to enter a valid email address when signing up because a confirmation email is sent to make sure your registration is legitimate. When the email arrives, open it, click the activation link, and sign in using the information you entered during the registration process. Scroll down to the Computer Help section and click the HijackThis Logs And Spyware/ Malware Removal link. Be sure to read the Welcome New Members post in the Important Topics section before proceeding. To post your specific log, click the New Topic button. Enter a brief description of your problem in the Topic Title box and then provide more detailed information in the white text box. You now need to copy and paste the contents of the log file you just generated, so double-click it (it should open in Notepad), open the Edit menu, click Select All, open the Edit menu again, and click Copy. Switch back to your forum post, click in the white text box where you want the log file to be inserted, open the Edit menu, and click Paste. Click Post New Topic when you are finished. Be extremely patient and courteous when waiting for a response. The forums are run by volunteer experts and are extremely busy, and it may take days for them to get back to you, so check the forums every so often to see if your topic has any new posts. When you do get a response, follow the Instructions the expert provides to the letter, and they’ll let you know if they need any additional Information or logs to get to the bottom of the problem. Once you know what to disable, fixing things using HijackThis is very easy. Run the program, perform another scan, and select the checkboxes next to any entries you want to remove. Click Fix Checked, click Yes to delete the items, and then click Yes again to reboot the computer and see if the problem is fixed. If it isn’t, you can always head back to the forums.

Bottom Line
Avoiding a hijacked browser is not impossible if you take preventative steps and use caution while browsing the Web. The bottom line is that you don’t want to let your browser be hijacked, and if it does happen, you want to fix the problem as soon as possible.