For years, companies such as
Microsoft, Netscape and many others have been adding links and changing browser settings.
One example: When you install AOL or any of its affiliated programs, such as ICQ or
AOL Instant Messenger, it adds http://free.aol.com to Internet
Explorer's Trusted Sites zone without asking.
Any site in the Trusted Sites list is treated as a safe site and by
default all of IE's security options are set at their least restrictive for these
sites. This means if you visit the AOL site, AOL can run any script, download items to
your desktop and perform a variety of functions without requesting your permission.
AOL/Netscape -- automatically adds itself to
Internet Explorer's Trusted Sites zone. To eliminate it: Select Internet Options from the
Tools Menu, click the Security tab, click Trusted Sites and then the Sites button, locate
http://free.aol.com in the list of sites, select it, then click Remove.
It's easy enough to undo such changes. Indeed, most
browser hijackings require little more than a resetting of options.
Advanced Hijacking Techniques
Some browser hijackings, though, are more destructive. For
example, home page hijacking. In its simplest form, home page hijacking is very easy to
Select Internet Options from the Tools Menu, on the General tab type your desired home
page's address into the Home Page box, and click OK.
That's easy enough. But some home page hijackings go
further. Three techniques used include:
- Removing Internet Options from your browser's Tools
Menu, and from the Control Panel, so you are unable to reset your home page or make any
changes whatsoever to your browser settings.
- Editing your registry settings so the next time you launch
your browser the home page is reset to the hijacker's page. In this case, you have to
go into your registry and make changes in order to weed out the home page squatter.
- Installing a program which runs each time you boot your
computer and then resets your home page to the hijacker's page. With this last
technique, even if you modify the registry your home page will continue to be hijacked
each time you reboot.
There are numerous ways.
- By installing software which changes your browser settings.
This may happen with commercial software, but is much more common with freeware or adware.
- By visiting a site which exploits a browser bug to change
settings without your permission.
- By visiting a site which persuades you to allow your settings
to be changed, usually by offering freebies. When you accept the offer, your browser
settings are changed or software is installed. While such sites may tell you of their
intentions, usually it's in the fine print or couched in deceptive terms.
Fortunately, most hijacking attempts can be prevented by
using a few common sense measures:
- Make sure you have the most recent patches for your browser.
- Read free offers and advertisements very
- Use anti-hijacking tools such as IE-Spyad,
StartPage Guard and Script Sentry.
Step-by-step: Fixing a hijacked
instructions involve editing the registry and other advanced techniques. Do not attempt
these procedures without making proper backups, and don't attempt them at all if
you're not familiar with registry editing.
- If your Control Panel's Internet Options have been
disabled, get them back by locating the file control.ini.
Go to Start -> Find/Search to locate it.
Normally located in c:\windows.
Open control.ini in Notepad and look for the lines:
Delete the inetcpl.cpl=yes
line, close and save the file and reboot your computer.
Close any open Internet Explorer windows.
- Next, click Start -> Run,
a. type regedit and click OK to
open the Registry Editor.
b. Navigate to:
If you find sub-folders called restricted or control panel,
Check for the same sub-folders in:
and delete them, too, if they exist. Then close Regedit.
- If your search pages have been redirected, re-establish
a. Again open the Registry Editor and navigate to:
- In the Root key HKEY_CURRENT_USER, the key
Software\Microsoft\Internet Explorer\Main has a value "Search Page" that has
likely been reset to something like
- The value "Search Bar" in this key has also likely
been reset to something.
- In the Root key HKEY_LOCAL_MACHINE, the key
Software\Microsoft\Internet Explorer\Search has a value "SearchAssistant" that
has likely been reset to something
- The value "CustomizeSearch" in this key has also
likely been reset to something.
4. Go to IE's top menu
bar, select the Tools menu.
Scroll to "Internet Options".
It will display a popup dialog box.
Click on the Programs tab, to see a display like that on
Find the button near the
bottom labeled "Reset Web Settings".
Click, and these four registry settings will be corrected.
Reset your home page to your chosen page:
- In Internet Explorer, choose Internet Options from the Tools menu
and, on the General tab, type in your preferred home page.
- Do a search for any files with the extension HTA. If you find
any such files, open each in turn in Notepad and see whether they contain a reference to
the site which has hijacked your browser. Delete any HTA files which contain such a
- BHOs: A Browser Helper Object is just a small program
that runs automatically every time you start your Internet browser. Usually, a BHO is
installed on your system by another software program. For example, Go!Zilla, the
downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO
tracks which advertisements you see as you surf the Web. BHOs can also routinely conflict with other running programs, cause a variety
of page faults, run-time errors, and the like, and generally impede browsing performance.
Bho Captor or BHOCop to control which Browser
Helper Objects (BHOs) are loaded when you open your browser. When you run the program, it
will let you know which BHOs are being loaded. Usually, you should see nothing more than
Acrobat Reader (Acroiehelper.ocx) and perhaps an anti-virus helper, such as Norton's
NavShExt.dll. If BHODemon reports any other BHOs, click the Details button and then More
Details to check the source.
If you're suspicious of any BHO, disable it (usually by unchecking it from the list
provided by the programs).
- Click Start > Run > msconfig and check the programs
under the Startup tab. If you find an entry which contains
disable it, and disable other programs you know to be suspicious.
Still in msconfig, click the System.Ini tab and click
the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe.
The line should read exactly that; delete any following commands, but make sure you leave
Note: If you're using Windows NT, 2000 or XP, this
information is contained in the registry key:
Which should contain the value explorer.exe.
Click OK to exit from msconfig and reboot your system.
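The two INI-file checks in the steps above (the inetcpl.cpl=yes line in control.ini and the shell= line under [boot] in system.ini) can be run read-only before anything is edited. The following is an added example, not part of the original article; the function names and the sample file contents are constructed for illustration.

```python
# Added example: read-only audit of the two INI checks described in the steps.
# Function names and SAMPLE_* contents are constructed for illustration.
import re

def find_inetcpl_block(control_ini_text):
    """Return [(line_no, section)] for each 'inetcpl.cpl=yes' line in control.ini."""
    hits, section = [], None
    for no, raw in enumerate(control_ini_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif re.fullmatch(r"inetcpl\.cpl\s*=\s*yes", line, re.IGNORECASE):
            hits.append((no, section))  # commented-out (';') lines never match
    return hits

def check_boot_shell(system_ini_text):
    """Return (ok, values) for shell= lines under [boot].

    ok is True only if at least one shell= line exists and every one of them
    is exactly explorer.exe, with nothing following it.
    """
    section, values = None, []
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            continue  # skip comment lines
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot":
            key, sep, val = line.partition("=")
            if sep and key.strip().lower() == "shell":
                values.append(val.strip())
    # File names are case-insensitive on Windows, so compare in lower case.
    ok = bool(values) and all(v.lower() == "explorer.exe" for v in values)
    return ok, values

# Constructed sample inputs (not taken from a real machine).
SAMPLE_CONTROL_INI = "[example section]\ninetcpl.cpl=yes\ndesk.cpl=no\n"
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=explorer.exe example-startup.exe\n"
    "[386Enh]\n"
    "shell=ignored-outside-boot\n"
)

if __name__ == "__main__":
    for no, section in find_inetcpl_block(SAMPLE_CONTROL_INI):
        print(f"control.ini line {no} in [{section}]: inetcpl.cpl=yes present")
    ok, values = check_boot_shell(SAMPLE_SYSTEM_INI)
    print("shell= line is clean" if ok else f"unexpected shell= value(s): {values}")
```

To check a real machine, pass in the text of the copies of control.ini and system.ini you backed up; the script only reports and never modifies either file.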