Browser Hijackers

By Paladion

May 15, 2006

A browsers home page is a valuable commodity, and the online cheats know it. If they can somehow set the home page, with or without a user’s intervention to their ad packed site, then they are guaranteed of at least one visit every time a user opens the browser. The term used for such an attack is Browser hijacking. Browser hijacking is one of the web's constant dangers. Whether it arrives in the form of a flood of obscene pop-up windows or malicious code taking over the browser completely, chances are good that every Internet user will be subjected to this practice in some form.

So what exactly are browser hijackers?

Browser hijackers are external malicious codes that change the Internet Explorer settings. Often the home page will be changed and new favorites will be added that point to sites of dubious content. In most cases, the hijacker will make changes in system registry causing the home page to revert back to the unwanted destination even if it was changed manually. Additionally, a browser Hijacker may also restrict access to certain web pages such the sites of anti-spyware software manufacturers and could also disable the installed Antivirus and anti-spyware programs. Some browser hijackers will install themselves as legitimate programs, thereby leaving an entry in the ‘add-remove-programs’ list. Apart from making changes to the home page and other Internet Explorer settings, a hijacker may also make entries to the HOSTS file on the system. Thus every time a user types '', he will be redirected to the modified IP address of a sponsored site.

A newer, more clandestine browser hijacker has become popular lately. That is the type of hijacker that alters the searches a user performs even when he uses his preferred search engine. These hijackers are called Search Engine Manipulators (SEMs. SEMs re-arrange search results to make advertisements appear to be search results to a user. A user might have to scroll down then entire page or even two pages to get to the actual search results. What these hijackers attempt to do is fool a user into clicking an advertisement believing it to be part of the actual results from a search. When a user clicks, the company making the hijacker gets paid a few cents. Thus, the company that makes these types of hijackers tries to get their software installed on as many computers as possible because millions of installations mean millions of dollars.

Prevention is the key

  • Update windows with latest patches

    First and foremost preventive measure to thwart any security related issue would be to keep the system updated with the latest service packs and patches for windows. One can get the updates by going to Alternatively one can initiate an update by selecting Tools → Windows Update in Internet Explorer.

  • Ensure Antivirus and Antispyware programs are used regularly

    Many of the known Browser Hijackers are also detected and blocked by anti-virus programs. Anti-virus programs should be run in ‘auto-protect’ mode, so that it continuously scans information entering and leaving the system.

    Browser hijackers fall into the category of spywares and adwares and thus many of the popular anti-spyware programs are capable of detecting and often eliminating them. Thus, install an anti-spyware program and keep it and scan with it often to keep browser hijackers away. Microsoft AntSpyware, Spybot Search and destroy and Ad-aware are some popular anti-spyware programs available which can be considered.

  • Secure Internet Explorer settings

    Internet Explorer contains security features which can be used to keep away a whole lot of annoying malwares like browser hijackers.

    Open Internet Explorer → Tools → Internet Options → Security

    If highest degree of protection is desired, set the Internet zone to the 'high' security setting. This will ensure that IE does not run ActiveX instructions, the means by which most browser hijackers get access to the computer. However, this may also cause problems and missing content in some legitimate web pages. To get around this, one can place trusted websites that are regularly visited into the 'trusted sites' Internet zone.

  • Practice safe browsing

    A common misconception is that most browser hijackers take advantage of Internet Explorer's ability to run ActiveX scripts straight from a web page. However, this is not true. Most hijackers take advantage of the desire for people to believe that some companies will give them something that is truly free. If these companies can convince the visitor that they're product is safe, then they can get them to download and install the hijacker voluntarily. A majority of browser hijacking programs actually requests a user’s permission before installing themselves. A safe practice would be to say ‘NO’ to anything that requests a user’s permission unless a user is absolutely sure of what it is, and what it does.

Recovering from a browser hijack

What if the browser has already been hijacked and a user is being sent to sponsored sites every time the browser is opened. Following section shows some of the steps to be taken to get rid of hijackers.

  • Reset the Home page and recheck the favorites list

    Try changing the homepage back to its normal setting. This, most likely will likely not work, but it's worth a try to help gauge the severity of the problem. In Internet Explorer, go to Tools → Internet options, and change the home page address back to normal site.

    Also check for new entries in IE’s ‘favorites’ list, remove all offending entries by going to favorites>>organize favorites and deleting them. Restart the computer to see if this fixes the issue.

  • Use an Anti-Spyware program

    Update the Anti-Spyware program through it’s built in update feature, and perform a full system scan. Delete all items that are detected by the program. Restart the computer and run the Anti-spyware again to ensure that the result this time is clean. Additionally a full system scan with an anti-virus program can also be performed.

  • Use anti hijack tools

    Trend Micro CWShredder and Hijackthis are two free utilities which can be used to fix most of the browser hijackers. Hijackthis assembles a list of unusual or changed registry and startup entries on the system and allows a user to delete them. Trend Micro CWShredder is specifically intended to remove the prolific "Coolwebsearch" browser hijacker/Trojan programs.

    To use Hijackthis, download the latest version of Hijackthis from here. Start the program and click on 'scan' to check the computer for suspicious registry and startup entries.

    The program will produce a list of items it considers suspicious. One can get more information about a selected entry by clicking on ‘info’. The checkbox at the beginning of each line marks that item for fixing or deletion. Look the list over carefully. If there are any words or lines relevant to symptoms of the browser problems, delete the offending lines. More details on entries to be deleted can be found here.

    Note that the majority of the things that Hijackthis finds will be harmless, helpful or even necessary. Merrily deleting everything that Hijackthis finds without careful thought and research beforehand will likely leave a user in even worse shape. For this reason, the makers of the program recommend users to post results to the forums (like the ones found here ) to find assistance. To do this, click the 'save log' button, then copy and paste the contents of the log file in the relevant forum.

    To use CWShredder, download the latest version from here. Start the program, click on 'fix.' It will check the system against a list of current CWS variants, and fix any infections it finds.

    Run both programs as described above, restart the computer, rerun both programs and then check to see if your problem has been fixed.

  • Manual System inspection

    Add/remove program list: Check for every entry in ‘Add/Remove’ programs list and look for any suspicious entries. Remove any entry that is named oddly or contains links to the problems being experienced.

    Verify HOSTS file: The HOSTS file is the first place checked by the system to resolve DNS addresses into IP addresses. Any domain name to IP mapping here will override DNS resolution through Internet Service Provider's DNS server. HOSTS file does not have an extension and is located at ‘C:WINDOWSSYSTEM32DRIVERSETCHOSTS’. This file can be opened in a notepad. The only entry in a normal HOSTS file should be ‘ localhost'. Delete any other foreign entries here.

    Search through registry: To check Windows registry, Open the registry editor by going to Start → Run and typing 'regedit'. From here, open the 'edit' menu and click 'find'. Now type in the URL of the web page that is being redirected to by the browser hijacker. If any entry is found, delete it and press F3 to continue searching through the registry. Delete all matching registry entries. Successive registry searches with suspicious keywords can be performed to delete all instances of the hijacker.

Users should be aware that browser hijackers are constantly evolving, similar to computer viruses. Hence it is advised to keep all the scanning programs updated to the latest, practice safe browsing and stay away from the dark corners of the internet.

Tags: Technical