Spyware :: Threats :: Browser Hijackers :: Further Information
Start-up tasks are loaded automatically when Windows starts. Many programs these days tend to add there own task to load once it's been installed. The programs loaded are normally executable files. A complete list can be found in the registry.
Where x can be run, runonce, runservices and runservicesonce. Depending on the version of Windows installed.
More advanced Browser Hijackers automatically add an item on the start-up list which could, for instance, load a program to "check" the operating system and browser settings haven't been corrected back to how they were. If they have be corrected the program could remake all the changes back to how they were, making it impossible for the user to have control of their browser without having to edit the start-up list themselves and manually remove this task.
Policies allow the administer of the system to restrict particular functions of the operating system. This can be particularly useful if the system is shared between people or is available to the public. You might want to restrict access to certain operations like the control panel or access to the registry editor.
Some hijackers even go as far as to use policies to restrict access to your control panel, registry editor or parts of your Internet Options screen. They do this by changing policy settings within your registry. Needless to say this is totally unacceptable. Internet Controller and also Hijackthis are programs which can resolve these problems.
All the major browsers like Internet Explorer, Netscape and Opera have settings which can be altered to configure the browser to suit your needs, by changing various functions within your browser. Typically this will contain basic settings like your homepage, font size and colours to more advanced settings like cookie management or whether to allow scripting or activeX for example.
Stage 1 : How Browser Hijackings get though your system
A. Browser vulnerabilities
Internet explorer is well known for its security weaknesses, someone could exploit these loopholes to try to bypass the conformation screen to alter your homepage or bookmarks folders. Even worse run an executable file or .hta file possibly by an ActiveX drive-by install (installs without informing the user). to change policies and append a start-up program to make removal difficult even for an experienced user. There has been a bug in Internet Explorer and Outlook that allows a .hta file to be written to your system then run later when the system restarts just by viewing a web page.
Example: The website whazit.com uses this method. They paid affiliate web sites to automatically install their hijack on peoples machines. It is reported that they paid companies 0.14USD of each complete install of their hijack.
This method involves tricking an unsuspecting user into actually downloading and running the Hijack themselves. This is particularly dangerous because this will mean the user could install a standalone .exe file. This can be achieved by false statements about what they're downloading and making the user believe it's something else like a browser enhancement of an operation system update. It's also known that some sites give messages saying it's essential to install this plug-in to view their site correctly. Many sites try to trick users claiming that their 'verisign certificate proves that our software is safe'. Unknowing users might believe this and not realise certificates are used for authentication purposes not for proving how good their software is.
C. Low or no security measures in place
If the browser settings are at the minimal it's possible that ActiveX scripts could install by themselves without needing the user to agree with what's being installed. Perhaps previous attacks or installations could have changed their browser settings without their knowledge. For example, the aol installation cd automatically adds aol.com to the browser trusted sites, then automatically downloads updates.
Stage 2 : What damage do Hijackers cause once on your system
With all the other threats with internet security like viruses, Trojans and spyware. Browser Hijackers considered quite low down the list compared to these types of attacks. The most common practise of a browser hijacker is too alter your homepage, bookmarks and search page and may make it very difficult for you to revert them back. Whereas it can be quite disturbing to find out your homepage has been changed and whenever you type an incorrect url it might automatically redirect the browser to a pornographic site, browser hijackers won't harm your data or spread themselves through emailing your entire address book. The most worrying thing about Browser hijackers is they do, for an amount of time, have control over your browser configuration. They can therefore compromise your security by allowing unsigned scripts without prompting the user for example. Therefore, I think it's more worrying the damage which can be caused by other attacks taking advantage of a weakness caused by a browser hijack.
Stage 3 : How to sort a browser hijacking attack
Typically the removal of a hijacker will involve editing of the windows registry, browser settings, and removal of files/directories on your system to revert your system back to how it was.
Although is not impossible to prevent a hijacking of your browser you can protect yourself a great deal if you follow these steps.
- 1. Look though your browser settings and make sure there's no obvious problems. If your not sure and might be best to "reset web settings" under the programs section. Then you want to be sure ActiveX objects cannot be executed. This is done by going to the security tab (then custom level), and selecting disable for the ActiveX options (signed, unsigned and not marked as safe). At the very least you may want to leave "signed ActiveX" set to prompt.
- 2. Keep your browser up-to-date by downloading the newest patches from Microsoft. These normally fix known security weaknesses and bugs in the code, so as you can imagine they are frequently available.
- 3. Be very careful about downloading programs from sites your unsure or suspicious about. Run searches on that site and program if your not sure.
- 4. Install a program which can help protect your system before a hijacking can take place.
Manual Removal [at your own risk]
Run the registry editor pressing start->run and typing 'regedit'
Description of Keys
These keys below can often get modified by hijackers, they can be create very annoying effects if they get altered. TopSearcher is a good example of this. Microsoft has some information on how to fix an example of Broswer Hijacking.
Internet Explorer\Main\Start Page
|Your Homepage [initial url loaded when you first open your browser]|
|Your Default Homepage.|
Internet Explorer\Main\Search Page
|Your Search Page - If you type in an invalid URL, it will search using the address within this key.|
|Your Default Search Page|
You can manually remove these restrictions by viewing the following registry keys;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ [divided into subfolders]
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer [divided into subfolders]
Browser Hijackers : Further Info on Adoko
URL Prefix Attacks
Internet Reset Hijack (iereset.inf hijack)
Adoko Forum - If you've been hijacked, and need any advice on how to remove it - try the adoko forum.
Browser Hijackers : Links
Internet Controller - A program from Adoko.com, you might find this useful for sorting out hijacking problems.
Hijackthis - A great program for sorting out hijacking problems.