Browser Hijacking
Recently we did a tech tip on spyware, those sneaky programs
that hide on your system and collect information about your computer
usage, which is then reported to someone over the Internet. However
you might feel about this invasion of your privacy, spyware does
have the advantage that it runs in the background and usually
doesn't interfere with your use of the computer, other than
maybe slowing it down. Spyware has a close cousin called a browser
hijacker that is a lot harder to ignore, because it takes you
somewhere on the Internet that you didn't plan to go. That
somewhere is usually either a porn site or some wannabe search
engine.
You might wonder what advantage a website would see from dragging
people in who didn't want to be there and who would be annoyed
by it, at the very least. There seem to be two motivations at
work here. One viewpoint, prevalent with porn-site webmasters,
is that because the cost is minimal it is perfectly OK to attract
1000 annoyed visitors, or 100,000, as long as one of them likes
what they see and takes out the credit card. The other motivation
applies to sites that charge for advertising based on the number
of visitors. In the short term, the fee is the same whether the
visitors are willing or not.
In its simplest form, the hijacking program will just substitute
its choice of URL into your browser's address bar. A more
efficient variant replaces your default home page and search page,
so that you are hijacked immediately whenever the browser opens,
and again when you try to do a search. Some versions are quite
specific about when they substitute a URL. For instance, they
may look for Google, Yahoo and other search engines, and then
redirect you to another search portal. Some will redirect the
browser whenever a non-existent URL is entered, because of a misspelling
or broken link. Instead of seeing the usual prompt that says,
"The page could not be found," you see the hijacker's
web site. And some porn sites will only hijack when you attempt
to access one of their competitors.
Many versions will also add bookmarks to your desktop and/or
your Favorites list, sometimes deleting the original contents
of the Favorites file. A fair number of them have a hidden file
that will recreate the program at bootup, so that even if you
manage to kill the hijacker, it keeps coming back like something
out of a Stephen King story.
In spite of all the variations, these bits of malware (malicious
software) seem to originate from only a couple of sources, and
are then modified (or copied outright with only URL changes) by
one unscrupulous webmaster after another. The first hijacker to
become widespread was associated with the site lop.com (and no,
we don't recommend that you go there to check it out). More
recently, one called CoolWebSearch has spawned over 80 known variations.
Both of these source programs were designed for Internet Explorer,
simply because it is the most common browser, but some of the
variants also affect Netscape and Mozilla.
OK, enough of the bad news. What can we do about it? Sometimes
all that is needed is to re-enter the URL you wanted in the first
place. And if the default home page has been replaced, right-click
on the Internet Explorer icon and select Properties from the pop-up
menu. On the General tab you can restore the default home page.
While you are there, delete the cookies and Temporary Internet
Files, because some of the less sophisticated hijackers use these.
Others will use the Windows\Temp folder, whose contents should
also be deleted. If these simple measures fail or the program
keeps coming back, it's time to bring out the big guns.
If the hijacker variant infecting your computer has been around
for a while, it may be detected by your antivirus software. Anti-spyware
programs such as Spybot and Ad-Aware are also good at spotting
the older ones, but the more recent variants may slip through
the net. A better option is one of the programs designed specifically
for handling hijackers. Two of the most popular are shareware
programs created by a Dutch programmer who goes by the name of
Merijn. The basic one is Hijack This, which looks for a wide variety
of hijackers. It provides an assortment of tools and a log file
that is very useful for ferreting out hijackers that hide in system
folders and such. It is a little complicated in practice, but
you can find several good tutorials on the web to help in interpreting
the log file and determining the correct course of action to clean
out the invader.
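
As an aid to reading such a log, here is an added example (not part of the original tip and not Merijn's code) that triages a log in the Hijack This line style. The sample log, the trusted-host list and the example host names are constructed, and the line layout (R0/R1 for Internet Explorer start and search pages, O4 for programs started at bootup) is assumed to match your log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the Hijack This log line style (not from a real machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.hijack-example.test/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hijack-example.test/bar.html
O4 - HKLM\..\Run: [AntiVirus] C:\Program Files\AV\avtray.exe
O4 - HKCU\..\Run: [sysupd] C:\WINDOWS\Temp\sysupd.exe /boot
"""

# Assumption: the hosts the user actually chose for home and search pages.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}

# R0-R3 lines: "<code> - <registry key>,<value name> = <url>"
R_LINE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
# O4 lines: "O4 - <registry key>: [<entry name>] <command line>"
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")

def triage(log_text, trusted=TRUSTED_HOSTS):
    """Return a list of (section, item, reason) findings worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            section, _key, value_name, url = m.groups()
            host = (urlparse(url).hostname or "").lower()
            # A home or search page pointing at a host the user never chose
            # is the substitution the article describes.
            if host and host not in trusted:
                findings.append((section, value_name, "untrusted host " + host))
            continue
        m = O4_LINE.match(line)
        if m:
            _key, name, command = m.groups()
            # A program started at bootup from a temp folder fits the
            # "keeps coming back" behaviour described in the article.
            if "\\temp\\" in command.lower():
                findings.append(("O4", name, "autostart from temp folder"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding is a prompt to investigate the entry, not proof of infection; anything not flagged still deserves a look if the browser keeps misbehaving.
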
A second program called CWShredder was created specifically for
the many variants of CoolWebSearch, which has been mutating too
fast for Hijack This to keep up. CWShredder will not only spot
most versions of the bug, it also gives you a simple one-click
fix-it option. Both of these programs are kept fairly
up-to-date, and you can find either of them at: http://www.merijn.org/downloads.html.
Although the downloads are free, there is a PayPal button on the
site that allows you to make a donation. If you find these programs
useful, please consider the donation. I don't know about
you, but I would like Merijn to continue fighting this battle
for us as long as possible.
Disclaimer - The Micro 2000 Tech Tip is a free service providing
information only. While we use reasonable care to see that this
information is correct, we do not guarantee it for accuracy, completeness
or fitness for a particular purpose. Micro 2000, Inc. shall not
be liable for damages of any kind in connection with the use or
misuse of this information.