dd72 (Beginner)
18 January 2005 - 17:18. There are 17 comments

Hijackthis help please

My problem is that my start page has been hijacked.
Which files can I remove?

Regards, Dennis

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\windows\system\hpsysdrv.exe
C:\Programmer\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\DOCUME~1\Ejer\LOKALE~1\Temp\Midlertidig mappe 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ejer\LOKALE~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ejer\LOKALE~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F3 - REG:win.ini: run=c:\windows\system32\idecntl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C980698B-2286-47EB-8692-C8C376936CB2} - C:\WINDOWS\system32\hgon.dll
O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmer\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Programmer\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programmer\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmer\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [FSecureReg] C:\Programmer\FSecureReg\FSecureReg.exe /ID=jp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Programmer\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O18 - Filter: text/html - {5858DAD4-DCB4-4160-9F25-1B061583470F} - C:\WINDOWS\system32\hgon.dll
O18 - Filter: text/plain - {5858DAD4-DCB4-4160-9F25-1B061583470F} - C:\WINDOWS\system32\hgon.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sqlopga.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
kimit (Trainee)
18 January 2005 - 17:23 #1
I can see you have the program "HijackThis.exe" on your PC. That's the one you used to produce this list, isn't it?
dd72 (Beginner)
18 January 2005 - 17:25 #2
yes, but I'm unsure about what should be deleted
kimit (Trainee)
18 January 2005 - 17:33 #3
Read this

Browser Hijacking
This article is located at http://www.spywareinfo.com/articles/hijacked/. © 2001-2004 Mike Healan. All rights reserved. Under no circumstances are you to republish this article without express written consent. This article changes often, so link it, don't copy it elsewhere.

This page was last updated on November 5, 2004

The Problem
Author: Mike Healan

There is a despicable trend that is becoming more and more common where the browser settings of web surfers are being forcibly hijacked by malicious web sites and software which modifies your default start and search pages.

Sometimes internet shortcuts will be added to your favorites folder without asking you. The purpose of this is to force you to visit a web site of the hijacker's choice so that they can artificially inflate their web site's traffic for higher advertising revenues.

In some cases, these changes are reversible simply by going into internet options and switching them back. Not always, however. Sometimes it's necessary to edit the windows registry (gasp!) to undo the changes made. Sometimes there is even a combination of registry setting and files clandestinely placed on your hard drive that redo your settings every time you reboot the computer.

No matter how often you change your settings back, they are changed again the next time you restart. There have even been cases where internet options have been removed from the tools menu by registry hacking to prevent you from controlling your own computer!

Even AOL has become a browser hijacker by placing its web site free.aol.com in Internet Explorer's trusted sites security zone, thereby bypassing the most frequently used security settings. This occurs after installing their AOL software or AOL Instant Messenger; Netscape 6.x and ICQ2001b have reportedly done this as well. AOL then exploits this by downloading ActiveX components to your computer without your consent. The CWS trojan also does this.



Preventing a hijack
This section has been superseded by a new article which focuses specifically on hijack prevention. That article is available at http://www.spywareinfo.com/articles/hijacked/prevent.php



Hijack Removal

Any of the products below will completely remove most hijackers, unless it is one which has just started spreading.

Spybot S&D [recommended]
Ad-aware
SpySweeper


If you have a hijack that is not fixed by any of these products, you may use these solutions below that I've come up with after helping to fix these same problems countless times through email and at the forums. Read on...

Please read the disclaimer below before doing anything described here. By following any of these instructions, you agree to be bound by the disclaimer. If you do not agree, do not follow these instructions. Also note that with Windows NT/2K/XP you will likely need to be logged in as an administrator for much of this. Go ahead and do that now.

The situation: Your browser now has a new start page and a new search page. Every time your browser loads a page that doesn't exist, you end up at some strange site, probably filled with popup ads.

You go to Tools > Internet Options to fix this, only to find that option grayed out. You open the control panel, only to find Internet Options missing from there too. You try to open regedit to start hacking away at the registry, but you're given the message that "your administrator has not given you that privilege".

Some scumbag webmaster has gotten a scumbag script kiddie to truly mess up your browser settings, and has made it next to impossible for you to change it back.

Notice that I said "next to impossible"...

So, what do you do here?

Skip any step that deals with a problem that doesn't affect you.

Assuming that none of the spyware removal programs listed above helps you, the very first thing you need to do is download and run HijackThis. Put a check mark next to every search and start page setting it lists which you haven't put there yourself and choose fix. Do the same for any hosts file entries. If it lists anything as O5, O6, or O7*, fix those as well. Please ask for advice at the forums before using HijackThis to change anything else.

*Note: Spybot S&D, Start Page Guard, Settings Sentry, and similar programs may provide options to lock settings against unauthorized changes. If you have these options enabled, HijackThis will detect that as a restrictions hijack. Disable those options before scanning with HijackThis.

Second, you have to get Internet Options back into the control panel. Do a file search and look for a file named "control.ini". Open it in Notepad. You may see something like this:

[don't load]
inetcpl.cpl=yes

Delete the "inetcpl.cpl=yes" line under "[don't load]". Save and close the file, then try the control panel again. If it's still not there, restart your machine and it should be there.


For Windows 2000 and XP, you will need to edit the registry to do this. Go to the start menu > RUN command > type REGEDIT and press enter. Navigate through the registry keys until you get to HKEY_CURRENT_USER\Control Panel\don't load\. Look and see if inetcpl.cpl is listed. If it is, delete the entry for it and log off.

See the list at the bottom of this page to identify other entries. Thanks to Corné de Leeuw for this information.

Run a search on your hard drive for any files ending with *.hta or *.js. If you find any, open them in Notepad or some other text editor and look for the URLs that you have been hijacked to. Delete any file containing those URLs. Also delete all *.tmp files on your drive; some of them contain malicious code (e.g. browser hijacks or malware (re)installations). Besides, deleting *.tmp files doesn't hurt, unlike dll's, which are also sometimes used for this purpose. (Thanks to cexx.org for the additional info in this step.)

HijackThis will list any BHO installed on your computer. Check the BHOs listed against the list of all known BHOs maintained at this site by a member of our support forums. If you find one listed as some sort of spyware/malware/hijackware, run HijackThis again and find that BHO in the list. Check its box and have HT fix it.

If you find a BHO that is not included in the list, please make a post in the Browser Hijackings section of our support forums with the HijackThis log pasted in along with an explanation of your problem. Please wait for replies before deleting this BHO, as it may be a new one which I can have added to various spyware/malware cleaning programs. It may also be an innocent file that is not causing your problem, so please wait for advice before deleting it.

Now you need to see if there is a startup entry for your hijacker file. The next time you reboot, the hijack might come right back. The reason for this would be an entry in the run section of the registry.

Look in HijackThis for O4 startup items. Check the entries listed against Pacman's List. For items listed as virus, malware, spyware, or something else that is undesirable, put a checkmark next to them and "fix" them.

If you find entries in your log that are not listed, you can report them at the forums.

Note: Sysinfo has had server trouble lately, so you may not be able to do steps 4 and 5.

Again, it will be absolutely necessary for you to close all open Internet Explorer windows before any of these changes will take effect. That includes this window. Some changes may even require a log off or even a reboot before they have any effect.

Still not fixed?
I hope this helps anyone who has become a victim of a browser hijack. If it does, great.

If the problem still remains after doing all of the above, you can visit our support forums and post the specifics of your problem there and I or someone else can troubleshoot the problem. Before posting, please make sure you have followed all of the instructions above.



Related Links:
http://www.cexx.org/hphijack.htm - Homepage Hijackers
http://www.spywareinfo.com/articles/lop/ - Lop.com
http://www.pcworld.com/news/article/0,aid,63345,00.asp - Stealth ad explosion
http://www.pcworld.com/news/article/0,aid,101916,00.asp - Web Ad Explosion
http://www.pcworld.com/news/article/0,aid,84464,tk,dn021402X,00.asp - Invasion of the browser snatchers
http://www.spywareinfo.com/newsletter/archives/september-2002/09212002.html#xupiter - Xupiter




Disclaimer of Warranty
"SpywareInfo and/or the author" assumes no responsibility for errors or omissions in these materials.

THESE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

"SpywareInfo and/or the author" further does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. "SpywareInfo and/or the author" shall not be liable for any special, indirect, incidental, or consequential damages, including without limitation, lost revenues or lost profits, which may result from the use of these materials. The information on this server is subject to change without notice and does not represent a commitment on the part of "SpywareInfo and/or the author" in the future.
That said, if you do happen to find a problem with anything here, please contact me immediately. I'll do my best to correct the problem as soon as possible.



Control panel applet file names
Thanks to Corné de Leeuw for this information.


access.cpl - Accessibility Applet
appwiz.cpl - Add/Remove Programs Applet
console.cpl - Console Applet
timedate.cpl - Date and Time Applet
desk.cpl - Display Applet
fax.cpl - Fax Applet
hdwwiz.cpl - Hardware Wizard Applet
irprops.cpl - Infrared Port Applet
intl.cpl - International and Regional Applet
inetcpl.cpl - Internet Settings Applet
joy.cpl - Joystick Applet
liccpa.cpl - Licensing Applet
main.cpl - Mouse and Keyboard Applet
mlcfg32.cpl - Mail Applet
mmsys.cpl - Sound and Multimedia Applet
modem.cpl - Modem and Phone Applet
ncpa.cpl - Network and connectivity Applet
netcpl.cpl - Network and Dial-up Connectivity Applet
nwc.cpl - Netware Client Applet
odbccp32.cpl - ODBC Applet
devapps.cpl - PC Card Applet
ports.cpl - Ports Applet
powercfg.cpl - Power Management Applet
sticpl.cpl - Scanner and Camera Applet
srvmgr.cpl - Server Manager Applet
sapi.cpl - Speech Properties Applet
sysdm.cpl - System Applet
telephon.cpl - Telephony Applet
tweakui.cpl - TweakUI Applet
nusrmgr.cpl - User Manager Applet
wspcpl32.cpl - WSP Client Applet
quicktime.cpl - QuickTime Applet
S32LUCP1.cpl - Norton Live Update Applet
cpqmgmt.cpl - Compaq Insight Agents Applet
wtcpl.cpl - Wild Tangent Auto Updater Applet (This updater is spyware)
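The article's second step (find the "[don't load]" section in control.ini, remove the inetcpl.cpl line, and use the applet table to identify any other hidden applets) is easy to do by hand but also easy to mechanise. The following is an added example, not code from the SpywareInfo article, from HijackThis or from anyone in this thread. It parses control.ini text, reports which applets are hidden (naming them from a subset of the applet table quoted above, held in APPLET_NAMES), and returns a cleaned copy with one applet un-hidden. The sample control.ini content is constructed for the example; on Windows 2000/XP the same setting lives in the registry key the article names, which this example does not touch.

```python
"""Inspect a Windows control.ini for applets hidden via [don't load].

Added example for this thread; not code from the SpywareInfo article or from
HijackThis. SAMPLE_CONTROL_INI is constructed; APPLET_NAMES is a subset of
the applet table quoted above.
"""
import configparser
import io

# Subset of the "Control panel applet file names" table from the article.
APPLET_NAMES = {
    "inetcpl.cpl": "Internet Settings Applet",
    "appwiz.cpl": "Add/Remove Programs Applet",
    "sysdm.cpl": "System Applet",
    "timedate.cpl": "Date and Time Applet",
    "wtcpl.cpl": "Wild Tangent Auto Updater Applet",
}

HIDE_SECTION = "don't load"

# Constructed sample: a control.ini in which Internet Options and the System
# applet have been hidden from the Control Panel.
SAMPLE_CONTROL_INI = """\
[MMCPL]
NumApps=4

[don't load]
inetcpl.cpl=yes
sysdm.cpl=yes
"""


def parse_control_ini(text):
    """Parse control.ini text, preserving the case of applet file names."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False)
    cp.optionxform = str  # keep key case; we normalise case ourselves
    cp.read_string(text)
    return cp


def hidden_applets(text):
    """Return [(file name, applet name), ...] for every applet listed under
    [don't load]; file names missing from APPLET_NAMES are labelled unknown."""
    cp = parse_control_ini(text)
    if not cp.has_section(HIDE_SECTION):
        return []
    return [(name, APPLET_NAMES.get(name.lower(), "unknown applet"))
            for name in cp[HIDE_SECTION]]


def unhide_applet(text, applet):
    """Return control.ini text with `applet` removed from [don't load]
    (case-insensitive match, as Windows treats file names). An emptied
    [don't load] section is dropped entirely."""
    cp = parse_control_ini(text)
    if cp.has_section(HIDE_SECTION):
        for key in list(cp[HIDE_SECTION]):
            if key.lower() == applet.lower():
                cp.remove_option(HIDE_SECTION, key)
        if not cp.options(HIDE_SECTION):
            cp.remove_section(HIDE_SECTION)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # keep "key=value" form
    return out.getvalue()


if __name__ == "__main__":
    for name, desc in hidden_applets(SAMPLE_CONTROL_INI):
        print(f"hidden: {name:14s} {desc}")
    print(unhide_applet(SAMPLE_CONTROL_INI, "inetcpl.cpl"))
```

Run against a real control.ini, hidden_applets tells you at a glance whether only Internet Options was hidden or whether, as the article warns, other applets were removed too; unhide_applet gives you the text to write back once you have a backup of the original.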
tonnybrandt (Beginner)
18 January 2005 - 18:05 #4
I'm just having a look at the log ...
victor-1 (Beginner)
18 January 2005 - 18:06 #5
Good, tonnybrandt - I was just about to.

kim_rechenberger > You really can't subject people to that ;-)
-bartfreak (Beginner)
18 January 2005 - 18:09 #6
yes, that was quite a wall of text ..O)

I would just use this link.. > http://www.hijackthis.de/index.php
tonnybrandt (Beginner)
18 January 2005 - 18:10 #7
If you don't already have them:
Download and update Ad-Aware: http://www.spywarefri.dk/vaerktoj.htm#adaware
Download and update CWShredder: http://www.spywareinfo.com/downloads/tools/CWShredder.exe
Or here: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Download AboutBuster and put the program in its own folder somewhere you can remember:
http://www.atribune.org/downloads/AboutBuster.zip

Restart in Safe Mode. Press F8 a few times while Windows is starting up.
Fix these with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ejer\LOKALE~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ejer\LOKALE~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F3 - REG:win.ini: run=c:\windows\system32\idecntl.exe
O2 - BHO: (no name) - {C980698B-2286-47EB-8692-C8C376936CB2} - C:\WINDOWS\system32\hgon.dll
O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
O18 - Filter: text/html - {5858DAD4-DCB4-4160-9F25-1B061583470F} - C:\WINDOWS\system32\hgon.dll
O18 - Filter: text/plain - {5858DAD4-DCB4-4160-9F25-1B061583470F} - C:\WINDOWS\system32\hgon.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sqlopga.dll


We need to be able to see your hidden files in order to find junk that has to be deleted manually. It's part of the process.
Open any folder and click Tools => Folder Options => View.
Uncheck "Hide protected operating system files".
Uncheck "Hide extensions for known file types".
Select "Show hidden files and folders".

Search for and delete the following, still in Safe Mode:

c:\windows\system32\idecntl.exe
C:\WINDOWS\system32\hgon.dll
C:\WINDOWS\system32\sqlopga.dll

Then start AboutBuster. Remove what it finds.

Now run a scan with Ad-Aware and CWShredder and remove whatever they find.

Regarding CWShredder:
Unpack the zip file into a folder.
Run the program, check for updates, physically disconnect your internet connection (pull the plug), close all windows except CWShredder, click Fix; it now scans. When it's finished, click Next, then click Exit.


Then you need to take a trip into the registry:
Start -> Run, type regedit, click OK.

Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Check whether there is a key/value named About:blank; if so, delete it.
Click My Computer in the regedit window, click Edit -> Find, type About:blank and press Enter. Delete it, then press F3 - delete - F3 - delete until the search is finished.
Same procedure with HomeOldSP


And delete the contents of your temp folder: C:\DOCUME~1\Ejer\LOKALE~1\Temp\
As well as Temporary Internet Files: Control Panel -> Internet Options -> General -> Delete Files and Delete Cookies

Restart.
Then you'll have to post one more log for checking :O)
dd72 (Beginner)
18 January 2005 - 20:12 #8
hi tonny
I've now solved most of the problem, except that my antivirus program pops up with the message c:\windows\system32\sqlopga.dll

Trojan horse backdoor. agent.ba ?
tonnybrandt (Beginner)
18 January 2005 - 20:17 #9
Post a new log file :)
dd72 (Beginner)
18 January 2005 - 20:34 #10
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Programmer\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\DOCUME~1\Ejer\LOKALE~1\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmer\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Programmer\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programmer\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmer\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [FSecureReg] C:\Programmer\FSecureReg\FSecureReg.exe /ID=jp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Programmer\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sqlopga.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
tonnybrandt (Beginner)
19 January 2005 - 01:04 #11
There's still a bit left, so we'll try once more, but this time everything has to be run in Safe Mode:

Restart in Safe Mode. Press F8 during startup.

Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click Fix checked, and delete the folders and files listed at the bottom.
Double-check so that everything gets included.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sqlopga.dll

Then you need to restart the PC in Safe Mode. Press F8 during startup.

---------------------------------------
Deleting files and folders:
-------------------
Folders:
<none>

Files:
c:\windows\system32\idecntl.exe
C:\WINDOWS\system32\sqlopga.dll

Restart normally and post a new log for checking
tonnybrandt (Beginner)
19 January 2005 - 01:05 #12
The top of the log needs to be included in the next log. The part showing the HijackThis version and the operating system is missing.
tonnybrandt (Beginner)
20 January 2005 - 00:43 #13
Oops, an extra line slipped in in the middle of it all:

>>Then you need to restart the PC in Safe Mode. Press F8 during startup.

Of course you should do all of it in one go in Safe Mode
tonnybrandt (Beginner)
5 February 2005 - 15:43 #14
Was the problem solved?
kimit (Trainee)
9 February 2009 - 21:21 #15
thanks
kimit (Trainee)
9 February 2009 - 21:21 #16
finished
kimit (Trainee)
9 February 2009 - 21:40 #17
closed