Help, My Browser Got Hijacked!

Category: Browsers

A reader asks: 'Every time I open my browser, it goes to an unfamiliar search engine page, and when I search from the toolbar, it no longer uses Google. I also have new toolbars that I didn't ask for. Was my browser hijacked somehow? If so, how do I get my settings back to normal?'

What is Web Browser Hijacking?

If your Internet Explorer, Chrome or Firefox browser suddenly behaves in unexpected or undesirable ways, it may have been hijacked. Browser hijacking is usually an attack by malicious software that changes your Web browser's settings.

Some users who have been hijacked report popups or having searches redirected to pages for online casinos, weight loss products and even porn sites. In other cases, the user's preferred search engine is changed without notice.

Here are some symptoms that indicate you've been hijacked, and how to fix it.

• Browser start page changed to an unwanted site

• New toolbars, bookmarks, or desktop shortcuts that you did not add

• Entering a website address and being taken to some other page instead

• Your default search engine has been changed

• Inability to access certain sites, particularly anti-malware sites that might help you

• Your Internet security settings have been lowered without your knowledge

• Endless pop-up ads for things you don't want to see

• Sluggish computer response; malware often slows your whole system down

How does browser hijacking happen? In some cases, the hijacking software is something you downloaded and installed, thinking it was beneficial. My article on Fake Anti-Virus and Celebrity Scams has details about how some people are being tricked into installing malware.

Sometimes it's a result of unpatched software components that have been exploited by hackers to initiate a "drive-by download." See my related article about Drive-By Download Dangers to learn how to protect against those.

Do-It-Yourself Hijacking

A hijack is not necessarily malevolent; some are just annoying. One example in this category is the Ask.com toolbar, an insidious annoyance that keeps taking over the search functions of the browser on one of my home computers. This falls into the category of what I call Do-It-Yourself Hijacking. The most common reason people get unwanted toolbars and other parasites is that they're not careful when installing a new program. It's tempting to just click "next-next-next" after downloading, in order to get through the installation process.

But if you look carefully, there's often a pre-checked box, asking if you want to install some other unrelated program or toolbar. These are usually more annoying than harmful, but sometimes are hard to remove. Software such as Conduit and Babylon toolbar fall into this category. Even if there's no malware, per se, you're still better off getting rid of these unwanted browser pests.

My article Downloading? Watch Out For These Danger Signs explains why previously trustworthy sites such as CNET's Download.com and Tucows are now landmines to be avoided.

Getting Back to Good

If you believe your browser has been hijacked, shut down your browser immediately. If you cannot close the browser in the usual way, press Ctrl-Shift-Esc to access Windows Task Manager, highlight your browser's file name in the Processes column (iexplore.exe, firefox.exe, chrome.exe) and click "end process" to close the browser.

Hijackers are one reason it is vital to have real-time anti-malware defenses in place at all times. If you're already running internet security software, obviously it didn't protect you from this particular menace. If the problem happened recently, System Restore may "undo" the problem and get you back to normal.

If that doesn't do the trick, download one of these Free Anti-Virus Programs or another free anti-malware utility such as MalwareBytes Anti-Malware. Install the software and run a full scan on your system. Delete any suspected malware that it finds.

Restart your computer, open your web browser and put things back in order. Review and reset your home page, security settings, privacy settings, etc. Delete any unwanted favorites/bookmarks. Review the list of add-ons and uninstall any that look unfamiliar.

But Wait... There's More!

You're not done yet. Hijacking malware also likes to mess with Windows registry settings, and may not uninstall cleanly. I recommend a free program called Privazer to scan your system and clean up any malware traces.

The HOSTS file is another favorite target of hijacking software. The HOSTS file contains pairs of host names and their associated IP addresses. When a host name listed in the HOSTS file is requested by your browser, Windows directs the request to the associated IP address instead of looking up the host name in the DNS system. Hijack software may add entries to the HOSTS file so that certain sites are blocked or redirected to unwanted sites. The HOSTS file is located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and can be opened with Notepad or your favorite text editor.

On Vista or Windows 7 you may need to open your text editor by right-clicking, then select "Run as Administrator". Make sure the HOSTS file includes ONLY comments (lines that start with "#"). The only exceptions would be "127.0.0.1 localhost" and any other lines that you know you added yourself. Delete unwanted entries and save the HOSTS file.
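The manual HOSTS check described above can also be scripted. The following is an added example, not part of the original article: it lists every active HOSTS entry other than "127.0.0.1 localhost" and labels it as blocked (pinned to a loopback or 0.0.0.0 address) or redirected (pointed at some other IP). The function name, the sample host names and the addresses are constructed for illustration.

```python
import ipaddress

# The article's one expected entry; add (ip, name) pairs for lines you added yourself.
DEFAULT_ALLOWED = frozenset({("127.0.0.1", "localhost")})

# Constructed sample input: reserved documentation addresses and .example names.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
203.0.113.10    www.search.example search.example   # trailing comment
127.0.0.1       updates.antimalware.example
0.0.0.0         scanner.example
not-an-ip       broken.example
"""


def audit_hosts(text, allowed=DEFAULT_ALLOWED):
    """Return (line_no, ip, hostname, kind) for every active mapping not in `allowed`.

    kind is "blocked"    - name pinned to a loopback or unspecified address,
            "redirected" - name pointed at some other IP address,
            "malformed"  - line is active but is not a valid "IP name..." entry.
    """
    findings = []
    # Strip a leading byte-order mark, which some Windows editors write.
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, ip_text, " ".join(names), "malformed"))
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        for name in names:  # one line may map several names to the same address
            name = name.lower()  # host names are case-insensitive
            if (str(ip), name) not in allowed:
                findings.append((line_no, str(ip), name, kind))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name or '(no name)'} -> {ip} [{kind}]")
```

To check a real system, pass the contents of the HOSTS file to `audit_hosts` instead of the sample text. Entries added on purpose by a protection tool will show up as "blocked" and can be put in the allowed set.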

To avoid browser hijacking, use real-time anti-malware defenses; don't give unknown websites permission to install software, toolbars, or ActiveX controls; and keep your browser's security settings on medium or high level.

Have you been hijacked? Tell us how you fixed the problem, or prevented it from happening again. Post your comment or question below...

 


Posted by on 6 May 2014



Most recent comments on "Help, My Browser Got Hijacked!"


Posted by:

gep2
06 May 2014

I strongly recommend CryptoPrevent as a way to help avoid you inadvertently installing something on your computer that you shouldn't have. CryptoPrevent sets your systems' Group Policies so suspicious .exe files don't get installed so casually. ;-)


Posted by:

Yves
06 May 2014

Spybot is a good help too


Posted by:

Coover
06 May 2014

Free software from Iobit will change your IE or Chrome "Home Page" to an Iobit branded Google search page, even though you remove all checkmarks to add other software or change your home page. I have written to Iobit several times about this and they promise to change this behavior in the future. How far away this "future" is is unknown as this behavior has been going on for more than a year.


Posted by:

D V N Sarma
07 May 2014

Spybot SD adds a number of entries to the hosts file.
I think we should not remove them.


Posted by:

RandiO
07 May 2014

Okay, Look! I am going to let you in on a secret but you HAVE to promise me that you will spend some of your precious time to learn how to use this tool! It is a FREEware but worth every penny to pay for a copy that lasts for your lifetime. It has always booted up with my PCs since before XP and has saved my bacon too many times to recall! It is NOT the answer to ALL the malicious attacks on a system but...
-------------------------
http://www.winpatrol.com/
I'll let BillP (and 'Scotty') explain it to you in their own words:
What Does WinPatrol Do?
The popularity of WinPatrol is based on its ability to detect and prevent changes to important Windows settings. You’ll be notified if unwanted programs are set to automatically run, if a toolbar has been added to Internet Explorer, if your home page, search provider or other internal configurations change. When a new Service or ActiveX component is detected it may be part of a legitimate program. WinPatrol will make sure and if it isn’t, you can tell WinPatrol to disable it.
Just adding a program won’t cause a notification but when a program is configured to run without your knowledge, WinPatrol will let you confirm the change is expected.
The techniques used to prevent changes were first developed by BillP Studios over 16 years ago. Feedback from supporters and researching new attacks has allowed WinPatrol to grow while continuing to run quietly in the background.
Woof!


Posted by:

todd
07 May 2014

I will never understand why, when doing a reset in Internet Explorer (Advanced tab), it does not fully reset to factory settings!

Todd


Posted by:

richard
07 May 2014

On Vista, the Windows Live Essentials 2011 (KB2424419) "Update" installs a Bing Bar as well as Replacing your "Windows Live Toolbar".

It offers to replace newer preferences in the place of what you have already selected (Mail, Photo Viewer, etc).

Apparently this was first offered ('Published') on 4/5/2012... and I have yet to choose to install it with no ill effects as far as I can tell.


Posted by:

David W Solomons
07 May 2014

One way to prevent unwanted programmes (PUPs) from sliding into an installation is to use the freeware "unchecky" - it automatically warns about such PUPs and recommends unchecking the relevant boxes.


Posted by:

Michtrixie
07 May 2014

Install Unchecky (from unchecky.com) which, in their words, "keeps your checkboxes clear." It works in the background and prevents those annoying toolbars, search engines, etc., from being installed. I've installed it on all my computers and my friends' computers and I'm not getting as many calls to remove unwanted toolbars and search engines as I did before. Unfortunately, most people don't take time to carefully read when installing software and this program seems to take care of unchecking the pre-checked boxes pretty well. I also use Privazer and AdwCleaner which work great.


Posted by:

Humbug7
07 May 2014

About a year ago, my browsers were hijacked and the default search set to AVG's search bar. Yes, that's right, the supposedly wonderful AV/security company. It was a hidden install included with an update of a proprietary software (FixCleaner). I always watch for the "extras" offered during downloads; this was an update, so it had no series of "Next" pages. I proved this by doing a system restore to revert everything and then re-installing the update. Yep, there she went. Needless to say, I repeated the system restore, removed FixCleaner, and blasted off angry emails to both AVG and FixCleaner. No response from either, but I won't ever use anything from either company, ever again.


Posted by:

Bob Kamino
07 May 2014

I ran into an especially nasty one. The program erased my system restore files so there was nothing to go back to!


Posted by:

JKeenan
07 May 2014

I found that adwcleaner, downloaded from bleepingcomputer.com got rid of conduit, which had been plaguing me, resisting all other efforts.


Posted by:

Robert
08 May 2014

Someone I know (not me) did a dumb thing by downloading some "coupon" site software off some pop-up ad. Yep, they got the dreaded Conduit virus. Even after they followed my suggestion of downloading Malwarebytes (which was a chore as Conduit apparently tried its best to block it), doing a 9 hour scan (including rootkits) and locking Conduit away, it screwed things up so badly they could not access the internet at all, much less even run other basic software. In the end the local Geek Squad had to operate. I hope the "inferno" has a special circle just for those who foist this malware upon us.


Posted by:

SamG
08 May 2014

@ Bob Kamino; Microsoft updates are particularly nasty as they destroy system restore points since Windows XP. (Have been enduring Windows 7 for 4 years or so). It's not a good idea to depend on system restore. DOZENS of times I've gone there to turn back the system and found NO restore points. After MS updates. Learn to use a good backup program and use it. I backup about every 3 months or so. And Adwcleaner will find and remove crap that MBAM or Spybot won't find.


Posted by:

MmeMoxie
08 May 2014

Wait a minute ... I keep seeing, good suggestions for eliminating nasty Malwares, Trojan Horses, Worms and Viruses. Lately, it really does seem that the biggest problems we run into ... Are the Malware/Foistware that comes with Downloads and "Nasty" Websites!!! However, I keep reading a re-occurring theme ... “Let’s blame the Anti-Virus or Malware programs, for this issue.” Please, remember ... The designers of these “nasties”, know fully how to "by-pass" the popular programs, and that is one of the first things, they do.

When, I got the Conduit "drive by" with a download from CNET ... The first thing, I did try to use was Malwarebytes. I even had the Pro version ... It froze at the same spot, every time I tried to scan my PC. Talk about frustrated, I was really upset. Then, I started looking on the Internet, to see what the solution was, to the Conduit issue. ADW Cleaner was mentioned, on several different forums and articles. I first tried using Chameleon, from Malwarebytes. The "designers" did their homework, is all I can say ... Using Chameleon, I got the freezing at the same point and no advancement.

Then, I decided to use ADW Cleaner. Finally, I was able to use my own tools, to continue with the removal of Conduit and for me, Sweet Packs! My Chameleon was the first to work, with a complete scan, then I used my Malwarebytes Pro to scan, again. However, with all of that ... I STILL had Conduit and Sweet Packs!!! I went back to the Internet, for more reading. One of the forum moderators, stated they had a miserable time, getting rid of this mess. They had to go into the Registry, to search for both Conduit and Sweet Packs, both were hidden deep within.

Finally, I had my solution, but, it did take me over all, more than a week to get my Conduit issue resolved. Then, my daughter's PC got the same issue and she lives out in California, while I am in Georgia. Thank goodness for Team Viewer ... I was able to "clean up" her PC, because I knew what to do, by then.

So, back to my original comment … Please, don’t always blame the software program, you are using. The bad guys are smart and know what they are doing, so they know which protective programs, to try and “by pass”, to do their nasty work. It is vital, in today’s world that, all protective programs be kept up to date, with the latest data, as possible. The Bad Boys are mostly coming from China and Russia. They love what they are doing or they would not be doing it … Unless, you subscribe to the “conspiracy theory” that the governments of China and Russia are “allowing” their smartest computer geniuses, to do this for political reasons. Trust me that, theory is out there. :)


Posted by:

Therrito
08 May 2014

There have been many times when I have been called by a friend or family member and they tell me they have a virus because their browser is acting "weird". I go over there and discover that they have several browser toolbars and when asked they usually say they had recently installed new software.
When I ask how they installed it they say "I just kept clicking 'next' until it was finished" at which time I am about ready to strangle them. I tell them why they have so many toolbars and mostly they look shocked when I let them know that clicking "next-next-next" is the worst thing to do when installing a new program.
After a long lecture and an explanation on how to install programs I get their PC back into working order and do a little maintenance too (update programs, run CCleaner, Defrag, etc.) and they are usually amazed at how well their PC runs.
It never ceases to amaze me how many people do this (AND STILL DO IT!). Word has spread around my neighborhood that I can "fix" a PC fairly quickly and I just say 'No, I just fixed a simple mistake somebody made'.
Keep up the good work, Bob, and keep spreading the word with your great tutorials.


Posted by:

Annie
20 May 2014

I just wanted to say thank you so much for your emails and excellent advice. Somehow that blasted Conduit got ahold of my laptop. It was there for months and I had no idea what to do. I was very happy to see you address this issue. I did exactly what you suggested....and voila.....all is back to normal. So, thank you so much.


Posted by:

My name
22 Jun 2014

Just go to your "Programs & Features" in the Control Panel, and search for "Search Protect" (Developer's name is Conduit), and uninstall it ;), check the date of installation of your BING and anything else that was installed at the same time, that's your culprit!
It is a stubborn program, if it doesn't want to uninstall or takes foreverrrrrrr, skip it and go find a program: Revo Uninstaller (free version) that will do it in minutes.


Posted by:

Ed Alfano
18 Jul 2014

As a retired Senior Help Desk Analyst I know better than to download programs, etc., without doing my homework first and even I get burned once in a while.

I am careful when I decide to download, paying particular attention to "add ons" like browsers or search engines. My first lesson came when I downloaded an application from a site that I trusted, CNET (I also got hit with the Conduit drive-by). My second "ouch" moment was the result of following a link on CNN.com where I picked up a headache that prevented me from accessing any of the anti-virus and anti-malware sites. It also shut down my firewall and disabled Windows Defender and Microsoft Security Essentials, preventing database updates. At that point I was frustrated but thankfully had an uninfected laptop. I downloaded Exterminate It and installed a copy on my desktop and was able to get rid of the issue. I did not renew my subscription with Exterminate It when they failed to respond to a trouble ticket I issued.

I use Microsoft Security Essentials for anti-virus, a paid subscription to Malwarebytes and recently added Advance System Care 7 and thought I was fairly well protected.

Yesterday I was browsing for free movie sites and came across Firedrive.ca and Putlocker.is (I believe Firedrive is connected to Putlocker). I don't download anything pirated or illegal and since there were implications that Putlocker was possibly in violation of copyright laws I passed them by, opting to check out Firedrive.

Firedrive required its own media player for watching movies online and as I started to download the player, Malwarebytes alerted me to a possible problem so I aborted the download.

Afterwards, I closed all of my browser windows and rebooted my PC only to find out that my browser was hijacked by IStart123.com and several unwanted programs were installed.

I opened IOBit uninstaller and began removing the three rogue programs. It took a while but eventually I managed to wipe them out. I opened up Chrome settings and changed the homepages back to my original settings but when I closed and restarted Chrome, IStart123.com was still my homepage. I discovered this site while researching removal of the IStart123 homepage issue and I am working on getting rid of it as I make these comments.

This morning I ran Malwarebytes and eliminated two malware items. I am concerned that the installation I cancelled did not stop and decided that the prudent thing to do is put this information online so that other users will read it and avoid these sites.

I am relatively satisfied with Malwarebytes and Microsoft Security Essentials but the jury is still out on Advance System Care 7. I purchased the Pro version and it turns out that there are several programs that I thought were included but actually turn out to be add-ons that must be purchased separately. That is another issue that is on my list of software to avoid. The information provided when I purchased the application was misleading, ergo, the trust factor is up in the air.

I hope that my experiences with the sites and the software that I purchased to protect me from these issues is helpful to some...


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- Help, My Browser Got Hijacked! (Posted: 6 May 2014)
Source: http://askbobrankin.com/help_my_browser_got_hijacked.html