My Browser Got Hijacked!

Category: Browsers

A reader asks: 'Every time I open my browser, it goes to an unfamiliar search engine page, and when I search from the toolbar, it no longer uses Google. Was my browser hijacked somehow? If so, how do I get my settings back to normal?'

What is Web Browser Hijacking?

If your Internet Explorer, Firefox or Chrome browser suddenly behaves in unexpected or undesirable ways, it may have been hijacked. Browser hijacking is usually an attack by malicious software that changes your Web browser's settings. Some users who have been hijacked report popups or having searches redirected to pages for online casinos, weight loss products and even porn sites. In other cases, the user's preferred search engine is changed without notice.

Here are some symptoms that indicate you've been hijacked, and how to fix it.

  • Browser home/start page changed to an unwanted site
  • New favorites, bookmarks, toolbars, or desktop shortcuts that you did not add
  • This is a scene from the movie Panic Mechanic. The guy in the car is named Jack, and when the guy with the gun says 'Hijack', the driver thinks he's saying 'Hi Jack!'. Hilarity ensues...
  • Typing a URL into the address bar and being taken to some other URL instead
  • You default search engine has been changed
  • Inability to access certain sites, particularly anti-malware sites that might help you
  • Your Internet security settings have been lowered without your knowledge
  • Endless pop-up ads for things you don't want to see
  • Sluggish computer response; malware often slows your whole system down

How does hijacking happen? In many cases, the hijacking software is something you downloaded and installed, thinking it was something beneficial. Sometimes it's a result of unpatched software components that have been exploited by hackers to initiate a "drive-by download." See my recent article on the Java security problem. Other hijackers are buried in toolbars, add-ons, and even fake anti-malware programs. My article on Fake Anti-Virus and Celebrity Scams has details about how some people are being tricked into installing malware.

Do-It-Yourself Hijacking

A hijack is not necessarily malevolent, some are just annoying. One example in this category is the Ask.com toolbar, an insidious annoyance that keeps taking over the search functions of the browser on one of my home computers. This falls into the category of what I call Do-It-Yourself Hijacking. The most common reason why people get unwanted toolbars and other parasites is because they're not careful when installing a new program. It's tempting to just click "next-next-next" after downloading, in order to get through the installation process.

But if you look carefully, there's often a pre-checked box, asking if you want to install some other unrelated program or toolbar. These are usually not harmful, and can be removed using the Control Panel. Even if there's no malware, per se, you're still better off getting rid of these unwanted browser pests.

Getting Back to Good

If you believe your browser has been hijacked, shut down your browser immediately. If you cannot close the browser in the usual way, press Ctrl-Shift-Esc to access Windows Task Manager, highlight your browser's file name in the Processes column (iexplore.exe, firefox.exe, chrome.exe) and click "end process" to close the browser.

Hijackers are one reason it is vital to have real-time anti-malware defenses in place at all times. If you're already running internet security software, obviously it didn't protect you from this particular menace. If the problem happened recently, System Restore may "undo" the problem and get you back to normal.

If that doesn't do the trick, download one of these Free Anti-Virus Programs or another free anti-malware utility such as MalwareBytes Anti-Malware. Install the software and run a full scan on your system. Delete any suspected malware that it finds.

Restart your computer, open your web browser and put things back in order. Review and reset your home page, security settings, privacy settings, etc. Delete any unwanted favorites/bookmarks. Review the list of add-ons and uninstall any that look unfamiliar.

But Wait... There's More!

You're not done yet. Hijacking malware also likes to mess with registry settings. See my list of Free Registry Cleaners to remove bad registry entries and close security holes in the registry.

The HOSTS file is another favorite target of hijacking software. The HOSTS file contains pairs of host names and their associated IP addresses. When a host name listed in the HOSTS file is requested by your browser, Windows directs the request to the associated IP address instead of looking up the host name in the DNS system. Hijack software may add entries to the HOSTS file so that certain sites are blocked or redirected to unwanted sites. The HOSTS file is located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and can be opened with Notepad or your favorite text editor.

On Vista or Windows 7 you may need to open your text editor by right-clicking, then select "Run as Administrator". Make sure the HOSTS file includes ONLY the line "127.0.0.1 localhost" and any other pairs that you know you added yourself. Delete unwanted entries and save the HOSTS file.

To avoid browser hijacking, use real-time anti-malware defenses; don't give unknown websites permission to install software, toolbars, or ActiveX controls; and keep your browser's security settings on medium or high level.

Have you been hijacked? Tell us how you fixed the problem, or prevent it from happening. Post your comment or question below...

 
How Else Can I Help You?   (Enter your question in the box above.)
 

Sign up now for AskBob Updates!

Boost your Internet IQ, keep up with the latest online trends... get your FREE subscription now!


Email:


Posted by on 21 Jan 2013


For Fun: Buy Bob a Snickers.
Need More Help? Try the AskBobRankin Updates Newsletter. It's Free!

Prev Article:
Is The FBI Holding Your Computer for Ransom?

The Top Twenty
Next Article:
Is Your Password Strong Enough?

Link to this article from your site or blog. Just copy and paste from this box:


Most recent comments on "My Browser Got Hijacked!"

Posted by:

Des M
21 Jan 2013

Re the 'Hosts' file entries. If you use 'Spybot' as part of your anti-malware protection, then you will find dozens( hundreds?)of Spybot entries in that file. It's all part of the system. It doesn't worry me - should it be a concern?

EDITOR'S NOTE: No, not if you're sure they are put there by Spybot.


Posted by:

tom
21 Jan 2013

Hi guys, went to this location:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

All that was in the hosts was a demo file. running windows 7

EDITOR'S NOTE: Exactly! And that's the way it should stay.


Posted by:

Will
21 Jan 2013

I am very fond of WinPatrol, a resident intrusion detector which "barks" to warn of any changes in registry or settings.

Also, when installing something, be careful to uncheck any "requests" to install unrelated programs.


Posted by:

dratner
21 Jan 2013

I had the Google Re-direct Trojan. Try the following to to get rid of it:

Kaspersky's TDSSKiller - Instructions are listed below. (Additional instructions can be found here)
http://support.kaspersky.com/viruses/solutions?qid=208280684

Hitman Pro - It's free to use without a license. If a virus is found, you will receive a free 30-day license to remove the threat. Note: There are separate downloads for 32 and 64-bit versions of Windows 7.

http://www.surfright.nl/en/home/

ESET's Online Scanner - Their FAQ and Help sections should answer any questions you might have. (Temporarily disable your A/V prior to running the scan)

• Did they have you check your LAN settings to make sure they haven't been changed to use a Proxy Server?:

Open Internet Explorer. Go to Tools>Internet Options>Connections Tab. Click on the "LAN Settings" button. If there is a check in the box "Use a proxy server for your LAN", uncheck it. Click "OK". Then "OK", again.

Open Firefox. Go to Tools>Options>Advanced. Click on the "Network" tab. To the right of where you see ""Configure how Firefox connects to the Internet", click on the "Settings" button. Put a tick mark next to "No proxy". Click "OK". Then "OK", again.



Posted by:

HA
21 Jan 2013

Try Superantispyware Free.
It's great!


Posted by:

cruelas
21 Jan 2013

A friend's computer was hijacked by BABYLON...I'm guessing they invited it in along with a program they installed. She tried a few things that didn't work, but the article below AND MALWAREBYTES helped:

http://www.im-infected.com/hijacker/babylon-search-hijacker.html


Posted by:

East Slope Charlie
21 Jan 2013

OK, after using a computer since before the web, I sure think I've been hacked. Through Firefox - I Googled help when my Yahoo! mail failed in Firefox (I can't return a search from your site to find your recommend fix-it-over-the-phone places). I called a 'help' number and got a HIGH POWER FAST TALKER who went in, looked around, told me I would need a new computer, would go to jail, etc - and left an auto-load dialogue box x2 on my re-boot (generally I run 24/7 for World Community Grid). I've run nearly every program I can think of. And I can still not load Firefox in Yahoo! (do I need a period after an exclamation mark?). So, as you know, there went ALL of Sunday. What's the next cheaper place to turn? My computer is pushing 10 years old, and most of what I do is type and research so speed was never really important -- until I began typing faster than words would appear. Now I am nearly insane. Anyone have a clue the next step? EVERY scan: M-BAM, AVG(free full-featured trial), MacAfee, Spybot, Superanti, and a couple of others - ALL returned negative reports -- so I don't suspect a false-negative. (Oh, I run spybot and MacAfee [from my ISP] every night while I sleep, and CCleaner after each daily session. And defrag (IOBIT)each day. Being a retired teacher makes the quoted price to me of $300 seem steep, and I think you had some cheaper places if I recall. ANYONE have a clue the next step? -- thanks in advance -


Posted by:

Rex
21 Jan 2013

I completed all the actions suggested but up comes
http://isearch.glarysoft.com/?src=newtab every time.
The anti-malware I downloaded as suggested found no problems. Where to from here?

EDITOR'S NOTE: Sounds like you've installed GlarySoft utilities, which is not malware. You could uninstall Glary, or see if the program's control panel has an option to NOT use their search feature.


Posted by:

Kathy
22 Jan 2013

Hey East Coast Charlie,
Try deleting Firefox and all of its settings, then re-download. I had some issues with Firefox and fixed it that way. Good luck. I hope it's that simple.


Posted by:

Ari
22 Jan 2013

I am very careful and only once browser got hijacked.

There is a very famous image editing Free software P----.net I downloaded some additional files from their website and installed. Next time my browser started opening the website from where I had downloaded the extra file. Even after deleting the culprit file faced same problem.

Later I opened I.E. Browser and found home page which was http://www.yahoo.co.jp/ was changed to that website. Therefore, I changed that to my old one. Doing this solved my problem.

It is also true we must be careful during installation and should pay attention to items and un-check entries which are not needed to avoid later headache.


Posted by:

Darryl
22 Jan 2013

I checked my HOSTS file and found two. One looked as it should, the other was hosts.old and had been put there by Spybot Search & Destroy. I haven't had that program on my computer for years, but evidently that file got left behind when I uninstalled. Do I delete it, or rename it to hosts (and if I do that, what about the real hosts file?) or just leave it as is?

EDITOR'S NOTE: You can delete it, since you no longer use Spybot. It won't hurt to just leave it, either.


Posted by:

John A
22 Jan 2013

in Windows 7 logged on as admin, I opened hosts as described. Found the stuff left behind years ago by SpyBot. Deleted it. Tried to save -- got msg I had to be an admin! Finally realized I needed to start Notepad with right-click, then clicked 'open as admin' EVEN THOUGH I was signed on as admin. Thought that is a point worth noting.


Posted by:

Bob Milligan
23 Jan 2013

Bob I have Panasonic network webcams and they work fine with IE8 and did work fine with IE9 until recently. Apparently after one of the updates to IE9 my video does not display anymore. If I try MJMPG none of the cameras display. 4 of the six will display MPEG-4 but the other 2 will not. They will all display using 3 second refresh which is pretty much the same as a jpeg still and not video. I have looked at tech support and Google and can find very little about it and nothing that has helped me. Can you offer any suggestions? By the way, they do display in Firefox but I am used to using IE to display them.

EDITOR'S NOTE: Sorry, but I'm not familiar with that product. My best advice would be to ask the manufacturer if they have a software update that fixes the problem. Or use Firefox. :-)


Posted by:

Therrito
23 Jan 2013

Recently I was asked to help a friend who supposedly had his browser hijacked.
After a brief Q and A before I dug into his PC, he told me he had recently installed a few programs.
I asked if he quickly clicked *next-next-next* as you had previously stated in your article, and he said "Yes".
After a brief scolding I went through and cleaned up the mess via the uninstall processes and now his PC is running fine.
It has always been a pet peeve when people click *next-next-next* through the installation process of a program as you never see what else is installing.
I always look carefully at each screen when I install anything on my PC and I have never had this particular problem.
Thanks again for a very insightful article.
I will email a link to this page to my friend and hopefully he will not have this problem again.
Two thumbs up as usual. :-)


Posted by:

darlene
29 Jan 2013

This is driving me crazy! I can't even imagine how it happened; I'm vigilant to the max, however, here it is: somehow I downloaded a "browser portal* ... here is the link:http://www.v9.com/us/newtab ... I have tried numerous things to dislodge it from my computer, but all to no avail.

I searched online for a tool to remove this annoyance, but nothing! Also, this comes up when I'm following a link from one site to another, or when I'm bringing up a new tab on firefox!

PLEASE help me remove this malware ...

Thanks so much .... Darlene Harris


Posted by:

John
03 Feb 2013

My Google search function was also hijacked by Ask.com. How do I get my Google search function back?

Thanks


Posted by:

Linda
05 Feb 2013

FIRST my Yahoo homepage was hijacked to http://ggle.org.uk/FireFox-Tab.php?OVKWID=ff4. Kept resetting it in, but the ggle.org.uk thing kept taking over.

THEN I discovered my System Restore function wouldn't work ("your system could not be restored.")

NOW I've found that ALL my bookmarks are gone. (And the yahoo backup dates are all gone EXCEPT today, which is, of course, empty.)

Malwarebytes, Spybot, & AVG all came up clean.

I finally turned the computer over to a pro, but the biggest thing I'm concerned about at this point is all the personal info, which was in bookmarks. AARRGGHH!!!

Good luck to all with this problem, and special thanks to Bob Rankin for this site.


Posted by:

Otto
08 Feb 2014

When I went to the host file I found a sample file with a # at the beginning of each line, with the exception of the following, which had no #:
74.208.10.249 gs.apple.com
When I tried to modify the file I could not save it as I didn't have permission. How do I get said permission? (Tried right-clicking but didn't find "Run as administrator" anywhere)

EDITOR'S NOTE: I'm not sure why that line would be in your HOSTS file. Perhaps your ISP can answer that. To edit the HOSTS file, see http://helpdeskgeek.com/windows-7/run-notepad-as-administrator-to-avoid-access-is-denied/


Posted by:

james orr
26 Mar 2014

I have just won the lottery with the FBI Money Pak. not lol. I have tried a lot of different things, but, the problem is, even if you start in safe mode, it starts loading safemode then switches to Windows 7, then puts Money Pak screen back up. I can hit ctl/esc and get menu, but, it goes away super fast and it seems like I was fast enough to click on stuff, but, it is overpowered by money pak immediately. I, also, can't get task manager to show. Is there a way to make a disk from another computer to put in to fix hijacking or what do you suggest?

EDITOR'S NOTE: Try this: http://malwaretips.com/blogs/fbi-moneypak-virus/


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.


Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- My Browser Got Hijacked! (Posted: 21 Jan 2013)
Source: http://askbobrankin.com/my_browser_got_hijacked.html
Copyright © 2005 - Bob Rankin - All Rights Reserved

 
Free
Newsletter
Get the FREE  "AskBob Updates" newsletter!       Email:    (Details)