Help, My Browser Got Hijacked!
A reader asks: 'Every time I open my browser, it goes to an unfamiliar search engine page, and when I search from the toolbar, it no longer uses Google. I also have new toolbars that I didn't ask for. Was my browser hijacked somehow? If so, how do I get my settings back to normal?'
What is Web Browser Hijacking?
If your Internet Explorer, Chrome or Firefox browser suddenly behaves in unexpected or undesirable ways, it may have been hijacked. Browser hijacking is usually an attack by malicious software that changes your Web browser's settings.
Some users who have been hijacked report popups or having searches redirected to pages for online casinos, weight loss products and even p**n sites. In other cases, the user's preferred search engine is changed without notice.
Here are some symptoms that indicate you've been hijacked, and how to fix it.
• Browser start page changed to an unwanted site
• New toolbars, bookmarks, or desktop shortcuts that you did not add
• Entering a website address and being taken to some other page instead
• Your default search engine has been changed
• Inability to access certain sites, particularly anti-malware sites that might help you
• Your Internet security settings have been lowered without your knowledge
• Endless pop-up ads for things you don't want to see
• Sluggish computer response; malware often slows your whole system down
How does browser hijacking happen? In some cases, the hijacking software is something you downloaded and installed, thinking it was beneficial. My article on Fake Anti-Virus and Celebrity Scams has details about how some people are being tricked into installing malware.
Sometimes it's a result of unpatched software components that have been exploited by hackers to initiate a "drive-by download." See my related article about Drive-By Download Dangers to learn how to protect against those.
A hijack is not necessarily malevolent; some are just annoying. One example in this category is the Ask.com toolbar, an insidious annoyance that keeps taking over the search functions of the browser on one of my home computers. This falls into the category of what I call Do-It-Yourself Hijacking. The most common reason people get unwanted toolbars and other parasites is that they're not careful when installing a new program. It's tempting to just click "next-next-next" after downloading, in order to get through the installation process.
But if you look carefully, there's often a pre-checked box, asking if you want to install some other unrelated program or toolbar. These are usually more annoying than harmful, but are sometimes hard to remove. Software such as Conduit and the Babylon toolbar falls into this category. Even if there's no malware, per se, you're still better off getting rid of these unwanted browser pests.
My article Downloading? Watch Out For These Danger Signs explains why previously trustworthy sites such as CNET's Download.com and Tucows are now landmines to be avoided.
Getting Back to Good
If you believe your browser has been hijacked, shut down your browser immediately. If you cannot close the browser in the usual way, press Ctrl-Shift-Esc to access Windows Task Manager, highlight your browser's file name in the Processes column (iexplore.exe, firefox.exe, chrome.exe) and click "end process" to close the browser.
Hijackers are one reason it is vital to have real-time anti-malware defenses in place at all times. If you're already running internet security software, obviously it didn't protect you from this particular menace. If the problem happened recently, System Restore may "undo" the problem and get you back to normal.
If that doesn't do the trick, download one of these Free Anti-Virus Programs or another free anti-malware utility such as MalwareBytes Anti-Malware. Install the software and run a full scan on your system. Delete any suspected malware that it finds.
Restart your computer, open your web browser and put things back in order. Review and reset your home page, security settings, privacy settings, etc. Delete any unwanted favorites/bookmarks. Review the list of add-ons and uninstall any that look unfamiliar.
But Wait... There's More!
You're not done yet. Hijacking malware also likes to mess with Windows registry settings, and may not uninstall cleanly. I recommend a free program called Privazer to scan your system and clean up any malware traces.
The HOSTS file is another favorite target of hijacking software. The HOSTS file contains pairs of host names and their associated IP addresses. When a host name listed in the HOSTS file is requested by your browser, Windows directs the request to the associated IP address instead of looking up the host name in the DNS system. Hijack software may add entries to the HOSTS file so that certain sites are blocked or redirected to unwanted sites. The HOSTS file is located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and can be opened with Notepad or your favorite text editor.
On Vista or Windows 7 you may need to open your text editor by right-clicking, then select "Run as Administrator". Make sure the HOSTS file includes ONLY comments (lines that start with "#"). The only exceptions would be "127.0.0.1 localhost" and any other lines that you know you added yourself. Delete unwanted entries and save the HOSTS file.
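The HOSTS check described above can be automated. The following is an added example, not code from the original article: it flags every active entry other than the loopback "localhost" mapping and says whether the name is being blocked or redirected. The function name, the known_good parameter and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Names the article treats as expected when mapped to a loopback address.
EXPECTED_NAMES = {"localhost"}

# Constructed sample HOSTS content (not from a real infection). Addresses come
# from documentation/private ranges; host names use the reserved ".example" TLD.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus.example   # added by unknown software
0.0.0.0         www.antimalware.example
203.0.113.50    www.search.example search.example
192.168.1.20    nas.home.example
not-an-ip       www.shop.example
"""


def audit_hosts(text, known_good=()):
    """Return (line_no, ip, hostname, verdict) tuples for entries to review.

    verdict is "blocked" when a name points at a loopback or unspecified
    address (the site becomes unreachable), "redirected" when it points at
    any other address, and "malformed" when the line cannot be parsed.
    known_good lists host names the user added deliberately.
    """
    allowed = {name.lower() for name in known_good}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        if len(fields) < 2:  # an address with no host name after it
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        for name in fields[1:]:  # one line may map several names
            host = name.lower()
            if host in allowed:
                continue
            if ip.is_loopback and host in EXPECTED_NAMES:
                continue
            blocked = ip.is_loopback or ip.is_unspecified
            findings.append(
                (line_no, str(ip), host, "blocked" if blocked else "redirected")
            )
    return findings


if __name__ == "__main__":
    for line_no, ip, host, verdict in audit_hosts(SAMPLE_HOSTS, ["nas.home.example"]):
        print(f"line {line_no}: {verdict:10} {ip} {host}")
```

To check a real machine, read the contents of C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and pass them to audit_hosts(); the script only reports, so deleting entries remains a manual step in an editor run as Administrator.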
To avoid browser hijacking, use real-time anti-malware defenses; don't give unknown websites permission to install software, toolbars, or ActiveX controls; and keep your browser's security settings at the medium or high level.
Have you been hijacked? Tell us how you fixed the problem, or prevented it from happening again. Post your comment or question below...
This article was posted by Bob Rankin on 6 May 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Help, My Browser Got Hijacked! (Posted: 6 May 2014)
Most recent comments on "Help, My Browser Got Hijacked!" (See all 30 comments for this article.)
07 May 2014
I will never understand why, when doing a reset in Internet Explorer (Advanced tab), it does not fully reset to factory settings!
07 May 2014
On Vista, the Windows Live Essentials 2011 (KB2424419) "Update" installs a Bing Bar as well as replacing your "Windows Live Toolbar".
It offers to replace newer preferences in the place of what you have already selected (Mail, Photo Viewer, etc).
Apparently this was first offered ('Published') on 4/5/2012... and I have yet to choose to install it with no ill effects as far as I can tell.
David W Solomons
07 May 2014
One way to prevent unwanted programmes (PUPs) from sliding into an installation is to use the freeware "unchecky" - it automatically warns about such PUPs and recommends unchecking the relevant boxes.
07 May 2014
Install Unchecky (from unchecky.com) which, in their words, "keeps your checkboxes clear." It works in the background and prevents those annoying toolbars, search engines, etc., from being installed. I've installed it on all my computers and my friends' computers and I'm not getting as many calls to remove unwanted toolbars and search engines as I did before. Unfortunately, most people don't take time to carefully read when installing software and this program seems to take care of unchecking the pre-checked boxes pretty well. I also use Privazer and AdwCleaner which work great.
07 May 2014
About a year ago, my browsers were hijacked and the default search set to AVG's search bar. Yes, that's right, the supposedly wonderful AV/security company. It was a hidden install included with an update of a proprietary software (FixCleaner). I always watch for the "extras" offered during downloads; this was an update, so it had no series of "Next" pages. I proved this by doing a system restore to revert everything and then re-installing the update. Yep, there she went. Needless to say, I repeated the system restore, removed FixCleaner, and blasted off angry emails to both AVG and FixCleaner. No response from either, but I won't ever use anything from either company, ever again.
07 May 2014
I ran into an especially nasty one. The program erased my system restore files so there was nothing to go back to!
07 May 2014
I found that adwcleaner, downloaded from bleepingcomputer.com got rid of conduit, which had been plaguing me, resisting all other efforts.
08 May 2014
Someone I know (not me) did a dumb thing by downloading some "coupon" site software off some pop-up ad. Yep, they got the dreaded Conduit virus. Even after they followed my suggestion of downloading Malwarebytes (which was a chore as conduit apparently tried its best to block it), doing a 9-hour scan (including rootkits) and locking conduit away, it screwed things up so badly they could not access the internet at all, much less even run other basic software. In the end the local Geek Squad had to operate. I hope the "inferno" has a special circle just for those who foist this malware upon us.
08 May 2014
@ Bob Kamino; Microsoft updates are particularly nasty as they destroy system restore points since Windows XP. (Have been enduring Windows 7 for 4 years or so). It's not a good idea to depend on system restore. DOZENS of times I've gone there to turn back the system and found NO restore points. After MS updates. Learn to use a good backup program and use it. I backup about every 3 months or so. And Adwcleaner will find and remove crap that MBAM or Spybot won't find.
08 May 2014
Wait a minute ... I keep seeing, good suggestions for eliminating nasty Malwares, Trojan Horses, Worms and Viruses. Lately, it really does seem that the biggest problems we run into ... Are the Malware/Foistware that comes with Downloads and "Nasty" Websites!!! However, I keep reading a re-occurring theme ... “Let’s blame the Anti-Virus or Malware programs, for this issue.” Please, remember ... The designers of these “nasties”, know fully how to "by-pass" the popular programs, and that is one of the first things, they do.
When, I got the Conduit "drive by" with a download from CNET ... The first thing, I did try to use was Malwarebytes. I even had the Pro version ... It froze at the same spot, every time I tried to scan my PC. Talk about frustrated, I was really upset. Then, I started looking on the Internet, to see what the solution was, to the Conduit issue. ADW Cleaner was mentioned, on several different forums and articles. I first tried using Chameleon, from Malwarebytes. The "designers" did their homework, is all I can say ... Using Chameleon, I got the freezing at the same point and no advancement.
Then, I decided to use ADW Cleaner. Finally, I was able to use my own tools, to continue with the removal of Conduit and for me, Sweet Packs! My Chameleon was the first to work, with a complete scan, then I used my Malwarebytes Pro to scan, again. However, with all of that ... I STILL had Conduit and Sweet Packs!!! I went back to the Internet, for more reading. One of the forum moderators, stated they had a miserable time, getting rid of this mess. They had to go into the Registry, to search for both Conduit and Sweet Packs, both were hidden deep within.
Finally, I had my solution, but, it did take me over all, more than a week to get my Conduit issue resolved. Then, my daughter's PC got the same issue and she lives out in California, while I am in Georgia. Thank goodness for Team Viewer ... I was able to "clean up" her PC, because I knew what to do, by then.
So, back to my original comment … Please, don’t always blame the software program, you are using. The bad guys are smart and know what they are doing, so they know which protective programs, to try and “by pass”, to do their nasty work. It is vital, in today’s world that, all protective programs be kept up to date, with the latest data, as possible. The Bad Boys are mostly coming from China and Russia. They love what they are doing or they would not be doing it … Unless, you subscribe to the “conspiracy theory” that the governments of China and Russia are “allowing” their smartest computer geniuses, to do this for political reasons. Trust me, that theory is out there. :)
08 May 2014
There have been many times when I have been called by a friend or family member and they tell me they have a virus because their browser is acting "weird". I go over there and discover that they have several browser toolbars and when asked they usually say they had recently installed new software.
When I ask how they installed it they say "I just kept clicking 'next' until it was finished" at which time I am about ready to strangle them. I tell them why they have so many toolbars and mostly they look shocked when I let them know that clicking "next-next-next" is the worst thing to do when installing a new program.
After a long lecture and an explanation on how to install programs I get their PC back into working order and do a little maintenance too (update programs, run CCleaner, Defrag, etc.) and they are usually amazed at how well their PC runs.
It never ceases to amaze me how many people do this (AND STILL DO IT!). Word has spread around my neighborhood that I can "fix" a PC fairly quickly and I just say 'No, I just fixed a simple mistake somebody made'.
Keep up the good work, Bob, and keep spreading the word with your great tutorials.
20 May 2014
I just wanted to say thank you so much for your emails and excellent advice. Somehow that blasted Conduit got ahold of my laptop. It was there for months and I had no idea what to do. I was very happy to see you address this issue. I did exactly what you suggested....and voila.....all is back to normal. So, thank you so much.
22 Jun 2014
Just go to your "Programs & Features" in the Control Panel, and search for "Search Protect" (Developer's name is Conduit), and uninstall it ;), check the date of installation of your BING and anything else that was installed at the same time, that's your culprit!
It is a stubborn program, if it doesn't want to uninstall or takes foreverrrrrrr, skip it and go find a program: Revo Uninstaller (free version) that will do it in minutes.
18 Jul 2014
As a retired Senior Help Desk Analyst I know better than to download programs, etc., without doing my homework first and even I get burned once in a while.
I am careful when I decide to download, paying particular attention to "add ons" like browsers or search engines. My first lesson came when I downloaded an application from a site that I trusted, CNET (I also got hit with the Conduit drive-by). My second "ouch" moment was the result of following a link on CNN.com where I picked up a headache that prevented me from accessing any of the anti-virus and anti-malware sites. It also shut down my firewall and disabled Windows Defender and Microsoft Security Essentials, preventing database updates. At that point I was frustrated but thankfully had an uninfected laptop. I downloaded Exterminate It and installed a copy on my desktop and was able to get rid of the issue. I did not renew my subscription with Exterminate It when they failed to respond to a trouble ticket I issued.
I use Microsoft Security Essentials for anti-virus, a paid subscription to Malwarebytes and recently added Advance System Care 7 and thought I was fairly well protected.
Yesterday I was browsing for free movie sites and came across Firedrive.ca and Pultocker.is (I believe Firedrive is connected to Putlocker). I don't download anything pirated or illegal and since there were implications that Putlocker was possibly in violation of copyright laws I passed them by, opting to check out Firedrive.
Firedrive required its own media player for watching movies online and as I started to download the player, Malwarebytes alerted me to a possible problem so I aborted the download.
Afterwards, I closed all of my browser windows and rebooted my PC only to find out that my browser was hijacked by IStart123.com and several unwanted programs were installed.
I opened IOBit uninstaller and began removing the three rogue programs. It took a while but eventually I managed to wipe them out. I opened up Chrome settings and changed the homepages back to my original settings but when I closed and restarted Chrome, IStart123.com was still my homepage. I discovered this site while researching removal of the IStart123 homepage issue and I am working on getting rid of it as I make these comments.
This morning I ran Malwarebytes and eliminated two malware items. I am concerned that the installation I cancelled did not stop and decided that the prudent thing to do is put this information online so that other users will read it and avoid these sites.
I am relatively satisfied with Malwarebytes and Microsoft Security Essentials but the jury is still out on Advance System Care 7. I purchased the Pro version and it turns out that there are several programs that I thought were included but actually turn out to be add-ons that must be purchased separately. That is another issue that is on my list of software to avoid. The information provided when I purchased the application was misleading, ergo, the trust factor is up in the air.
I hope that my experiences with the sites and the software that I purchased to protect me from these issues is helpful to some...
12 Feb 2015
I bought this PC used and I have found a lot of p**n on it. Can all visited sites be permanently deleted? How can this be done? I have tried many of the programs on the net that say FREE but after the scan they request $30 or $40 in order to remove all the problems. I have been afraid to send the money because I don't know these people every time I open . Are there any FREE programs that will help me stop these search engines from popping up every time I go online?
EDITOR'S NOTE: Phil, sounds like you need MBAM. It's a free malware scanner. https://www.malwarebytes.org/
21 Sep 2015
Bogots.com is a type of browser hijacker which was found by anti-virus software when I completely scanned my System. This type of hijacker always redirects me to malicious sites when I search any queries. I was very worried about the functionality of this hijacker. Then I used Automatic Removal Tool to delete Bogots.com from System. If your System is also affected by this hijacker then you should use this tool. For complete information regarding this tool, go through this link - http://www.howtorepairpc.net/how-to-repair-bogots-com-easy-guide-to-delete-bogots-com-completely
25 Dec 2015
The Chrome browser redirected me to piesearch.com that was much like a web search a few days ago. A page claimed that piesearch is a browser hijacker and gave me a step by step removal guide. The tutorial showed me how to reset browser settings, DNS and hosts file that you mentioned above as well.
25 Dec 2015
You are right. Resetting the DNS data and hosts file may remove browser redirect and adware from computers. But to do that, you need to find out some potentially hidden rogue software and remove it from the system. It is reported that browser hijackers and adware often come bundled with rogue programs. You can read this tutorial (http://blog.doofix.com/get-rid-of-piesearch-com-fix-browser-redirect/) that takes piesearch.com as an example to learn more details.
02 Sep 2016
The fastest way to uninstall this nasty virus is to use Windows system restore:
1. In Windows Explorer right click "Computer" and then select "Properties". Then select "Computer Protection" (or whatever it's called in English), located on the left side.
2. There's a button to restore your system settings to a previous date. Pick a date that you feel you can live with. Going back too far and you lose a lot of settings.
3. After the computer reboots and you run Chrome, chances are that the homepage still shows up with Trovigo. The system restore will have done its job if you restored back to a date prior to the virus being added but even after the restore, Chrome will retain the setting to Trovigo because Chrome by default will store your settings on Google's servers and retrieve them the moment you run Chrome again. To get rid of it in Chrome, go to Chrome's Settings screen and under "On startup", click on the link "Set pages" next to "Open a specific page or set of pages.", then change the startup page from Trovigo to your own start page.
For more on how to get rid of browser hijacker program visit: http://www.securingcomputer.com/browser-hijacker/remove-ustarts-xyz-redirect-virus-computer
05 Sep 2016
Yeah, or just install reasoncoresecurity.com, or malwarebytes, or other cheaper software. I don't think that inexperienced users will be very excited to try and remove malware manually.