Stand up against hijackers

Question: When I open my browser, all of a sudden my home page is a site that I don’t want and, no matter what I do, I can’t make this problem go away and get back to my real home page. What’s going on? –V.Y.

Answer: Uh oh, your browser has been hijacked. Some unscrupulous Internet company out there has put a little program on your computer that switches your home page every time you re-start your browser or your computer. Not nice.

The good news is there are ways to fix the problem.

First, here’s how you would normally change your browser’s home page:

  • If you’re using Internet Explorer (“IE”), with your browser open, click Tools at the top, then Internet Options, then change the home page address and click OK.
  • In Netscape 7, click Edit, then Preferences, and then change the home page address in the box that appears.

If your home page has been hijacked, though, these fixes won’t work for long, because the rogue programming on your computer will soon change it back. So how did it happen?

Well, from a programming perspective, here’s what’s happened:

The most common scheme used by home page hijackers is to put a reference to their site in your Start-up folder or a Registry Run key, so that their nasty little bit of programming runs every time the computer is started. Its job is to change your settings. If you try to change any of these back, the programming they put on your computer just keeps changing everything, so you end up with their site in your browser again.

The only way to fix this is to find the hijacking software and remove it.

I can hear a lot of you saying, “But I didn’t download anything that would do this!”

Well, if you don’t regularly update your browser and you don’t use Windows Update to install security fixes, then actually you did, however tacitly. Several of these hijackers exploit an Internet Explorer/Outlook Express bug that lets them secretly install a program (called an ActiveX control) on your system even if all you did was view their web page. Hijackers exploiting this bug will insert one or several .HTA files on your hard drive which run when you start up Windows.

The easiest way to fix a problem like this is to scan your computer for what’s called spyware – programs like this that have been secretly installed by surreptitious downloads or programs you downloaded. Spyware Doctor is a good choice to get rid of this stuff automatically. Also consider the really great CA Anti-Spyware 2007 – formerly called Pest Patrol, which also finds spyware cookies and includes a keylogger scanner.

If you want to fix this nastiness manually, search your computer for *.HTA files. Click Start, then Search or Find (whichever you have), and then Files or Folders and type in *.hta. If you find any files with that extension on their names, rename them so that they can’t be found by the malicious programming. For example, change file.hta to file.hta1 or move the files to another folder on your computer. Then switch your home page back to one you want. If your computer doesn’t do weird things after this, you can permanently delete those files you moved. If it does do weird things, you might want to put them back one by one and keep trying, until you find the offender and then delete that one.

Don’t forget to grab the Microsoft patch which fixes the browser hole that allows the hijacker to work this little piece of dark magic. To get the fix, run Windows Update, found on your Start menu, or take a look at Microsoft knowledge base article KB305660.

Some hijackers, like one called Gohip, install an executable program (ending in .EXE, a file called something like hijack.exe) on your computer. Since .EXE programs can’t be automatically downloaded in the secure browsers (with all the latest security fixes installed), you usually end up with this by downloading a program from the web.

Hijackers sometimes mark these programs as “browser updates” or “browser enhancements” or some other trickery. The hijacker typically offers you all kinds of incentives (freebies, special deals, and stuff like that) to install the evil program which, of course, they don’t tell you is evil.

To remove Gohip specifically, use: http://www.pchell.com/support/gohip.shtml.

Or to remove other spyware, as it’s called, go to this page: http://www.pchell.com/support/spyware.shtml.

There’s another hijacking method. Some sites will find a way to put a shortcut in the Windows Startup folder or a Registry Run key that starts the Registry Editor (“regedit”). The shortcut then tells regedit to add the contents of a hidden file (for instance, something like c:\windows\temp\abcdefg.tmp) to the Registry on every startup. That file contains the information needed to set the hijacker’s home page.
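The startup-based schemes described above (Run key entries, Startup folder shortcuts, .HTA files and regedit launches) can be listed in one pass. This PowerShell script is an added example, not part of the original column. It only reads the two standard Run keys and the two Startup folders, and the two patterns it flags are assumptions taken from the schemes described here, not a complete detection list.

```powershell
# Added example: read-only listing of the startup locations discussed above.
# The two flagged patterns are illustrative assumptions, not a full detection list.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)

function Get-StartupFlag([string]$Command) {
    if ($Command -match '\.hta\b')             { return 'runs an .HTA file' }
    if ($Command -match '\bregedit(\.exe)?\b') { return 'launches regedit (may import settings)' }
    return ''
}

$entries = @()

# Registry Run keys: each value is a command line run at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        $entries += [pscustomobject]@{
            Location = $key; Name = $name; Command = [string]$regKey.GetValue($name)
        }
    }
}

# Startup folders: resolve shortcuts so the real target and arguments are visible.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not $folder -or -not (Test-Path $folder)) { continue }
    foreach ($file in Get-ChildItem -Path $folder -File -Force) {
        $command = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)   # opened for reading only; never saved
            $command = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        }
        $entries += [pscustomobject]@{
            Location = $folder; Name = $file.Name; Command = $command
        }
    }
}

$entries |
    Select-Object Location, Name, Command, @{ n = 'Flag'; e = { Get-StartupFlag $_.Command } } |
    Sort-Object Flag -Descending |
    Format-Table -AutoSize -Wrap
```

A flagged entry is a candidate for the rename-or-move test described earlier, not proof of a hijacker.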

You can be your own best defense against home page hijackers and other malicious programming. To reduce your vulnerability to these attacks:

  • Use a reliable anti-spyware program, such as the ones suggested here. It will tell you how to make sure it always knows the most current problems to look for — make sure you do so.
  • Be skeptical any time you’re offered something for immediate download, especially if it’s from a site you’ve never done business with before. Not saying you should never download anything, but be cautious and be ready to take fast corrective action at the first sign of trouble.