A Hijacker is any software that
resets your browser's settings to point to other
sites. Hijacks may reroute your info and address
requests through an unseen site, capturing that
info. In such hijacks, your browser may behave
normally, but be slower. Search
Hijackers change your search settings. Homepage
Hijackers will change your home page to
some other site. Error Hijackers will
display a new error page when a requested URL is
not found. Hijacking has become very common, as
these examples illustrate. This document explains
how to clear such hijacks of Microsoft Internet
Explorer (IE) manually and how to prevent them by
disabling scripting.
If your Search capability has been hijacked,
your use of IE's Search Button (see below) will
lead to unexpected (and usually unwanted)
results.
What the hijacker has done is to change four
registry values:
- In the Root key HKEY_CURRENT_USER, the key
Software\Microsoft\Internet Explorer\Main has
a value "Search Page" that has
likely been reset to something like
"http://www.secret-crush.com/search/search.php"
- The value "Search Bar" in this key
has also likely been reset to something.
- In the Root key HKEY_LOCAL_MACHINE, the key
Software\Microsoft\Internet Explorer\Search
has a value "SearchAssistant" that
has likely been reset to something.
- The value "CustomizeSearch" in
this key has also likely been reset to
something.
Fixing this is simple. From IE's top menu bar,
select the Tools menu. On this menu, choose
"Internet Options". It will display a
popup dialog box. Click on the Programs tab, to
see a display like that on the right.
Find the button near the bottom labeled
"Reset Web Settings". Give it a click,
and these four registry settings will be
corrected.
Preventing this is simple, too. Follow the
instructions in Disabling
Scripting below.
If your Home page changes
unexpectedly, you have a "HomePage
hijack", and will see the new page each time
you invoke your browser. What the hijacker has
done is to change these registry values:
- In the Root key HKEY_CURRENT_USER, the key
Software\Microsoft\Internet Explorer\Main has
a value "Start Page" that has likely
been reset to something.
- In the Root key HKEY_LOCAL_MACHINE, the key
Software\Microsoft\Internet Explorer\Main has
a value "Start Page" that has likely
been reset to something like http://yourbookmarks.ws/
Fixing this seems simple, but some pests make
repair a bit more difficult. For instance, CWS.Bootconf
sets the first of these entries to
http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37
This is "encrypted"; its decryption works out
to http://www.searchv.com/
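A way to audit the six registry values named above, as an added example that is not part of the original page: it parses text in the layout `reg query` prints, undoes `%xx` escapes of the kind seen in the CWS.Bootconf entry, and flags values whose host is not on an allow-list. The function names, the allow-list and the sample hosts are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# The six values this page names (registry names are case-insensitive).
HKCU, HKLM = "hkey_current_user", "hkey_local_machine"
IE = r"\software\microsoft\internet explorer"
WATCHED = {
    (HKCU + IE + r"\main", "search page"), (HKCU + IE + r"\main", "search bar"),
    (HKCU + IE + r"\main", "start page"), (HKLM + IE + r"\main", "start page"),
    (HKLM + IE + r"\search", "searchassistant"),
    (HKLM + IE + r"\search", "customizesearch"),
}
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value name, data) from `reg query` style output."""
    key = None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip()
        elif m and key:
            yield key, m.group(1), m.group(3).strip()

def audit(text, allowed_hosts):
    """Return (key, name, decoded data, reasons) for suspicious values."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if (key.lower(), name.lower()) not in WATCHED:
            continue
        decoded = unquote(data)  # undo %xx escapes before judging the URL
        host = urlsplit(decoded).hostname or ""
        reasons = ["percent-encoded"] if decoded != data else []
        if host and host not in allowed_hosts:
            reasons.append("unexpected host")
        if reasons:
            findings.append((key, name, decoded, reasons))
    return findings

# Constructed sample input, not taken from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    http://%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64/z?1
    Search Page    REG_SZ    http://search.example.invalid/

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
    SearchAssistant    REG_SZ    http://portal.example.invalid/search
"""
```

Calling `audit(SAMPLE, {"portal.example.invalid"})` reports the Start Page and Search Page entries and leaves the allow-listed SearchAssistant value alone.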
IE supports "scripting", a useful
but dangerous capability that you will want to
disable if you ever visit unknown sites. The
scripts that can be run will be JavaScript or
VBScript, often embedded in a web page you visit.
Such scripts can execute ActiveX controls, which
can do anything on your machine that any software
can do.
To stop scripting the easy way, do this:
From IE's top menu bar, select the Tools menu. On
this menu, choose "Internet Options".
It will display a popup dialog box. Click on the Security
tab, to see a display like that to the right.
Each zone has four security levels available,
ranging from Low Security to High. IE is
configured for Low Security when it is first
installed. Medium or High is what you need.
- High (most secure) Exclude content that
could damage your computer.
- Medium (more secure) Warn before running
potentially damaging content.
- Medium-Low (Same as Medium) No warning
before running potentially damaging content.
- Low Minimal safeguard and warning before
running potentially damaging content.

For the Internet Setting, move the slider to
"Medium". This will ensure that
you are prompted before signed ActiveX controls
are run, and that unsigned ActiveX controls will
not run.
But it will still allow active scripting. So
click on the "Custom Level" button, and
follow these instructions:
- Configure IE so that it does not run Active scripts automatically:
  - On the Tools menu, click Internet Options, click the Security tab, click the Internet Web content zone, and then click Custom Level.
  - In the Settings box, scroll down to the Scripting section, and click Disable under Active scripting and Scripting of Java applets.
  - Click OK, and then click OK again.
- Configure IE so that it does not automatically use items that show active content, such as vertical marquees or animations:
  - On the Tools menu, click Internet Options, click the Security tab, click the Internet Web content zone, and then click Custom Level.
  - In the Settings box, click Disable under Download signed ActiveX controls, Download unsigned ActiveX controls, Initialize and script ActiveX controls not marked as safe, Run ActiveX controls and plugins, and Script ActiveX controls marked safe for scripting.
  - Click OK, and then click OK again.
- Verify that IE's internal Java Just-In-Time (JIT) compiler is disabled:
  - On the Tools menu, click Internet Options, click the Advanced tab, and then click to clear the JIT compiler for virtual machine enabled (requires restart) check box under Java VM.
  - Click OK.
- Configure IE so that it does not run Java programs automatically:
  - On the Tools menu, click Internet Options, click the Security tab, click the Internet Web content zone, and then click Custom Level.
  - In the Settings box, click Disable Java under Java Permissions, click OK and then click OK again.
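To confirm that the Custom Level steps above took effect, this added example (not part of the original page) compares the Internet zone's registry values with the checklist. The action IDs are the ones Windows stores under the `Zones\3` key; the function names and sample values are assumptions, and the JIT compiler check box on the Advanced tab is not covered.

```python
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
DISABLE = 3  # zone action data: 0 = Enable, 1 = Prompt, 3 = Disable
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Action ID -> label of the setting this page tells you to disable.
CHECKLIST = {
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1200": "Run ActiveX controls and plugins",
    "1405": "Script ActiveX controls marked safe for scripting",
}
JAVA_PERMISSIONS = "1C00"  # data 0 = Disable Java

def read_zone():
    """Windows only: read the current user's Internet zone values."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name.upper()] = data
    return values

def audit_zone(values):
    """Return [(setting, current state)] for entries not yet disabled."""
    gaps = []
    for action, label in CHECKLIST.items():
        current = values.get(action)
        if current != DISABLE:
            gaps.append((label, STATE.get(current, "not set")))
    java = values.get(JAVA_PERMISSIONS)
    if java != 0:
        gaps.append(("Java permissions", "not set" if java is None else hex(java)))
    return gaps

# Constructed sample values, not read from a real machine.
SAMPLE = {"1400": 0, "1402": 0, "1001": 1, "1004": 3,
          "1201": 3, "1200": 0, "1405": 0, "1C00": 0x10000}
# What the zone looks like once every step on this page has been applied.
HARDENED = {**dict.fromkeys(CHECKLIST, DISABLE), JAVA_PERMISSIONS: 0}
```

On a Windows machine, `audit_zone(read_zone())` lists whatever is still enabled; an empty list means every setting in the checklist is disabled.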