Homepage Hijackers

Homepage Hijackers are a newer trend; I'm not sure quite what to classify them as (adware? spyware? trojan?). Their function is to change your browser's homepage (and maybe search, etc. pages) to point to their site. This site is almost always loaded with lots of ads, popups and/or other make-money-fast earmarks of a useless portal-potty.

There are two forms of hijacker. The one that is easier to fix is a site that uses an IE vulnerability to automatically set your homepage/etc. to theirs, and that's that. You cuss under your breath, change them back and remember never to visit that site again. The harder one to fix installs a program on your computer (either by exploiting IE's insecure nature, or by enticing the user to install e.g. a "free Web browser enhancement" which contains the hijacking program). Once it gets onto your system, the hijacker program continually changes (or forces) your homepage back to theirs. No matter how many times you try to change it, either from IE or in the Registry, the sneaky software keeps changing it back. According to SpywareInfo, some will even set up your system to lock you out of the Registry, to prevent you from removing their hijacker!
 
Typically, hijacker programs put a reference to themselves in your StartUp folder or Registry Run key, so that the hijacker runs every time the computer is started. If the user tries to change any of these settings, the hijacker changes them back, sticking the user with the hijacker's site unless the hijacking software can first be found and removed.

Several of these hijackers knowingly exploit an Internet Explorer / Outlook Express bug that allows them to be secretly installed on a user's system upon simply viewing the Web page. Hijackers using this bug will plant one or more .hta files on your system which are executed on startup by Windows Scripting Host. To restore normal operation, search your system for *.hta files and rename any that are found (e.g. change file.hta to file.hta_) or move them to another directory. Then change your homepage and other browser defaults to those you prefer. Hopefully they will no longer be changed back! Also, don't forget to grab the Microsoft scriptlet.typelib/Eyedog patch which fixes these script vulnerabilities in IE.

Other hijackers (Gohip et al) install a stand-alone .EXE application on the system to perform the same function. Since .EXE programs can't be auto-downloaded in decently secure browsers and must knowingly be installed by the user, the Hijackers will sometimes be disingenuously labelled as "browser updates" or "enhancements", or any number of similarly flowery terms. The hijacker's site will probably go to extraordinary lengths to cajole the user to install the file, maybe even dangling Free Gifts and Special Offers in front of the user's nose. See the section on Trash App exorcism for detailed removal instructions for an .EXE hijacker.
 
Still other hijacking methods exist. One site uses a *.jse file, loaded at startup, to do its dirty deeds. Still another will place a reference in the StartUp folder or Registry Run key that actually runs Registry Editor, telling it to add the contents of a well-hidden file (e.g. C:\windows\system\2304987.tmp), containing the keys necessary to set the hijacker's homepage, to the Registry on every startup. Unfortunately, the sheer number of hijackers precludes the listing of all offenders.
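
The startup mechanisms described above (.hta and .jse files launched at startup, and a startup entry that has Registry Editor import a hidden file) can be checked for mechanically. The following Python code is an added example, not part of the original page: it classifies autorun command lines taken from the StartUp folder or Registry Run key, and the entry names and paths in SAMPLE are constructed, apart from the 2304987.tmp path quoted above.

```python
import re

# Script types the page names as hijacker payloads launched at startup.
SCRIPT_EXTS = (".hta", ".jse")
_TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted string or bare word


def tokens(command):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def classify(command):
    """Return the reasons an autorun command line looks like a hijacker."""
    toks = tokens(command)
    if not toks:
        return []
    reasons = []
    exe = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    # Case 1: a script file runs at startup, directly or via a script host.
    for t in toks:
        if t.lower().endswith(SCRIPT_EXTS):
            reasons.append("script at startup: " + t)
    # Case 2: Registry Editor is started to import a file on every boot.
    if exe in ("regedit", "regedit.exe"):
        for f in (a for a in toks[1:] if not a.startswith("/")):
            note = "" if f.lower().endswith(".reg") else " (not a .reg file)"
            reasons.append("regedit import: " + f + note)
    return reasons


def audit(entries):
    """Map entry name -> reasons, keeping only the entries that were flagged."""
    found = {name: classify(cmd) for name, cmd in entries}
    return {name: r for name, r in found.items() if r}


# Constructed sample: (name, command) pairs as they would appear in the
# Run key or StartUp folder. Only the 2304987.tmp path comes from the page.
SAMPLE = [
    ("SystemTray", r"C:\WINDOWS\SYSTEM\systray.exe"),
    ("Update", r'"C:\WINDOWS\Start Menu\Programs\StartUp\home.hta"'),
    ("Helper", r"wscript.exe C:\WINDOWS\start.jse"),
    ("Fix", r"regedit.exe /s C:\windows\system\2304987.tmp"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

A flagged entry points at the file to rename or move before restoring the homepage settings, as described above; an unflagged entry may still be an .EXE hijacker, which this check does not cover.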

Links
Info on Browser Hijacking and fixes from SpywareInfo.com
