How to stop a browser hijack


olderairhead
18th Jun 2004, 07:47
If you've ever been infected with a browser hijacker, you know what an infuriating situation it is. For all intents and purposes, your $3,000 computer is converted into a source of revenue for some fly-by-night web site unable to generate legitimate web traffic. Once installed, it usually takes an expert to remove a browser hijacker effectively.

If you've gone through this before, you never, ever want it to happen again. So, how do you prevent being hijacked? This is surprisingly easy.

Dump Internet Explorer
First and most simply, stop using Internet Explorer. If you use either Mozilla (http://www.mozilla.org/), Firefox (http://www.mozilla.org/products/firefox/) or Opera (http://www.opera.com/), you are immune to all known and future browser hijackers.

You are immune for two reasons. First, most people use Internet Explorer, so most malicious code is custom built to exploit it. Second, Opera's and Mozilla's programmers take security very seriously and have made these browsers very secure. It is not possible to install software from a web site using these browsers without at least seeing a prompt of some sort asking permission.

If you have to use MSIE
Switching browsers is the easy answer. For some people, that is not an option for various reasons. Internet Explorer can be made reasonably safe without locking down every useful function, but it requires some third-party software.

The most important thing is to update your browser and operating system. Go to WindowsUpdates (http://windowsupdate.microsoft.com/) and install the latest version of Internet Explorer (currently MSIE 6 Service Pack 1), then go back and install any security patches that are available. Also install any service packs and patches for Windows itself. This one action will save you from the overwhelming majority of browser hijackers.

After you've done that, replace Microsoft Java VM with Sun Java. You can download that from HERE (http://www.java.com/). There are several hijackers that exploit flaws in Microsoft Java VM. Sun's Java is more secure and more up to date. Make certain, in Java's options, that Sun Java JRE is set to work with Internet Explorer.

Open Internet Options from the Windows control panel and click the "Security" tab. Highlight the "Internet" icon and then click "Custom Level". Choose "Medium" from the drop-down box at the bottom, then click the "Reset" button. Click ok, then click "Custom Level" again.

Set your options just as I have listed below:

.NET Framework-reliant components

Run components not signed with Authenticode (Disable)
Run components signed with Authenticode (Prompt)
ActiveX controls and plug-ins

Download signed ActiveX controls (Prompt)
Download unsigned ActiveX controls (Disable)
Initialize and script ActiveX controls not marked as safe (Disable)
Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
Script ActiveX controls marked safe for scripting (Prompt)

Miscellaneous

Access data sources across domains (Disable)
Drag and drop or copy and paste files (Prompt)
Installation of desktop items (Prompt)
Launching programs and files in an IFRAME (Prompt)
Navigate sub-frames across different domains (Prompt)
Software channel permissions (High safety)
Userdata persistence (Disable)

Scripting

Allow paste operations via script (Prompt)
Scripting of Java applets (Prompt)

Next, you need to run a registry script called IE-SPYADS (http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD). This script will place an enormous number of web sites known to be abusive into Explorer's "Restricted Zone". Any site in that list will be unable to run javascripts, java applets, set or read cookies or use ActiveX scripting. You still will be able to visit those sites but they will be very limited in what they can do.

Be aware that MSIE has many security flaws that will allow a clever site designer to bypass security settings, even if their site is in the restricted zone. More must still be done.

Now you need to install SpywareBlaster (http://www.majorgeeks.com/download.php?det=2859). ActiveX programs need to use a CLSID (identifier number) before Windows will execute them. SpywareBlaster stops certain ActiveX CLSIDs from working by setting a "kill bit" in the Windows registry. This will stop ActiveX drive-by installations from programs that use those numbers, as well as preventing software already installed from running if they use that CLSID.

As a final safeguard, install a program called BrowserHijack Blaster (http://www.majorgeeks.com/download.php?det=3786). This program will watch for alterations to the home page, default page and search page as well as watching for Browser Helper Objects being installed. If it detects a change, it immediately will pop up a warning and ask if you wish to allow the change.

Be very careful about installing programs. By far the most common source of malware infection comes from third party bundles. Grokster, for instance, will install a dozen or more unwanted programs.

Finally, you also should disable the preview pane if you use Outlook or Outlook Express. Simply by highlighting an email while the preview pane is active, even to delete it, you could activate any scripting in that email. Visit TomCoyote's (http://tomcoyote.com/outlook1.php) site for instructions on doing that.

Follow the steps above and it will be very unlikely that you ever will be hijacked again. Periodically scan your system with antispyware and antivirus software. I recommend Spybot S&D (http://www.tomcoyote.com/SPYBOT/) for antispyware and use a good virus application for antivirus.
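
As an added example (it is not part of the post above or of the article it reproduces), the Python script below generates a Windows .reg file that applies the same three registry-level controls the post walks through: the Internet-zone settings listed above, Restricted-sites entries for a list of domains (which is what the IE-SPYAD script does) and ActiveX kill bits for a list of CLSIDs (which is what SpywareBlaster does). The domain names and the CLSID are constructed placeholders, not a real block list. The four-character action IDs are the URL-action identifiers Microsoft documents for these zone settings (KB 182569); check them against that list before importing the file. The audit() function compares a "reg export" of the Zones\3 key against the intended values, which is the check to run after import, or whenever a hijacker may have reset the zone.

```python
"""Added example: build a .reg file covering the three registry controls from the post.

Section 1 - Internet-zone (zone 3) URL-action values as listed in the post.
Section 2 - domains pushed into the Restricted sites zone (what IE-SPYAD does).
Section 3 - ActiveX kill bits (what SpywareBlaster does).
The domain and CLSID lists below are constructed placeholders, not real data.
"""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3   # URL-action values used by IE zone settings
HIGH_SAFETY = 0x10000               # value of action 1E05 for "High safety"
RESTRICTED_SITES = 4                # zone ID of "Restricted sites"
KILLBIT = 0x400                     # "Compatibility Flags" bit that stops IE loading a control

ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
AXCOMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Action ID -> (setting name, value). IDs are the URL-action identifiers Microsoft
# documents for these settings (KB 182569); verify against that list before use.
INTERNET_ZONE = {
    "2004": ("Run components not signed with Authenticode", DISABLE),
    "2001": ("Run components signed with Authenticode", PROMPT),
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", ENABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", PROMPT),
    "1406": ("Access data sources across domains", DISABLE),
    "1802": ("Drag and drop or copy and paste files", PROMPT),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
    "1E05": ("Software channel permissions", HIGH_SAFETY),
    "1606": ("Userdata persistence", DISABLE),
    "1407": ("Allow paste operations via script", PROMPT),
    "1402": ("Scripting of Java applets", PROMPT),
}

CONSTRUCTED_DOMAINS = ["hijacker.example", "drive-by.example"]   # placeholders, not a real list
CONSTRUCTED_CLSIDS = ["{00000000-0000-0000-0000-000000000001}"]  # placeholder CLSID


def dword(value):
    """Format an integer the way regedit expects: dword:<8 hex digits>."""
    return f"dword:{value:08x}"


def build_reg(domains=CONSTRUCTED_DOMAINS, clsids=CONSTRUCTED_CLSIDS):
    """Return the text of a version-5 .reg file applying all three controls."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3}]"]
    lines += [f'"{action}"={dword(value)}' for action, (_, value) in INTERNET_ZONE.items()]
    lines.append("")
    for domain in domains:                       # "*" = every scheme for that domain
        lines += [f"[{ZONEMAP}\\{domain}]", f'"*"={dword(RESTRICTED_SITES)}', ""]
    for clsid in clsids:                         # kill bit: IE refuses to instantiate it
        lines += [f"[{AXCOMPAT}\\{clsid}]", f'"Compatibility Flags"={dword(KILLBIT)}', ""]
    return "\r\n".join(lines)


def audit(exported_zone3):
    """Compare a 'reg export' of the Zones\\3 key with INTERNET_ZONE.

    Returns {action: (found_or_None, wanted)} for every setting that is missing
    or differs; an empty dict means the zone still matches the post's settings.
    """
    found = {m.group(1).upper(): int(m.group(2), 16)
             for m in re.finditer(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', exported_zone3)}
    return {action: (found.get(action), wanted)
            for action, (_, wanted) in INTERNET_ZONE.items() if found.get(action) != wanted}


if __name__ == "__main__":
    # Version 5.00 .reg files are UTF-16 with a BOM; newline="" keeps the CRLFs intact.
    with open("harden-ie.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(build_reg())
    print("wrote harden-ie.reg; deviations in a clean build:", audit(build_reg()))
```

Import the file with regedit (the kill-bit keys live under HKLM, so that step needs an administrator account), then export the zone key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ...` style commands and feed the Zones\3 export to audit() to confirm nothing was silently reverted. A kill bit blocks the control on legitimate pages as well, so only list CLSIDs you never want Internet Explorer to load.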

matkat
18th Jun 2004, 08:27
Thanks for the great info, am having just this problem at present. Going onto my homepage and trying to check my mail, I put the first letter of my address in and up pops a porn page. I use Norton internet protection and anti-virus but it keeps coming back, will try your fix.
Many thanks
Matkat

fobotcso
18th Jun 2004, 18:50
Nice, well-crafted, post OAH. You must have gone to some effort to produce that.

I've just received this Further Reading (http://www.windowsbbs.com/showthread.php?t=31794)

olderairhead
18th Jun 2004, 22:54
Thanks for pointing that out fobotcso. That is an interesting BB that I was not aware of. Thanks for sharing.

Which also brings me to another issue. The above post was kindly sent to me via email by a friend, Graham actually, but you probably do not know him. Anyway I thought the information was very good and decided to share it with others on this board.

In hindsight this was not a good idea, I should have done a google search to see if it was posted elsewhere.

I therefore apologise to you and anyone else for trying to share information. Also to Daniel Miessler for his "original" efforts. I am sure we are all grateful for the info.

However I will not be passing on any info again for fear of attack.

But then again that is what this board is famous for. Shoot before asking questions.

P.S. Maybe next time a pm is more appropriate for an explanation.

olderairhead
19th Jun 2004, 02:15
More info for you fobotcso, I followed up with Graham the source of his email and he has provided the following, see here (http://www.spywareinfo.com/articles/hijacked/prevent.php).

The author, Mike Healan, is a friend of Graham's and has confirmed that he wrote the article and was happy for Graham to send it on.

So where did the other bloke get it from? Hint: compare the posting dates.

Maybe you should get up him instead of me!

ratsarrse
19th Jun 2004, 02:34
However I will not be passing on any info again for fear of attack.
But then again that is what this board is famous for. Shoot before asking questions.

Not quite sure what you mean there. Have posts been deleted?


Anyway, good post. I only use IE for windows update. I've been using Avant Browser for quite some time, mainly just because I like it. However, I believe it is based on IE to get round problems with all those websites that are designed just for IE so probably is just as vulnerable as IE to the ever-growing collection of weaknesses and holes. Can anyone confirm or deny this?

It'll be interesting to see how the next version of IE shapes up, given that MS are now supposed to be more security conscious.

Evo
19th Jun 2004, 07:22
Not quite sure what you mean there. Have posts been deleted?


Not by me.


However I will not be passing on any info again for fear of attack.

But then again that is what this board is famous for. Shoot before asking questions.


Well I hope you'll think again. It's a useful post, and I have no doubt it was posted with good intentions. And I very much hope that this particular forum isn't really famous for a hostile response. I don't think that's true, and, if it is, yours is the first complaint that I've had.

At the risk of being corrected by Flying Lawyer, I believe we do need to take a little care over copyright - not an issue in this particular case, as you have the permission of the author, but it's worth crediting material posted here if it isn't original. A block quote summary and a link elsewhere is also a good way of doing it.

I'm slowly putting together a FAQ to guide the non-technical (our 'target audience' here) in making their system secure. Unless you have an objection I'll include the original post in it.

E-Liam
19th Jun 2004, 08:50
Hi Evo,

http://www.computercops.biz/postt7736.html

This link has two articles (two stickies combined), both written by Tony Klein. They should give you some useful info for your own FAQ. Please ask if you need any more specific info, and I'll be glad to help. :)

Cheers

Liam

fobotcso
19th Jun 2004, 08:56
Hey, wassup? Don't be sensitive. Nobody was flaming anybody. I was genuinely appreciative of the post and it's a valuable topic.

My offering was meant to complement (and compliment) your post. It wasn't identical. I get regular mailings from a number of sources (often using IE!), including Microsoft, and this happened to be one of them. They don't always agree....

Keep 'em coming.

I kinda miss the days when this was an easy going relaxed Forum without the competitiveness to be "The Good Guy" that we see so often these days. There was once a time when it was Okay to make a helpful suggestion without the certain knowledge that your answer was absolutely correct in every detail. And if you weren't absolutely correct, either it didn't matter or someone more knowledgeable would put the issue straight with style and humour without being attention-seeking or arrogant.

Before you know it, we'll be like the Military Forum. And I don't go there any more!

Capeesh?

olderairhead
19th Jun 2004, 09:58
fobotcso, I took "Nice, well-crafted, post OAH. You must have gone to some effort to produce that." followed by a link as an insinuation that I was pretending to have scripted this myself.

If I am wrong I apologise, if not then I stand by my posts.

For the record I used to post in different areas of Pprune but noticed that some were happy to "pull the gun" on someone, and I do not necessarily mean me, without justification. I decided not to be part of that.

Since then I have only been a "reader".

This is my first post for a considerable amount of time and I felt that the gun had been pulled again. Hence my reaction.

Someone please tell me I am wrong or hibernation here I come again.......

And Evo it was not here that I saw these problems. This is one of the better areas of Pprune.

So now that I have all that off my chest can we please get back to the original purpose of the post being how to avoid hijacking of your browser...

fobotcso
19th Jun 2004, 15:15
Nope, I meant exactly what I said and in the spirit that the words conveyed. So, I'm really sorry you took it wrong. There was no criticism in my mind.

I've been coming here for more than the 4 years that my Profile suggests. In fact I started when there were only 17,000 members and my first several hundred posts were lost in Armageddon. About the same as you OAH I guess. But it seems that you have been pi$$ed off more than somewhat by the quick-draw merchants.

Me, I'm just a thick-skinned crabby old beggar and don't give a big rat's arse :D about flaming. I come here to help and be helped but the speed with which this Forum is going downhill is likely to make me follow your example and take my bat and ball somewhere else.

PS, ratsarrse I believe that Microsoft had intended no further revisions to IE 6.1 but have recently reversed that decision because of the clamour that greeted their announcement.

olderairhead
19th Jun 2004, 23:26
Comments accepted fobotcso, sorry for the outburst. :ok:

Maybe I need thicker skin or take on your attitude and don't give a ratsarse!

Truce :p