For years, companies such as Microsoft, Netscape and many others have been adding links and changing browser settings without permission.

One example: When you install AOL or any of its affiliated programs, such as ICQ or AOL Instant Messenger, without asking it adds http://free.aol.com to Internet Explorer’s Trusted Sites zone.

Any site in the Trusted Site list is treated as a ‘safe site’ and by default all of IE’s security options are set at their least restrictive for these sites. This means if you visit the AOL site, AOL can run any script, download items to your desktop and perform a variety of functions without requesting your permission.

AOL/Netscape -- automatically adds itself to Internet Explorer's Trusted Sites zone. To eliminate it: Select Internet Options from the Tools Menu, click the Security tab, click Trusted Sites and then the Sites button, locate http://free.aol.com in the list of sites, select it, then click Remove.

It’s easy enough to undo such changes. Indeed, most browser hijackings require little more than a resetting of options.

Advanced Hijacking Techniques

Some browser hijackings, though, are more destructive. For example, home page hijacking. In its simplest form, home page hijacking is very easy to recover from:

Select Internet Options from the Tools Menu, on the General tab type your desired home page’s address into the Home Page box, and click OK.

That’s easy enough. But some home page hijackings go further. Three techniques used include:

• Removing Internet Options from your browser’s Tools Menu, and from the Control Panel, so you are unable to reset your home page or make any changes whatsoever to your browser settings.
• Editing your registry settings so the next time you launch your browser the home page is reset to the hijacker’s page. In this case, you have to go into your registry and make changes in order to weed out the home page squatter.
• Installing a program which runs each time you boot your computer and then resets your home page to the hijacker’s page. With this last technique, even if you modify the registry your home page will continue to be hijacked each time you reboot.

How hijackers strike

There are numerous ways.

• By installing software which changes your browser settings. This may happen with commercial software, but is much more common with freeware or adware.
• By visiting a site which exploits a browser bug to change settings without your permission.
• By visiting a site which persuades you to allow your settings to be changed, usually by offering freebies. When you accept the offer, your browser settings are changed or software installed. While such sites may tell you of their intentions, usually it’s in the fine print or couched in deceptive terms.

Defending yourself

Fortunately, most hijacking attempts can be prevented by using a few common sense measures:

• Make sure you have the most recent patches for your browser.
• Read ‘free’ offers and advertisements very carefully.
• Use anti-hijacking tools such as IE-Spyad; StartPage Guard; and Script Sentry

Step-by-step: Fixing a hijacked Internet Explorer

Note: These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups and don’t attempt them at all if you’re not familiar with registry editing.

1. If your Control Panel’s Internet Options have been disabled, get them back by locating the file control.ini.

Go to Start -> Find/Search to locate it. 
Normally located in c:\windows. 

Open control.ini in Notepad and look for the lines:

[don’t load]
inetcpl.cpl=yes

Delete the  inetcpl.cpl=yes    line, close and save the file and reboot your computer.



Close any open Internet Explorer windows.

2. Next    Click Start -> Run,

a. type regedit and click OK to open the Registry Editor.

b. Navigate to:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer

If you find sub-folders called restricted or control panel, delete them.

Check for the same sub-folders in:

HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Internet Explorer

and delete them, too, if they exist. Then close Regedit.

3. If your search pages have been redirected, re-establish the defaults:

a. Again open the Registry Editor and navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

 

• In the Root key HKEY_CURRENT_USER, the key Software\Microsoft\Internet Explorer\Main has a value "Search Page" that has likely been reset to something like "http://www.secret-crush.com/search/search.php"
  
• The value "Search Bar" in this key has also likely been reset to something.
  
• In the Root key HKEY_LOCAL_MACHINE, the key Software\Microsoft\Internet Explorer\Search has a value "SearchAssistant" that has likely been reset to something
  
• The value "CustomizeSearch" in this key has also likely been reset to something.

4. Go to  IE's top menu bar, select the Tools menu.
      Scroll to  "Internet Options".
      It will display a popup dialog box.
      Click on the Programs tab, to see a display like that on the right.

      Find the button near the bottom labeled "Reset Web Settings".
      Click, and these four registry settings will be corrected.

   

  Reset your home page to your chosen page:

5. In Internet Explorer, choose Internet Options from the Tools Menu
   and, on the General tab, type in your preferred home page.

6. Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference.
   
   
   
   
7. BHO'S: A Browser Helper Object,  is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web.  They can also routinely conflict with other running programs, cause a variety of page faults, run time errors, and the like, and generally impede browsing performance
   
   Use BHODemon   Bho Captor or BHOCop to control which Browser Helper Objects (BHOs) are loaded when you open your browser. When you run the program, it will let you know which BHOs are being loaded. Usually, you should see nothing more than Acrobat Reader (Acroiehelper.ocx) and perhaps an anti-virus helper, such as Norton’s NavShExt.dll. If BHODemon reports any other BHOs, click the Details button and then More Details to check the source.
   
   If you’re suspicious of any BHO, disable it (usually by unchecking it from the list provided by the programs).
   
   
   
8. Click Start > Run > msconfig and check the programs under the Startup tab. If you find an entry which contains    regedit.exe /s         disable it, and disable other programs you know to be suspicious.
   
   

   a.   Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact.

    

   

    

   Note: If you’re using Windows NT, 2000 or XP, this information is contained in the registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

   Which should contain the value explorer.exe.
   
   Click OK to exit from msconfig and reboot your system.