Thursday, July 1, 2004

Hijacked

Homepage hijackers are pieces of code or software that change your default homepage setting in Internet Explorer from your own choice to the hijacker’s. Even if you manually change IE’s default homepage setting, it will simply revert once you restart your PC. And trust me, the websites set by the hijackers to be your default homepage can be pretty sick.

So what causes your homepage to be hijacked?

The single most important factor is spyware. (Read more in Spider’s October 2003 issue.) Spyware, which sends information about your surfing habits, can just as easily send information about your PC, ensuring that a third party has access to your browser’s settings.

Cookies also play an important role. You have no clue as to how many cookies are installed on your PC when you are visiting any website. Any of these cookies can be the culprit.

A program installed on your PC ensures that the hijacker’s homepage remains the default one. This program can come from any source (spyware mostly).

Some programs use the Windows startup registry. They put a reference to their hijacking program in the registry, so every time you start Windows, this program runs and your default settings are changed.

Hijacks can also happen if you’ve downloaded an executable file that promised to enhance the abilities of your browser or update it. Such executable files are nothing but a means of hijacking your browser.

Some hijackers exploit a security loophole in Internet Explorer. This loophole allows the hijacking program to be installed on your PC while you are viewing a website or, by changing your system’s settings, causes the hijacker’s commands to run. Through this program, they will install one or more files which have an .hta extension. These files will be run on Startup by Windows Scripting Host and hijack your browser’s settings.

Detection and Removal

1) Install good anti-hijack software, keep it updated and run it regularly.

2) Perform a “*.hta” search on all your drives and see if you can locate any files with “.hta” extensions. If you find such files on any of your hard drives, change their extension to either “.hta1” or “hta_1” so that they cannot be accessed by any malicious code.

3) Edit your Windows registry so that the hijack program does not load every time you start your PC. For more technical details on how to edit your registry, check out the sites listed in this article. A word of caution here: if you don’t know what you’re doing, then you’d better not mess with the Windows registry.

When my PC got hijacked, I used a combination of the following software before I got rid of the annoying homepages:
Cool Web Search Shredder
HijackThis 1.97.7
Lavasoft Ad-Aware 6.0
Spyware Blaster
Spyware Guard
SpyBot Search and Destroy
Zone Alarm Firewall
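
The checks in steps 2 and 3, as an added example (not part of the original article): a read-only PowerShell script that shows the current IE homepage, lists the Windows startup registry entries and flags any that reference an .hta file, then searches the local hard drives for .hta files. It assumes PowerShell 3.0 or later and the standard Run and Internet Explorer\Main registry keys, which the article itself does not name.

```powershell
# Read-only audit: nothing is renamed, deleted or written to the registry.
# Startup ("Run") keys that Windows processes at logon (assumed: the standard ones).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Current Internet Explorer homepage for the logged-on user.
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
Write-Output "IE Start Page: $startPage"

# List every startup entry and mark those whose command line mentions an .hta file
# or mshta.exe (the Windows host program for .hta files).
$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            HtaRef  = $command -match '\.hta\b|mshta'
        }
    }
}
$entries | Sort-Object HtaRef -Descending | Format-Table -AutoSize -Wrap

# Search all local fixed drives for .hta files (step 2), newest first.
# -Filter '*.hta' can also match longer extensions such as .hta1 through 8.3
# short names, so the extension is compared exactly afterwards.
$drives   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' |
    Select-Object -ExpandProperty DeviceID
$htaFiles = foreach ($d in $drives) {
    Get-ChildItem -Path "$d\" -Filter '*.hta' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.hta' }
}
$htaFiles | Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize -Wrap
```

Some legitimate programs ship their own .hta files, so review each result before renaming anything.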

Long-term measures

1) Be very vigilant about installing any new software, especially if it makes tall claims.

2) Make sure you have good spyware detection and removal software installed and running.

3) Set your Internet Explorer’s Privacy Level to High (Tools => Internet Options => Privacy), and then click on the “Edit” button below. You can use the Edit option to enable cookies for websites you normally have to visit, for example Hotmail or Yahoo, and disable the option for the rest of the websites.

4) Update your copy of Windows. I know it is a hassle but there are many security patches to correct the loopholes within your present operating system which may fall prey to a hijack attempt.

5) Beware of installing these notorious spyware programs on your system: BonziBuddy, Comet Cursors, Direct Dialer, Gator, Kazaa Media Desktop, and ZapSpot Games.

The sites
Ad-Aware http://www.lavasoftusa.com/
Cool Web Search Shredder www.spywareinfo.com/~merijn/downloads.html
HijackThis 1.97.7 www.soft32.com/download_19015.html
Merijn www.spywareinfo.com/~merijn/index.html
SpywareBlaster www.javacoolsoftware.com/spywareblaster.html
SpywareGuard www.javacoolsoftware.com/spywareguard.html
Spybot Search & Destroy http://www.safer-networking.org/
Spy Sweeper www.webroot.com/wb/products/spysweeper/index.php
Windows Update windowsupdate.microsoft.com
Zone Alarm Firewall www.zonelabs.com