Easy Desk Newsletters


Has your Home Page been Hijacked?

Having your Internet Explorer home page hijacked seems to be quite common these days. Some people think that when their home page is hijacked they have been attacked by a virus. At this point in time, I personally have yet to see a virus hijack anyone's home page, search page, or Internet Explorer. A Hijacker is really just adware trying to get you to go to some particular site, and removing a Hijacker is usually simple enough.

My wife loves to research and surf the Internet, but she frequently gets into trouble on the Internet and relies on me to fix her computer. I got so tired of having to manually find and remove these pesky hijackers that I decided to add a hijacker removal routine to WinSafe and WinSafe XP. Now, when she clicks on the WinSafe Exit icon, WinSafe lets her know if her home or search page has been hijacked and then asks her if she wants WinSafe to fix it. When she clicks Yes, her home page and Internet Explorer settings are automatically restored. WinSafe also tells her what files have been added to her system and what location in the Registry the Hijacker file is being loaded from, which in turn lets me easily delete the Hijacker files. Since then we have developed Special Agent P.C. Secure, which kills the hijacker within moments of its arrival.

If your browser gets hijacked you may have a problem reaching the site you want: it takes you to some site you never intended to visit. As an example, you would like to visit our site, so you type www.easydesksoftware.com into the browser's address window; but instead, your browser takes you to a porn site. This happens because some program added site names to the hosts file, pointing each of those sites to the porn site's IP address. This is done either by a script embedded in a site you visit while you're surfing the Internet, or by a program file that was downloaded onto your machine while surfing.

In order to fix this problem, you need to edit or delete the hosts file. Do a search for the file named hosts; the file has no extension, so editing the hosts.sam sample file will not help. On Windows 9x and ME you will find the hosts file in your Windows folder; on Windows NT, 2000, 2003, and XP it is located in the Windows\System32\Drivers\etc folder.

Either delete it or edit it in Notepad. The hosts file is not a required file, so deleting it is quite safe. Reboot, and if you still have the problem you have a Hijacker on your system. You have now fixed your browser, but you will still need to locate the hijacker program. Special Agent P.C. Secure should be able to locate it for you.
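The following PowerShell script is an added example, not code from the newsletter or from Easy Desk Software. It reads the hosts file from the Windows NT/2000/XP location given above, lists every entry that points a name at an address other than the local machine (the redirection the article describes), and, if it finds any, saves a dated copy before resetting the file to the single loopback line Windows ships with. The `Get-HostsEntry` function name and the backup naming are my own choices; the script assumes an elevated PowerShell prompt, since the file is not writable otherwise.

```powershell
# Added example (not the newsletter's own code). Run from an elevated prompt.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntry {
    param([string]$Path = $HostsPath)
    # Addresses that only point back at this machine (0.0.0.0 is the usual
    # ad-blocking sink); anything else sends the name to a remote host.
    $local = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split '#', 2)[0].Trim()     # strip comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }      # an address with no name is inert
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Address  = $fields[0]
                Name     = $name
                Redirect = ($local -notcontains $fields[0])
            }
        }
    }
}

$suspect = Get-HostsEntry | Where-Object Redirect
if ($suspect) {
    "Entries that redirect a name to a remote address:"
    $suspect | Format-Table -AutoSize
    # Keep a copy so any legitimate entry can be put back by hand, then reset
    # the file to the one loopback line Windows installs by default.
    $backup = "$HostsPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $HostsPath -Destination $backup
    Set-Content -Path $HostsPath -Value "127.0.0.1`tlocalhost" -Encoding Ascii
    "hosts file reset; previous copy saved as $backup"
} else {
    "No redirecting entries found."
}
```

Review the listed entries before trusting the reset: a company intranet or a developer's test setup can legitimately map names to other addresses, which is why the script keeps the backup rather than simply deleting the file as the article allows.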

Trying to find a Hijacker without knowing the name of the file that was downloaded onto your machine is difficult but not impossible. If you have a snapshot of your file system and Registry to compare with the current file system and Registry, you can easily find the Hijacker.

So let's say you do not have WinSafe installed and Special Agent P.C. Secure cannot find it, and you do not have a prior file system and Registry snapshot available, such as one made by Registry Watch. The best way to find the Hijacker is to first manually restore your home page. Open the Internet Options applet in the Control Panel and, on the General tab, change your home page. To reset your search page, select the Programs tab and click Reset Web Settings. Reboot and see if it gets hijacked again. If not, then you're done: a site you visited changed your home page using a script and did not download and install any file(s) that would continuously hijack your home page.

If your home page DOES get hijacked again after rebooting, check the Startup group in Msconfig (type Msconfig in the Run window) and see if the Hijacker is there. If you know what each startup item is, you should be able to find the Hijacker. If you don't know what has been added, maybe you have a backup Registry. If you do, reboot to a command prompt, Safe Mode or the Recovery Console, depending on which version of Windows you have, and replace the Registry files with the backup. This should stop the Hijacker from hijacking your home page. You can also download HijackThis from the Internet; the program lists every file loaded from the autorun keys.

I pretty much know what my file system looks like and I can spot a file name that is out of place, like winlogon.exe in my Windows folder rather than my Windows\System32 folder, or echwqs.exe in the System32 folder, or a *.vbs file. If you're familiar with your file system, you can use Msconfig to find the name and location of the file by checking the Startup group and seeing what has been added.

OK, so you don't know what does or doesn't belong on your system. You never got around to making a backup, and you don't have Windows 98, ME or XP, which make Registry backups for you. You also don't have WinSafe, Registry Watch or even System Sentry, or other similar software on your computer yet. Most such software can fix your home page only if it was installed BEFORE you got hijacked, because otherwise it wouldn't know what your home page was originally set to or what files have been added. Spyware removal software uses a database to look for known malware. The $30.00 you did not spend is going to cost you some time now, so let's get to work.

A Hijacker will sometimes keep a backup copy of itself to ensure that it can stop you from fixing your home page. It may copy itself to another file name and add a second startup Key to the Registry.

You will need to reboot Windows in Safe Mode, which stops all programs from starting up, so the Hijacker will be unable to reinstall its startup Key in the Registry. Since the hijacker file will not be running, you will be able to delete the file(s) when you find them. Next, open Msconfig: type Msconfig in the Run window and click OK. Click on the Startup tab and uncheck all the program entries in the window. Now place a check mark in any one of the entries that is not familiar to you. If you recognize any of the entries in the Startup group and are 100% sure that they belong there, you can check them as well for the first run that we will do. Be sure to pay attention to which entries you have checked in the Startup group. Now fix your home page in the Control Panel. Then open the Registry, go to the following keys and delete them if they exist, in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER:
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Now reboot in normal mode.

Once you're back in Windows, verify that your home page and search page have not been hijacked by opening the Internet Options applet. DO NOT START YOUR BROWSER. Go back to Msconfig, check one more entry, reboot and verify your home page and search page again. Once you find the entry that starts the Hijacker, reboot into Safe Mode and remove that startup Key. Read the Key carefully and find the file that the Key points to; that is the file you will need to delete to get rid of the Hijacker. But as I have mentioned, it may have a backup Hijacker, so continue the process until you have rechecked your entire Startup group.
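The Startup group check above works one entry at a time through Msconfig. As an added example (my code, not the newsletter's or Easy Desk Software's), the PowerShell function below produces the same inventory in one pass: it walks the Run, RunOnce, RunServices and RunServicesOnce keys in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, picks the program file out of each command line, and reports whether that file exists and whether it carries a valid Authenticode signature. The function name `Get-RunKeyEntry` and the path-extraction regex are my own; the key names are the ones the article gives.

```powershell
# Added example (not the newsletter's own code): inventory of the autorun keys.
function Get-RunKeyEntry {
    $hives = 'HKLM:', 'HKCU:'
    $keys  = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
    foreach ($hive in $hives) {
        foreach ($key in $keys) {
            $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$key"
            if (-not (Test-Path -Path $path)) { continue }
            $values = Get-ItemProperty -Path $path
            # Get-ItemProperty adds PS* bookkeeping properties; skip those.
            foreach ($prop in $values.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }
                $command = [string]$prop.Value
                # The program is the first token: a quoted path, or a run of
                # non-space characters before any arguments.
                $file = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
                        elseif ($command -match '^\s*(\S+)') { $Matches[1] }
                        else { $command }
                $file = [Environment]::ExpandEnvironmentVariables($file)
                $exists = Test-Path -LiteralPath $file -PathType Leaf
                $signature = if ($exists) {
                    (Get-AuthenticodeSignature -FilePath $file).Status
                } else { 'FileMissing' }
                [pscustomobject]@{
                    Key       = $path
                    Name      = $prop.Name
                    Command   = $command
                    File      = $file
                    Signature = $signature
                }
            }
        }
    }
}

# Unsigned or missing programs are the ones to look at first; a name like
# echwqs.exe in System32 is exactly the kind of entry the article says to notice.
Get-RunKeyEntry | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

A `NotSigned` status is not proof of anything on its own, since plenty of older legitimate software is unsigned, but it narrows the list before you start the reboot-and-check cycle. Before deleting the RunOnce and RunServicesOnce keys as the article instructs, save them with `reg export` (for example `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce runonce-hklm.reg`) so a legitimate entry can be restored.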

Suppose that after going through all the Startup group items your home page was not hijacked. The Hijacker is then being started by your browser, so let's open the browser now. A Hijacker can be started when you open your browser by adding a Registry Key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. Under this Key you may see Keys like {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}.

Reboot in Safe Mode, reset your home page, and rename all the SubKeys by adding a dash to the front of the Key name, like "-{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Now reboot and open your browser; the Hijacker should not run. Close your browser and rename one Key back to its original name by removing the dash. Open your browser to see if the Hijacker has returned. Close the browser and repeat the process until all Keys have been renamed back. Once you have found the Key that starts the Hijacker, you will need to view the Key it points to. Go to HKEY_CLASSES_ROOT\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, open this Key and view the contents of the InprocServer32 SubKey. In my example the (Default) value is set to C:\ACROBAT5\READER\ACTIVEX\ACROIEHELPER.DLL; this file belongs to Acrobat Reader. But your Key will contain the Hijacker.
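The two steps above, resolving each Browser Helper Object to its DLL through the CLSID key and disabling a BHO with the dash-rename trick, are automated in this added example (my code, not the newsletter's or Easy Desk Software's). `Get-Bho` lists every BHO key with the DLL its InprocServer32 default value names, whether that file is present, and its Authenticode signature status; `Disable-Bho` and `Enable-Bho` rename a key with and without the leading dash so you can test one at a time exactly as the article describes. The function names are my own; the registry paths are the article's. Run it from an elevated prompt, since the keys live under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not the newsletter's own code): BHO inventory and one-at-a-time disabling.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-Bho {
    if (-not (Test-Path -Path $BhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $BhoKey) {
        $name = $sub.PSChildName
        # A key already renamed with the dash trick still identifies the same CLSID.
        $clsid = $name.TrimStart('-')
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -Path $server) {
            # The (Default) value of InprocServer32 is the DLL Internet Explorer loads.
            $dll = (Get-ItemProperty -Path $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
        $status = if (-not $dll) { 'NoServerKey' }
                  elseif (-not (Test-Path -LiteralPath $dll -PathType Leaf)) { 'FileMissing' }
                  else { (Get-AuthenticodeSignature -FilePath $dll).Status }
        [pscustomobject]@{
            Key       = $name
            Disabled  = $name.StartsWith('-')
            Dll       = $dll
            Signature = $status
        }
    }
}

function Disable-Bho {
    param([Parameter(Mandatory)][string]$Clsid)
    # Prefixing the key name with a dash keeps the key but stops IE from loading it.
    Rename-Item -Path "$BhoKey\$Clsid" -NewName "-$Clsid"
}

function Enable-Bho {
    param([Parameter(Mandatory)][string]$Clsid)
    Rename-Item -Path "$BhoKey\-$Clsid" -NewName $Clsid
}

Get-Bho | Format-Table -AutoSize -Wrap
# Example of the article's procedure on one key (CLSID from the article's own
# Acrobat Reader example): Disable-Bho '{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}'
# then test the browser, and Enable-Bho with the same CLSID to put it back.
```

A BHO whose DLL is missing, unsigned, or sitting in an odd location such as a temp folder is the first candidate to disable and test. On 64-bit Windows, the 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node, so set `$BhoKey` to that path as well when checking such a machine.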

Reboot in Safe Mode, delete both Keys, the CLSID Key and the Browser Helper Objects SubKey that points to the Hijacker, and delete the Hijacker file. Congratulations, you have now successfully killed the Hijacker.

©2009 Easy Desk Software