Hijacking Your Computer

[Guest St. Benard]

The attacker uses a program that appears to be the server to the client and appears to be the client to the server. This attack may be used simply to gain access to the messages, or to enable the attacker to modify them before retransmitting them.

 

Author: Mike Healan

 

There is a despicable trend that is becoming more and more common where the browser settings of web surfers are being forcibly hijacked by malicious web sites and software which modifies your default start and search pages.

 

Sometimes internet shortcuts will be added to your favorites folder without asking you. The purpose of this is force you to visit a web site of the hijacker's choice so that they can artificially inflate their web site's traffic for higher advertising revenues.

 

In some cases, these changes are reversible simply by going into internet options and switching them back. Not always, however. Sometimes it's necessary to edit the windows registry (gasp!) to undo the changes made. Sometimes there is even a combination of registry setting and files clandestinely placed on your hard drive that redo your settings every time you reboot the computer.

 

No matter how often you change your settings back, they are changed again the next time you restart. There have even been cases where internet options have been removed from the tools menu by registry hacking to prevent you from controlling your own computer!

 

Even AOL has become a browser hijacker by placing it's web site free.aol.com in Internet Explorer's trusted sites security zone, thereby bypassing the most frequently used security settings. This occurs after installing their AOL software, AOL Instant Messenger, Netscape 6.x, and ICQ2001b has reportedly done this. AOL then exploits this by downloading ActiveX components to your computer without your consent. The CWS trojan also does this.

[Guest Freeway]

Dump Internet Explorer

 

If you use either Mozilla, Firefox or Opera, you are immune to all known and future browser hijackers.

 

You are immune for two reasons. First, most people use Internet Explorer, so most malicious code is custom built to exploit it. Second, Opera's and Mozilla's programmers take security very seriously and have made these browsers very secure. It is not possible to install software from a web site using these browsers without at least seeing a prompt of some sort asking permission.

[Guest Mikey]

Go to WindowsUpdates and install the latest version of Internet Explorer (currently MSIE 6 Service Pack 1), then go back and install any security patches that are available. Also install any service packs and patches for Windows itself. This one action will save you from the overwhelming majority of browser hijackers.

 

http://v4.windowsupdate.microsoft.com/en/default.asp

[Guest Augustine]

Here is what I found to cure my situation of having home page hijacked to a pseudo "about:blank" page. By the way, the real web page is revealed below.

 

To Remove “About:Blank” Hijacker Adware In Windows XP Home edition Service Pack 1 with Internet Explorer 6.0 (probably works in NT and 2000 with some directory name changes only)

 

My Norton Antivirus did not detect this trouble and I’ve read Several confusing approaches that did not work for me.

 

Programs Needed:

 

Reglite.exe (available at “ http://www.resplendence.com/download/reglite.exe ”)

 

Microsoft Recovery Console

(an option available on your Windows CD or root drive) run “X:i386winnt32.exe /cmdcons” where “X” is either CD drive letter or is “C” for your root.

 

HiJackThis.exe

(available at “ http://download.com.com/3000-2144-10227352.html ”)

 

There are two application extensions (.dll) files that Need to be deleted. One is hidden (thanks Akadia!), one is detected with “HiJackThis.exe”

 

1) With “Reglite.exe” find name of hidden file:

 

Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows” The “value” window reveals the hidden file name. (mine was “hlpl.dll”, yours may be different!) In this example let’s call it “hidden.dll”

 

2) Rename the hidden file:

 

Close Windows and reboot using “Windows Recovery Console” Go to “c:Windowssystem32” and do two things. Change file from read only by typing “attrib –r hidden.dll” Then rename it (I don’t know why, but this procedure did not work until I renamed it) type “rename hidden.dll nasty.dll” (and remember that “hidden.dll” is for this explanation only use the name you found earlier) Type “exit” and reboot to Windows.

 

3) Edit registry to remove hidden file

 

Run “reglite.exe” again. Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows” Delete the file in “value” window, the “size” window changes also. “Apply” changes and exit “reglite.exe”

 

4) Edit registry to remove the second file

 

Run “HiJackThis.exe” and scan the registry. Check the boxes to remove the following entries:

“R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)

R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)

R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank” (as you can see my second .dll was called “jheckb.dll” yours may be different) For this example let’s call it “obvious.dll”.

 

Finally delete the two .dlls (“hidden.dll” and “obvious.dll”) You should be running again.

 

By the way, if you go offline with Internet Explorer and type OK To these nasty adware windows you will see the guys who benefit. From this hijacker. I found:

www.palsol.com

www.likesurfing.com

www.vn.msie.cc (the real web page)

 

They seem to be selling “adware/spyware protection” Pass the word, Boycott them, Who needs to be extorted for “protection money”?