
Hijacking

Hijacking is rapidly becoming the number one scourge of the Internet.

Here is a typical scenario. You have been surfing the web for hours. You close your browser and take a break. You come back to your PC a few hours later and fire up your browser. Wait a minute! That isn't my home page! You realize that your usual home page is no longer there and has been replaced by some new page. Pop-up ads start appearing out of nowhere, even when your browser is closed.

Your browser has been hijacked. Hijacking can be a simple pain in the neck or an open door for Trojans to infect your computer, resulting in loss of valuable information such as passwords and credit card or banking information AND loss of control of your system.

Some simple steps to help guard against being hijacked:

1. NEVER, EVER install anything that is offered to you while surfing. Only install software that you recognize or trust. Before installing anything, read the EULA (End User License Agreement). Frequently it will disclose that the software you are installing contains other programs that will serve you ads or monitor your usage and browsing. If the EULA says so, cancel the installation and delete the software.

2. Obtain and install Mike Lin's free StartUp Monitor, a tiny app that will ask you before anything new is allowed to run at start up. An excellent companion program is Mike Lin's StartUp Control Panel. (Note: After installing the control panel module, you open it through Windows Control Panel by clicking on the Startup icon.)

3. Use an alternative browser such as Mozilla. (Bonus: Mozilla contains a popup blocker.)

4. If you still use Internet Explorer, use Sun Java rather than Microsoft's version or download the latest version of Microsoft VM by keeping your Windows updates current.

5. You can actually lock your Internet Explorer homepage to prevent its being changed by editing the registry. Read the instructions carefully before downloading and unzipping. Set a restore point before editing your registry.

Start Page Guard is a free app that will lock your browser homepage for you and also keep your default search engine from being changed. However, it does not run in the background and only checks at start up. It seems to have suddenly disappeared from the Internet. If I find a new source, I'll link it here.

BHODemon v.2 (1402 kb) will make a list of all the browser helper objects (BHOs) that load when you open your browser and allows you to delete BHOs you do not want to run. Highlight a BHO and click on DETAILS for more information about it. Be sure to read the short tutorial.

Spyware Blaster protects your computer from becoming infected and/or victimized by more than 1500 spyware programs. This is not a spyware remover like Spybot or AdAware. It works to prevent spyware ActiveX controls from automatically downloading malware to your computer, while not interfering with good ActiveX controls. (Note: This program contains a homepage lock for Internet Explorer but not Mozilla. Be sure to check for updates weekly.)

6. Check Add/remove programs regularly in control panel for anything you did not intend to install.

7. Commercial protective products such as Webroot Spy Sweeper (PC Magazine editor's choice and the MS/WUGNET shareware download of the week; regularly $29.95 but discounted to $19.95 using coupon SWEEPSPOW) are available. Spy Sweeper is a 2.38 MB download and has a free trial with one update. (Note: I have purchased this and noted a conflict with the free app Spyware Guard, which I then uninstalled. Don't run duplicate programs doing the same task in the background, and don't use more than one homepage locking program at the same time. This product does not do anything you cannot do with the mix of free products mentioned above plus online Trojan scans, but it is a very nice all-in-one solution and has updates. This program will only lock the homepage you use in Internet Explorer, not Mozilla.)

Build a toolkit BEFORE you get hijacked that will help you clean up your computer. Many malware apps can prevent you from visiting the sites where these tools are obtained once you are infected. Run both AdAware and Spybot Search and Destroy frequently to keep them updated; you may not be able to update them after the fact.


AdAware

AdAware swept the shareware/freeware awards in 2002 for its ability to clean up spyware and other tracking software from your computer. (1.5 MB)

CWShredder

This is the best resource site and tool for ridding your computer of the CoolWebSearch hijacker. Read through the information on the disguises CoolWebSearch uses and confine your searching to known engines such as Google. I consider this an essential tool that everyone should have.

Enditall2

This is a free app from PC Magazine that allows you to see and identify apps and processes running in the background and shut them off until the next restart.

HiJack This!

HijackThis examines certain key areas of the Registry and hard drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed. Some items are perfectly fine and necessary, and you should not remove them. Doing that could leave you with missing items needed to run legitimate programs and add-ins. (Getting to know the processes running in Task Manager on your computer before a hijacking or Trojan infection occurs helps you to identify things that may not belong.) (152 KB)

Mozilla

Mozilla is a free browser that is a "work in progress" as it is an open-source project similar to Linux. It is the Screensavers' pick as the BEST browser available, and it's free. Be sure to download the latest "stable" release unless you wish to help debug the latest build. v. 1.7.1 (11 MB)

Process Explorer (Task Manager on Steroids!)

Ever wonder which program has a particular file or directory open? This free little utility from Winternals shows you which handles and DLLs processes have opened or loaded. It also has a powerful search capability.

Regmon by Sysinternals

Regmon is a free registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing, all in real time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry.

Spybot Search and Destroy

Recommended by PC World and Tech TV, Spybot Search and Destroy is an essential tool to rid your computer of spyware and finds things that AdAware misses. It should be used in conjunction with AdAware for more complete spyware removal. (3.5 MB and worth it!!) Note: The DSO Exploit bug has been fixed, as has the recent checksum error received when updating.

OK...you've been hijacked. Where do you start?

Keep in mind that cleaning up your computer is usually a multi-step process requiring diligence and patience. It also requires an understanding of the nature of the beast. Multiple entries have been added to your registry (pointing to .exe and .dll files) that instruct your computer to open a certain homepage, run popup ads even when you are not browsing, change your search engine, and re-infect your computer every time you restart. Nice! Furthermore, a hijacker can leave a back door open to a flood of Trojan Horses which further complicate the cleanup process.

Once hijacked, stay off the Internet except for updates to AdAware and Spybot Search and Destroy. Continuing to browse will only make things worse. Physically disconnect by unplugging your modem.

Before you begin, open Windows Explorer. Go to TOOLS, FOLDER OPTIONS, then VIEW. Be sure "Show hidden files and folders" is checked. Now uncheck both "Hide extensions for known file types" and "Hide protected operating system files." Click Apply.

For safety's sake, XP, 2000 and NT users should run ERUNT and back up the registry. Now if you use Windows XP or Me, turn off System Restore. (Right click on My Computer, Properties, System Restore tab.) Be advised that turning off System Restore will erase your restore points. (Now you know why you backed up the registry with ERUNT. An infected registry may be better than no registry if you mess up your operating system.)

There are many approaches to successfully recovering from a hijacking. The following has worked for me. Use this information at your own risk. When in doubt, seek more experienced assistance. Be sure your data is backed up. A faster recovery option may be reformatting and reinstalling Windows or restoring a known good image, however you can recover from a hijacking with diligence, attention to detail, and patience.

In this order:

1. Go to START, RUN, type in MSCONFIG. Uncheck all unnecessary apps on the Startup tab, especially anything you don't recognize. When in doubt, look up file names in Google on another computer. (Windows 2000 does not have MSCONFIG.) If you find an entry which contains regedit.exe /s, disable it. When prompted to restart, do not restart at this time.

2. Bring up Task Manager and end all running processes that do not belong. Also look in Control Panel's Add/remove programs and uninstall anything questionable.

3. Delete all your temp files, including your internet cache and offline content. XP users can use Disk Cleanup in System Tools to do this.

4. Run CWSHREDDER. Some forms of CoolWebSearch can disable other cleanup tools such as AdAware.

5. Run AdAware with its latest updates.

6. Now run Spybot Search and Destroy with its updates.

7. Restart in Safe Mode (F8 immediately after the post will usually do it) and do a complete system scan with your antivirus software if it is working.

8. Still in Safe mode, run CWShredder and Spybot S&D again.

9. Open the HOSTS file in Notepad. Usually the only entry you need is 127.0.0.1 localhost, unless you are on a network managed by someone else. Delete extraneous or suspicious entries. Note that in some cases other programs, such as Norton's email protection software, may insert their own entries into the HOSTS file. What you are looking for is a diversion of commonly used websites or Internet Explorer search functions to a specific valid IP address. For more info on the HOSTS file, go here.

10. Restart your computer.

11. Run HiJackThis! and do a scan. Make a list of all references to .exe and .dll files and BHOs that do not belong. (The scan will show both good and bad running processes. You must determine which is which.) Now delete entries that do not belong by checking them and letting HiJackThis! fix them. Use extreme caution that you do not select something you need, as this program edits your registry. If you are in doubt, don't select anything. Make a log file, print it and show it to someone more knowledgeable, or upload it to a support group on the web. (You can use Google on another computer to look up file names.) The HiJackThis log tutorial is located here. Take the time to understand this powerful program before you use it!

12. Go to START, RUN, type in REGEDIT. (Back up the registry again first. Do not edit the registry without assistance if you are at all uncertain on how to proceed.)

13. Be sure My Computer is highlighted at the top of the hive. Click on EDIT, then FIND. (Using F3 will find the subsequent entries of any given search.) One at a time, search for all the malware file names you noted in the preceding steps. Delete all references to them in the right hand pane. (F3 is the shortcut for FIND NEXT.) You are playing detective at this point. Study the names of apps you see loading in the same location as known malware bearing the same or close dates. If you do not recognize these names, look them up. Do not let your brain play tricks on you. Malware will frequently disguise itself with names one letter different from good and necessary system files. Close the registry and restart your computer.

14. Try your browser and your search engine. If you are still hijacked, repeat steps 1 through 12.

15. When you have regained control of your browser, go to TrendMicro and do an online scan. This scanner is good at finding hidden Trojans. Make a list of anything that cannot be cleaned or deleted. Go back to the registry and manually remove the trojan related files.

16. Be sure to re-enable System Restore when you are done.
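Two of the steps above (the HOSTS file in step 9, and the "one letter different" disguises you hunt for in steps 1 and 13) can be checked offline from text you export or paste, so the work can be done on a clean machine. The script below is an added example for this page, not a tool from any of the projects named above. The HOSTS contents, the .reg export of a Run key and the short list of genuine Windows executable names are all constructed for the example; 203.0.113.10 is a documentation address standing in for whatever "specific valid IP address" a hijacker used.

```python
"""Offline triage for two cleanup steps: non-loopback HOSTS diversions and
look-alike or silent-import entries in a Run key export."""
import ipaddress
import re

# Constructed sample HOSTS file. Loopback lines only block a name (harmless);
# the three lines sending popular sites and MSN search to one public-looking
# address are the diversion pattern described in step 9.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net          # a blocking entry, harmless
203.0.113.10    www.google.com
203.0.113.10    search.msn.com
203.0.113.10    auto.search.msn.com
"""

# Constructed .reg export of a Run key (what regedit's File > Export writes).
# Two entries imitate system file names; one silently imports a .reg file at
# every start, the kind of entry step 1 tells you to disable.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"svch0st"="C:\\WINDOWS\\System32\\svch0st.exe"
"RegFix"="regedit.exe /s C:\\WINDOWS\\Temp\\update.reg"
"Explorer"="C:\\WINDOWS\\exploler.exe"
'''

# Short constructed list of genuine Windows executables that malware imitates.
KNOWN_SYSTEM_EXES = sorted({
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "rundll32.exe", "spoolsv.exe",
})

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def diverted_hosts(text):
    """Group every mapping that is not loopback by destination address."""
    diverted = {}
    for ip, name in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            pass  # not even a valid address: worth a look
        diverted.setdefault(ip, []).append(name)
    return diverted


def unescape_reg(value):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_run_key(text):
    """Return (value name, command line) pairs from a .reg export."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), unescape_reg(m.group("value"))))
    return entries


def executable_name(command):
    """Lower-case file name of the program a Run value launches."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 is the one-letter disguise."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_run_key(text):
    """Return (value name, reason) for startup entries that deserve a look."""
    findings = []
    for name, command in parse_run_key(text):
        exe, lower = executable_name(command), command.lower()
        if "regedit.exe" in lower and re.search(r"\s/s\b", lower):
            findings.append((name, "silent registry import at startup: " + command))
            continue
        for known in KNOWN_SYSTEM_EXES:
            if exe != known and edit_distance(exe, known) == 1:
                findings.append((name, f"{exe} looks like {known}"))
                break
    return findings


if __name__ == "__main__":
    for ip, names in diverted_hosts(SAMPLE_HOSTS).items():
        print(f"HOSTS diverts {', '.join(names)} to {ip}")
    for name, reason in audit_run_key(SAMPLE_REG):
        print(f"Run value {name!r}: {reason}")
```

To use it on a real machine, paste the contents of C:\WINDOWS\system32\drivers\etc\hosts into SAMPLE_HOSTS and an exported Run key into SAMPLE_REG, and extend KNOWN_SYSTEM_EXES with the process names you learned from Task Manager before the infection. A finding is a lead, not a verdict: as step 11 says, look the name up before removing anything.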

This page is a work in progress. Check back frequently for changes and updates. Comments, suggestions are always appreciated and considered. To be continued...


Additional information:

Visit the following links to learn more about hijacking:

Parasite Quick Fix

This is an excellent resource. Note that it says a quick fix to get you up and running is not a substitute for a thorough fix.

McAfee Support Forums

The Geek Girls

Harry Waldron, MSMVP