Homepage hijackers are a newer trend; I'm not quite sure what to classify them as (adware? spyware? trojan?). Their function is to change your browser's homepage (and maybe the search page and other default pages) to point to their site. This site is almost always loaded with lots of ads, popups and/or other make-money-fast earmarks of a useless portal-potty.
There are two forms of hijacker:
the one that is easier to fix is a site that uses an IE vulnerability to
automatically set your homepage/etc. to theirs, and that's that. You cuss
under your breath, change them back and remember never to visit that site
again. The harder one to fix installs a program on your computer (either
by exploiting IE's insecure nature, or by enticing the user to install
e.g. a "free Web browser enhancement" which contains the hijacking program).
Once it gets onto your system, the hijacker program continually changes
(or forces) your homepage back to theirs. No matter how many times you try
to change it, either from IE or in the Registry, the sneaky software keeps
changing it back. According to
some will even set up your system to lock you out of the Registry, to prevent
you from removing their hijacker!
Typically, hijacker programs put a reference to themselves in your StartUp folder or Registry Run key, so that the hijacker runs every time the computer is started. If the user tries to change any of these settings, the hijacker changes them back, sticking the user with the hijacker's site unless the hijacking software can first be found and removed.
Several of these hijackers
knowingly exploit an
Internet Explorer / Outlook Express bug that allows them to be secretly installed
on a user's system upon simply viewing the Web page. Hijackers using this
bug will plant one or more .hta files on your system which are executed
on startup by Windows Scripting Host. To restore normal operation, search
your system for *.hta files and rename any that are found (e.g. change
file.hta to file.hta_) or move them to another directory. Then change your
homepage and other browser defaults to those you prefer. Hopefully they
will no longer be changed back! Also, don't forget to grab the Microsoft
patch which fixes these script vulnerabilities in IE.
Other hijackers (Gohip et
al) install a stand-alone .EXE application on the system to perform the
same function. Since .EXE programs can't be auto-downloaded in decently
secure browsers and must knowingly be installed by the user, the hijackers
will sometimes be disingenuously labelled as "browser updates" or "enhancements",
or any number of similarly flowery terms. The hijacker's site will probably
go to extraordinary lengths to cajole the user to install the file, maybe
even dangling Free Gifts and Special Offers in front of the user's nose.
See the section on Trash App exorcism for detailed
removal instructions for an .EXE hijacker.
Still other hijacking methods exist. One site uses a *.jse file, loaded at startup, to do its dirty deeds. Still another will place a reference in the StartUp folder or Registry Run key that actually runs Registry Editor, telling it to add the contents of a well-hidden file (e.g. C:\windows\system\2304987.tmp), containing the keys necessary to set the hijacker's homepage, to the Registry on every startup. Unfortunately, the sheer number of hijackers precludes the listing of all offenders.
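The startup references described above (.hta files, a *.jse file, and a Run entry that launches Registry Editor against a hidden file) can be picked out of an exported copy of the Run keys. The following is an added example, not part of the original article; the sample export is constructed, and the value names and the portal.example address are made up for illustration.

```python
import re

# Constructed sample: a .reg export of autostart and IE settings (not real IoCs).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinUpdate"="C:\\WINDOWS\\update.hta"
"Loader"="wscript.exe C:\\WINDOWS\\start.jse"
"RegFix"="regedit.exe /s C:\\windows\\system\\2304987.tmp"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://portal.example/"
'''

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services)?$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Startup patterns the article describes; heuristics for triage, not proof.
RULES = [
    (re.compile(r"\.hta\b", re.I), ".hta file run at startup"),
    (re.compile(r"\.jse\b", re.I), ".jse script run at startup"),
    (re.compile(r"\bregedit(\.exe)?\s+\S", re.I), "Registry Editor importing a file"),
]

def unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def suspicious_autoruns(text):
    """Return (name, command, reason) for Run-key entries matching a rule."""
    findings = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key):
            findings += [(name, data, why) for rx, why in RULES if rx.search(data)]
    return findings

if __name__ == "__main__":
    for name, data, why in suspicious_autoruns(SAMPLE_REG):
        print(f"{name}: {data}  <- {why}")
```

Only the Run, RunOnce and RunServices keys are checked, so StartUp folder shortcuts still need a manual look. Exports from newer versions of Registry Editor are UTF-16 text and must be decoded before being passed in.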
on Browser Hijacking and fixes from SpywareInfo.com