looking for adware info and homepage hijacker info

I certainly hope you aren't planning on writing more malware, but...
Most browser hijackers are implemented as browser helper objects (BHOs). A general run-down on what they are and how to write one can be found at:
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
I'm sure there are lots of other ways to hook your code into IE, but that's the most common way.
Now, as far as getting it installed on a user's computer, that's just a matter of finding a software exploit somewhere. Probably the best real-world example was the Java bytcode verifier bug in Microsoft's Java VM. That particular exploit was, well...gang raped by spyware authors. MS finally patched their VM, but it's a far better thing to remove it entirely and use Sun's instead. MS is no longer allowed to distribute a Java VM anyway due to eariler lawsuits by Sun.
But I digress. Probably the biggest, most persistant method of getting spyware installed is through exploiting security zones. In most browsers, you have a system of zones that you classify web content by. For example, IE uses: Internet, Local Intranet, Trusted Sites, and Restricted Sites. Each one has different "permissions" for code execution. Nearly all browsers implement something similar to this - I believe it was Netscape that actually started this madness. It looks good on paper, but it gave birth to a whole class of exploits called "cross-zone scripting exploits". I haven't done enough reading to cite specific examples or how-tos, but the general idea is this: by using various tricks with HTML, vbscript, javascript, etc., you can sometimes convince the browser that a particular web page, or portions of it, belong in a different (and more permissive) zone.
Cross-zone scripting exploits have been especially bad in IE because in addition to the four zones shown on the security tab of your internet settings, there's a 5th zone, the "local machine" zone, which is basically invisble to users, and which has virtually unrestrained access to the machine. By crossing into the local machine zone, you could get the browser to execute just about anything you wanted to. For years, Microsoft has been discreetly warning people that the zone exists, and that they need to lock it down tighter, but they haven't exactly advertised the problem to end users. Finally, they have at least tried to fix the problem as of XPSP2:
hxxp://msdn.microsoft.com/security/productinfo/xpsp2/securebrowsing/locallockdown.aspx
However there are already some known exploits that manage to circumvent the new security:
hxxp://secunia.com/advisories/12889/
Anyway, this should give you a few leads for google. I'm sure there are lots of other methods employed, but AFAIK, those are the big ones.
Edit: Ok, I'm not sure why, but all of a sudden Exetools isn't honoring line breaks for me. Sorry. It works in preview, but then it strips the blank lines out of the post

[JMI]

I have the same result here. Maybe Aaron changed something to try to save room in the database. Not sure at this point, but the line breaks do seem to disappear when the post is saved. Or at least they did yesterday.

Regards,

cool - thanks all for the info....this is what i needed to know


thanks again

This page is also interesting, the part on how you can prevent the
furtive installation of BHO by modifying the security on a unique
key can interest some people I think....

CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
hxxp://www.ciac.org/ciac/techbull/CIACTech02-002.shtml

etherlord