Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: finnman69
Dude. Read this. You may have been infected with malware. The only solution is to shoot your computer and never visit another porn site.

http://wired.com/news/infostructure/0,1377,63280,00.html?tw=wn_16techhead
11 posted on 05/06/2004 1:38:11 PM PDT by Asclepius (protectionists would outsource our dignity and prosperity in return for illusory job security)


To: Asclepius; All
I FIXED IT! Thanks for reminding me about CWS.

I stand guilty of browsing porn and getting cyber syphilis.

It was a coolwebsearch bastard. This is the second one I have gotten and the second time I had to use a shredder to get rid of it. The normal Ad-aware type programs don't kill it.

I zapped it with this program: http://www.spywareinfo.com/~merijn/files/CWShredder.exe

from this website: http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder



Nasty Malware Fouls PCs With Porn
By Michelle Delio
Story location: http://www.wired.com/news/infostructure/0,1377,63280,00.html

02:00 AM Apr. 30, 2004 PT

Last Sunday, Maria DelGiorno gave up. She unplugged her laptop PC and carefully placed it underneath a statue of the Virgin Mary.

"It was the only thing I could think of doing," said the 67-year-old great-grandmother. "The computer was filled with filthy things. It was embarrassing. My grandchildren kept asking me why I was looking at so much pornography."

On Tuesday, DelGiorno's grandson retrieved the computer and examined it. With some help from a computer-savvy friend, Joe DelGiorno discovered that a browser-hijacking program called CoolWebSearch, also known as CWS, had turned his grandmother's mild-mannered computer into a XXX-rated adventure.

"She had dozens of bookmarks for really foul porn sites," said Joe DelGiorno. "And ads for porn were popping up every few minutes. Her homepage had been switched to some weird Web page. She was all upset and crying; she's a religious woman. She shouldn't have to deal with this garbage. If I find the people who did this to her I will make them suffer."

Judging by the many postings in newsgroups and on PC help sites, plenty of people would be happy to join Joe DelGiorno in his quest to find the programmers behind CWS, the latest and most malicious of several browser hijackers that are making some Internet users miserable.

Browser hijackers are malicious small programs that change browser settings, usually altering designated default start and search pages. But CWS is far uglier than other infamous browser hijackers such as Xupiter and Lop.

According to Merijn Bellekom, who has been tracking CWS and its many variants -- more than two dozen since CWS first appeared last summer -- CWS is "the most complex, invisible and devious hijacker" ever programmed.

CWS-infected computers are often plagued with a constant barrage of pornography pop-up ads. A hundred or more bookmarks, some for extremely hard-core pornography websites, are often added by CWS to Internet Explorer's Favorites folder.

Almost all versions of CWS significantly slow the performance of infected computers, and some can cause the system to freeze, crash or randomly reboot. CWS also collects and transfers personal information from the infected PC. A few versions of CWS can add websites to Internet Explorer's "trusted sites" zone, which allows those websites to install new programs on the infected PC without the computer owner's knowledge or permission. Several CWS variants are capable of automatically self-updating their programming code.

A few versions of CWS block a user's access to more than two dozen websites that offer advice on how to detect and delete spyware. Some CWS versions also disable firewall programs.

People who are familiar with computers will often check host processes information to find out what applications are running in the background on their computers. One version of CWS can be active in the system but does not appear in host processes, according to Bellekom and other sources.

Signs that one of CWS' two dozen variants is present in a computer include home and search pages that have been reset to one of the 80 or so domains that appear to have an affiliation with CoolWebSearch.com. Any URLs that are entered without "www" will be redirected to porn, search or other sites apparently affiliated with CoolWebSearch.com.

Some versions of CWS will also redirect users to off-brand search sites when they attempt to visit Google, Yahoo or other search sites, and a few produce pop-up ads intended to look like Google search results.

New versions of CWS are being released almost every week, and antivirus programs struggle to identify and block all the variants. Many users complain that their antivirus or anti-spyware programs did not detect CWS on infected machines.

Jon Erland Madsen, from Oslo, Norway, believes his machine was infected with CWS via one of two security holes in Microsoft's Java Virtual Machine.

CWS affects only PCs running the Windows operating system and Microsoft's Internet Explorer browser. If users haven't applied the patches that protect computers against security flaws in Java Virtual Machine, it appears that some versions of CWS can install themselves automatically, without users agreeing to install the software.

"If you some weeks ago suggested that I was infected with a Trojan that probably records my every keyboard stroke, although I never clicked an unknown attachment, I would take it as a sign of superstition, a bit like getting a chip implanted in your brain," said Madsen. "But this is exactly what has happened to me."

In other cases, users do install CWS themselves, believing it's a game or other desirable program or a plug-in necessary to view a website.

Most versions of CWS are extremely difficult to remove from infected computers. According to Madsen, none of the half-dozen well-known antivirus applications he tried was able to detect the variant of CWS that lurked on his machine. He used CWShredder, a program made by Bellekom, to remove it, but said CWS still comes back after every reboot.

CWShredder does appear to remove every known variant of CWS, and Bellekom updates the program on a weekly basis in order to handle the CWS variant du jour.

CoolWebSearch.com, which bills itself as the "search engine you trust," did not immediately reply to requests for comment.

But in a statement on its website, the company Cool Web Search claimed that it is not responsible for CWS, the hijacker.

In the statement, Cool Web Search said that it pays its "affiliates" for each visitor that is directed to a CoolWebSearch.com domain. According to Cool Web Search's statement, CWS may have been created by one or more of its affiliates in order to collect those fees.

Cool Web Search also chided those whose machines harbored CWS, saying in the statement that "more and more people, nowadays, neglect the security of their browser, and as a result, end up being victims of so called 'browser hijacks'."

"Right, blame the victim," said Joe DelGiorno. "The bottom line is that my grandmom's computer would have never gotten infected by (CWS) if these unethical creeps hadn't released the program in the first place."
31 posted on 05/06/2004 2:04:33 PM PDT by finnman69 (cum puella incedit minore medio corpore sub quo manifestus globus, inflammare animos)
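The article quoted in the post above lists reset home and search pages and additions to the "trusted sites" zone as signs of CWS. The following is an added example, not part of the thread or the Wired article, that checks a registry export for those two signs against a known-good baseline; the registry locations are the standard Internet Explorer ones (the article does not name them), and the domains and baseline values are constructed.

```python
import re

# Constructed sample in the text format written by `reg export`; not from a real machine.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack-start.example/"
"Search Page"="http://www.google.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"https"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unknown-ads.example]
"*"=dword:00000002
'''

MAIN_KEY = r"software\microsoft\internet explorer\main"
ZONE_KEY = r"software\microsoft\windows\currentversion\internet settings\zonemap\domains" + "\\"
TRUSTED_ZONE = 2  # zone number Internet Explorer uses for "Trusted sites"


def parse_reg(text):
    """Return {key path without hive, lowercased: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].split("\\", 1)[-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys


def audit(text, allowed_pages, allowed_trusted):
    """List (indicator, value) pairs that differ from the known-good baseline."""
    keys, findings = parse_reg(text), []
    for name in ("Start Page", "Search Page"):
        raw = keys.get(MAIN_KEY, {}).get(name)
        if raw is not None and raw.strip('"') not in allowed_pages:
            findings.append((name, raw.strip('"')))
    for path, values in keys.items():
        if not path.startswith(ZONE_KEY):
            continue
        domain = path[len(ZONE_KEY):]  # nested subdomain keys keep their backslash
        zones = [int(v[6:], 16) for v in values.values() if v.lower().startswith("dword:")]
        if TRUSTED_ZONE in zones and domain not in allowed_trusted:
            findings.append(("Trusted site", domain))
    return findings
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `audit`.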

To: Asclepius
You've hit the nail on the head.

I have two suggestions:

1. Run Spybot S&D regularly and then install and run the 'Immunize' feature.
2. Since MS IE is the target, download, install and learn to love Mozilla Firefox. You'll never want to go back to MS IE again. I haven't.

56 posted on 05/06/2004 2:56:53 PM PDT by Bloody Sam Roberts (ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,Election '04...It's going to be a bumpy ride,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson