Free Republic

HIJACK! (No, not THAT kind!)
various | Today | Me

Posted on 06/05/2004 8:06:55 PM PDT by Long Cut

You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.

It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.

You've been HIJACKED!

What happened? How? You ask, as you pull your hair out in disgust.

Well, it happened to me, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious repercussions for the user.

These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.

I discovered mine one day while, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.

After the reboot, I ran my McAfee antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.

Wrong. It happened again.

Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.

I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".

I went to sites like Spywareguide.com, Spywareinfo.com, and Symantec's excellent site, and educated myself about CWS. It's a mean one.

With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.

After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.

PROTECTION

First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.

Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.

MEDICINE FOR A SICK COMPUTER

I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.

I found Merjin.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.

So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merjin.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.

I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.

HEALING THE PATIENT

I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.

I went to Symantec's website and downloaded detailed instructions for THOROUGHLY cleaning your system. I had missed something important.

CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.

I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode (also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.

Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversely, I have not seen evidence of it yet.

I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.

That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.


TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Your Opinion/Questions
KEYWORDS: computers; coolwebsearch; hijack; hijackers; spyware; trojanhorses; virus; viruses; worm
I wanted to put this out because I'm SURE that there are numerous FReepers who might have had the same problems. Make no mistake...these bugs can be ruinous to one's job and reputation, and they are out there on many innocent sites. A simple popup is all it takes to get one.

I read many articles on people whose lives were nearly wrecked by them, and who were so repulsed by what they got that they threw their computers away, and swore to never use the 'net again.

There is no legal recourse; CWS and others like it are buried under many layers of internet cover. The company itself denies any wrongdoing.

Please, if you've got similar experiences, share them. Others might benefit from this knowledge, and if you've got links and advice, please share it here, too.

1 posted on 06/05/2004 8:06:56 PM PDT by Long Cut

To: MS.BEHAVIN; MrB; 68-69TonkinGulfYatchClub; bentfeather; Kathy in Alaska; mylife; Old Sarge; ...
PING!!!!!!!

Watch out...something wicked this way comes....

2 posted on 06/05/2004 8:09:07 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Bloody Sam Roberts; inflation; Ichneumon; Pukin Dog; Squantos; Travis McGee; HighWheeler
Bump. Beware.

I spent three weeks and countless hours to learn these lessons.

3 posted on 06/05/2004 8:10:54 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: HairOfTheDog

You might find this interesting.


4 posted on 06/05/2004 8:12:00 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut

Interesting! We can never be too careful. Thanks for the instructions. I'm sure it can help others who no doubt are infected. (Hopefully not me, but I'm going to double check!)


5 posted on 06/05/2004 8:13:02 PM PDT by IVote2

To: All

I find it somewhat curious that this story has not made it into the major media. Surely SOMEONE in the journalism field has had this experience.


6 posted on 06/05/2004 8:13:17 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut

bump


7 posted on 06/05/2004 8:13:58 PM PDT by Soaring Feather (~The Dragon Flies' Lair~ Poetry and Prose~)

To: Long Cut

I have no trouble with any of this, perhaps it's because I run Linux? ;->


8 posted on 06/05/2004 8:14:26 PM PDT by inflation (Cuba = BAD, China = Good? Why, should not both be treated the way Cuba is?)

To: Long Cut
As an alternative to a lot of the stuff you mentioned, one solution that solves many if not most of the problems, would be to simply stop using IE. Download Mozilla and install it. You will be protected from popups, and a lot of the nastiness you encounter with IE. Additionally, once you use tabbed browsing, you'll wonder how you lived without it.
9 posted on 06/05/2004 8:15:01 PM PDT by zeugma (The Great Experiment is over.)

To: Long Cut

Bump for later use


10 posted on 06/05/2004 8:15:37 PM PDT by Right Angler

To: Long Cut

Thank you for passing along this info.


11 posted on 06/05/2004 8:15:42 PM PDT by Socratic (Yes, there is method in the madness.)

To: IVote2; All
I run Ad-Aware daily after an Internet session, and also CWShredder and HijackTHIS!. I update all my antivirus/anti-spyware weekly, and keep my system updated as well. I also, just before shutdown, delete ALL cookies and history files, followed by the emptying of the recycle bin.

It takes a little time, but peace of mind is worth it. These bugs pretty much compromise your whole system...even sending personal information back to their masters in some variants.

12 posted on 06/05/2004 8:16:41 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut
Oh, that's an ugly one, all right. May I suggest cloning your system with Symantec's Ghost as one means of keeping a backup copy offline? The malware can't get to it if it's sitting in an envelope on your desk...
13 posted on 06/05/2004 8:16:51 PM PDT by Billthedrill

To: Long Cut

Browser hijacking is nothing new. Run Adaware regularly and use CW Shredder. HijackThis is also a useful tool.


14 posted on 06/05/2004 8:18:39 PM PDT by South40 (Amnesty for ILLEGALS is a slap in the face to the USBP!)

To: inflation
Beware...CWS puts out new variants almost weekly. They are working on Linux as well. It's only a matter of time. ANY system can be attacked, especially by these clowns.

This is NOT some kid in a basement...it's a company with vast resources.

15 posted on 06/05/2004 8:18:39 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut

One word - "Linux".


16 posted on 06/05/2004 8:20:13 PM PDT by MTR

To: zeugma
I've been considering doing just that, if the problems continue. However, the latest reports I've read suggest that Mozilla is also coming under attack.

CoolWebSearch apparently has the time and resources to figure out all manner of mischief.

17 posted on 06/05/2004 8:20:32 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Billthedrill

Thanks..I'll look into it.


18 posted on 06/05/2004 8:21:13 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: zeugma

I just loaded firefox and attempted to delete IE but the entire uninstall folder is empty!

running mozilla firefox has made a tremendous difference.

Now to disable that nasty javascript BS


19 posted on 06/05/2004 8:21:47 PM PDT by mylife (The roar of the masses could be farts)

To: MTR

See post #15. Linux is next on their hit-list.


20 posted on 06/05/2004 8:22:10 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)