Free Republic
News/Activism
HIJACK! (No, not THAT kind!)
various | Today | Me

Posted on 06/05/2004 8:06:55 PM PDT by Long Cut

You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.

It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.

You've been HIJACKED!

What happened? How? You ask, as you pull your hair out in disgust.

Well, it happened to me, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious repercussions for the user.

These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.

I discovered mine one day while, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.

After the reboot, I ran my McAfee antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.

Wrong. It happened again.

Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.

I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".

I went to sites like Spywareguide.com, Spywareinfo.com, and Symantec's excellent site, and educated myself about CWS. It's a mean one.

With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.

After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.

PROTECTION

First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.

Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.

MEDICINE FOR A SICK COMPUTER

I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.

I found Merijn.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.

So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merijn.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.

I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.

HEALING THE PATIENT

I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.

I went to Symantec's website and downloaded detailed instructions for THOROUGHLY cleaning your system. I had missed something important.

CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.

I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode (also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.

Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversely, I have not seen evidence of it yet.

I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.

That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.


TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Your Opinion/Questions
KEYWORDS: computers; coolwebsearch; hijack; hijackers; spyware; trojanhorses; virus; viruses; worm
To: Long Cut

One thing I found to get around the Merijn stuff is that where I was finding problems (wanting to double check the random thing that I find once in a while before removing from HijackThis) was that the links to the other sites of lists (like BHO lists, etc.) were not allowing for anything to be searched or came up with no responses...I explored long enough that I found that there are lists you can download and just 'ctrl f' for whichever you are questioning...

Did that make any sense? In any case, I was glad to find an alternative cause all the problems on his site were getting annoying! LOL!


101 posted on 06/05/2004 10:08:55 PM PDT by mfccinsd

To: Long Cut

Mozilla is the full-featured browser, Firefox is just the browser. I have both and use Firefox the most. Thanks for all the info, I have had many problems with the wife's PC off/on for months, reinstalled Win98 3 times.


102 posted on 06/05/2004 10:09:05 PM PDT by markman46

To: Long Cut
Check earlier in this thread. I made a post with several useful Mozilla links that I'm too lazy to retype now. :-) The "extensions" are definitely something to look at, though aren't strictly necessary.
103 posted on 06/05/2004 10:09:08 PM PDT by zeugma (The Great Experiment is over.)

To: Fraulein

Do 'save log' and you can put it in a private message to me (the contents of the log) and I'll help you if you'd like


104 posted on 06/05/2004 10:09:41 PM PDT by mfccinsd

To: zeugma

Okay, just so's I'm clear...I download Mozilla, and Firefox et al. comes with it, correct? There's several versions of Mozilla on the site...which ones do you recommend?


105 posted on 06/05/2004 10:10:18 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Bloody Sam Roberts

I've also found tds-3 (free eval. version you can use) is helpful, as is a2 http://www.emsisoft.com/en/

Both found things that I hadn't been able to fix on hijack adaware and spybot...all of which I run (and update) very often.

Might be worth trying just to be sure, too...


106 posted on 06/05/2004 10:13:49 PM PDT by mfccinsd

To: Long Cut; All

Anyone contemplating trying Mozilla or Firefox needs to bookmark this page!

Note that "user forums" are open. In other words, you don't have to register. (The sections down the page you do, however).

http://forums.mozillazine.org/index.php


107 posted on 06/05/2004 10:14:38 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)

To: Long Cut
From the main mozilla page, go to the section titled "mozilla 1.6", and select the one for your operating system. Version 1.6 is considered the latest "stable" release. Right now I'm on version 1.8a, which is an 'alpha' release - it's not considered stable yet. You'd probably be best off with 1.6.
108 posted on 06/05/2004 10:14:52 PM PDT by zeugma (The Great Experiment is over.)

To: Long Cut

//I'm no expert (but there are certainly some on this thread), however, I'd assume that the files it found are "hidden" somehow from your "search" function. In my case, they were in the "restore" system folder, and I had to disable it before I could begin deleting the offenders. If it's enabled, it won't allow you to mess with it.//

Well, I use 'dir /a' as my file finder; I suppose something could tamper with it, but I don't know that spyware thingies tamper with DOS.


109 posted on 06/05/2004 10:16:09 PM PDT by supercat (Why is it that the more "gun safety" laws are passed, the less safe my guns seem?)

To: Fraulein

You can go to this page:
http://tomcoyote.com/hjt/

Look around a little and then register if it looks good to you. If you register you will be able to post your log and the gurus there will tell you what to delete. I have not used them but I have heard about it. I think they will be of help.


110 posted on 06/05/2004 10:16:27 PM PDT by No One Special

To: Fraulein
First, delete all of the stuff Ad-Aware found. You can do this by accessing the "quarantine list", selecting each, and clicking "delete".

As for HiJackTHIS!, you'll have to go line-by-line and check each...it will give details about each, as well as tell you if any are really bad. Anything with "about:blank", for instance, should be deleted forthwith. Read each carefully...if it's something you know, or remember downloading deliberately by the name, just put it on the "ignore" list.

HiJackTHIS! has a guide to its ratings, and so does Merijn. Refer to them before deleting anything.

It'll be a pain, but after you're done, anything else will be easy.

111 posted on 06/05/2004 10:17:57 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
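The line-by-line triage described in the post above, as an added example that is not part of the thread or of HijackThis itself: a small Python script that reads a HijackThis-style log, flags the "about:blank" start/search-page entries and nameless Browser Helper Objects for deletion, and honours an ignore list for entries the user recognises. The sample log, its CLSIDs and the "Example Toolbar Helper" name are constructed for illustration.

```python
import re

# Constructed sample in HijackThis' line format (R0/R1 = IE start and search pages,
# O2 = Browser Helper Objects); it is not a real log from the thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.freerepublic.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\System32\\sp.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Example\\toolbar.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def classify(line, ignore=frozenset()):
    """Return (verdict, reason) for one log line, or None if the line is not an entry.

    Verdicts: 'delete' for the about:blank hijack and nameless BHOs the thread
    warns about, 'ignore' for entries the user has already vetted, 'keep' for
    ordinary start/search pages, 'review' for everything else.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if body in ignore:
        return ("ignore", "on the user's ignore list")
    if code in ("R0", "R1"):
        _key, _sep, value = body.rpartition(" = ")
        if value.strip().lower() == "about:blank":
            return ("delete", "IE start/search page hijacked to about:blank")
        return ("keep", "start/search page is an ordinary URL")
    if code == "O2" and body.startswith("BHO: "):
        name = body[len("BHO: "):].split(" - ")[0]
        if name == "(no name)":
            return ("delete", "Browser Helper Object with no name")
        return ("review", "named BHO: keep only if you installed it deliberately")
    return ("review", "entry type not handled by this triage")


def triage(log_text, ignore=frozenset()):
    """Walk a whole log and return (line_no, verdict, reason, entry) tuples."""
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line, ignore)
        if verdict is not None:
            results.append((n, verdict[0], verdict[1], line.strip()))
    return results


if __name__ == "__main__":
    for n, verdict, reason, _entry in triage(SAMPLE_LOG):
        print(f"line {n}: {verdict:6s} - {reason}")
```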

To: Long Cut

Firefox 0.8.

It's a browser only.

Mozilla 1.6 is okay. It has an e-mail client and even a web page maker. But go with Firefox until you get a little used to the changes.

My opinion....


112 posted on 06/05/2004 10:18:04 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)

To: Long Cut
Full article can be read here: http://www.techuser.net/index.php?id=47

Why Windows is a Security Nightmare
Security in all mainstream operating systems is non-existent; however, things are especially bad for Windows. Windows happens to be the favorite target of worm and virus writers. Conventional wisdom suggests that the huge installed base of Windows helps spread the worms and viruses, and also makes it a highly attractive target for worm/virus writers. The installed base of Windows certainly has an undeniable effect on the prevalence of malware on Windows, but this is not all there is to it.

The Blaster worm attacks Windows XP, and Win2K systems. In order to infect a system the worm needs to send the correct payload for the respective OS. The worm is not able to differentiate between the XP and Win2K so it randomly guesses the OS type; however, if it guesses wrong the RPC service crashes, and Windows reports it as a crash of svchost. The Blaster attack was quite a surprise as the major outbreak of the worm occurred back in August 2003, and I was expecting all infections of the worm to be fixed by now.

I was in no position to do anything about the Blaster attack, so I continued downloading the 35 MB service pack 4 over my dialup connection. It took me a couple of hours to download it, but Windows Update refused to install it; Windows Update probably needed some functionality provided by the crashed svchost.exe.

I rebooted and connected to the internet, which was a mistake as I was giving the worm a second chance to infect my system. Anyway, I proceeded to Windows Update, and tried the same download again. Alas, Windows Update had forgotten all about the 35 MB it had downloaded previously, and started downloading the same stuff all over again. Worse, the Blaster worm crashed svchost again, and I had to discontinue the download.

I knew about the existence of a standalone security update to patch the vulnerability Blaster exploits, so I decided to bypass Windows Update and download it directly. The download was small, less than 1 MB, but as soon as I tried running it I learned that it requires at least service pack 2 to install, which I didn't have.

Microsoft provides a separate download for service packs as well, and I decided to download the latest service pack, service pack 4. Well, the standalone service pack 4 distribution turned out to be a mammoth 129 MB download. This is about the maximum I have ever downloaded over a dialup connection; a download of this size can easily take 10 or more hours to complete.

Downloading a large file over dialup requires the ability to resume downloads which Internet Explorer does not provide, so I downloaded Wget to acquire that ability. Wget is a commandline tool and is invoked by calling it with the URL name. I tried pasting the URL on the command line, but it turns out that the cut and paste functionality disappears after a blaster attack, so I was forced to manually type the URL.

Normally, typing a URL is not a big deal. Everyone types URLs all the time, and I do too, but I do mind typing gibberish strings of 95 characters like the following:
http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
To cut a long story short I managed to download and install the service pack, and the Blaster security update. Finally, the Windows Update started working and after another 30-40 MB of downloads, and 3 or so reboots, I managed to install the 18 security updates available there (another 5 have been added to that number as of now).

After this experience I cannot help but laugh at the 'usability' problems Windows users are reporting about GNOME and KDE. It has become pretty clear to me that Windows users are so accustomed to usability problems that they don't even recognize them as usability problems. But, as soon as these people move to a different environment they start complaining simply because the new environment does not replicate the features and bugs of Windows exactly.

The other big lesson from all this is that most Windows users are incapable of 'securing' their systems. This is precisely why an unprotected system gets attacked in a matter of seconds, and spammers are still sending out Messenger service spam. Worse, Microsoft is directly responsible for this state of affairs. Windows encourages users to reinstall it every once in a while, and when they do, Windows Update actively prevents users from updating their systems.

The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter. I was able to download security updates off the internet only because the current generation of worms are not particularly malicious; they are just minor irritants.

If Microsoft is serious about Windows security it needs to fix Windows Update, and get rid of the damned Registry for good. Unfortunately, Microsoft's approach is to layer half baked fixes over utterly broken things to keep them going for as long as possible. Microsoft knows that there is a problem with the Registry, but the way it is dealing with it is by offering Registry rollbacks, and similar worthless functionality.

113 posted on 06/05/2004 10:23:18 PM PDT by macJoyful (Macs - the only thing liberal about me)

To: JoJo Gunn; All
Okay, I'm off to download Firefox...seems it's all I need to start off.

Thanks to ALL the experts who offered their valuable advice and help. I'm sure there were MANY lurkers who found it as useful as the posters did.

If enough people get the word, maybe we can stop these jerks from ruining people's machines and lives.

Signing off for tonight, back tomorrow.

114 posted on 06/05/2004 10:24:53 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut

The best and only programs I have found that work are Spybot Search and Destroy and RegRun. RegRun is awesome because it can do three things to a malware file like nCase: isolate, destroy, and block all variations of it from working on my computer. Sweet a** program.


115 posted on 06/05/2004 10:26:28 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: mylife

People work full time creating these threats making it a full time job to stay ahead of them.


116 posted on 06/05/2004 10:28:51 PM PDT by South40 (Amnesty for ILLEGALS is a slap in the face to the USBP!)

To: No One Special
Thank you for the link. I will check it out.
117 posted on 06/05/2004 10:28:54 PM PDT by Fraulein

To: Long Cut
Ah, yes, "about: blank" -- 2 words that I am so sick of seeing on windows as they are first spontaneously popping-up!

Thanks, again, for this thread. It's been very helpful. :)

Oddly, my home page was hijacked by a bright red page saying that my computer had spyware/security problems! Lots of windows would start opening up while the 'new' home page took over the whole computer screen, unable to be minimized, and usually shortly thereafter everything locked up.

118 posted on 06/05/2004 10:36:22 PM PDT by Fraulein

To: Squantos
AVG-Zone Alarm-Norton AV- Ad Aware are all free, get em , use em !.....:o)

Please note!!! While Norton (Symantec) does have an on-line, web based virus scan, Norton (or Symantec) Anti-Virus is NOT freeware!

Mark

119 posted on 06/05/2004 10:41:23 PM PDT by MarkL (The meek shall inherit the earth... But usually in plots 6' x 3' x 6' deep...)

To: HairOfTheDog

Every one of those DNS records has their address record set to your system (127.0.0.1 AKA "localhost").

If you're running XP ( which it appears that you are ), check to see what's in your hosts and lmhosts files. These are both text files in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC directory.

Mark


120 posted on 06/05/2004 10:44:58 PM PDT by MarkL (The meek shall inherit the earth... But usually in plots 6' x 3' x 6' deep...)
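The hosts-file check MarkL suggests above, as an added example that is not part of the thread: a Python script that parses a Windows hosts file, lists every non-local name pinned to 127.0.0.1 (the pattern that blocks antivirus and removal-tool sites), and lists names sent to a foreign address instead. The sample hosts file is constructed, and 192.0.2.10 is a documentation-range address standing in for an unknown host; on a real machine you would read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from any real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       www.merijn.org
192.0.2.10      www.google.com   # constructed: search engine sent to a documentation-range address
"""

# Names that legitimately point at the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text):
    """Return {'blocked': [names pinned to loopback], 'redirected': [(name, ip)]}.

    'blocked' means a non-local name resolves to 127.0.0.1 (or 0.0.0.0), so the
    site can never be reached; 'redirected' means a name resolves somewhere else
    entirely, which on a hijacked machine is an address the attacker controls.
    """
    findings = {"blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if name not in LOCAL_NAMES:
                findings["blocked"].append(name)
        else:
            findings["redirected"].append((name, str(ip)))
    return findings


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for name in report["blocked"]:
        print(f"BLOCKED    {name} -> loopback")
    for name, ip in report["redirected"]:
        print(f"REDIRECTED {name} -> {ip}")
```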

