Posted on 06/05/2004 8:06:55 PM PDT by Long Cut
You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.
It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.
You've been HIJACKED!
What happened? How? You ask, as you pull your hair out in disgust.
Well, it happened to me,, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious reperussions for the user.
These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.
I discovered mine one day whil, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.
After the reboot, I ran my McAffie antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.
Wrong. It happened again.
Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.
I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".
I went to sites like Spywareguide.com, Spywareinfo.com,, and Symantec's excellent site, and educated myself about CWS. It's a mean one.
With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.
After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.
PROTECTION
First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.
Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.
MEDICINE FOR A SICK COMPUTER
I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.
I found Merjin.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.
So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merjin.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.
I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.
HEALING THE PATIENT
I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.
I went to Symantec's website and downloaded detailed instructions for THOUROUGHLY cleaning your system. I had missed something important.
CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.
I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode(also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.
Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversly, I have not seen evidence of it yet.
I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.
That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.
I might just have to buy a mouse. This touchpad gives me grief in many ways. However, I'm not sure that it'll work, either.
Go to mozilla.org and get firefox, you'll laugh out loud at the speed when u compare it to IE.....Been using mozilla and now firefox for some time and there is NO comparison..
I got it last night! It is indeed an vast improvememt. Aside from the scrolling issues, that is, and I'm working on those.
You should have a link to the Extension area on your links bar...just above your tabs on the left. It's called "Firefox Help". On that page there is a link on the left about halfway down called "Extensions".
If not, here's a link:
This is the same philosophy that convinced passengers to board the "unsinkable" Titanic.
Lock it.
Look at the "Locking the HOSTS File" section on this page at mvps.org, and download the two batch files to lock and unlock your hosts file. (You can just do it manually via command line, but the batch files make it easier.)
PS: the mvps.org site has a nice ready-to-roll HOSTS file you can download.
You can read about it (and download it) from here: http://mvps.org/winhelp2002/hosts.htm
Or, if you just want to grab it straightaway (and already know where it goes), it's here: http://mvps.org/winhelp2002/hosts.txt
I was thinking the same thing. SpybotS&D, for instance, can make a protected hosts file (though it's not a default. You have to manually do it, and can delete it if there's a problem).
Here's a partial example:
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
127.0.0.1 www.wazzupnet.com
127.0.0.1 gueb.com
127.0.0.1 kabex.com
127.0.0.1 www.hityou.com
127.0.0.1 miosearch.com
127.0.0.1 wazzupnet.com
127.0.0.1 213.131.225.2....
# This list is Copyright 2000-2004 Patrick M. Kolla / Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy
Ping!!!!!!!!!!!
All of the above work fine in IE and on regular programs, but not in Firefox. I still can't figure it out.
It's all set now, and it works great!
Great! Firefox is making me happy so far..some things have changed, but the benefits beat the drawbacks so far!
FIREFOX BTT!!!!!
Thanks...was looking for something like this. If you don't block registry changes, it is a vicious circle!
I'll go find it.
Here's a "Thanks for the valuable info!" BUMP!
You're very welcome. It seems this thread has helped many with t5hese problems, certainly including myself.
On the advice of some trusty FReepers, I installed Mozilla's FIREFOX browser, and made it my default. This also required a trip to my touchpad's manufacturer's website to download their latest drivers, so the Synaptec touchpad will work properly with Firefox. All in all, about two hour's work with a dialup connection.
What a doll!!!!!!!!!!!!!!!!!!!!
Surfing is now noticeably faster, as are downloads and graphics. There has been no trace of a popup OR a hijack for over a week now. And tabbed browsing is, in fact, a joy. Daily runs of ad-aware and Spybot have turned up NO SPYWARE, ADWARE, OR MALWARE at all for the past seven days, and that includes one evening when I actually TRIED (don't ask how) to get some! Going online has indeed become pleasant again.
However, a few iggies...
Internet Explorer still has access to the 'net after you download Firefox. A brief search found some stuff it had gotten on its lonesome, apparently. No sweat...I merely instructed my Zone Alarm to block all Internet access to that program. No more problems.
Moral? Even if you use Mozilla's excellent products, keep your firewalls and "guard" programs. Mozilla might be immune, but IE still provides backdoors to the bad guys. I did note that IE's homepage was changed by a BHO today (Browser Hijack Blaster kindly informed me whilst it tore the offender out by the roots), but had I not been notified, it's doubtful I'd have noticed. Thus, other things might have happened. If ZA doesn't seal it off, I'll simply delete IE.
Thanks again for all the advice and patience to us novices and nuggets here! I truly hope that as many have been helped as I was, and without the headaches.
I've been having a hell of a time with ebates.com MoeMoney maker. I'v ehad a nasty exchange of email with the freaks in their "customer service" area. If I they were in my city, I'd beat the hell out oe 'em.
Please, tell your story here. Give all the details, too...your experience may help another.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.