Posted on 06/05/2004 8:06:55 PM PDT by Long Cut
You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.
It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.
You've been HIJACKED!
What happened? How? You ask, as you pull your hair out in disgust.
Well, it happened to me,, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious reperussions for the user.
These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.
I discovered mine one day whil, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.
After the reboot, I ran my McAffie antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.
Wrong. It happened again.
Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.
I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".
I went to sites like Spywareguide.com, Spywareinfo.com,, and Symantec's excellent site, and educated myself about CWS. It's a mean one.
With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.
After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.
PROTECTION
First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.
Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.
MEDICINE FOR A SICK COMPUTER
I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.
I found Merjin.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.
So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merjin.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.
I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.
HEALING THE PATIENT
I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.
I went to Symantec's website and downloaded detailed instructions for THOUROUGHLY cleaning your system. I had missed something important.
CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.
I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode(also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.
Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversly, I have not seen evidence of it yet.
I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.
That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.
That is what my scripts look out for. My system isn't your typical soft target.
One of my kids managed to get some coolweb stuff on a laptop that I hadn't updated. Among other things, it took over Windows media player and turned it into a monster.
In addition to the programs you mention, you also might want to look into CWShredder, a small program that removes Coolweb malware.
And I recommend the combination of SpybotSearch&Destroy and Spyware Blaster to immunize yourself from bad sites.
Do you have any pointers? I'm still pretty computer-illiterate, just way more familiar with hijackers now.
You are not alone.
I am an IT professional and have been so for 20+ years.
I now am cleaning spyware/adware/trojans from computers several times a week.
Most of these machines have become unusable because of it.
The latest genuine threat is Peper. This nasty piece can't be killed until you go into safe mode, delete a pile of hidden files and clean out the registry of BHOs.
I will say this...unless you run a popup stopper and/or an ad remover, you're going to get this garbage.
You need to get and run:
Spywareblaster
spybot search and destroy
Adaware
hijackthis
Further stop using Internet Explorer. Switch over to Mozilla Firefox. At least until this garbage is kept at bay.
Firefox is also VERY extensable. Imagezoomer is a great add-in to firefox. Allows you to zoom in or out any image in any post. There are over 100 add-ins to Firefox that add all sort of nifty things. Firefox displays pages just as fast or faster than IE(if someone tells you otherwise, they have an OS problem, I've installed it on over 50 machines) and Firefox blocks popups and much of the adware issues we've got right now.
-Mal
Exact same thing happened to my Mom's PC. One day, out of nowhere, she opened an IE window, and BAM...some disgusting porn garbage.
This is my MOM we're talking about here. Words could not express my fury and embarrassment over this hijack!
I tried everything I could think of to get rid of the offending bug, but it seemed that every time I thought I made some headway, I'd re-boot and the bugger would re-appear.
Eventually, I just downloaded and installed NetScape. She's been using that ever since with no problems.
ping for later
Man is this a timely thread. I just spent a couple hours getting rid of this crap on my computer. But here's something I can't solve. For some reason my "Favorites" will only except 4 addresses. If I try to add more, it shows up until I close my browser, and then doesn't reappear. Any ideas?
Thanks. I'm downloading it as we speak.
Then run the file
I've got all the programs you listed except Mozilla. Is it difficult to replace IE with it? How exactly is this done?
Thanks for posting this. I would sure like to spend an afternoon with the Democrats (you know that what they are) that create this malware.
see #31
That's a new one on me. Mal, any ideas??
HijackThis is great. I rank it up there with Lavasoft's ad-aware.
I'm doing exactly the same thing right now...been fighting it for two weeks now.
Thanks for the tip on cleaning in Safe Mode.
It has gotten to the point that I rarely venture off of FR. I find myself waiting for commentary on an article rather than clicking on the source for the full story. I use spybot and adaware. The web can be a realy dangerous place.
There are a few Linux viruses in circulation. More will surely come as more start using it.
Same with Mac's. Just this past week there was a thread on a Mac 'vunerability.'
If every one stopped using Windows tomorrow and changed to Mac or Linux, the virus makers would increase their attacks on those.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.