Free Republic

HIJACK! (No, not THAT kind!)
various | Today | Me

Posted on 06/05/2004 8:06:55 PM PDT by Long Cut

You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.

It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.

You've been HIJACKED!

What happened? How? You ask, as you pull your hair out in disgust.

Well, it happened to me, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious repercussions for the user.

These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.

I discovered mine one day while, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.

After the reboot, I ran my McAfee antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.

Wrong. It happened again.

Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.

I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".

I went to sites like Spywareguide.com, Spywareinfo.com, and Symantec's excellent site, and educated myself about CWS. It's a mean one.

With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.

After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.

PROTECTION

First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.

Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.

MEDICINE FOR A SICK COMPUTER

I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.

I found Merjin.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.

So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merjin.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.

I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.

HEALING THE PATIENT

I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.

I went to Symantec's website and downloaded detailed instructions for THOROUGHLY cleaning your system. I had missed something important.

CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.

I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode (also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.

Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversely, I have not seen evidence of it yet.

I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.

That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.


TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Your Opinion/Questions
KEYWORDS: computers; coolwebsearch; hijack; hijackers; spyware; trojanhorses; virus; viruses; worm
To: Long Cut
??????

Has merjin.org been hijacked? I tried your link and got this: http://newnet.qsrch.com/dpark?s=merjin.org&prt=nn01

61 posted on 06/05/2004 8:53:46 PM PDT by mfulstone
[ Post Reply | Private Reply | To 1 | View Replies]

To: M1911A1

Computer "geek" PING for you!~


62 posted on 06/05/2004 8:54:36 PM PDT by M0sby ((PROUD WIFE of MSgt Edwards USMC))
[ Post Reply | Private Reply | To 1 | View Replies]

To: Long Cut

Bump for tomorrow...thanks for "heads up" and useful info.!


63 posted on 06/05/2004 8:56:19 PM PDT by 88keys
[ Post Reply | Private Reply | To 1 | View Replies]

To: Long Cut

Really now ?? You swamp surfin in some bad stuff then. Check my last link to ya to evaluate your system and turn off the back doors to the windows media, real player and file sharing, etc .

http://www.unhsolutions.net/

A good link to look at also..........Stay safe !


64 posted on 06/05/2004 8:57:31 PM PDT by Squantos (Be polite. Be professional. But, have a plan to kill everyone you meet.)
[ Post Reply | Private Reply | To 53 | View Replies]

To: Squantos

shields up is great!

I use a hardware router as a shield and "shields up!" says my machine is a fortress, but this crap still seems to get in thru IE. The Mozilla firefox seems to really be helping my PC.


65 posted on 06/05/2004 8:57:47 PM PDT by mylife (The roar of the masses could be farts)
[ Post Reply | Private Reply | To 55 | View Replies]

To: Luis Gonzalez

Google search shows a lot of info on ShopNav

http://www.google.com/search?hl=en&ie=UTF-8&q=shopnav


66 posted on 06/05/2004 8:58:16 PM PDT by TomGuy (Clintonites have such good hind-sight because they had their heads up their hind-ends 8 years.)
[ Post Reply | Private Reply | To 50 | View Replies]

To: Rokke

>>For some reason my "Favorites" will only accept 4 addresses. If I try to add more, it shows up until I close my browser, and then doesn't reappear. Any ideas?<<

First I've heard of this...You probably have something. I've not run into this particular one though so I can't help you.

It's probably a BHO. Hijackthis will list all your BHOs. My suggestion is to remove all of them. In fact, if you clear EVERYTHING that Hijackthis shows, your browser will still work just fine. If you're unsure..checkbox everything. You can always re-install stuff.


67 posted on 06/05/2004 9:00:13 PM PDT by Malsua
[ Post Reply | Private Reply | To 29 | View Replies]

To: mylife

Do ya use zone alarm also ??


68 posted on 06/05/2004 9:01:37 PM PDT by Squantos (Be polite. Be professional. But, have a plan to kill everyone you meet.)
[ Post Reply | Private Reply | To 65 | View Replies]

To: Long Cut
Thanks for the ping LC.

I've been a busy boy cleaning this crap from friends' and co-workers' PCs.

I have found 2 things that will stop this shit right off and I will share with all who will listen.

Go to Google and search for these 2 pieces of software:

1. SpyWareBlaster
2. The Proxomitron

SpyWareBlaster functions much as SpyBot S&D's Immunize function does. It is easily and freely updated whenever you ask it to. It will load protection against thousands of spywarez and DOES NOT NEED TO BE RUNNING IN THE BACKGROUND TO DO THIS.

Install it, set it up and drop a shortcut for it into the Startup Group of your PC and it will load and run its protection at boot up and then you shut it down. Done.

The Proxomitron is a software proxy server that you set up to sit on port 8080. When you configure your browser to use a proxy for HTTP on port 8080, The Proxomitron is now an intermediate step for any traffic coming from the 'net to your browser.

It will work out of the box and protect against such things as popups and homepage hijackers. Run the install program, put a shortcut to it in your startup folder, and then set it as an http proxy on port 8080. To do this for IE go to tools, internet options, connections. Then click settings if you have a dialup connection or click lan settings if you have cable. Either way, the rest is the same. Check the box that says use a proxy server and then click advanced. Under proxy address by HTTP, type in "localhost". Under port, type in 8080. OK your way out and surf free of popups, ads, and other obnoxious stuff. It will also work for Mozilla Firefox as I use both.

You will have an icon in your system tray. If you want to bypass the program and see the page as it would appear normally, right click the icon and select bypass all filters and refresh the page.

Another thing. If you maintain the browser proxy settings as mentioned above and the Proxomitron is not running, you will not be able to connect to the internet. You will either have to reverse the proxy settings in the browser settings or start the Proxomitron.

Finally, this program is a stand-alone, meaning it adds nothing to the registry and does not do such things as install DLLs in the Windows directory. This means if you don't like it all you have to do is not use it and if you want to uninstall it, just delete its program folder.

The Proxomitron is one hell of a piece of software and it is infinitely configurable and it is free.

I cleaned off my two Win ME systems, set up these two programs and have let my kids surf their asses off for the past week.
I just ran a complete AdAware and Spybot S&D scan on both and came up with NO SPYWARE AT ALL.

I cannot recommend this set of "shields" highly enough.

Good luck.
A hearty 'thank you' (again) to fellow Freeper, "No One Special" for putting me onto The Proxomitron.

"Filthy, nasty spywareses...
trying to ruin the Precious.
We won't lets that happen, no.
We'll shows them good!"

69 posted on 06/05/2004 9:04:22 PM PDT by Bloody Sam Roberts (ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,Election '04...It's going to be a bumpy ride,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø)
[ Post Reply | Private Reply | To 3 | View Replies]
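
Added example, not part of any post in this thread: post 69 notes that a browser left pointing at localhost port 8080 cannot connect when The Proxomitron is not running. The Python code below parses an Internet Explorer ProxyServer setting string and reports whether the local proxy is actually listening; the function names, status strings and the default port of 80 are assumptions made for this illustration.

```python
import socket

# ProxyEnable / ProxyServer are the values IE keeps under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
LOOPBACK = {"localhost", "127.0.0.1"}


def parse_proxy_server(value):
    """Parse a ProxyServer string into {scheme: (host, port)}.

    The value is either one "host:port" used for every protocol, or a
    semicolon-separated list such as "http=localhost:8080;ftp=gw:2121".
    """
    proxies = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, sep, addr = part.partition("=")
        if not sep:  # bare "host:port" applies to all protocols
            scheme, addr = "all", part
        host, colon, port = addr.rpartition(":")
        if not colon:  # assumption: treat a missing port as 80
            host, port = addr, "80"
        proxies[scheme.lower()] = (host.lower(), int(port))
    return proxies


def is_listening(host, port, timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_http_proxy(proxy_enable, proxy_server):
    """Classify the browser's HTTP proxy setting."""
    if not proxy_enable:
        return "direct"
    proxies = parse_proxy_server(proxy_server)
    target = proxies.get("http") or proxies.get("all")
    if target is None:
        return "no-http-proxy"
    host, port = target
    if host not in LOOPBACK:
        return f"remote-proxy:{host}:{port}"  # not the local filter; review it
    return "local-proxy-up" if is_listening(host, port) else "local-proxy-down"
```

A result of `local-proxy-down` is the situation the post describes: start the proxy or clear the browser's proxy setting.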

To: Squantos

Nawp no zone alarm, I always figured that the router was acting as a firewall.


70 posted on 06/05/2004 9:04:24 PM PDT by mylife (The roar of the masses could be farts)
[ Post Reply | Private Reply | To 68 | View Replies]

To: Bloody Sam Roberts

Thanks for the great tips


71 posted on 06/05/2004 9:08:09 PM PDT by mylife (The roar of the masses could be farts)
[ Post Reply | Private Reply | To 69 | View Replies]

To: Long Cut

Get a Mac.


72 posted on 06/05/2004 9:08:22 PM PDT by Weimdog
[ Post Reply | Private Reply | To 1 | View Replies]

To: Long Cut

Thanks for the useful post and thread. Bookmarking for Monday morning. One of my computers at work is a mess -- I've forgotten the name of the worm, but it's the back door variety and has really messed up my computer.

I've down-loaded spy bot, but there is one virus that it will not remove, and my anti-virus will not touch it either. I'm trying to avoid stripping the whole machine and starting over - but I may just have to do it. It locks up several times a day.

I keep getting an offer to download ad-aware and spy-aware, but I've been afraid to do it because I don't know whether those are infected programs too.


73 posted on 06/05/2004 9:14:56 PM PDT by afraidfortherepublic (Re-elect Dubya)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mylife

Must have ZA IMO.........set fire walls to maximum captain ! Program control to medium and manual. You'll get bugged a while till ya learn about the pop up warnings but click always remember on your access and deny choices and you'll be living large . Test on the shields up site and use .....

http://grc.com/lt/leaktest.htm

Stay safe !


74 posted on 06/05/2004 9:15:34 PM PDT by Squantos (Be polite. Be professional. But, have a plan to kill everyone you meet.)
[ Post Reply | Private Reply | To 70 | View Replies]

To: zeugma
one solution that solves many if not most of the problems, would be to simply stop using IE. Download Mozilla and install it.

You are only half right. Unless your system is clean from all variants of the CoolWebSearch type trojans...Mozilla or Firefox will avail you naught.

Once your system is clean...and I mean CLEAN...then 'ol Moz will be a very good choice. (I love Firefox)

I spent 4 days fighting a CWS nasty on a friend's XP system that had laid down a hidden file called "svhost.exe" in the Windows directory. Not "svchost.exe" which is an essential service launcher. This bastard would run every 10 seconds and replicate all registry keys and BHOs as soon as I would clean them. It would also not allow Spybot S&D to be run, nor its icon displayed, nor allow its executable to be seen when browsing my hard drive.
When I would go to Spybot's home page it would shut the browser down cold.

I could not simply delete it since it was hidden from Windows and no amount of searching or changing file attributes would change that. Unless I could get a hold of the C:\ drive before Windows did, I was out of luck. Of course with NTFS and XP, that wasn't going to happen. So I reformatted the drive and did a re-install of XP. The little sucker is gone now, that's for sure...but it was a hell of a fight.

75 posted on 06/05/2004 9:15:45 PM PDT by Bloody Sam Roberts (ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,Election '04...It's going to be a bumpy ride,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø)
[ Post Reply | Private Reply | To 9 | View Replies]
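
Added example, not part of any post in this thread: post 75 describes a file named "svhost.exe" in the Windows directory imitating the real "svchost.exe". The Python code below flags process image paths whose file name is one edit away from a core Windows binary, or that use a real name from the wrong directory; the allow-list, the directories, the distance threshold and the sample paths are assumptions made for this illustration.

```python
import ntpath

# Assumption: a small allow-list of core Windows binaries and their usual
# directory on an XP-era install; extend it for the systems you manage.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
MAX_DISTANCE = 1  # one dropped, added, changed or swapped character


def osa_distance(a, b):
    """Edit distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify(path):
    """Return 'ok', 'wrong-directory', 'lookalike:<name>' or 'unlisted'."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in EXPECTED_DIR:
        return "ok" if folder == EXPECTED_DIR[name] else "wrong-directory"
    nearest = min(EXPECTED_DIR, key=lambda legit: osa_distance(name, legit))
    if osa_distance(name, nearest) <= MAX_DISTANCE:
        return "lookalike:" + nearest
    return "unlisted"


# Constructed sample of running-process image paths (not from the thread).
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svhost.exe",
    r"C:\WINDOWS\Temp\svchost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):24} {p}")
```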

To: mfulstone

Merjin's been under serious attack lately. He's REALLY pi$$ed off CWS, and they're retaliating.


76 posted on 06/05/2004 9:16:57 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 61 | View Replies]

To: Bloody Sam Roberts

WOW! Thanks for the info! Do you have any pointers about CONFIRMING that your machine is "clean"? I still have doubts, and before I get anything else, I want to be sure. Short of reformatting it, that is.


77 posted on 06/05/2004 9:24:38 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 69 | View Replies]

To: Malsua; Long Cut; mfccinsd

I don't want to get all emotional here, but you guys are like an answer to a prayer. I literally spent hours today trying to get rid of all the crazy bugs that seem to have appeared lately in my computer. Now that I've downloaded some of the programs you've recommended, I see I've accomplished just about nothing useful. Until now. You've set me right on course. Thanks a lot.


78 posted on 06/05/2004 9:24:48 PM PDT by Rokke
[ Post Reply | Private Reply | To 67 | View Replies]

To: Squantos

Thanks for the info!

Shields to full power! Scotty! where are those damned dilithium crystals!


79 posted on 06/05/2004 9:26:01 PM PDT by mylife (The roar of the masses could be farts)
[ Post Reply | Private Reply | To 74 | View Replies]

To: Rokke; All
I got the idea for this thread by talking today to another FReeper whose machine got all infected. I realized that a good number of us probably had the same problem, so I decided to help out. Obviously, it worked.

I'll sleep well tonight.

80 posted on 06/05/2004 9:30:35 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 78 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
