Free Republic
Browse · Search
Topics · Post Article

Skip to comments.

HIJACK! (No, not THAT kind!)
various | Today | Me

Posted on 06/05/2004 8:06:55 PM PDT by Long Cut

You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.

It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.

You've been HIJACKED!

What happened? How? You ask, as you pull your hair out in disgust.

Well, it happened to me,, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious reperussions for the user.

These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.

I discovered mine one day whil, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.

After the reboot, I ran my McAffie antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.

Wrong. It happened again.

Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.

I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".

I went to sites like,,, and Symantec's excellent site, and educated myself about CWS. It's a mean one.

With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.

After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.


First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.

Next, some firewalls. At Major, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.


I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.

I found, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.

So effective are these programs, CWS has recently conducted Denial Of Service attacks on Thankfully, it has also contains detailed information about all the CWS variants, and manual removal procedures.

I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.


I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.

I went to Symantec's website and downloaded detailed instructions for THOUROUGHLY cleaning your system. I had missed something important.

CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.

I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode(also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.

Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversly, I have not seen evidence of it yet.

I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.

That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.

TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Your Opinion/Questions
KEYWORDS: computers; coolwebsearch; hijack; hijackers; spyware; trojanhorses; virus; viruses; worm
Navigation: use the links below to view more comments.
first previous 1-20 ... 81-100101-120121-140 ... 181-192 next last
To: Long Cut

One thing I found to get around the merjin stuff is that where I was finding problems (wanting to double check the random thing that I find once in awhile before removing from hijack) was that the links to the other sites of lists (like bho lists, etc.) were not allowing for anything to be searched or came up with no responses...I explored long enough that I found that there lists you can download and just 'ctrl f' for whichever you are questioning...

Did that make any sense? In any case, I was glad to find an alternative cause all the problems on his site were getting annoying! LOL!

101 posted on 06/05/2004 10:08:55 PM PDT by mfccinsd
[ Post Reply | Private Reply | To 76 | View Replies]

To: Long Cut

Mozilla is the full featured browser, firefox is just the browser. I have both and use firefox the most. Thanks for all the info, I have had many problems with the wifes PC off/on for months, reinstalled win98 3 times

102 posted on 06/05/2004 10:09:05 PM PDT by markman46
[ Post Reply | Private Reply | To 86 | View Replies]

To: Long Cut
Check earlier in this thread. I made a post with several useful Mozilla links that I'm too lazy to retype now. :-) The "extensions" are definitely something to look at, though aren't strictly necessary.
103 posted on 06/05/2004 10:09:08 PM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 91 | View Replies]

To: Fraulein

Do 'save log' and you can put it in a private message to me (the contents of the log) and I'll help you if you'd like

104 posted on 06/05/2004 10:09:41 PM PDT by mfccinsd
[ Post Reply | Private Reply | To 100 | View Replies]

To: zeugma

Okay, just so's I'm clear...I download Mozilla, and Firefox et. al. comes with it, correct? There's several versions of Mozilla on the site...which ones do you recommend?

105 posted on 06/05/2004 10:10:18 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 98 | View Replies]

To: Bloody Sam Roberts

I've also found tds-3 (free eval. version you can use) is helpful, as is a2

Both found things that I hadn't been able to fix on hijack adaware and spybot...all of which I run (and update) very often.

Might be worth trying just to be sure, too...

106 posted on 06/05/2004 10:13:49 PM PDT by mfccinsd
[ Post Reply | Private Reply | To 81 | View Replies]

To: Long Cut; All

Anyone contemplating trying Mozilla or Firefox needs to bookmark this page!

Note that "user forums" are open. In other words, you don't have to register. (The sections down the page you do, however).

107 posted on 06/05/2004 10:14:38 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. )
[ Post Reply | Private Reply | To 105 | View Replies]

To: Long Cut
From the main mozilla page, go to the section titled "mozilla 1.6", and select the one for your operating system. Version 1.6 is considered the latest "stable" release. Right now I'm on version 1.8a, which is an 'alpha' release - it's not considered stable yet. You'd probably be best off with 1.6.
108 posted on 06/05/2004 10:14:52 PM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 105 | View Replies]

To: Long Cut

//I'm no expert (but there are certainly some on this thread), however, I'd assume that the files it found are "hidden" somehow from your "search" function. In my case, they were in the "restore" system folder, and I had to disable it before I could begin deleting the offenders. If it's enabled, it won't allow you to mess with it.//

Well, I use 'dir /a' as my file finder; I suppose something could tamper with it, but I don't know that spyware thingies tamper with DOS.

109 posted on 06/05/2004 10:16:09 PM PDT by supercat (Why is it that the more "gun safety" laws are passed, the less safe my guns seem?)
[ Post Reply | Private Reply | To 99 | View Replies]

To: Fraulein

You can go to this page:

Look around a little and then register if it looks good to you. If you register you will be able to post your log and the gurus there will tell you what to delete. I have not used them but I have heard about it. I think they will be of help.

110 posted on 06/05/2004 10:16:27 PM PDT by No One Special
[ Post Reply | Private Reply | To 100 | View Replies]

To: Fraulein
First, delete all of the stuff ad-aware found. You can do this by acessing the "quarantine list", selecting each, and clicking "delete".

As for HiJackTHIS!, you'll have to go line-by-line and check will give details about each, as well as tell you if any are really bad. Anything with "about:blank", for instance, should be deleted forthwith. Read each carefully...if it's something you know, or remember downloading deliberately by the name, just put it on the "ignore" list.

HiJackTHIS! has a guide to its ratings, and so does Merjin. Refer to them before deleting anything.

It'll be a pain, but after you're done, anything else will be easy.

111 posted on 06/05/2004 10:17:57 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 100 | View Replies]

To: Long Cut

Firefox 0.8.

It's a browser only.

Mozilla 1.6 is okay. It has an e-mail client and even a web page maker. But go with Firefox until you get a little used to the changes.

My opinion....

112 posted on 06/05/2004 10:18:04 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. )
[ Post Reply | Private Reply | To 105 | View Replies]

To: Long Cut
Full article can be read here:

Why Windows is a Security Nightmare
Security in all mainstream operating systems is non-existent; however, things are especially bad for Windows. Windows happens to be the favorite target of worm and virus writers. Conventional wisdom suggests that the huge installed base of Windows helps spread the worms and viruses, and also makes it a highly attractive target for worm/virus writers. The installed base of Windows certainly has an undeniable effect on the prevalence of malware on Windows, but this is not all there is to it.

The Blaster worm attacks Windows XP, and Win2K systems. In order to infect a system the worm needs to send the correct payload for the respective OS. The worm is not able to differentiate between the XP and Win2K so it randomly guesses the OS type; however, if it guesses wrong the RPC service crashes, and Windows reports it as a crash of svchost. The Blaster attack was quite a surprise as the major outbreak of the worm occurred back in August 2003, and I was expecting all infections of the worm to be fixed by now.

I was in no position to do anything about the Blaster attack, so I continued downloading the 35 MB service pack 4 over my dialup connection. It took me a couple of hours to download it, but Windows Update refused to install it; Windows Update probably needed some functionality provided by the crashed svchost.exe.

I rebooted and connected to the internet, which was a mistake as I was giving the worm a second chance to infect my system. Anyway, I proceeded to Windows Update, and tried the same download again. Alas, Windows Update had forgotten all about the 35 MB it had downloaded previously, and started downloading the same stuff all over again. Worse, the Blaster worm crashed svchost again, and I had to discontinue the download.

I knew about the existence of a standalone security update to patch the vulnerability Blaster exploits, so I decided to bypass Windows Update and download it directly. The download was small less than 1MB, but as soon as I tried running it I learned that it requires at least service pack 2 to install, which I didn't have.

Microsoft provides a separate download for service packs as well, and I decided to download the latest service pack, service pack 4. Well, the standalone service pack 4 distribution turned out to be a mammoth 129 MB download. This is about the maximum I have ever downloaded over a dialup connection; a download of this size can easily take 10 or more hours to complete.

Downloading a large file over dialup requires the ability to resume downloads which Internet Explorer does not provide, so I downloaded Wget to acquire that ability. Wget is a commandline tool and is invoked by calling it with the URL name. I tried pasting the URL on the command line, but it turns out that the cut and paste functionality disappears after a blaster attack, so I was forced to manually type the URL.

Normally, typing a URL is not a big deal. Everyone types URLs all the time, and I do too, but I do mind typing gibberish strings of 95 characters like the following: 241BFECD095E/W2KSP4_EN.EXE
To cut a long story short I managed to download and install the service pack, and the Blaster security update. Finally, the Windows Update started working and after another 30-40 MB of downloads, and 3 or so reboots, I managed to installed the 18 security updates available there (another 5 have been added to that number as of now).

After this experience I cannot help but laugh at the 'usability' problems Windows users are reporting about GNOME and KDE. It has become pretty clear to me that Windows users are so accustomed to usability problems that they don't even recognize them as usability problems. But, as soon as these people move to a different environment they start complaining simply because the new environment does not replicate the features and bugs of Windows exactly.

The other big lesson from all this is that most Windows users are incapable of 'securing' their systems. This is precisely why an unprotected system gets attacked in a matter of seconds, and spammers are still sending out Messenger service spam. Worse, Microsoft is directly responsible for this state of affairs. Windows encourage users to reinstall it every once in a while, and when they do, Windows Update actively prevents users from updating their systems.

The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter. I was able to download security updates off the internet only because the current generation of worms are not particularly malicious; they are just minor irritants.

If Microsoft is serious about Windows security it needs to fix Windows Update, and get rid of the damned Registry for good. Unfortunately, Microsoft's approach is to layer half baked fixes over utterly broken things to keep them going for as long as possible. Microsoft knows that there is a problem with the Registry, but the way it is dealing with it is by offering Registry rollbacks, and similar worthless functionality.

113 posted on 06/05/2004 10:23:18 PM PDT by macJoyful (Macs - the only thing liberal about me)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn; All
Okay, I'm off to download Firefox...seems it's all I need to start off.

Thanks to ALL the experts who offered their valuable advice and help. I'm sure there were MANY lurkers who found it as useful as the posters did.

If enough people get the word, maybe we can stop these jerks from ruining people's machines and lives.

Signing off for tonight, back tomorrow.

114 posted on 06/05/2004 10:24:53 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 112 | View Replies]

To: Long Cut

The Best and only programs I have found that work are spy bot search and destroy and regrun. Regrun is awesome because it can do three things to a malware file like ncase, isolate destroy and block all variations of it from working on my computer sweet a** program.

115 posted on 06/05/2004 10:26:28 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mylife

People work full time creating these threats making it a full time job to stay ahead of them.

116 posted on 06/05/2004 10:28:51 PM PDT by South40 (Amnesty for ILLEGALS is a slap in the face to the USBP!)
[ Post Reply | Private Reply | To 89 | View Replies]

To: No One Special
Thank you for the link. I will check it out.
117 posted on 06/05/2004 10:28:54 PM PDT by Fraulein
[ Post Reply | Private Reply | To 110 | View Replies]

To: Long Cut
Ah, yes, "about: blank" -- 2 words that I am so sick of seeing on windows as they are first spontaneously popping-up!

Thanks, again, for this thread. It's been very helpful. :)

Oddly, my home page was hijacked by a bright red page saying that my computer had spyware/security problems! Lots of windows would start opening up while the 'new' home page took over the whole computer screen, unable to be minimized, and usually shortly thereafter everything locked up.

118 posted on 06/05/2004 10:36:22 PM PDT by Fraulein
[ Post Reply | Private Reply | To 111 | View Replies]

To: Squantos
AVG-Zone Alarm-Norton AV- Ad Aware are all free, get em , use em !.....:o)

Please note!!! While Norton (Symantec) does have an on-line, web based virus scan, Norton (or Symantec) Anti-Virus is NOT freeware!


119 posted on 06/05/2004 10:41:23 PM PDT by MarkL (The meek shall inherit the earth... But usually in plots 6' x 3' x 6' deep...)
[ Post Reply | Private Reply | To 47 | View Replies]

To: HairOfTheDog

Every one of those DNS records has their address record set you your system ( AKA "localhost").

If you're running XP ( which it appears that you are ), check to see what's in your hosts and lmhosts files. These are both text files in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC directory.


120 posted on 06/05/2004 10:44:58 PM PDT by MarkL (The meek shall inherit the earth... But usually in plots 6' x 3' x 6' deep...)
[ Post Reply | Private Reply | To 49 | View Replies]

Navigation: use the links below to view more comments.
first previous 1-20 ... 81-100101-120121-140 ... 181-192 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794 is powered by software copyright 2000-2008 John Robinson