Skip to comments.HIJACK! (No, not THAT kind!)
Posted on 06/05/2004 8:06:55 PM PDT by Long Cut
You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.
It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.
You've been HIJACKED!
What happened? How? You ask, as you pull your hair out in disgust.
Well, it happened to me,, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious reperussions for the user.
These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.
I discovered mine one day whil, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.
After the reboot, I ran my McAffie antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.
Wrong. It happened again.
Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.
I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".
I went to sites like Spywareguide.com, Spywareinfo.com,, and Symantec's excellent site, and educated myself about CWS. It's a mean one.
After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.
First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.
Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.
MEDICINE FOR A SICK COMPUTER
I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.
I found Merjin.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.
So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merjin.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.
I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.
HEALING THE PATIENT
I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.
I went to Symantec's website and downloaded detailed instructions for THOUROUGHLY cleaning your system. I had missed something important.
CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.
I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode(also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.
Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversly, I have not seen evidence of it yet.
I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.
That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.
One thing I found to get around the merjin stuff is that where I was finding problems (wanting to double check the random thing that I find once in awhile before removing from hijack) was that the links to the other sites of lists (like bho lists, etc.) were not allowing for anything to be searched or came up with no responses...I explored long enough that I found that there lists you can download and just 'ctrl f' for whichever you are questioning...
Did that make any sense? In any case, I was glad to find an alternative cause all the problems on his site were getting annoying! LOL!
Mozilla is the full featured browser, firefox is just the browser. I have both and use firefox the most. Thanks for all the info, I have had many problems with the wifes PC off/on for months, reinstalled win98 3 times
Do 'save log' and you can put it in a private message to me (the contents of the log) and I'll help you if you'd like
Okay, just so's I'm clear...I download Mozilla, and Firefox et. al. comes with it, correct? There's several versions of Mozilla on the site...which ones do you recommend?
I've also found tds-3 (free eval. version you can use) is helpful, as is a2 http://www.emsisoft.com/en/
Both found things that I hadn't been able to fix on hijack adaware and spybot...all of which I run (and update) very often.
Might be worth trying just to be sure, too...
Anyone contemplating trying Mozilla or Firefox needs to bookmark this page!
Note that "user forums" are open. In other words, you don't have to register. (The sections down the page you do, however).
//I'm no expert (but there are certainly some on this thread), however, I'd assume that the files it found are "hidden" somehow from your "search" function. In my case, they were in the "restore" system folder, and I had to disable it before I could begin deleting the offenders. If it's enabled, it won't allow you to mess with it.//
Well, I use 'dir /a' as my file finder; I suppose something could tamper with it, but I don't know that spyware thingies tamper with DOS.
You can go to this page:
Look around a little and then register if it looks good to you. If you register you will be able to post your log and the gurus there will tell you what to delete. I have not used them but I have heard about it. I think they will be of help.
As for HiJackTHIS!, you'll have to go line-by-line and check each...it will give details about each, as well as tell you if any are really bad. Anything with "about:blank", for instance, should be deleted forthwith. Read each carefully...if it's something you know, or remember downloading deliberately by the name, just put it on the "ignore" list.
HiJackTHIS! has a guide to its ratings, and so does Merjin. Refer to them before deleting anything.
It'll be a pain, but after you're done, anything else will be easy.
It's a browser only.
Mozilla 1.6 is okay. It has an e-mail client and even a web page maker. But go with Firefox until you get a little used to the changes.
Why Windows is a Security Nightmare
Security in all mainstream operating systems is non-existent; however, things are especially bad for Windows. Windows happens to be the favorite target of worm and virus writers. Conventional wisdom suggests that the huge installed base of Windows helps spread the worms and viruses, and also makes it a highly attractive target for worm/virus writers. The installed base of Windows certainly has an undeniable effect on the prevalence of malware on Windows, but this is not all there is to it.
The Blaster worm attacks Windows XP, and Win2K systems. In order to infect a system the worm needs to send the correct payload for the respective OS. The worm is not able to differentiate between the XP and Win2K so it randomly guesses the OS type; however, if it guesses wrong the RPC service crashes, and Windows reports it as a crash of svchost. The Blaster attack was quite a surprise as the major outbreak of the worm occurred back in August 2003, and I was expecting all infections of the worm to be fixed by now.
I was in no position to do anything about the Blaster attack, so I continued downloading the 35 MB service pack 4 over my dialup connection. It took me a couple of hours to download it, but Windows Update refused to install it; Windows Update probably needed some functionality provided by the crashed svchost.exe.
I rebooted and connected to the internet, which was a mistake as I was giving the worm a second chance to infect my system. Anyway, I proceeded to Windows Update, and tried the same download again. Alas, Windows Update had forgotten all about the 35 MB it had downloaded previously, and started downloading the same stuff all over again. Worse, the Blaster worm crashed svchost again, and I had to discontinue the download.
I knew about the existence of a standalone security update to patch the vulnerability Blaster exploits, so I decided to bypass Windows Update and download it directly. The download was small less than 1MB, but as soon as I tried running it I learned that it requires at least service pack 2 to install, which I didn't have.
Microsoft provides a separate download for service packs as well, and I decided to download the latest service pack, service pack 4. Well, the standalone service pack 4 distribution turned out to be a mammoth 129 MB download. This is about the maximum I have ever downloaded over a dialup connection; a download of this size can easily take 10 or more hours to complete.
Downloading a large file over dialup requires the ability to resume downloads which Internet Explorer does not provide, so I downloaded Wget to acquire that ability. Wget is a commandline tool and is invoked by calling it with the URL name. I tried pasting the URL on the command line, but it turns out that the cut and paste functionality disappears after a blaster attack, so I was forced to manually type the URL.
Normally, typing a URL is not a big deal. Everyone types URLs all the time, and I do too, but I do mind typing gibberish strings of 95 characters like the following:
To cut a long story short I managed to download and install the service pack, and the Blaster security update. Finally, the Windows Update started working and after another 30-40 MB of downloads, and 3 or so reboots, I managed to installed the 18 security updates available there (another 5 have been added to that number as of now).
After this experience I cannot help but laugh at the 'usability' problems Windows users are reporting about GNOME and KDE. It has become pretty clear to me that Windows users are so accustomed to usability problems that they don't even recognize them as usability problems. But, as soon as these people move to a different environment they start complaining simply because the new environment does not replicate the features and bugs of Windows exactly.
The other big lesson from all this is that most Windows users are incapable of 'securing' their systems. This is precisely why an unprotected system gets attacked in a matter of seconds, and spammers are still sending out Messenger service spam. Worse, Microsoft is directly responsible for this state of affairs. Windows encourage users to reinstall it every once in a while, and when they do, Windows Update actively prevents users from updating their systems.
The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter. I was able to download security updates off the internet only because the current generation of worms are not particularly malicious; they are just minor irritants.
If Microsoft is serious about Windows security it needs to fix Windows Update, and get rid of the damned Registry for good. Unfortunately, Microsoft's approach is to layer half baked fixes over utterly broken things to keep them going for as long as possible. Microsoft knows that there is a problem with the Registry, but the way it is dealing with it is by offering Registry rollbacks, and similar worthless functionality.
Thanks to ALL the experts who offered their valuable advice and help. I'm sure there were MANY lurkers who found it as useful as the posters did.
If enough people get the word, maybe we can stop these jerks from ruining people's machines and lives.
Signing off for tonight, back tomorrow.
The Best and only programs I have found that work are spy bot search and destroy and regrun. Regrun is awesome because it can do three things to a malware file like ncase, isolate destroy and block all variations of it from working on my computer sweet a** program.
People work full time creating these threats making it a full time job to stay ahead of them.
Please note!!! While Norton (Symantec) does have an on-line, web based virus scan, Norton (or Symantec) Anti-Virus is NOT freeware!
Every one of those DNS records has their address record set you your system (127.0.0.1 AKA "localhost").
If you're running XP ( which it appears that you are ), check to see what's in your hosts and lmhosts files. These are both text files in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC directory.
Stay safe !
Have you seen these links?
As far as extensions, I recommend:
IE View (right click and open IE if there's a page you can't render correctly with Firefox)
AdBlock (in addition to the standard popup blocker, this extension allows you to right click on banner ads and some Flash and remove them)
External Application Buttons (with this I've added an OE button to the browser bar)
NOTE -there's been some bugs with trying to install more than one extension at a time. Install one, then close the browser and restart it before getting another one.
Under certain circumstances, that's the ONLY way to see the files. Microsoft's filesystems (NTFS - and if you're using WindowsME (not sure about Win9x) FAT32) has an "undocumented" attribute known as "SuperHidden." This hides a file, even if you're folders are set to show all files. However, a "dir /a" will show these files. BTW, if you do a search on Microsoft's knowledgebase for the word "superhidden," you will not get a single hit! IIRC, Nimda was the first virus to take advantage of this, as well as the ability to block showing the extension of the file in Windows Explorer!
Glad you posted this....I just got a problem about a week ago and am in the process of cleaning it up.
Thanks to all for their links and useful info. Does anyone know what it is these idiots are trying to accompolish with these programs? It seems to me the parasite is killing the host.
Will check back for more info here!
I'm not that deep into it, don't know about the nightlies, but I've noticed on the support threads that doing more than one at a time seems to be at least a common enough occurence.
That likely will change with 0.9, since it's said to have an extension manager/installer built in.
I've been using this with good luck:
If only it could backup the unprotected cache. sigh
Okay! I'm now using Firefox, and so far, it's great! I've got one question...how do I set a homepage to it? I can't seem to figure that out.
Thanks for the pointer. This has been a great thread. I think it has garnered a few Mozilla converts! Now, if only I could convince them to move away from the Dark Side...
One thing that I'd suggest you consider is something I've been doing for quite some time. I browse to my bookmarks.html file by "File", then "Open file". Then I set my homepage to be my bookmarks. I find that this speeds up opening my browser in a major way. Highly reccommended. YMMV
Thanks, I got it. One more thing...I've noticed that my scroller on this laptop now won't work. is that normal?
Even after reboot? I have that problem sometimes if I've been doing too much and it's overwhelmed...but I've always been ok after rebooting...
That's really odd...report back if you figure it out! Never know...now that I said that maybe I'll have the same problem and you can tell me the trick! Ha! :-)
FASTER, built in pop up blocking... and impervious to internet explorer baloney.
Tis also FREE.
I use a Mac.
My husband managed to infect it.
I simply won't have Explorer on my machine any more. I use Safari and that doesn't allow pop-ups.
Us Mac people are vulnerable too.
My husband managed to infect my machine.
He kept insisting on using Explorer and that's how it got in. I finally ended up simply remving the entire program.
We only use Safari, now.
you cannot get rid of IE.. just stop using it. clear it's cache and get rid of it's link in the toolbar...
firefox, thunderbird and mozilla are immune from microsoft based attacks. the firefox browser is blazing fast, has tabbed browsing (incredible feature really really), and graphics rendering is really top notch.
I've used them for four or five years.
Once you have installed a mozilla browser, you won't wanna go back...
My computer has a function called "Favorites", so all I have to do is click on the bookmarked Free Republic link and, voila!, I'm there! No typing necessary! I suggest that you get a computer with a "Favorites" function.
Spy Sweeper is awesome.
Exactly WHAT were you infected with? I know of no infectious programs in the wild for Mac OSX.
He was using Explorer to surf for naughty pictures ( A thing i do NOT appreciate!) and we had a "button" appear and attach itself to Explorer's tool bar. Took you direct to one of these sites, and you would also get droves of nasty pop-ups.
The dumb thing was right there where my daughter could have gotten to it.
I tried to remove the button and could not. He would also have things begin to down-load and not know how he had activated them.
AND he was leaving smut on the desk-top!
I finally just trashed Explorer and told him I'd break his neck if I found anything like that again.
Thanks for the info.
Wow! A 19KB hosts file? You've been hit by something. Please freepmail me your hosts and hosts.old files. You haven't got an lmhosts file (that's OK).
I'll see if I can "fix it" for you, then freepmail it back to you. It should be pretty simple.
I'm still learning the differences, so though I know of .js files and the "user chrome" when they're mentioned, I haven't touched them as of yet.
Maybe someday I'll try Linux. I'm about ready too. I can't fathom so many jumping on the XP bandwagon. One of my pet sayings about it is how you have to have a former fry cook to authorize your using what you bought and paid for.
I understand those who go and buy their first computer at Wal-Mart. As when I started, they know no better and that's what's offered now. But for anyone who has been around computers a while, the Big Brother aspects should have fired off alarm bells. There's been even worse rumors about Longhorn, and that "lockbox" (the DRM thing).
Oh well, I'm still on the Dark Side, but I'm gonna run ME into the ground before becoming a slave to fry cooks.
WOW! You got it! My fiancee is here and knew how to go in and look at that stuff.... and there was all kinds of frap in there he knew how to get rid of and give me a clean hosts file... Now when I flush the cache, nothing insidious shows up there.
Thanks also to mfccinsd, who helped me run the HijackThis tool and get rid of some other leftovers I just didn't need in there!
But just so you know the weight you have lifted from me, here is what was in there! (I did once briefly have Kazaa, but I swear to you, I have never willingly been to any of the sex-type stuff! Here is my host file the way it was:
# localhost: Needs to stay like this to work
# KaZaA related:
# 220.127.116.11 = www.google.com
# Adservers and other crappy sites:
OOPS Forgot to ping you.... see my post above!
You don't know the half of it. The hosts file is searched BEFORE DNS, so a bad guy could easily insert an entry like www.paypal.com or www.ebay.com in your hosts file, which then sends you to an alternate "bad guy" site, and you could unknowingly enter your username and password.
Again, the 127.0.0.1 address is TCP/IP speak for your computer. So, if you've got some trojan or other program running, you could get the porn pop-ups even if you're disconnected from the Internet!
I'm glad I could be of some help
Well, the thing is.... the computer worked fine... I never did have trouble with my computer acting up, I only knew this stuff was in my cache because clearing the cache became part of my troubleshooting for a bad DNS juju problem I had awhile ago. That (I believe) was a bad name server problem with my ISP that they eventually fixed.
But it bothered me that I'd see things like "sextracker" in my cache when I hadn't done anything!
Good post. I've got a friend's laptop on my desk, for a spyware exorcism, right now. It's currently installing Windows updates, after a couple of Ad-Aware and Spybot sessions.
I'm not sure which ring of Hell that spammers and malware/adware/hijacker writers and distributors will occupy, but they are in there somewhere.