Free Republic

HIJACK! (No, not THAT kind!)
various | Today | Me

Posted on 06/05/2004 8:06:55 PM PDT by Long Cut

You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.

It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.

You've been HIJACKED!

What happened? How? You ask, as you pull your hair out in disgust.

Well, it happened to me, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious repercussions for the user.

These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.

I discovered mine one day while, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.

After the reboot, I ran my McAfee antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.

Wrong. It happened again.

Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.

I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".

I went to sites like Spywareguide.com, Spywareinfo.com, and Symantec's excellent site, and educated myself about CWS. It's a mean one.

With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.

After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.

PROTECTION

First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.

Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.

MEDICINE FOR A SICK COMPUTER

I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.

I found Merjin.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.

So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merjin.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.

I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.

HEALING THE PATIENT

I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.

I went to Symantec's website and downloaded detailed instructions for THOROUGHLY cleaning your system. I had missed something important.

CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.

I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode (also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.

Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversely, I have not seen evidence of it yet.

I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.

That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.


TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Your Opinion/Questions
KEYWORDS: computers; coolwebsearch; hijack; hijackers; spyware; trojanhorses; virus; viruses; worm
To: Long Cut

My brother-in-law's computer was so completely overwhelmed by spyware and adware -- CWS was the last and most difficult to slay -- that it would take LITERALLY 10 minutes to come up, run out of virtual memory (there were so many IE instances in the task bar that it wasn't worth counting them) and crash.

I made two trips; made it somewhat better one day, and then came back later in the week with several other adware tools, and finally eradicated what turned out to be over 450 bugs.

I defragged him (35%+ fragmented. just mangled), installed Mozilla Firefox and told him to never run IE EVER AGAIN.


181 posted on 06/11/2004 5:58:57 PM PDT by smonk

To: counterpunch

Oh man, PestPatrol has saved me several times from infestation.

I've been hit like this before, with pornographic pop-ups, porn sites added to my favorites list, a strange toolbar beneath my standard internet buttons, etc.

Pest Patrol killed it, thank goodness.


182 posted on 06/11/2004 6:11:21 PM PDT by baseballfanjm

To: Long Cut
Excellent news. Glad things are working so well for you. I think you'll find that actually deleting IE will be fairly difficult, as MS has gone out of their way to make not using IE almost impossible on MS windows systems.

I find it interesting that IE still managed to pick up stuff when you weren't actually using it. That would point to one of two things, either you have been hijacked and none of your scanners have spotted it, or some other program on your computer is using IE to do something. The most likely culprit in the latter case is if you are using Outlook for your email.

Outlook makes extensive use of IE, and I'm not sure that there is any way to stop it.

183 posted on 06/13/2004 12:50:23 PM PDT by zeugma (The Great Experiment is over.)

To: Long Cut

Very, very cool. Sounds like you've got a good handle on things. Do check out The Proxomitron though. I think I posted that advice on this thread. With that proxy running on port 8080 and setting IE and Firefox to use port 8080 you'll be locked down tighter than a medieval virgin in a chastity belt.


184 posted on 06/13/2004 7:44:16 PM PDT by Bloody Sam Roberts (ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,Election '04...It's going to be a bumpy ride,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø)

To: Long Cut

Google for a program called Clean My PC, Download it.

In trial mode it will only remove 2 things per category. Uncheck all clean categories to speed up the iteration of the test.

I did this after getting “Rid” of CWS and everything else everything active, and found several registry entries and other stuff I wanted to clean up too. If the registry entries are gone, and the files are gone, revert to “Keep The H!@# out of my machine mode” and enjoy your surfing (Safe surfing anyway)

Speaking of “Active things” I regularly compare my Task list to a File I have made of things I want running ;-D anything new, I look up on the internet Google for swchost.exe for Example. If it is benign, and I like what it does, ok, add to good list, if not, I add it to the “BAD” list and go into kill mode. If it is benign, but I don't want it I keep clutter from slowing down my machine.

Been doing this since Windows 3.1 and I always seem to have fewer problems than those who do not. (Yep, I'm a NERD, no two ways about it, but If'n I didn't want to know how my computer was runnin' I'd buy me a MAC.)


185 posted on 06/13/2004 8:42:00 PM PDT by DelphiUser
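The task-list comparison described in post 185, as an added example that is not part of the original thread: it parses captured `tasklist /fo csv` output and sorts each process into good, bad or unknown. The sample output, the list contents and the name `popupagent.exe` are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /fo csv` output (not taken from the thread).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"svchost.exe","812","Console","0","3,420 K"
"explorer.exe","1480","Console","0","18,204 K"
"SVCHOST.EXE","1012","Console","0","4,100 K"
"swchost.exe","2044","Console","0","5,912 K"
"popupagent.exe","2210","Console","0","7,008 K"
'''

# Hypothetical list contents; in practice these are the files the post describes.
GOOD_LIST = {"system idle process", "svchost.exe", "explorer.exe"}
BAD_LIST = {"popupagent.exe"}


def parse_tasklist(text):
    """Return (image_name, pid) pairs from `tasklist /fo csv` text."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["Image Name"], int(r["PID"])) for r in rows]


def triage(processes, good, bad):
    """Sort processes into good / bad / unknown, matching names case-insensitively."""
    result = {"good": [], "bad": [], "unknown": []}
    for name, pid in processes:
        key = name.strip().lower()
        if key in bad:
            bucket = "bad"
        elif key in good:
            bucket = "good"
        else:
            bucket = "unknown"  # not on either list yet: look it up before deciding
        result[bucket].append((name, pid))
    return result


def report(text=SAMPLE_TASKLIST):
    """Triage a captured task list against the two lists above."""
    return triage(parse_tasklist(text), GOOD_LIST, BAD_LIST)


if __name__ == "__main__":
    for bucket, items in report().items():
        for name, pid in items:
            print(f"{bucket:8} {pid:>6} {name}")
```

Matching on image name alone only flags names that are on neither list; it does not confirm that a process with a familiar name is the genuine program.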

To: Long Cut

BTTT


186 posted on 06/13/2004 8:48:34 PM PDT by Fiddlstix (This Tagline for sale. (Presented by TagLines R US))

To: DelphiUser

Thanks, I'll have to check that one out.


187 posted on 06/13/2004 9:01:22 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Bloody Sam Roberts
It looks like the Zone Alarm is doing its job, and keeping IE in its place, for now. If the problem returns I'll sure check that one out, though.

Trouble is, I'm not knowledgeable enough to do that "proxy" and "port" stuff yet. Hey, I freely admit to what I have no clues about, and stuff like that is some of it.

188 posted on 06/13/2004 9:03:35 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut
Awww...c'mon. It's eeeeeeeasy. G'head, g'head...try it...you'll like it.

The download of the program has complete point-and-click instructions. It actually isn't a bunch of computerese mumbo-jumbo...it IS just point and click on 2 or 3 items.

Since The Proxomitron is so mind bogglingly useful and won't be available forever...I suggest just downloading it and saving it for a rainy day.

189 posted on 06/14/2004 5:42:27 AM PDT by Bloody Sam Roberts (ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,Election '04...It's going to be a bumpy ride,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø)

To: Long Cut
Thank you so much for posting this. I recently went into a Tanzania Christian Site looking for Tanzania Christian music and boom I got bombarded. I had Norton & Adware6 but not Zone Alarm, Spyblaster or Spybot. I added all those things but still was having problems. Finally I found a folder that said Internet Keywords in my program files. I noticed that they were files that had been trying to get out on Zone, but that Spybot or Adware had not picked up. I had to go into safe mode to delete them and not had a problem since.

I have also learned with this not only to update Windows, Norton, and my spyware stuff - but also MS Office and Front Page and all those. I had my Access and Front Page hacked before I was done, but have it all restored now.

Hope this helps any of the rest of you.

190 posted on 07/17/2004 10:35:23 AM PDT by GrandmaC (http://home.earthlink.net/~grandmac2 or http://home.earthlink.net/~tanzaniateam)

To: Long Cut
Bump for your old thread. I did a keyword search for "hijack" and found this because that's what happened to my wife's computer today-CWS. Japanese XP so it's hard for me to troubleshoot. It appears I've gotten rid of it between Spybot and restoring to an earlier date, but I'm going to keep this thread handy in case it comes back again.
191 posted on 09/07/2004 5:01:49 AM PDT by GATOR NAVY

To: Long Cut

I'm as dumb as stump when it comes to computers and I was able to download it with no problem. I went with the foxfire edition and went with all the upgrades there is another download for that.


192 posted on 09/07/2004 5:18:31 AM PDT by bad company ( You can live on your knees or die on your feet.)

