HIJACK! (No, not THAT kind!)
various | Today | Me

Posted on 06/05/2004 8:06:55 PM PDT by Long Cut

You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.

It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.

You've been HIJACKED!

What happened? How? You ask, as you pull your hair out in disgust.

Well, it happened to me, and to some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious repercussions for the user.

These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.

I discovered mine one day while, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.

After the reboot, I ran my McAfee antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.

Wrong. It happened again.

Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.

I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".

I went to sites like Spywareguide.com, Spywareinfo.com, and Symantec's excellent site, and educated myself about CWS. It's a mean one.

With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in the JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.

After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.

PROTECTION

First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.

Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.

MEDICINE FOR A SICK COMPUTER

I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.

I found Merijn.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.

So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merijn.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.

I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.

HEALING THE PATIENT

I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.

I went to Symantec's website and downloaded detailed instructions for THOROUGHLY cleaning your system. I had missed something important.

CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.

I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode (also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.

Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversely, I have not seen evidence of it yet.

I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.

That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.


TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Your Opinion/Questions
KEYWORDS: computers; coolwebsearch; hijack; hijackers; spyware; trojanhorses; virus; viruses; worm
To: Long Cut

Just go to Mozilla.org and download Firebird (which might be Firefox now).

Great browser.


41 posted on 06/05/2004 8:38:08 PM PDT by freebilly (Vote Kerry-- 1 Billion Muslims Can't Be Wrong....)
[ Post Reply | Private Reply | To 33 | View Replies]

To: MTR

You took the word out of my mouth.


42 posted on 06/05/2004 8:38:09 PM PDT by Talking_Mouse (Indeed I tremble for my country when I reflect that God is just... Thomas Jefferson)
[ Post Reply | Private Reply | To 16 | View Replies]

To: mylife

How do you disable JavaScript? Will the computer continue to work correctly without it?


43 posted on 06/05/2004 8:38:17 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Long Cut
Spybot Search & Destroy is great. You can "Immunize" your system against known adware/spyware threats.

You can also have Spybot block registry changes. If a program tries to write to the registry, you're notified and can deny the action.

44 posted on 06/05/2004 8:40:31 PM PDT by FReepaholic (War On Terror: If not us, who? If not now, when?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Long Cut

I'm not sure how to do it yet (disable Javascript)

But I plan on finding out


45 posted on 06/05/2004 8:41:03 PM PDT by mylife (The roar of the masses could be farts)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Fraulein; All
You're welcome. CoolWebSearch appeared last Summer in its nascent form, and has steadily increased in cleverness and deviousness. It now has infected millions of machines.

It is probably incalculable how many man-hours and $$$ are spent battling it, and the wreckage it can leave in lives is priceless.

46 posted on 06/05/2004 8:41:28 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 32 | View Replies]

To: Long Cut

AVG, Zone Alarm, Norton AV, Ad-Aware are all free, get 'em, use 'em!.....:o)

http://www.jv16.org/

Get the reg cleaner at the link above and then go to google site and download the google tool bar w/ their pop up killer.

My Norton AV finds things that AVG doesn't and vice versa... also AVG and Ad-Aware have free updates.

Stay safe !


47 posted on 06/05/2004 8:43:32 PM PDT by Squantos (Be polite. Be professional. But, have a plan to kill everyone you meet.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Luis Gonzalez
No problem. I figured that LOTS of people on FR have had these issues, and that some might have even more info and advice.

Like I said, it's simply amazing that this hasn't broken in the media. They usually report any new virus long before it gets this far.

48 posted on 06/05/2004 8:45:24 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 38 | View Replies]

To: Long Cut
This is interesting... I haven't had the kind of known crashing problems you have had, no ~known~ infection, but I always have several entries in my DNS cache (which I understand to be contacts from my computer to the internet) that are ~not~ places I have been to and have very insidious names. I can flush my DNS cache, but all these re-appear immediately without ~me~ doing anything. Note below that I flushed the cache and then immediately displayed it again. I did nothing else, and refreshed no pages in between.

Copied from command line:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Default>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Default>ipconfig /displaydns

Windows IP Configuration

www.radiate.com


Record Name . . . . . : www.radiate.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


www.adserver.com


Record Name . . . . . : www.adserver.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


s12.sitemeter.com


Record Name . . . . . : s12.sitemeter.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


ads.x10.com


Record Name . . . . . : ads.x10.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


adres.internet.com


Record Name . . . . . : adres.internet.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


z0.extreme-dm.com


Record Name . . . . . : z0.extreme-dm.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


www.valuesponsor.com


Record Name . . . . . : www.valuesponsor.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


www.cash2002.de


Record Name . . . . . : www.cash2002.de
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


ads.tripod.com


Record Name . . . . . : ads.tripod.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


www.hit-parade.com


Record Name . . . . . : www.hit-parade.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


s0.bluestreak.com


Record Name . . . . . : s0.bluestreak.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


www.adultclicks.com


Record Name . . . . . : www.adultclicks.com
Record Type . . . . . : 1
Time To Live . . . . : 69418
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


sextracker.com



C:\Documents and Settings\Default>

49 posted on 06/05/2004 8:46:16 PM PDT by HairOfTheDog (farewell to a great president.)
[ Post Reply | Private Reply | To 4 | View Replies]
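The cache listing quoted above can be triaged mechanically. The Python script below is an added example, not the poster's code: it parses the `Record Name` / `A (Host) Record` blocks that `ipconfig /displaydns` prints and labels each name. Windows pre-loads the resolver cache from the HOSTS file, so names that answer 127.0.0.1 are normally local block-list entries rather than evidence that the machine contacted them, which is the first thing to rule out before suspecting an infection. The sample input is constructed in the same layout as the thread's dump.

```python
import ipaddress

# Constructed sample in the layout of `ipconfig /displaydns`, trimmed to the fields that matter.
SAMPLE_DISPLAYDNS = """\
www.adserver.com
Record Name . . . . . : www.adserver.com
A (Host) Record . . . : 127.0.0.1
www.example.com
Record Name . . . . . : www.example.com
A (Host) Record . . . : 192.0.2.10
sextracker.com
"""
ADDRESS_KEYS = ("A (Host) Record", "AAAA Record")

def parse_displaydns(text):
    """Group the dotted 'Key . . : value' lines into {hostname: [record dict, ...]}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            if line and " " not in line:         # bare hostname header; banner lines contain spaces
                entries.setdefault(line, [])
                current = None
            continue
        key, _, val = line.partition(":")
        key, val = key.replace(".", "").strip(), val.strip()
        if key == "Record Name":                 # first line of a record block
            current = {"name": val}
            entries.setdefault(val, []).append(current)
        elif current is not None:
            current[key] = val
    return entries

def is_loopback(record):
    """True if the record's A/AAAA answer is a loopback address (127.0.0.0/8 or ::1)."""
    addr = next((record[k] for k in ADDRESS_KEYS if k in record), None)
    return addr is not None and ipaddress.ip_address(addr).is_loopback

def triage(text):
    """'local-block': every address answer is loopback, which is what a HOSTS-file block list
    produces; 'remote': a real address cached from a lookup; 'name-only': header with no records."""
    labels = {}
    for name, records in parse_displaydns(text).items():
        addressed = [r for r in records if any(k in r for k in ADDRESS_KEYS)]
        if not records:
            labels[name] = "name-only"
        elif addressed and all(is_loopback(r) for r in addressed):
            labels[name] = "local-block"
        else:
            labels[name] = "remote"
    return labels
```

Feed it the real output with `triage(open("displaydns.txt").read())`; a name labelled `remote` that you never visited is the one worth investigating, a `local-block` name usually just means an ad-blocking HOSTS file is installed.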

To: Long Cut

I have this hijacker called ShopNav, can't get rid of the SOB.

That's my new project.


50 posted on 06/05/2004 8:46:53 PM PDT by Luis Gonzalez (Sin Pátria, pero sin amo.)
[ Post Reply | Private Reply | To 48 | View Replies]

To: mylife
How To Disable Javascript no matter what you're running. Beware, though - some sites require it.
51 posted on 06/05/2004 8:47:20 PM PDT by Billthedrill
[ Post Reply | Private Reply | To 45 | View Replies]

To: Long Cut

Ugh. I've been bitten by one of these bugs. I ran CWS shredder and tracked down an executable that installed itself in the root directory. I deleted the executable, ran spybot, adaware and cleaned my system. I went through and reset some of the java options to prompt before performing a download and then downloaded Mozilla and Mozilla Firebird. I usually use Firebird except when a page uses a funky Java feature. Firebird doesn't allow much fancy Java stuff to work, but that's a good thing. I haven't had a single problem since.


52 posted on 06/05/2004 8:47:50 PM PDT by Brett66
[ Post Reply | Private Reply | To 1 | View Replies]

To: Squantos
Got and used 'em all, Squantos. They STILL didn't get everything.

These bugs are designed by people who know how we fight them in detail, and they are paid big $$$ to circumvent the defenses.

53 posted on 06/05/2004 8:47:50 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)
[ Post Reply | Private Reply | To 47 | View Replies]

To: Long Cut


Here's my thought on replacing IE.

Download http://www.mozilla.org/products/firefox/

It's not a perfect replacement. If something doesn't format properly or doesn't play right using firefox, just open IE and do it.

Yes, I understand it's a pain in the ass.

It is however how us folks who wish to avoid nonsense do it.

My next suggestion is to get admuncher. Admuncher is a layer 3 program. What's a layer 3? Well, that's a program that essentially filters everything laying over the tcpip stack.

Firefox will remove just about everything, but if you get admuncher, you're going to get all the ads removed as well.

It's like surfing the net was 7 years ago. Pleasant :)

-Mal


54 posted on 06/05/2004 8:48:19 PM PDT by Malsua
[ Post Reply | Private Reply | To 33 | View Replies]

To: Long Cut

Zone alarm will walk ya through that process of turning off javascript etc if you want. After yer done scroll down on this site and use "shields up" and "leak test" to check yer system.......trust me .......:o)

Also look at blocking Windows media access to the net and windows messenger crap. " Kill the messenger" is also at the link below.

http://grc.com/default.htm

Stay safe !


55 posted on 06/05/2004 8:49:53 PM PDT by Squantos (Be polite. Be professional. But, have a plan to kill everyone you meet.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Long Cut

Thank you, Sir!
Great thread!
Thanks also, to all who posted!
Ms.B


56 posted on 06/05/2004 8:50:06 PM PDT by MS.BEHAVIN ("Great spirits have always encountered violent opposition from mediocre minds" Re-elct George W.Bush)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Long Cut

Some great free products against spyware:

Spybot Search and Destroy
http://www.spybot.info


and

Spyware Blaster
http://www.javacoolsoftware.com/products.html

Spyware Guard
http://www.javacoolsoftware.com/spywareguard.html


57 posted on 06/05/2004 8:50:26 PM PDT by FairOpinion (If you are not voting for Bush, you are voting for the terrorists.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Billthedrill

Thanks Bill.

I have this bookmarked. I think I will just continue to run firefox if it prevents a lot of the java problems as brett66 says.


58 posted on 06/05/2004 8:51:30 PM PDT by mylife (The roar of the masses could be farts)
[ Post Reply | Private Reply | To 51 | View Replies]

To: Long Cut

See my post here:
http://www.freerepublic.com/focus/f-news/1080006/posts?page=84#84

Once your system is clean, this program will go along way towards keeping this junk off your computer. It will work on all Windows systems and with any browser. It will not work with Linux.


59 posted on 06/05/2004 8:51:32 PM PDT by No One Special
[ Post Reply | Private Reply | To 1 | View Replies]

To: Long Cut

Thanks! My problem was not nearly as serious as yours. About three months ago, I noticed that my homepage had changed and that my search engine had changed. Then, I saw that two new entries were entered in my favourites (nasty stuff that bucked my efforts to delete it). The home page and search page were not naughty, but they were not MY choice of pages. I would reset my preferences only to have them changed when I restarted my machine. Thanks for the info on CWShredder - it has cleaned the horrid CWS from my machine. CWS must have been made by a liberal - it forces you to endure something that you never wanted and makes a nuisance of itself.


60 posted on 06/05/2004 8:51:47 PM PDT by Army Air Corps (Ronald Reagan - The first anti-terror President.)
[ Post Reply | Private Reply | To 1 | View Replies]

