Free Republic
HIJACK! (No, not THAT kind!)
various | Today | Me

Posted on 06/05/2004 8:06:55 PM PDT by Long Cut

You may have heard of this lately, or perhaps have had it happen to you. That's right...your internet browser gets hijacked. Taken from your control, as it were.

It takes you to sites you would never have visited in a million years; your computer slows down and maybe crashes; your homepage is mysteriously changed; you now have about a dozen "favorites" that you never selected and don't want.

You've been HIJACKED!

What happened? How? You ask, as you pull your hair out in disgust.

Well, it happened to me, and some FReepers I know, and a LOT of my friends, lately. I've been hearing scuttlebutt around the Web, and around the water cooler. People's computers are being taken over by insidious, rotten spyware and malware that effectively seizes control and can have serious repercussions for the user.

These things download some particularly nasty porn, even child porn, to a computer. People have been fired, investigated, and disgraced for something they never did.

I discovered mine one day while, of all things, trying to access FR. I mistyped the URL, and found myself redirected to some porn search engine. Massive popups overwhelmed my Pop-up Stopper, and froze my computer.

After the reboot, I ran my McAfee antivirus, which quickly crashed the system and failed to ever work again. Ad-Aware removed some registry keys and values, and I thought all was well.

Wrong. It happened again.

Now, I got serious. I obtained Symantec Pro version, and ran it. It caught several more bugs, but some couldn't be quarantined OR removed.

I was in a fix. I was using a computer that FReeper thumperusn had graciously loaned me, and I didn't want to give it back to him all jacked up. Thus began my battle with the Internet demon known as "CoolWebSearch".

I went to sites like Spywareguide.com, Spywareinfo.com, and Symantec's excellent site, and educated myself about CWS. It's a mean one.

With over 25 versions to date, and about 30 affiliated sites, CWS has infected millions of computers to date. It uses a "hole" in JavaScript Virtual Machine to invade your machine and make changes to IE and your registry. It also copies itself to your "restore" files, which the antivirus and anti-spyware programs DO NOT search or modify.

After educating myself, and wading through literally hundreds of pages of "geek-speak", I formed a plan of attack.

PROTECTION

First, I would fix the holes in my system. The borrowed laptop used Windows Me, from 2000. It needed updating, and MS's website had a whole bunch of them. Since I'm on a dialup, it took hours to download and install all the patches.

Next, some firewalls. At Major Geeks.com, I found and downloaded Zone Alarm and Browser Hijack Blaster, both for free. Thus protected from further invasion, I set about curing the disease.

MEDICINE FOR A SICK COMPUTER

I first updated the Symantec to the latest standards. I then did the same with Ad-Aware, and downloaded Spybot Search&Destroy from Majorgeeks. It was about then I discovered that I was not alone.

I found Merjin.org, a website set up by a computer student with the sole purpose of combatting CWS. From there, I obtained the invaluable CWShredder, a program that can remove ANY CWS bugs, and which is updated frequently. I also got HiJackTHIS!, a program which can find and display anything that is downloaded to your computer, and remove it with a command.

So effective are these programs, CWS has recently conducted Denial Of Service attacks on Merjin.org. Thankfully, it has survived...it also contains detailed information about all the CWS variants, and manual removal procedures.

I was able to sweep my system clean of many more bugs. Unfortunately, I still wasn't done.

HEALING THE PATIENT

I was still getting some spyware from CWS, and some Browser Helper Objects (BHO's) were still turning up. Fortunately, due to Zone Alarm and Hijack Blaster, I was warned well in advance. However, I was suspicious as to how it was happening on a daily basis. Thus, I went even deeper.

I went to Symantec's website and downloaded detailed instructions for THOROUGHLY cleaning your system. I had missed something important.

CWS also writes itself to your "restore" files. These are immune from the cleaning software. The cure for that was quite new for me, a relative computer novice. However, one learns by doing, so I plowed ahead.

I disabled the "restore" function (instructions from Symantec), and rebooted into "safe" mode (also on Symantec's instructions). I then ran all my cleaning and anti-virus/anti-spyware programs, deleting everything found.

Then, I went to the C://System/Restore files and deleted them all. If it affects the "restore" function adversely, I have not seen evidence of it yet.

I rebooted, performed a scandisk and a defrag, and rebooted again. Then I enabled the "restore" function once more.

That was yesterday, and so far, so good. I'd like to think I got it all, but with these bugs, you never know. Fortunately, I'm now forewarned and forearmed.


TOPICS: Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Your Opinion/Questions
KEYWORDS: computers; coolwebsearch; hijack; hijackers; spyware; trojanhorses; virus; viruses; worm
To: Long Cut
Do you have any pointers about CONFIRMING that your machine is "clean"?

Probably the best way is to use Spybot S&D and AdAware since each will pick up things the other does not.

Also, run a program called "Hijack This!" It will scan your registry for suspect items and you can pick out the obvious, alien BHOs and whatnots. Be careful with HJT though. It will list good entries as well as the bad, and removing the good ones could leave you with an unusable system.

Other than that, once you think it's clean...watch the behavior of the box...look for redirects and changed Homepage settings.

81 posted on 06/05/2004 9:31:22 PM PDT by Bloody Sam Roberts (ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,Election '04...It's going to be a bumpy ride,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø)

To: mylife
Nawp no zone alarm, I always figured that the router was acting as a firewall.

Routers are vulnerable

82 posted on 06/05/2004 9:32:45 PM PDT by South40 (Amnesty for ILLEGALS is a slap in the face to the USBP!)

To: Long Cut

bump


83 posted on 06/05/2004 9:36:24 PM PDT by VOA

To: Long Cut
Not difficult at all. Just go to Mozilla.org and get the software. I also install a few "extensions" that make my browsing even better than mozilla alone. You can also get purty themes to change the look of things. There are two extensions that I highly recommend. PrefBar puts a lot of power at your fingertips, and Calendar is just a cool calendar implementation.

If you're truly adventurous, you can even download a Nightly Release. Nightlies are basically copies of mozilla that are compiled from the latest source each evening. This is only for the brave who want to bug hunt though, as you can occasionally get a build with some nasty bugs in it. I upgrade my nightly about every 2 weeks and work it out as strongly as I can, since I can't program for mozilla. I figure if I can't code, the least I can do is search for bugs.

If you need any help, please feel free to freepmail me. I gain much joy in introducing new users to mozilla, as I truly believe it makes the internet a better place.

84 posted on 06/05/2004 9:39:45 PM PDT by zeugma (The Great Experiment is over.)

To: Long Cut; Sundog

Thanks for the info;


85 posted on 06/05/2004 9:40:11 PM PDT by the lone highschooler (DON'T STEAL: the government hates competition!)

To: Bloody Sam Roberts
I do that now. I'm also downloading SpyWareBlaster as we speak.

After that, I might just stay up late and download Mozilla.

Does Firefox come WITH Mozilla, or is it separate?

86 posted on 06/05/2004 9:40:42 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Bloody Sam Roberts; HairOfTheDog

BTW, HairOfThe Dog's post #49...any clues?


87 posted on 06/05/2004 9:44:58 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut

//Merjin's been under serious attack lately. He's REALLY pi$$ed off CWS, and they're retaliating.//

Do you have a real IP address? That may be harder to spoof than DNS records.


88 posted on 06/05/2004 9:46:07 PM PDT by supercat (Why is it that the more "gun safety" laws are passed, the less safe my guns seem?)

To: South40

Thanks for the info South40.

Seems that education is a continuing lifelong process eh?


89 posted on 06/05/2004 9:48:54 PM PDT by mylife (The roar of the masses could be farts)

To: supercat; All
Okay, I found him...Merjin is now LOCATED AT THIS LINK.

He's using a mirror, provided by Spywareinfo.

90 posted on 06/05/2004 9:50:04 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: zeugma

I'm downloading Firefox right now. Do I have to do anything else to it afterwards, or will it just run when I ask it to? I mean, do I have to start from scratch with favorites, etc, and do I have to give it my dialup numbers again?


91 posted on 06/05/2004 9:54:35 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut

Pest Patrol (on-line scan) shows up "HiWire" on my machine, but I can't find any trace of hwreal.exe or any of the other files listed in Pest Patrol's information. Does that mean I'm not "really" infected, or that HiWire's creators changed its name, or what?


92 posted on 06/05/2004 9:56:08 PM PDT by supercat (Why is it that the more "gun safety" laws are passed, the less safe my guns seem?)

To: Long Cut

My goodness. The pain and suffering you Gates zombies go through. My PC is not allowed on the net. It's for photo editing only, and of course with its picture-in-picture TV monitor I can watch the fights or whatever while I'm on line with my PowerBook.

Get a clue. Get a Mac.


93 posted on 06/05/2004 9:56:47 PM PDT by mercy

To: Long Cut

Firefox doesn't "replace" IE. You choose which one to run each time you get on the web.

I've pretty much settled in on Firefox, but it's not perfect. NOAA radar sites use that damned Java, so IE still has its place. Yes, there's a Java "plug-in" that's over 8 megs and it's unstable as all get out. Firefox was crashing almost all the time until I removed Java. And those crashes emptied the cache every single time. Sort of a pain for dialup users.


94 posted on 06/05/2004 9:57:10 PM PDT by JoJo Gunn (Intellectuals exist only if you believe they do. ©)

To: TomGuy
If these types of attacks start appearing in the Linux world, they will be much easier to get rid of than the windows variants because of the way that Linux and X works. Unless you are a complete moron and run as root, then cleaning up after these attacks will be a matter of deleting a few lines from a few text files. Programs executed as a user simply can't attack in places that would be hard to get rid of unless they find some new local root exploits to do their dirty work.

I'll bet that if some of these scum figure out a way to attack Mozilla for Linux, there will be scripts available within hours that you'll be able to call as a part of your 'startx' script that would automatically look for the offending strings in your config and strip them out automatically.

95 posted on 06/05/2004 9:57:35 PM PDT by zeugma (The Great Experiment is over.)
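The kind of startup check zeugma describes above, written out as an added example (not code from the thread or from any Mozilla project). It audits a Mozilla-style prefs.js, where each setting is a `user_pref("name", value);` line, against a small list of prefs a hijacker would rewrite, resets any that differ and appends any that are missing. Which prefs to pin and the values used are assumptions; the sample file is constructed.

```python
"""Audit a Mozilla prefs.js for hijacked settings and rewrite them.

Added example. PINNED names the prefs this user wants held to fixed values;
which prefs matter and the values chosen are assumptions for the example.
"""
import re

# One user_pref("name", value); line. The value is kept as its raw literal
# (quotes included for strings) so it can be compared and written back as-is.
PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$')

# Prefs a hijacker would plausibly rewrite, pinned to wanted values (assumption).
PINNED = {
    "browser.startup.homepage": '"http://www.freerepublic.com/"',
    "keyword.URL": '"http://www.google.com/search?q="',
}

# Constructed sample: homepage redirected, keyword.URL removed entirely.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.example/hijack.php");
user_pref("browser.cache.disk.capacity", 50000);
"""


def parse_prefs(text):
    """Map pref name -> raw value literal for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group("name")] = m.group("value")
    return prefs


def audit_prefs(text, pinned=PINNED):
    """Return (findings, cleaned_text).

    findings: (name, found_value) for each pinned pref whose value differed,
              with found_value None when the pref was missing altogether.
    cleaned_text: the file with those lines rewritten to the pinned value,
              missing pinned prefs appended, every other line untouched.
    """
    findings, out, seen = [], [], set()
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group("name") in pinned:
            name, value = m.group("name"), m.group("value")
            seen.add(name)
            if value != pinned[name]:
                findings.append((name, value))
                line = f'user_pref("{name}", {pinned[name]});'
        out.append(line)
    for name, value in pinned.items():
        if name not in seen:
            findings.append((name, None))
            out.append(f'user_pref("{name}", {value});')
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    # Stand-alone use: python audit_prefs.py ~/.mozilla/<profile>/prefs.js
    # Run it with the browser closed, before startx; the browser rewrites
    # prefs.js on exit and would undo the fix otherwise.
    import shutil
    import sys

    path = sys.argv[1]
    with open(path) as f:
        original = f.read()
    findings, cleaned = audit_prefs(original)
    if findings:
        shutil.copy(path, path + ".bak")
        with open(path, "w") as f:
            f.write(cleaned)
    for name, value in findings:
        print(f"reset {name} (was {value!r})")
```

The script only touches the prefs it is told to pin and passes everything else through, so it will not strip a setting you added on purpose; the trade-off is that it catches only the hijacks it has been told about, which is the same allowlist-versus-blocklist choice the HijackThis discussion elsewhere in this thread turns on.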

To: Long Cut
Do I have to do anything else to it afterwards, or will it just run when I ask it to? I mean, do I have to start from scratch with favorites, etc, and do I have to give it my dialup numbers again?

Nothing special, just run the file. It will install Firefox and place an icon on your desktop. It will import all your favorites and settings.

96 posted on 06/05/2004 10:01:03 PM PDT by mylife (The roar of the masses could be farts)

To: mylife
Oh, great! This'll be fun, I hope.

I might just get rid of all that Java crap too.

97 posted on 06/05/2004 10:04:25 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut
Firefox is a part of mozilla. Firefox is the standalone browser. With Mozilla, you get Firefox, Thunderbird (email client-ditch Outlook if you're using it), and more. See my previous post that has some pointers to some other useful mozilla links.
98 posted on 06/05/2004 10:05:45 PM PDT by zeugma (The Great Experiment is over.)

To: supercat

I'm no expert (but there are certainly some on this thread), however, I'd assume that the files it found are "hidden" somehow from your "search" function. In my case, they were in the "restore" system folder, and I had to disable it before I could begin deleting the offenders. If it's enabled, it won't allow you to mess with it.


99 posted on 06/05/2004 10:07:28 PM PDT by Long Cut (Certainty of Death, small chance of Success...What are we waiting for?...Gimli the Dwarf)

To: Long Cut
I have downloaded Ad-Aware and quarantined 212 finds. I have also downloaded HijackThis, and it found a lengthy list of potential problems, but how do I know which ones to remove? All of them?
100 posted on 06/05/2004 10:07:39 PM PDT by Fraulein
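Post 81 warns that HijackThis lists the good with the bad, and post 100 asks which entries to remove. The following is an added example, not code from the thread or from HijackThis, of how to triage such a listing: entries are sorted into remove, review and keep using an allowlist of items the machine is known to have, plus a rule that nothing legitimate loads from a temp directory or the Windows Me restore cache. The line layout (`R0`/`R1` start and search pages, `O2` BHOs with a CLSID and path, `O4` autostart entries) is an assumption modelled on HijackThis reports, every CLSID and path in the sample is constructed, and the restore-cache directory name is an assumption about Windows Me.

```python
"""Triage a HijackThis-style listing into remove / review / keep.

Added example. The entry formats, the allowlist contents and the sample
listing are all constructed for illustration, not taken from any real scan.
"""
import re
from urllib.parse import urlparse

# Allowlist for one particular machine. On a real box you would build it from
# a listing taken while the machine was known to be clean.
ALLOWED_HOSTS = {"www.freerepublic.com", "freerepublic.com"}
ALLOWED_CLSIDS = {"{11111111-2222-3333-4444-555555555555}"}   # constructed
ALLOWED_RUN_NAMES = {"zonealarm", "ad-aware"}                  # lower-case

# Directories a legitimate BHO or autostart entry should never live in.
# C:\_RESTORE as the Windows Me restore cache is an assumption.
SUSPECT_DIRS = ("\\temp\\", "\\_restore\\", "\\temporary internet files\\")

URL_RE = re.compile(r"^R[01] - .*?= (?P<url>\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<path>.+)$")

# Constructed sample listing: a hijacked search page, one BHO dropped in TEMP,
# one autostart pointing into the restore cache, and some legitimate items
# that a tool would list right alongside them.
SAMPLE_LISTING = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freerepublic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example/cws.php
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\SYSTEM\helper.dll
O2 - BHO: (no name) - {DEADBEEF-0000-4000-8000-000000000001} - C:\WINDOWS\TEMP\ie.dll
O4 - HKLM\..\Run: [ZoneAlarm] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Loader] C:\_RESTORE\TEMP\A0001.CPY
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""


def in_suspect_dir(path):
    """True when the path sits under a directory nothing legitimate loads from."""
    return any(d in path.lower() for d in SUSPECT_DIRS)


def triage_line(line):
    """Classify one entry as ('remove' | 'review' | 'keep', line, reason)."""
    line = line.strip()
    m = URL_RE.match(line)
    if m:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host in ALLOWED_HOSTS:
            return ("keep", line, "start/search page is the expected site")
        return ("remove", line, f"start/search page redirected to {host!r}")
    m = BHO_RE.match(line)
    if m:
        if in_suspect_dir(m.group("path")):
            return ("remove", line, f"BHO loaded from {m.group('path')}")
        if m.group("clsid").upper() in ALLOWED_CLSIDS:
            return ("keep", line, "known BHO")
        return ("review", line, f"BHO with unknown CLSID {m.group('clsid')}")
    m = RUN_RE.match(line)
    if m:
        if in_suspect_dir(m.group("path")):
            return ("remove", line, f"autostart from {m.group('path')}")
        if m.group("name").lower() in ALLOWED_RUN_NAMES:
            return ("keep", line, "known autostart")
        return ("review", line, f"unknown autostart {m.group('name')!r}")
    return ("review", line, "unrecognised entry type")


def triage(listing):
    """Bucket every non-blank line of a listing by verdict."""
    buckets = {"remove": [], "review": [], "keep": []}
    for raw in listing.splitlines():
        if raw.strip():
            verdict, line, reason = triage_line(raw)
            buckets[verdict].append((line, reason))
    return buckets


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LISTING).items():
        for line, reason in items:
            print(f"{verdict:6} {reason}: {line}")
```

Only entries that point at a redirected page or load from a location that is never legitimate land in "remove"; anything merely unknown (here the Win9x ScanRegistry autostart) lands in "review" so it gets looked up before anything is deleted, which is exactly the caution post 81 gives. A real allowlist would be far longer than the three entries here, and the verdicts are a starting point for a human, not a substitute for one.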

