Browser Hijack

Discussion in 'Computer Support' started by Badger, Jun 30, 2004.

  1. Badger

    Badger Guest

    Since I got ADSL I have had constant problems with CoolWeb hijacking my
    start page. I have AdAware, Spybot, Pest Patrol and StartPage Guard, all of
    which do their job, but it keeps on happening and I would like to know if
    there is a way to permanently remove this thing and prevent it ever taking
    over again!
    TIA
    Badger
    Badger, Jun 30, 2004
    #1

  2. Badger

    Boomer Guest

    "Badger" <> wrote:

    > Since I got ADSL I have had constant problems with CoolWeb
    > hijacking my start page. I have AdAware, Spybot, Pest Patrol and
    > StartPage Guard, all of which do their job, but it keeps on
    > happening and I would like to know if there is a way to
    > permanently remove this thing and prevent it ever taking over
    > again! TIA
    > Badger


    Firewall?
    Boomer, Jun 30, 2004
    #2

  3. Badger

    °Mike° Guest

    Yes, stay away from dodgy web sites, and don't accept/open
    unsolicited emails -- read ALL emails in PLAIN TEXT ONLY.


    On Wed, 30 Jun 2004 07:59:55 +0800, in
    <40e20264$>
    Badger scrawled:

    >Since I got ADSL I have had constant problems with CoolWeb hijacking my
    >start page. I have AdAware, Spybot, Pest Patrol and StartPage Guard, all of
    >which do their job, but it keeps on happening and I would like to know if
    >there is a way to permanently remove this thing and prevent it ever taking
    >over again!
    >TIA
    >Badger
    >


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Jun 30, 2004
    #3
  4. Badger

    Jim Byrd Guest

    Hi Badger - The following is a "canned" response about removing CWS. Note
    particularly the "hotfix" that you need to install to block this exploit and
    prevent many of the CWS variants.


    Sounds like this might be a variant of some malware called CoolWebSearch (if
    CWShredder doesn't fix it, then see AdAware, SpyBot, and HijackThis, below,
    in that order). Do the following:



    Before you try to remove spyware using any of the programs below, download a
    copy of LSPFIX from any of the following sites:

    http://www.cexx.org/lspfix.htm
    http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
    XP)


    The process of removing certain malware may kill your internet connection.
    If this should occur, this program, LSPFIX, will enable you to regain your
    connection.

    All of the following removal tools should be run from Safe mode when
    possible.

    Download, UPDATE before running, and run:
    http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
    Be sure to close all instances of IE and OE. You may also get it here if
    that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

    BE SURE that you get v.158 or later!

    You will need to show Hidden files first and then at the end clear the
    malware garbage from your System Restore backups after you've cleaned up.
    It's best to perform CWShredder (and most other malware fixers too) from
    Safe mode and then reboot. AFTER cleaning things up, then you can disable
    and then re-enable System Restore. See ******** below.

    The following links give instructions on how to do these various functions:


    HOW TO Restart in Safe Mode
    <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>

    HOW TO Enable Hidden Files
    <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>

    HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
    use the suggested procedure for XP at the ******'s)
    <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
    (WinXP)
    <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
    (WinME)



    Then download and run:
    http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
    tabs and remove any restrictions that the parasite has put in place.

    Now download and run:
    http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
    your search functions if they've been affected (as they probably will have
    been).


    Be sure that you also download and install hotfix Q816093, here:

    http://support.microsoft.com/?kbid=816093

    which blocks the exploit upon which this parasite family depends.



    However, this also indicates that you may have acquired some other malware
    along the way. If you go to this page at Jim Eshelman's site, here:
    http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
    of a number of possible parasites on your machine will be made to help you
    identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
    Alarm 3.x, if present or any other Ad Blocking software which interferes
    with Java Scripting for this scan to work. You should get a message between
    the two lines of **** giving the results of the scan.

    Get Ad-Aware 6.0, Build 181 or later, here:
    http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
    to get rid of most "spyware/hijackware" on your machine. If it has to fix
    things, be sure to re-boot and rerun AdAware again and repeat this cycle
    until you get a clean scan. The reason is that it may have to remove
    things which are currently "in use" before it can then clean up others.

    Another excellent program for this purpose is SpyBot Search and Destroy
    available here: http://security.kolla.de/ SpyBot Support Forum here:
    http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
    using both normally. After UPDATING and fixing things with SpyBot S&D, be
    sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
    clean "no red" scan. The reason is that SpyBot sometimes has to remove
    things which are currently "in use" before it can then clean up others.

    Note that sometimes you need to make a judgement call about what these
    programs report as spyware. See here, for example:
    http://www.imilly.com/alexa.htm

    Both of these programs should normally be UPDATED and run after doing any
    other fix such as CWShredder and, as a minimum, normally at least once a
    week.



    If they don't fix it then start here:

    Download HijackThis, free, here:
    http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
    fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
    You may also get it here if that link is blocked:
    http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

    In Windows Explorer, click on Tools|Folder Options|View and check "Show
    hidden files and folders" and uncheck "Hide protected operating system
    files". (You may want to restore these when you're all finished with
    HijackThis.)

    Unzip the downloaded HijackThis to any convenient folder, start it then
    press Scan. Click on SaveLog when it's finished which will create
    hijackthis.log. Now click the Config button, then Misc Tools and click on
    Generate StartupList.log which will create Startuplist.txt

    Then go to one of the following forums:

    Spyware and Hijackware Removal Support, here:
    http://216.180.233.162/~swicom/forums/

    or Net-Integration here:
    http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

    or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

    or Jim Eshelman's site here: http://forum.aumha.org/



    Sign in, then copy and paste both files into a message asking for
    assistance. Someone will answer with detailed instructions for the removal
    of your parasite(s). Be sure you include at the beginning of your post
    "What problem(s) you're trying to solve" and "What steps you've already
    taken."


    *******
    ONLY IF you've successfully eliminated the malware, you can now make a new,
    clean Restore Point and delete any previously saved (possibly infected)
    ones. The following suggested approach is courtesy of Gary Woodruff: For XP
    you can run a Disk Cleanup cycle and then look in the More Options tab. The
    System Restore option removes all but the latest Restore Point. If there
    hasn't been one made since the system was cleaned you should manually create
    one before dumping the old possibly infected ones.
    *******


    Once you get this cleaned up, you might want to consider installing the
    SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
    happening in the future:

    http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
    X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
    memory load - but keep it UPDATED) The latest version as of this writing
    will prevent installation or prevent the malware from running if it is
    already installed, and it provides information and fixit-links for a variety
    of parasites.

    http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
    install malware) Keep it UPDATED. Both Very Highly Recommended


    Finally, go to Windows Update and ensure that ALL Critical updates are
    installed.

    --
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP



    In news:40e20264$,
    Badger <> typed:
    > Since I got ADSL I have had constant problems with CoolWeb hijacking my
    > start page. I have AdAware, Spybot, Pest Patrol and StartPage Guard, all of
    > which do their job, but it keeps on happening and I would like to know if
    > there is a way to permanently remove this thing and prevent it ever taking
    > over again!
    > TIA
    > Badger
    Jim Byrd, Jun 30, 2004
    #4
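
As an added example (not part of Jim Byrd's post and not code from HijackThis): a first-pass triage of the hijackthis.log produced in the steps above, listing the IE start/search page values and Browser Helper Objects worth asking about when the log is posted to a removal forum. The sample log, the DLL name and the expected host are constructed; the script only reads the log text and changes nothing.

```python
import re
from urllib.parse import urlparse

# Constructed sample, written in the line layout HijackThis uses in hijackthis.log.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\example.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example-isp.test/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                 # "R0 - ...", "O2 - ..."
REG_VALUE = re.compile(r"^(HK[A-Z]+\\[^,]+),(.+?) = (.*)$")    # key,value name = data


def classify_url(url, expected_hosts):
    """Return a reason to review this start/search URL, or None if it looks expected."""
    low = url.strip().lower()
    if low.startswith("res://"):
        return "loads a page from inside a local DLL"
    if low.startswith("about:"):
        return "about: page; expected only if you chose a blank start page"
    host = urlparse(url.strip()).hostname or ""
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        return "host is not one you set yourself"
    return None


def triage(log_text, expected_hosts):
    """List (section, item, data, reason) for IE page settings and BHOs worth asking about."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue                      # header or blank line
        section, body = entry.groups()
        if section in ("R0", "R1"):       # IE start/search page registry values
            reg = REG_VALUE.match(body)
            if reg:
                _key, name, data = reg.groups()
                reason = classify_url(data, expected_hosts)
                if reason:
                    findings.append((section, name, data, reason))
        elif section == "O2":             # Browser Helper Objects loaded into IE
            dll = body.rsplit(" - ", 1)[-1]
            findings.append((section, "BHO", dll, "confirm you installed this helper"))
    return findings


if __name__ == "__main__":
    for section, item, data, reason in triage(SAMPLE_LOG, {"example-isp.test"}):
        print(f"{section:3} {item:18} {data}\n    -> {reason}")
```
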
  5. Badger

    Ron Martell Guest

    "Badger" <> wrote:

    >Since I got ADSL I have had constant problems with CoolWeb hijacking my
    >start page. I have AdAware, Spybot, Pest Patrol and StartPage Guard, all of
    >which do their job, but it keeps on happening and I would like to know if
    >there is a way to permanently remove this thing and prevent it ever taking
    >over again!
    >TIA
    >Badger
    >


    Get CWShredder from http://www.aumha.org/downloads/cwshredder.zip

    Note: The author of CWShredder has just announced that he has halted
    further development of it

    http://www.theregister.co.uk/2004/06/29/cws_shredder/


    Ron Martell Duncan B.C. Canada
    --
    Microsoft MVP
    On-Line Help Computer Service
    http://onlinehelp.bc.ca

    "The reason computer chips are so small is computers don't eat much."
    Ron Martell, Jun 30, 2004
    #5
  6. Badger

    Roy Guest

    Do a google search for Cwshredder. This will rid you of this pest
    "Badger" <> wrote in message
    news:40e20264$...
    > Since I got ADSL I have had constant problems with CoolWeb hijacking my
    > start page. I have AdAware, Spybot, Pest Patrol and StartPage Guard, all of
    > which do their job, but it keeps on happening and I would like to know if
    > there is a way to permanently remove this thing and prevent it ever taking
    > over again!
    > TIA
    > Badger
    >
    >
    Roy, Jun 30, 2004
    #6
  7. Badger

    Badger Guest

    "Boomer" <> wrote in message
    news:40e2031a$0$192$...
    > "Badger" <> wrote:
    >
    > > Since I got ADSL I have had constant problems with CoolWeb
    > > hijacking my start page. I have AdAware, Spybot, Pest Patrol and
    > > StartPage Guard, all of which do their job, but it keeps on
    > > happening and I would like to know if there is a way to
    > > permanently remove this thing and prevent it ever taking over
    > > again! TIA
    > > Badger

    >
    > Firewall?


    I have Zone Alarm, which doesn't seem to do anything in relation to this
    problem. Thanks.
    Badger, Jul 1, 2004
    #7
  8. Badger

    Badger Guest

    "°Mike°" <> wrote in message
    news:40ec0970.34773656@localhost...
    > Yes, stay away from dodgy web sites, and don't accept/open
    > unsolicited emails -- read ALL emails in PLAIN TEXT ONLY.
    >
    >

    Thanks Mike. I don't accept unsolicited email. Apart from the fact that my
    ISP has pretty good junk mail detection I also use Mailwasher which tells me
    what the mail is before it's downloaded to my system. I do sometimes get
    HTML mail from friends - why is this a bad thing?
    What do you mean by dodgy web sites? I don't go to porn sites but not
    infrequently this hijack thing happens as soon as I log on to the Web. IE
    seems to automatically go to about:blank before loading my preferred startup
    page and that's when the hijack occurs.
    Badger
    Badger, Jul 1, 2004
    #8
  9. Badger

    Badger Guest

    "Jim Byrd" <> wrote in message
    news:...
    > Hi Badger - The following is a "canned" response about removing CWS. Note
    > particularly the "hotfix" that you need to install to block this exploit and
    > prevent many of the CWS variants.
    >

    <snip lots of valuable information>

    WOW! Thank you very much Jim. There is a mine of information in your reply,
    which I'll have a go at. I do have CWShredder and it does fix the problem
    but not permanently. It always comes back. I use AdAware, Spybot and Spyware
    Blaster plus StartPage Guard but again, the problem always returns. I'll
    certainly check out the other things you suggest though.
    Badger
    Badger, Jul 1, 2004
    #9
  10. Badger

    Badger Guest

    "Ron Martell" <> wrote in message
    news:...
    > "Badger" <> wrote:
    >
    > >Since I got ADSL I have had constant problems with CoolWeb hijacking my
    > >start page. I have AdAware, Spybot, Pest Patrol and StartPage Guard, all of
    > >which do their job, but it keeps on happening and I would like to know if
    > >there is a way to permanently remove this thing and prevent it ever taking
    > >over again!
    > >TIA
    > >Badger
    > >

    >
    > Get CWShredder from http://www.aumha.org/downloads/cwshredder.zip
    >
    > Note: The author of CWShredder has just announced that he has halted
    > further development of it
    >
    > http://www.theregister.co.uk/2004/06/29/cws_shredder/
    >
    >
    > Ron Martell Duncan B.C. Canada
    > --
    > Microsoft MVP
    > On-Line Help Computer Service
    > http://onlinehelp.bc.ca
    >
    > "The reason computer chips are so small is computers don't eat much."


    Thanks Ron but I do have CWShredder. It fixes the problem but it always
    comes back. I got a lot of info from Jim Byrd which I'll be checking out.
    Badger
    Badger, Jul 1, 2004
    #10
  11. Badger

    Badger Guest

    > "Badger" <> wrote in message
    > news:40e20264$...
    > > Since I got ADSL I have had constant problems with CoolWeb hijacking my
    > > start page. I have AdAware, Spybot, Pest Patrol and StartPage Guard, all of
    > > which do their job, but it keeps on happening and I would like to know if
    > > there is a way to permanently remove this thing and prevent it ever taking
    > > over again!
    > > TIA
    > > Badger
    > >


    > "Roy" <> wrote in message
    > news:QWnEc.888$9.net...
    > Do a google search for Cwshredder. This will rid you of this pest

    Thanks Roy. I do have CWShredder and it works well but the thing keeps
    coming back! I will be trying out some other ideas from Jim Byrd. Thanks for
    your response.
    Badger
    Badger, Jul 1, 2004
    #11
  12. Badger

    Jim Byrd Guest

    YW, Badger - What exactly is your startpage hijacked to? There are some
    variants of CWS which need to be removed by special procedures, not just
    running CWShredder.

    --
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP



    In news:,
    Badger <> typed:
    > "Jim Byrd" <> wrote in message
    > news:...
    >> Hi Badger - The following is a "canned" response about removing CWS. Note
    >> particularly the "hotfix" that you need to install to block this exploit and
    >> prevent many of the CWS variants.
    >>

    > <snip lots of valuable information>
    >
    > WOW! Thank you very much Jim. There is a mine of information in your reply,
    > which I'll have a go at. I do have CWShredder and it does fix the problem
    > but not permanently. It always comes back. I use AdAware, Spybot and Spyware
    > Blaster plus StartPage Guard but again, the problem always returns. I'll
    > certainly check out the other things you suggest though.
    > Badger
    Jim Byrd, Jul 1, 2004
    #12
  13. Badger

    °Mike° Guest

    On Thu, 1 Jul 2004 07:33:45 +0800, in
    <>
    Badger scrawled:

    >"°Mike°" <> wrote in message
    >news:40ec0970.34773656@localhost...
    >> Yes, stay away from dodgy web sites, and don't accept/open
    >> unsolicited emails -- read ALL emails in PLAIN TEXT ONLY.
    >>
    >>

    >Thanks Mike. I don't accept unsolicited email. Apart from the fact that my
    >ISP has pretty good junk mail detection I also use Mailwasher which tells me
    >what the mail is before it's downloaded to my system. I do sometimes get
    >HTML mail from friends - why is this a bad thing?


    Because scripts and ActiveX controls can run in HTML.

    >What do you mean by dodgy web sites?


    Dodgy web sites.

    >I don't go to porn sites but not infrequently this hijack thing happens as
    >soon as I log on to the Web. IE seems to automatically go to about:blank
    >before loading my preferred startup page and that's when the hijack occurs.
    >Badger


    You have lots to go on from Jim, so go through it all carefully.

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Jul 2, 2004
    #13
