Google Answers: URL hijacking porn virus! Please Help!

View Question

Q: URL hijacking porn virus! Please Help! ( No Answer, 0 Comments )

Question

Subject: URL hijacking porn virus! Please Help!
Category: Computers > Internet
Asked by: bjork24-ga
List Price: $24.50

Posted: 24 Feb 2004 20:56 PST
Expires: 25 Feb 2004 08:06 PST
Question ID: 310535

I have a malicious virus on my PC. I don't want to have to reformat my
entire computer, but in the end, it may be the only way to get rid of
this problem. Ok, here it is. Whenever I'm surfing the web, random
porn sites will either a) pop-up over the window I'm looking at, or b)
redirect standard links to go to a porn site.

For instance, let's say I'm reading a news story on news.google.com...
now, I hit a link to read about a certain story and the next thing I
know, my browser's been redirected to another porn site. It's really
getting annoying. I've searched all over the web, used Norton
Anti-Virus, Spy-Bot: Search & Destroy, and Adware... nothing will kill
it.

Here's all I know about it: whenever it redirects, the following
variables are penned onto the end of the ip address it's referencing
"?filter_channel=63" or 61 or 60, the channel always changes. This
variable is appended onto an ip address that also changes, but seems
to stay in the 64.xx.xx.xx range. I don't know what the ip has to do
with it, b/c there's something on my computer that's hijacking my
browser... I've also searched all over my registry and can't come up
with anything.

This is my last attempt to solve the problem before wiping the entire
slate clean. Please, any advice would be SO greatly appreciated.
Thanks.

Request for Question Clarification by clouseau-ga on 24 Feb 2004 21:33 PST

Hello bjork24,

Thank you for your question.

I'm going to post this first as a request for clarification as I
believe your symptoms indicate the following, but I would like you to
test to be sure before I post the official answer.

My hunch says that this is a variant of CoolWebSearch. It is being
talked about in a lot of places. For example:
http://www.jimworld.com/apps/webmaster.forums/action::thread/thread::1076701968/forum::scumware/

"...Having problems surfing the Internet? Being redirected to
smartsearch.ws or another site? Is your computer massively slowing
down? These symptoms characterize a growing list of problems with the
latest scumware program to hit the Internet these days, and you could
be next.

Although its meager beginnings demonstrated that this particular
little program was nothing more than a nuisance and a fake stylesheet,
it has evolved to become a powerhouse of annoyances with a growing
list of complaints. This particular company moves faster than any
previous scumware company we've seen, and it attempts to release a new
'strain' by the rate of almost one a week. A particularly virulent
strain redirects users to the 'smartsearch.ws' homepage and to date,
there are over 30 known variants of the CWS (CoolWebSearch) program.
(Note: On Feb. 1 the smartsearch.ws domain name was shut down as an
affiliate of CoolWebSearch. That particular domain will now show up as
a blank page -- making it difficult to figure out what you've been
scummed with. Although the URL remains in the address bar, the entire
page is blank. Most people will probably guess they've just hit a site
in development or something.)

So what exactly is it an why are we calling it a 'crossbred'
scumware/trojan? CoolWebSearch is at times difficult to identify
because it duplicates the symptoms you would normally expect from a
scumware program. It hijacks your browser, redirects you to other
sites, changes your start page and even issues pop-ups with 'enhanced
results.' These are just a few symptoms in its growing repertoire. In
fact, many of the symptoms you will experience are both confusing and
frustrating, because although they duplicate what we have come to
associate with scumware programs, popular removal tools such as
AdAware and SpyBot simply won't find anything. As a matter of fact,
there is a variant of the program that actually closes any scumware or
spyware removal utilities before they even load, which is definitely
playing dirty..."

You can read more if you like, or search for many more pages talking
about the effects of this scumware, but let's try to get rid of it if
this is your problem as I suspect.

The cure is called CoolWebShredder:
http://www.spywareinfo.com/

Note, this site has been targeted for Denial of Service attacks and is
running as a shell of itself right now. You can download the program
you need here:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Run this and see if it fixes your problem. I suspect it will. But if
not, I'll next run you through installing and running Hijack This and
where to post the results for free help in cleaning your system.

Hang tough. You should not have to resort to a reformat.

Do let me know how this goes for you.

Regards,

-=clouseau=-

Clarification of Question by bjork24-ga on 25 Feb 2004 05:46 PST

clouseau,

Thanks for the info. I'll take a look at the article and install the
software... I'll go ahead and install HijackThis as well, just in
case. I'll let you know what the progress is.

Thanks,
bjork24

Answer

There is no answer at this time.

Comments

There are no comments at this time.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.

Search Google Answers for

Google Home - Answers FAQ - Terms of Service - Privacy Policy