Q: Plague of pop-ups (Answered, 5 out of 5 stars, 4 Comments)
Question  
Subject: Plague of pop-ups
Category: Computers > Internet
Asked by: apteryx-ga
List Price: $18.98
Posted: 25 Feb 2004 20:28 PST
Expires: 26 Mar 2004 20:28 PST
Question ID: 310897
Need a little troubleshooting help here, whiz kids.

I am suffering from what seems to be an unbeatable case of pop-up ads.

When I had a spate of pop-ups before, I installed the G***le toolbar,
which helped a little.  A subsequent worse case called for a direct
application of Spybot and a raising to the max of the barrier against
cookies, which I later had to lower a notch in order to allow certain
applications to work.  At the time, Spybot detected about 48 bad
programs, and I deleted them all.

When the same thing happened at work, the tech support guys told me to
download Lavasoft Ad-Aware 6.0 and run it.  It cleaned house for me,
and there's been no trouble on my work computer ever since.  So I also
installed it at home.

Now we come to last night.  All of a sudden, with no apparent
preliminaries, pop-up ads started pummeling my home computer.  Monday
night it was fine; Tuesday night I was attacked by a plague of such an
annoyance level that it would have taken only one of them to get the
better of the Pharaoh.

The ads open an IE window automatically, whether I have IE running or
not.  And they won't go away.

Here is the current state of things.

-  My computer is on a home LAN.
-  No one else on the LAN is affected.
-  I have not opened any known or unknown virus-bearing messages or
executed any unknown .exe files.
-  I do not have any other virus symptoms.
-  I have not visited any weird or unknown sites lately or opened
anything for the first time.
-  I have not bought anything online lately from a new vendor or
installed anything new on my system.
-  I have Internet Explorer, Netscape, and Mozilla installed.
-  I have Norton Antivirus professional edition installed.
-  Until an hour ago, IE was set as my default browser, but I have
been using Mozilla faithfully for some months, ever since my son
lectured me, saying, "The Internet has become a really unfriendly
place these days, and IE is the worst of the lot for letting unwanted
stuff in." (Boy, howdy! as my Texan friend would say.)  I use
Netscape now and then.
-  The ads pop up in IE.
-  One of the most common is that hateful red target with the
despicable extortionist "click here to . . . STOP POP UPS!" (which I
will never, ever, ever do--I'd sooner pay protection money to a
neighborhood hoodlum) and the window title "Stop Pop-Ups Now."  There
are also eBay ads, student loans, Red Lobster promotions, etc. etc.,
and a blank screen that has the window title
"http://z1.adserver.com/w/cp.x;rid=1;tid=2;ev=1;dr=3;ac=28;c=806;"
-  I ran Spybot last night and cleared about 28 bad-boogie entities
out of my system.  The ads continued to pop.
- I ran Ad-Soft 6.0 and got rid of a lot of stuff.  The ads continued.
- I ran Ad-Soft 6.0 three more times, about 10 minutes apart, and each
time cleared out between 6 and 10 more things.  They just kept coming.
-  I ran Spybot again and got no hits.  Tonight, Spybot cleared out a
couple dozen more things, but the effect was nil.
-  I ran Symantec LiveUpdate.
-  I ran a full NAV scan even though it had run two nights earlier. 
It showed a clean slate, no viruses found, but I had to dig through a
pile of pop-ups even to see the report.
-  I have changed my default browser from IE to Mozilla, but the ads
still keep coming up in IE.
-  I have deleted all cookies from my system.
-  I went to Add/Remove Programs and took out anything that looked
suspicious, including a WildTangent thing that came with the last AIM
update and that I thought I had got rid of once.
-  I attempted to delete IE from my computer but was unable to do it
because it did not appear on the list of installed programs.
-  My husband did a firewall test that pings all ports and found that
nothing would get in.

The ads are still coming on, at a rate of more than once a minute.  It
seems that once a few have gathered on the screen, the rate increases,
but that might just be an illusion.  It is pretty much the same ones
over and over again.

(1)  I need help.  I need to know where to go and what to do to fight
off this filthy cyberspace equivalent of a cockroach infestation, and
I need it now.

--> Please do not advise me to do something I have already done. 
Please be aware of the measures I have already taken before offering
me an answer.

(2)  I also want to know, as a secondary question, if there is
something in the computer, the browser, the networking equipment, or
elsewhere that people can buy into to make this happen.  That is, WHO
IS IT that advertisers make a deal with--say, Microsoft, or Cisco, or
IBM, or *WHO* ?--to do this to customers?  Which part of the network
system--hardware or software, my equipment or internetworking
equipment or operating system or Internet applications or websites or
WHAT--allows the opening through which these creeps can crawl? 
Whoever that is, I want to know, because I intend to give that
organization the benefit of my most scathing rhetoric in hard-copy
form with my signature on it.

Thank you,
Apteryx
Answer  
Subject: Re: Plague of pop-ups
Answered By: clouseau-ga on 25 Feb 2004 21:32 PST
Rated:5 out of 5 stars
 
Hello apteryx,

Thank you for your question. And let me commend you on a complete and
well written question!

What you have going on is some version of what is called Browser
Hijacking. Unfortunately, this is becoming more and more common and
there are reams of pages that can be read of the variants you will
find in these annoyances.

Let's look at part two of your question first:

"..That is, WHO IS IT that advertisers make a deal with--say,
Microsoft, or Cisco, or IBM, or *WHO* ?--to do this to customers? 
Which part of the network system--hardware or software, my equipment
or internetworking equipment or operating system or Internet
applications or websites or
WHAT--allows the opening through which these creeps can crawl?..."

This is not easy to answer. In part, one might blame Microsoft as it
is common knowledge that there are constant patches issued for
security breaches to the operating system. And, as you probably
realize, Internet Explorer and Outlook Express are packaged as part of
the operating system. Hence, these undiscovered security holes are
exploited and patched after the fact. Just run Windows Update and you
can see the amount of "Critical Updates" required to make your OS
secure - at least as secure as Microsoft will admit to today. There is
a never ending stream of these patches, it seems. And since Windows is
by far the most used operating system in the world, it is targeted by
the "script kiddies" that take some sort of pleasure in creating
viruses, trojans, browser hijackers and the like.

Searching for the "hows" of this, I came across the following
articles to serve as examples for you:

Web Browsers Hijacked by New Bug      

Weird new virus causing headaches for some Web surfers 
http://www.techtv.com/news/securityalert/story/0,24195,3554478,00.html

"A new virus is redirecting Web searchers, and frustrating them
mightily in the process.


Trojan.Qhosts redirects an affected computer's Web browser to sites
that have nothing to do with your intended Internet target. On "Tech
Live" I'll tell you more about this strange, new bug.


Affected users report, for instance, that if they type Google.com in a
browser, they're taken to cpanel.net. Apparently, the same can happen
when they try to visit MSN or Yahoo!'s search pages...

...Method of infection 


Trojan.Qhosts is said to exploit a vulnerability Microsoft divulged in
early October. This hole could allow an attacker to execute code on a
victim's machine through a pop-up window or website. It appears
Trojan.Qhosts is being distributed through this method.

According to Symantec Security Response, "Visiting a specific page on
www.fortunecity.com caused a popup to be displayed that redirected the
visitor to a different Web page. Being redirected to the Web page
appears to have caused the Trojan to be downloaded to a visitor's
system and then executed."

So, you can see that code can be downloaded and run on your computer
simply by visiting a site. Your firewall will not block this or notify
you as it is set to allow web browsing and this appears as nothing
unusual. Same with an AntiVirus program that has not yet updated its
virus definition set to include a new exploit.


And, at Spyware Info:
http://www.spywareinfo.com/articles/hijacked/

"...There is a despicable trend that is becoming more and more common
where the browser settings of web surfers are being forcibly hijacked
by malicious web sites and software which modifies your default start
and search pages.

Sometimes internet shortcuts will be added to your favorites folder
without asking you. The purpose of this is to force you to visit a web
site of the hijacker's choice so that they can artificially inflate
their web site's traffic for higher advertising revenues.

In some cases, these changes are reversible simply by going into
internet options and switching them back. Not always, however.
Sometimes it's necessary to edit the windows registry (gasp!) to undo
the changes made. Sometimes there is even a combination of registry
setting and files clandestinely placed on your hard drive that redo
your settings every time you reboot the computer...

...Most people use Internet Explorer, which is the most prone to these
sorts of exploits due to its insecure nature. You would be safer using
a better, more secure browser, such as Mozilla. If you insist on using
Internet Explorer, you need to tighten up your browser's security
settings.

Open your control panel and open Internet Options to the Security tab.
In the activex area, disable activex that is not marked as safe and
not signed. If they can't sign their own code, you certainly shouldn't
run it on your system. For activex marked as safe and signed, set to
prompt.

Why is activex so dangerous that you have to increase the security for
it? When your browser runs an activex control, it is running an
executable program. It's no different from double clicking an exe file
on your hard drive. Would you run just any random file downloaded off
a web site without knowing what it is and what it does?..."

You might read this entire article and others of the like. I found
these with a simple search for "how are browsers hijacked".

But let's dive in and find the cure.

As you have seen, the old standbys of Ad-Aware and Norton do not do
the job here. "Most likely" the following application, called
CWShredder, will, but it may not.

You can find a great deal about this at Merijn.org:
http://www.spywareinfo.com/~merijn/cwschronicles.html

"This is an article which details the variants of the browser hijacker
known as CoolWebSearch (CWS). In the last few months, the people
behind this name have succeeded in becoming (IMHO) an even bigger
nuisance than the now infamous Lop.

The difficulty of removing CWS from a user's system has grown from
slightly tricky in the first variant to virtually impossible for the
latest few. Some of the variants even used methods of hiding and
running themselves that had never been used before in any other
spyware strains.

The chronological order in which the CWS variants appeared is detailed
here, along with the approximate dates when they appeared online.
However, since the evil programmers of CWS have released over two
dozen versions of their hijacker on the advertising market in such a
short time, and are crunching out new ones steadily practically every
week, this document might be out of date at times.

The CWShredder tool to remove Coolwebsearch will always be up to date
and is updated as fast as possible when new variants emerge..."

Read as much or as little as you like, then download and run the
program. With luck, it will find and cure your problem.

"After about the 3rd CWS variant, I realized this particular spyware
company moved faster than any other I'd seen before, and that the
anti-spyware programs wouldn't be able to keep up with it. So I
decided to write a separate program dedicated to removing
CoolWebSearch. It's called CWShredder and can be downloaded here, in
several forms:

Normal form, will work for most people: 
  http://www.merijn.org/files/CWShredder.exe  

-------------------------------------------------------------- 

If you get a message saying 'A required dll, MSVBVM60.DLL, was not
found', install this first: Visual Basic 6 runtime libraries from
Microsoft
http://download.microsoft.com/download/vb60pro/Redist/sp5/WIN98Me/EN-US/vbrun60sp5.exe

-------------------------------------------------------------- 

If you can't or won't download bare executables for some reason, try
this link to the zipped version:
Zipped version of CWShredder  
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

-------------------------------------------------------------- 

If you get a virus warning for W32/Generic.worm!p2p, try this link
instead: Unpacked version of CWShredder
http://www.spywareinfo.com/~merijn/files/cwshredder_u.zip

Now, if this should turn out not to solve your problem, you have
another option. There is a program you can run called Hijack This that
will create a report on the state of your system's health. Once
created, you can post at forums where experts will assist you in
cleaning out your problem at no charge and often very quickly. There
is an excellent community of volunteers willing to help with these
annoyances. Not surprisingly, all of this is also at the Merijn site:

"HijackThis (zipped): 

A general homepage hijackers detector and remover. Initially based on
the article Hijacked!, but expanded with almost a dozen other checks
against hijacker tricks. It is continually updated to detect and
remove new hijacks. It does not target specific programs/URLs, just
the methods used by hijackers to force you onto their sites. As a
result, false positives are imminent and unless you are sure what
you're doing, you should always consult with knowledgeable folks (e.g.
the forums) before deleting anything.

A rudimentary HijackThis log tutorial by me is available here.
http://www.spywareinfo.com/~merijn/htlogtutorial.html

The official HijackThis QuickStart for posting on the SpywareInfo
forums is available here.
http://tomcoyote.org/hjt/

Currently at version: 1.97.7
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
or  http://www.spywareinfo.com/~merijn/files/hijackthis.zip

As you will see when you read the tutorial, once you have your data
file, you can post at their forums. Unfortunately, they are under a
Denial of Service attack (DoS) and are moving their forums which were
at http://www.spywareinfo.com/forums/ . For now, they are recommending
visiting http://forums.net-integration.net/index.php?s=e6cff2449f603f393d59a7bcd0f19403&showforum=32
where a similar help team can be found.

So, let me leave this with you at this point. Please run CWShredder
and let me know through Clarification if that solved the problem. If
not, proceed on the Hijack This. I'll be here to answer questions you
may have and to keep my fingers crossed that this quickly resolves
your problem.



Search Strategy:

how are browsers hijacked
cwshredder
hijack this


I trust my research has provided you with tools that will hopefully
solve your problem and right the ship. If a link above should fail to
work or anything require further explanation or research, please do
post a Request for Clarification prior to rating the answer and
closing the question and I will be pleased to assist further.

Regards,

-=clouseau=-
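
As an added example (this is not code from the page, from HijackThis, or from
Merijn's site), here is a small Python triage script for the kinds of hijack
indicators the two quoted articles describe and that a HijackThis log lists:
R0/R1 start- and search-page registry values, O1 hosts-file redirects of the
Qhosts kind, O2 Browser Helper Objects, O4 autostart entries that re-apply the
hijack on every boot, and O16 ActiveX controls installed from a web site. The
entry prefixes follow HijackThis's log format; the sample log, the known-good
and allowed-host lists, and the "system-binary lookalike" heuristic are
assumptions made for this example. Because false positives are, as the tutorial
warns, imminent, the script separates "high" findings from entries merely
marked "review".

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# One HijackThis-style entry per line: "<code> - <body>", e.g. "O1 - Hosts: ..."
ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")

# Assumptions for this example, not anything HijackThis or the answer states:
SEARCH_DOMAINS = ("google.com", "msn.com", "yahoo.com")       # redirect targets named in the article
KNOWN_GOOD_PAGES = ("msn.com", "microsoft.com")               # where a stock IE start/search page points
ACTIVEX_ALLOWED_HOSTS = ("microsoft.com", "windowsupdate.com")
SYSTEM_BINARIES = ("svchost", "lsass", "csrss", "winlogon", "explorer")

# Constructed sample log; the CLSIDs, paths and hosts are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://z1.adserver.com/w/cp.x
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.google.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\example-bho.dll
O4 - HKLM\..\Run: [Example Updater] "C:\Program Files\Example Vendor\updater.exe" /background
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\System32\svchost32.exe
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://www.example.com/install.cab
"""


def host_matches(host, domains):
    """True when host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def url_host(value):
    """Hostname of a URL; a bare hostname is accepted too."""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def check_page(body):
    # R0/R1: "<registry key>,<value name> = <URL>" for IE's start or search page.
    _, _, value = body.partition(" = ")
    value = value.strip()
    if value.lower() == "about:blank" or host_matches(url_host(value), KNOWN_GOOD_PAGES):
        return None
    return "high", "IE start/search page points outside the known-good set"


def check_hosts(body):
    # O1: "Hosts: <address> <name>"; the Qhosts trick maps a public name to an attacker address.
    fields = body.split(":", 1)[1].split()
    if len(fields) < 2:
        return None
    addr, name = fields[0], fields[1]
    try:
        ip = ip_address(addr)
    except ValueError:
        return "review", "unparseable hosts entry"
    if ip.is_loopback or ip.is_unspecified:   # 127.0.0.1 / 0.0.0.0 block-lists are benign
        return None
    if host_matches(name, SEARCH_DOMAINS):
        return "high", "hosts file redirects a search engine to " + addr
    return "review", "hosts file maps a public name to a non-loopback address"


def check_bho(body):
    # O2: "BHO: <name> - {CLSID} - <dll>"; a BHO is loaded into every IE window.
    name = body.split(":", 1)[1].strip()
    if name.lower().startswith("(no name)"):
        return "high", "Browser Helper Object with no name"
    return "review", "Browser Helper Object; confirm the DLL is something you installed"


def check_autostart(body):
    # O4: "<hive>\..\Run: [<entry>] <command>"; this is what re-applies a hijack on every boot.
    _, _, command = body.partition("] ")
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(maxsplit=1)[0] if command else ""
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    for sysname in SYSTEM_BINARIES:          # e.g. svchost32.exe posing as svchost.exe
        if stem.startswith(sysname) and stem != sysname:
            return "high", "autostart image mimics %s.exe" % sysname
    return "review", "autostart entry; verify the image before leaving it in place"


def check_activex(body):
    # O16: "DPF: {CLSID} (<name>) - <URL of the .cab>"; the control runs as native code.
    url = body.rsplit(" - ", 1)[-1].strip()
    if host_matches(url_host(url), ACTIVEX_ALLOWED_HOSTS):
        return None
    return "review", "ActiveX control installed from a web site"


CHECKS = {"R0": check_page, "R1": check_page, "O1": check_hosts,
          "O2": check_bho, "O4": check_autostart, "O16": check_activex}


def triage(log_text):
    """Return (severity, code, reason, entry) for each entry that needs attention."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group(1) not in CHECKS:
            continue
        result = CHECKS[m.group(1)](m.group(2))
        if result:
            findings.append((result[0], m.group(1), result[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for severity, code, reason, entry in triage(SAMPLE_LOG):
        print("[%-6s] %s: %s\n         %s" % (severity, code, reason, entry))
```

Run against the constructed log it reports four "high" entries (the search page pointing at z1.adserver.com, the hosts line redirecting www.google.com, the unnamed BHO, and the svchost32.exe autostart) and two "review" entries. The point of the split is the one the tutorial makes: an R0/R1 or O1 entry is only evidence of a hijack when you know what the value should be, so the known-good lists are where a real triage would spend its effort, and nothing here should be deleted without checking the image or DLL first.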

Request for Answer Clarification by apteryx-ga on 26 Feb 2004 22:08 PST
Hello there, Inspector.  This looks from here like an outstanding
roundup of information.  Obviously you are no stranger to this field. 
I just wanted you to know that I got the information, have read it,
and will proceed to use it.  Until I've tried it, I won't know for
sure if I have a follow-up request for clarification, so please allow
me a little time to check it out before I rate your answer.

Last night in desperation I did also take the "immunize" option of
Spybot, at which point the number of blocks went from 189 to 504, and
the pace of pop-ups did slack off.  But tonight's run of Ad-Aware
picked off another batch, so it hasn't gone away.  Most of them were
labeled WildTangent, which I believe is a spawn of AOL's AIM.  Don't
know if Yahoo's IM is any better, but I am about to try it.

Thank you, and I'll be back to you soon.
Apteryx

Clarification of Answer by clouseau-ga on 26 Feb 2004 22:18 PST
Take all the time you need and let me know when questions arise.

There are so many variants of these problems that I'm never 100% sure
of the cure until it has been tried. CWShredder has been effective for
many, but Hijack This should find something more stubborn if need be.

By the way, the fact that Ad-Aware keeps finding more tells me that
Ad-Aware is only finding the symptoms and not the cause that keeps
regenerating the problem. The tools here should help to do a more
thorough cleansing.

Let me know how it goes for you.

Regards,

-=clouseau=-

Request for Answer Clarification by apteryx-ga on 29 Feb 2004 13:06 PST
Hi, clouseau--

My assiduous efforts with Ad-Aware and Spybot seem to have got things
under control to the extent that the pop-ups have stopped, but I keep
getting hits and removing the same object names when I rerun those
applications, so whatever it is is not gone, just in remission. 
(Please tell me, do you think I am right that it has something to do
with AIM and the WildTangent tag-along?)

So I decided to take your recommendation and PinkFreud's endorsement
of CWShredder.  But I can't even access the site, either with the full
path in your link or just the merijn.org URL.  I get this message: 
"The connection was refused when attempting to contact merijn.org."

Advice?

Thank you,
Apteryx

Clarification of Answer by clouseau-ga on 29 Feb 2004 13:14 PST
Hi again,

Believe it or not, that just might be a result of this hijacker
refusing to let you get the cure!!

Try this link. If it does not work, get right back to me and we'll try
something else.

http://www.majorgeeks.com/download4086.html


Use the link at the bottom to BTN.

-=clouseau=-

Request for Answer Clarification by apteryx-ga on 29 Feb 2004 14:10 PST
Well, I believe it, all right, clouseau.  This is pretty creepy stuff,
and I am perfectly sure that the perpetrators' imagination for
mischief far outstrips mine.  However, I was reading about Frank
Abagnale last night and saw a quotation in which he remarked something
to the effect that any system devised by man or woman can be broken by
man or woman.  (I'm not sure if the same is also true of a system
devised by a kid!)

So--I did what you said, and I got into the site all right.  Got
through the download and run.  Here is the message I got at the end:

==================================================

Done!
Your system was completely clean.

Windows XP (5.01.2600 SP1)
CWShredder v1.50.0
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit:
http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.merijn.org/cwschronicles.html

For donations to help support me, visit:
http://www.merijn.org/donate.html

==================================================

I clicked the button that let me ask how I got infected in the first
place and how to avoid getting reinfected, and one of the choices was
to download Windows SP1a, so I did that, even though I have kept
completely up to date with all those incoming "new updates are ready
to download" messages.

Now I am feeling a little uncertain and concerned.  It said my system
was clean.  Was it or wasn't it?  After installing SP1a, reboot took
an unusually long time, and it took nearly a minute to launch Mozilla,
which was really weird.  Is everything all right?  How do I know?

And--is CWShredder something I have to run periodically for cleanup,
or did it install protection of some kind, so it just has to sit there
quietly and do its thing without any action from me?

Thank you,
Apteryx

Clarification of Answer by clouseau-ga on 29 Feb 2004 14:28 PST
Hmmm.

To answer a bit, no, CWShredder only needs to be run when you have a
problem and does not protect against future problems.

My next move would be to run Hijack This and post results of the scan
both here and on the Forum at the site. I **may** see something from
your results, but the folks on the HT forum are definitely more expert
in their analysis.

Have you tried rebooting again to see if boot time and Mozilla launch
time are back to normal? Might have only been first boot after the
update.

-=clouseau=-

Request for Answer Clarification by apteryx-ga on 29 Feb 2004 15:24 PST
Well, clouseau, I don't think I want to hold up this question any
longer.  Your answers have been most comprehensive and clear.  With
rare exceptions, I don't want to join anything or sign up for anything
or create an account anywhere--an aversion of mine that goes back at
least 25 years and costs me a lot of discounts that other people
get--so I don't know about posting to any kind of forum.  But I think
I can do a lot with what you've told me here.  So I'll accept your
answer with thanks.

(Thanks to PinkFreud, too, for supplementary assistance.)

Apteryx

Clarification of Answer by clouseau-ga on 29 Feb 2004 15:36 PST
Hello apteryx,

First, thank you for the stars and tip. But I really wish you would go
through with Hijack This. It is an excellent way of finding out what
is the root cause of your problem and the folks that monitor the forum
there are excellent at providing insight. Perhaps read a bit of their
forums just to see how they have helped others. And, if you want some
anonymity, create a Hotmail or Yahoo email account just to use for
this purpose.

I know I would feel better knowing this is resolved for you.

Thanks again, and let me know if I can help further.

Best,

-=clouseau=-
apteryx-ga rated this answer:5 out of 5 stars and gave an additional tip of: $2.02
First-rate information and follow-through.  Thank you.

Apteryx

Comments  
Subject: Re: Plague of pop-ups
From: pinkfreud-ga on 26 Feb 2004 22:17 PST
 
CWShredder has my highest recommendation. I had a nasty and tenacious
hijacker that Ad-Aware and SpyBot couldn't touch. Thanks to
CWShredder, I regained control of my computer. I was so strung out
that I was ready to reformat the machine and reinstall everything, but
fortunately I didn't have to go to that extreme. Three cheers for the
Shredder!
Subject: Re: Plague of pop-ups
From: pinkfreud-ga on 26 Feb 2004 22:21 PST
 
Apteryx,

There's a good article here about how we can protect ourselves against scumware: 

http://www.computercops.biz/postt7736.html

Oddly, the article's author uses a likeness of Inspector Clouseau as his avatar!
Subject: Re: Plague of pop-ups
From: apteryx-ga on 28 Feb 2004 20:25 PST
 
Thanks, Pink, for adding your recommendation.  I have a lot of
confidence in your experience and your opinion.

Apteryx
Subject: Re: Plague of pop-ups
From: pinkfreud-ga on 29 Feb 2004 13:17 PST
 
Apteryx,

Regarding your inability to access the merijn.org site, this may be
because the servers are again under attack (presumably in revenge
against sites that help users to defeat the purveyors of scumware).

This has happened before:

http://www.meryl.net/blog/archives/001489.php

Scum dies hard. :-(
