Thank you for your question. And let me commend you on a complete and
well written question!
What you have going on is some version of what is called Browser
Hijacking. Unfortunately, this is becoming more and more common and
there are reams of pages that can be read of the variants you will
find in these annoyances.
Let's look at part two of your question first:
"..That is, WHO IS IT that advertisers make a deal with--say,
Microsoft, or Cisco, or IBM, or *WHO* ?--to do this to customers?
Which part of the network system--hardware or software, my equipment
or internetworking equipment or operating system or Internet
applications or websites or
WHAT--allows the opening through which these creeps can crawl?..."
This is not easy to answer. In part, one might blame Microsoft as it
is common knowledge that there are constant patches issued for
security breaches to the operating system. And, as you probably
realize, Internet Explorer and Outlook Express are packaged as part of
the operating system. Hence, these undiscovered security holes are
exploited and patched after the fact. Just run windows Update and you
can see the amount of "Critical Updates" required to make your OS
secure - at least as secure as Microsoft will admit to today. There is
a never ending stream of these patches, it seems. And since Windows is
by far the most used operating system in the world, it is targeted by
the "script kiddies" that take some sort of pleasure in creating
viruses, trojans, browser hijackers and the like.
Searching for the "hows" of this, I came across the following for
articles to serve as examples for you:
Web Browsers Hijacked by New Bug
Weird new virus causing headaches for some Web surfers
"A new virus is redirecting Web searchers, and frustrating them
mightily in the process.
Trojan.Qhosts redirects an affected computer's Web browser to sites
that have nothing to do with your intended Internet target. On "Tech
Live" I'll tell you more about this strange, new bug.
Affected users report, for instance, that if they type Google.com in a
browser, they're taken to cpanel.net. Apparently, the same can happen
when they try to visit MSN or Yahoo!'s search pages...
...Method of infection
Trojan.Qhosts is said to exploit a vulnerability Microsoft divulged in
early October. This hole could allow an attacker to execute code on a
victim's machine through a pop-up window or website. It appears
Trojan.Qhosts is being distributed through this method.
According to Symantec Security Response, "Visiting a specific page on
www.fortunecity.com caused a popup to be displayed that redirected the
visitor to a different Web page. Being redirected to the Web page
appears to have caused the Trojan to be downloaded to a visitor's
system and then executed."
So, you can see that code can be downloaded and run on your computer
simply by visiting a site. You firewall will not block this or notify
you as it is set to allow web browsing and this appears as nothing
unusual. Same with an AntiVirus program that has not yet updated its
virus definition set to include a new exploit.
And, at Spyware Info:
"...There is a despicable trend that is becoming more and more common
where the browser settings of web surfers are being forcibly hijacked
by malicious web sites and software which modifies your default start
and search pages.
Sometimes internet shortcuts will be added to your favorites folder
without asking you. The purpose of this is force you to visit a web
site of the hijacker's choice so that they can artificially inflate
their web site's traffic for higher advertising revenues.
In some cases, these changes are reversible simply by going into
internet options and switching them back. Not always, however.
Sometimes it's necessary to edit the windows registry (gasp!) to undo
the changes made. Sometimes there is even a combination of registry
setting and files clandestinely placed on your hard drive that redo
your settings every time you reboot the computer...
...Most people use Internet Explorer, which is the most prone to these
sorts of exploits due to its insecure nature. You would be safer using
a better, more secure browser, such as Mozilla. If you insist on using
Internet Explorer, you need to tighten up your browser's security
Open your control panel and open Internet Options to the Security tab.
In the activex area, disable activex that is not marked as safe and
not signed. If they can't sign their own code, you certainly shouldn't
run it on your system. For activex marked as safe and signed, set to
Why is activex so dangerous that you have to increase the security for
it? When your browser runs an activex control, it is running an
executable program. It's no different from double clicking an exe file
on your hard drive. Would you run just any random file downloaded off
a web site without knowing what it is and what it does?..."
You might read this entire article and others of the like. I found
these with a simple search for how are browsers hijacked .
But let's dive in and find the cure.
As you have seen, the old standby's of Ad-Aware and Norton do not do
the job here. "Most likely" the following application called
CWShredder will, but it may not.
You can find a great deal about this at Merijn.org:
"This is an article which details the variants of the browser hijacker
known as CoolWebSearch (CWS). In the last few months, the people
behind this name have succeeded in becoming (IMHO) an even bigger
nuisance than the now infamous Lop.
The difficulty of removing CWS from a user's system has grown from
slightly tricky in the first variant to virtually impossible for the
latest few. Some of the variants even used methods of hiding and
running themselves that had never been used before in any other
The chronological order in which the CWS variants appeared is detailed
here, along with the approximate dates when they appeared online.
However, since the evil programmers of CWS have released over two
dozen versions of their hijacker on the advertising market in such a
short time, and are crunching out new ones steadily practically every
week, this document might be out of date at times.
The CWShredder tool to remove Coolwebsearch will always be up to date
and is updated as fast as possible when new variants emerge..."
Read as much or as little as you like, then download and run the
program. With luck, it will find and cure your problem.
"After about the 3rd CWS variant, I realized this particular spyware
company moved faster than any other I'd seen before, and that the
anti-spyware programs wouldn't be able to keep up with it. So I
decided to write a separate program dedicated to removing
CoolWebSearch. It's called CWShredder and can be downloaded here, in
Normal form, will work for most people:
If you get a message saying 'A required dll, MSVBVM60.DLL, was not
found', install this first: Visual Basic 6 runtime libraries from
If you can't or won't download bare executables for some reason, try
this link to the zipped version:
Zipped version of CWShredder
If you get a virus warning for W32/Generic.worm!p2p, try this link
instead: Unpacked version of CWShredder
Now, if this should turn out not to solve your problem, you have
another option. There is a program you can run called Hijack This that
will create a report on the state of your system's health. Once
created, you can post at forums where experts will assist you in
cleaning out your problem at no charge and often very quickly. There
is an excellent community of volunteers willing to help with these
annoyances. Not surprisingly, all of this is also at the Meijn site:
A general homepage hijackers detector and remover. Initially based on
the article Hijacked!, but expanded with almost a dozen other checks
against hijacker tricks. It is continually updated to detect and
remove new hijacks. It does not target specific programs/URLs, just
the methods used by hijackers to force you onto their sites. As a
result, false positives are imminent and unless you are sure what
you're doing, you should always consult with knowledgeable folks (e.g.
the forums) before deleting anything.
A rudimentary HijackThis log tutorial by me is available here.
The official HijackThis QuickStart for posting on the SpywareInfo
forums is available here.
Currently at version: 1.97.7
As you will see when you read the tutorial, once you have your data
file, you can post at their forums. Unfortunately, they are under a
Denial of Service attack (DOS) and are moving their forums which were
at http://www.spywareinfo.com/forums/ . For now, they are recommending
where a similar help team can be found.
So, let me leave this with you at this point. Please run CWShredder
and let me know through Clarification if that solved the problem. If
not, proceed on the Hijack This. I'll be here to answer questions you
may have and to keep my fingers crossed that this quickly resolves
how are browsers hijacked
I trust my research has provided you with tools that will hopefully
solve your problem and right the ship. If a link above should fail to
work or anything require further explanation or research, please do
post a Request for Clarification prior to rating the answer and
closing the question and I will be pleased to assist further.
Request for Answer Clarification by
29 Feb 2004 14:10 PST
Well, I believe it, all right, clouseau. This is pretty creepy stuff,
and I am perfectly sure that the perpetrators' imagination for
mischief far outstrips mine. However, I was reading about Frank
Abagnale last night and saw a quotation in which he remarked something
to the effect that any system devised by man or woman can be broken by
man or woman. (I'm not sure if the same is also true of a system
devised by a kid!)
So--I did what you said, and I got into the site all right. Got
through the download and run. Here is the message I got at the end:
Your system was completely clean.
Windows XP (5.01.2600 SP1)
Written by Merijn - email@example.com
For any additional help with this program or removing CWS, visit:
For information and documentation on the Coolwebsearch
trojan and its variants, visit:
For donations to help support me, visit:
I clicked the button that let me ask how I got infected in the first
place and how to avoid getting reinfected, and one of the choices was
to download Windows SP1a, so I did that, even though I have kept
completely up to date with all those incoming "new updates are ready
to download" messages.
Now I am feeling a little uncertain and concerned. It said my system
was clean. Was it or wasn't it? After installing SP1a, reboot took
an unusally long time, and it took nearly a minute to launch Mozilla,
which was really weird. Is everything all right? How do I know?
And--is CWShredder something I have to run periodically for cleanup,
or did it install protection of some kind, so it just has to sit there
quietly and do its thing without any action from me?