The Hijacked Explorer, Part II
by Andy Turudic

The most notorious web page hijacker is CoolWebSearch (CWS -- also known as the "about:blank" hijacker), a home page hijacker that installs itself into the nooks and crannies of Explorer, the system file folders, and a PC's registry, and actually reinstalls itself after removal from the hard drive or RAM. CWS' signature is that it replaces a user's home page with the "about:blank" search page, which allows the creators of CWS to record search clickthroughs from a specific computer, since each CWS installation has a unique installation ID number.

Not only does CWS attempt to mine clickthrough revenue by acting as a biased portal search page, it also generates pop-up ads, including alerts of a possible virus and an ad for cleanup software, for further click-through opportunities. With the home page hijacked, each home page access sends telemetry on clickthroughs to a host somewhere in unscrupulous land. Don't bother manually changing the home page to something else under Explorer's "Tools/Internet Options" -- "about:blank" will reappear as sure as the Pope is German (this new phrase just doesn't have the same ring to it, does it?).

I could not find an effective, legitimate hijack removal program that keeps up with the ever-evolving CWS hijacker. One caution with supposed removal programs: most are scams that either reinforce existing threats or introduce new ones. Googling for removal advice turns up highly ranked endorsements of illegitimate software -- a marketing effort of sorts by the scammers themselves (in the old days we used to call it fraud).

A shareware program called CWShredder has been effective in removing earlier versions of the CWS hijacker. With CoolWebSearch continually evolving, and with CWShredder having been written by a hobbyist who has recently given up writing new code (no doubt for a more lucrative career as an outsourcing consultant), CWS has outpaced CWShredder's ability to detect and remove it. Perhaps CWShredder's new owners will be just as timely in their offerings.

Spybot is a great shareware program for catching tracking cookies and other malware, but proved useless against CWS' latest variant. The freeware program AdAware handily detects the newer CWS hijacker and makes a valiant attempt to remove it. However, the latest variant of CWS, which recently infected my homebuilt Win2000 machine, is AdAware-aware and uses several mechanisms to reinstall itself after AdAware reports that it has successfully removed the virus.

CWS actually punches through firewalls unscathed by fetching an updated copy of itself from "safe" sites like Yahoo and MSN. CWS uses a hidden system file to perform the loading, and is invisible to virus scanners because it hijacks a legitimate system file called out by a registry entry. Through all this, please remember that I'm not a software or PC guy and will take a Mac any day, given the choice.

The only way I found to remove CWS -- after consulting some experts at work, after failing to find a legitimately endorsed removal program, after coming to a dead end because of the newness of my malware variant, after 5 evenings of thrashing the problem, and after researching the Internet with this pest in place -- is to start with an AdAware scan. An AdAware scan identifies most of the files, but I didn't use AdAware to perform the removal, since it couldn't remove the malware anyway. Been there, tried that. Once the files have been identified, the .exe files can be manually corrupted by renaming them to a text file extension, editing some text into the executable, and then renaming them back to .exe. My logic here was that with the file more or less still present, CWS would not go to Plan B.

Then I went into the registry, a very risky process, and deleted the CWS entries and files, including anything related to the CWS installation number. I also killed off anything that referenced a "temp" file directory, and changed the registry entries for my home page to Google. Not only that, but in surfing the Explorer and "current system" registry entries, I found some file references to Yahoo and a callout to the system files that contained the executables, all of which I deleted by hand. The Run program list, which is invoked at system startup, also launched an executable to reinstall CWS, so I deleted the entry there as well, after having come completely clean on an AdAware scan only to find the scum reappear after a restart.
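The two registry locations the cleanup above touches by hand, the Explorer home page value and the Run list, are also the first places to re-check after a reboot to confirm the pest has not come back. The script below is an added example, not part of the original column and not a tool the author used: it parses a text dump produced by `reg export` (the real file is UTF-16LE; open it with `encoding="utf-16"`) and reports a home page that differs from the one you set, plus any Run entry that launches something out of a temp directory. The key and value names are the standard Windows locations for these settings; the dump embedded in the script is constructed for the demonstration.

```python
"""Offline audit of an exported registry dump for the persistence points
named in the column: the Internet Explorer home page value and Run key
entries pointing into a temp directory.  Example code added to this page;
the sample dump is constructed."""
import re
from typing import Dict, List, Tuple

# Standard Windows locations for the settings the column describes.
IE_MAIN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main",
)
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
HOME_PAGE_VALUES = ("Start Page", "Default_Page_URL")

# Constructed sample in the text format `reg export` writes (backslashes in
# string values are doubled, exactly as in a real .reg file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="http://www.google.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"svcinit"="C:\\WINNT\\Temp\\svcinit.exe"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=value  or  @=value (the key's default value)
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<val>.+)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: value}}.  REG_SZ values are unescaped;
    dword/hex values are kept as their raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        km = _KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if current is None or not vm:
            continue  # hex continuation lines and anything unrecognised
        name = "(Default)" if vm.group("name") is None else _unescape(vm.group("name"))
        val = vm.group("val")
        if val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])
        keys[current][name] = val
    return keys


def audit(reg: Dict[str, Dict[str, str]], expected_home: str) -> List[Tuple[str, str, str]]:
    """Flag a home page that is not the one the user set, and Run entries
    whose command lives in a temp directory (the column's two red flags)."""
    findings: List[Tuple[str, str, str]] = []
    for key in IE_MAIN_KEYS:
        for name in HOME_PAGE_VALUES:
            val = reg.get(key, {}).get(name)
            if val is not None and val.lower() != expected_home.lower():
                findings.append(("home page", key + "\\" + name, val))
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            if re.search(r"(\\temp\\|%temp%)", cmd, re.IGNORECASE):
                findings.append(("run entry in temp dir", key + "\\" + name, cmd))
    return findings


if __name__ == "__main__":
    for kind, where, value in audit(parse_reg(SAMPLE_REG), "http://www.google.com"):
        print(f"[{kind}] {where} = {value}")
```

Run it against a fresh export after every reboot during a cleanup; a home page that flips back, or a Run entry that reappears, is the evidence that a reinstall mechanism is still in place and tells you which location to look at next. A clean run reports nothing.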

After about 5 evenings I came up with this undocumented trial, error, and feedback methodology -- unfortunately without taking meticulous notes -- and managed to clean CWS off of my machine. I am now somewhat happily running Firefox, have inoculated my machine with AdAware, and am not sure I will ever return to IE, particularly since I may have missed deleting or corrupting a CWS file. (If any of you out there have successfully removed CWS using a "legitimate" source of software, let the gang at analogZONE know and we'll update this installment with a list, albeit with the caveat that we are neither endorsing nor testing any solution as being clean or as actually removing CWS completely.)

One cannot imagine the countless man-years spent by the Internet community in dealing with viruses and hijackings, or the frustration of a person who just wants to read the daily news and e-mail their grandkids, only to find pornographic popups on their machine. I would hazard a guess that these "turnkey" users, who should really own Macs, would fall for the ruse of removal via CWS' popup offer to rid their machine of frustration -- install malware and then sell its removal.

If we added up the hundreds of life-equivalents snuffed out by these malicious, self-serving acts, they would warrant at least the same punishment as taking a single life. Congress seems to be going through the motions lately, but let's see if the laws have any teeth -- as compared to their anti-spam laws. After all, with anti-spyware estimated to be a $300 million industry by 2008, our government stands to collect some revenue from maintaining the activity.

So, despite having shelled out good money for Symantec virus and firewall software, I have found their products frustratingly useless against CWS. Symantec appears indifferent, is not current on this malware variant, and can't even detect its presence, since a hijacker is not a virus. Not yet.

Read Part I of this column here.


analogZONE
(c) 2005. All rights reserved.