Hijacked IE Favorites

My IE favorites keep getting hijacked. About a week ago, I first noticed that there were about five adult links in my favorites list when I never put them there. I didn’t think much of it and deleted them and went about my business until I restarted my computer and upon clicking on my favorites, had them show up again.

A little annoyed, I deleted them again only to have the same situation happen again and again. I’ve downloaded both Adaware and Spybot and run them both on my computer to see if they might be able to do anthing but so far, neither has and it’s getting very irksome.

Does anyone have any idea what might be causing this and how I could get rid of the damned things? It would be much appreciated.

What is causing it? Dunno.

How to fix it? Stop using IE. Even Netscape doesn’t get this stuff.

There’s possibly something in the Run or Run Once section of the Windows registry that’s creating these shortcuts. If you run msconfig, or (my preference) download Mike Lin’s Startup Control Panel and run that, you can look in the Run section(s) for the culprit, and remove it. Or you can edit the registry directly with regedit, but only if you really know what you’re doing.

If you prefer, post a list of the Run entries here for us resident Windows geeks to have a look at.

If you must use IE, you can avoid this sort of thing by disabling ActiveX scripting. A few sites require ActiveX, though.

I’m not as computer literate as I could be. I know enough to know how to run msconfig but what tab am I supposed to click on afterwards? And are you wanting me to list every program that it shows as running?

The Startup tab, the rightmost one. If you are using Windows XP, msconfig will tell you where each startup entry is to be found, in the Location column. We’re interested in the ones located in either HKLM\bla bla bla\Run, RunOnce, or HKCU\bla bla bla\Run. Other versions of Windows either don’t have msconfig or don’t show the Location, which is why I prefer Mike Lin’s little program.

Anyway, chances are you will recognise what some of the Run entries are. They may be related to your video card, or your anti-virus software or whatever. One of the ones that you don’t recognise might be the culprit.

BTW there’s a pretty comprehensive list of known startup entries here, including ones created by spyware. You can search for them by name.

The cause is likely to be “coolwebsearch” or some such browser hijacker.

They’re a right bitch to get rid of.

Firstly, and I’m fucking sick of telling people, STOP USING IE. It sucks. Use Netscape 7.1 - freely available from netscape.com. If you can / won’t use netscape, use Firefox or Opera. Seriously. These hijackers only affect IE.

This is a very fucking serious problem - check out the story of the guy busted for kiddie pr0n, on account of his broswer being hijacked:

With a view to getting rid of coolwebsearch, check out this article:

You’ll need to get CWShredder. Google for it.

And change browser immediately.

First of all, have you run Ad-Aware? That’s the first thing to do when you get a problem like this. Be sure to update the definitions (click on “Check for Updates Now” when you run it.

Though CoolWebSearch is a problem, this doesn’t sound like a CWS infestation (which hijacks your home page, not your favorites). If Ad-Aware doesn’t fix things, you could try CWShredder, though if it’s not CWS, it won’t help (but it won’t hurt, either).

If neither of these works, download and run Hijackthis and post the log at http://www.spywareinfo.com for analysis.

Aesiron, did you read the first thread in the GQ Forum? The one at the top? The one that was made a “Sticky” so you couldn’t miss it? The one that is titled Have a Computer Question ? Read this first."?

Think it might be worth reading? First? :slight_smile:

More answers in that thread than you can shake a hijacked stick at.

No. I didn’t read the sticky. I have a habit of scrolling past the things since I read most of them way back when and never think to look and see if there’re new ones. I’ll look at it now though.

It’s hijacked my homepage too. I have google as the default but every time I restart, it gets reset to about:blank. For a while there, it was directed at some other site but thankfully, it’s stopped that and just gone with what I’ve mentioned. It’s still annoying though.

And coolwebsearch does sound familiar. I think I saw it listed as one of the programs that Spybot flagged but never actually immunizes against. Every time I try to block the programs, the damned thing freezes me out and I have to close it.

Thanks for the replies, everyone. I’ll be sure to check this out when I get home and post further if I have any more questions.

Aesiron, the CoolWeb stuff is not detected by AdAware, by their own admission, and Spybot may have a problem with it, too. I have a dialogue going with AdAware over this. So for now, the CWShredder specialized routine is the one to use.

Check for BHO (brower help objects), too. Links in the sticky thread.

Oh man. The about:blank hijacking is about the worst sort to have. I spent a couple weeks before finally getting rid of it. Without the help of the folks at www.spywareinfo.com, I don’t think I’d have been successful. They are truly helpful – but unfortunately, they’re swamped. It can take days for one of the experts to respond.

I’d suggest going to their forums (link above), and doing a lot of reading. They have numerous tools, techniques, and suggestions that they give to people day after day. You can obtain enough knowledge just by reading to solve your hijacking.

Good luck.