My default home page in IE has always been austin.rr.com, but lately, it gets hijacked constantly, and changed to something else I don’t want.
People have recommended AdAware, and it DOES find the hijacks by CoolWebSearch… but once I delete the offending module and reset my homepage, CoolWebSearch seems to create a new module in Windows System32, and I’m back to the beginning, with a home page I don’t want.
How do I get rid of these hijacks for good? (And while I appreciate that there are many folks out there who hate Microsoft and IE, I’d prefer a solution, rather than advice to get a different browser).
Go here to download Hijack This. It will show you a log of what is on your computer. Copy paste the log so we can read it, and one of our resident gurus will be along shortly to help you delete it once and for all.
There is also a link there for CWShredder. You may want to run it first.
These are excellent, handy, free webtools that I’ve found to be lifesavers.
If you go to this website, there is a tool to remove CoolWebSearch called CWShredder. It works great, imho. Also, there is a tool called Hijack This. The link actually takes you to the tutorial for how to use Hijack This. On the left hand side in the navigation box there is a download link, where you can get the tools from.
But you see, the folly of your request is that, generally speaking, no other browser and mail client suffers the security problems that IE and Outlook do. If you wish to avoid the security problems that only IE and Outlook have, then you must avoid using them.
~
Go to Google (I assume you can get there), and search for Merijn +CWShredder. Download the program CWShredder.exe. This is a small application (takes less than a minute to download over dialup) which will find and eradicate most of the variants on Cool Web Search. You need to have all browser windows closed when you run it. There’s a wealth of other useful information on that site regarding Cool Web Search and its multitude of friends and relations.
Also search this forum in the past two weeks – there have been a couple of other threads dealing with this – one provided a direct link to the Merijn website, and another gave a link to the HijackThis program which works on the true bastard variants of CWS that don’t get eliminated by CWShredder.exe (Use caution with HijackThis – it identifies all changes to your system, and can delete fun stuff like your Media Player if you don’t examine the results carefully before deleting them.)
People should be aware that AdAware and Spybot Search and Destroy will find the cookie links embedded by spyware, but are not built to identify the more nefarious browser hijackers or viruses. The two groups of programs have two quite distinct purposes, both related to finding and removing kinds of malware you pick up from the Internet, but which should not be confused with each other.
And may I suggest to the Moderators that a good post summarizing the functions and webpage sources for these two kinds of free anti-malware tools ought to be added to the “Computer Problems” sticky thread?
Yes, I should have clarified a bit more. That is why I said he could post the log here, because Hijack This can be extremely tricky if you’re not 100% sure of what you’re doing. Thanks for including that.
The link in my post is to the Merijn website. It is to the actual page which has instructions for running Hijack This. They are pretty detailed and I have found them to be very helpful.
I saw that, and I appreciate it – most of my favorites links went up with my old hard drive.
When I started writing my post, it was a bare OP with no responses – you got your comment (or technically your comment under your wife’s login) in while I was typing!
Yes, I realized that when I read your post. For some reason, every time I tried to go to the Merijn site, I got a Page Not Found error, which was why I linked to a mirror.
Install Spybot and Ad-aware. Update the reference files on both, but don’t scan yet.
If you aren’t an experienced tech, run HijackThis and post the log to a helpful forum. Find out which lines shouldn’t be there.
Reboot and start up in Safe Mode. This is the important part. It ensures that none of the malicious processes are running so they won’t have a chance to repair themselves.
Scan with Spybot, Ad-aware, and CWShredder. Remove any items they find.
Run HijackThis and remove anything that the other utilities didn’t catch. Also manually delete any files that the undesirable registry entries were pointing to.
Reboot and let Windows start up normally.
Reset Internet Explorer’s security settings and install all Critical Updates. Many are important even if you don’t use IE.
When you run CWShredder, there is a final button which offers tips for avoiding re-infection. The basic process is to remove the Microsoft Java engine and replace it with the Sun Java engine, which is not subject to CoolWebSearch’s nefarious depredations – for now.
I have done this. Complete instructions are provided, and it’s pretty easy. No system I have done this to has been reinfected with CWS.
Also, I switched to Firefox for my personal work – except those few sites which don’t work with it. I love it.
It should be noted that there are at least two CWS variants out right now that cannot be defeated simply by deleting registry keys with HijackThis. Neither Spybot nor Adaware remove them either. These variants are nefarious in that they are able to hide files that are not visible in Windows (no matter what your folder options settings are), have permissions that defy most attempts to delete them, and they rename themselves to random names each time IE is started. The procedure for removing them is complicated and involved, and requires the guidance of an experienced spyware guru. I suggest posting your HJT logs over at the SpywareInfo forums; they are developing new tools and techniques for dealing with these resistant variants.
I second the advice to dump Microsoft JavaMachine, and install Sun Java instead.
Good choice for a browser. In order to open the pages that only work in Internet Explorer and not have to open anything else, you can download a modification for Firefox that adds an “Open link in IE” option when you right click. Very useful for banking sites and school sites that only work in IE.
Sigh. I followed Number’s excellent advice, and still have a problem.
This is what I’ve done so far (I’m at my wit’s end)…
Ensured that AdAware and SpyBot and CWShredder were up to date.
Rebooted in Safe Mode
Ran AdAware, Spybot, and CWShredder; removed everything they found
Ran HijackThis
Deleted the R0 and R1 entries that listed lefqd.dll (this is in the page url that is getting hijacked to), and the 04… sdkhy.exe entry.
Restarted; same problem
Ran HijackThis again and deleted the same entries (which reappeared)
Manually reset my home page
Exited IE and went back in; same problem
Something somewhere is obviously still hijacking my system, but I don’t know what. Assistance requested. <= (understatement of the year)
Here is the HijackThis log…
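Added example, not part of any post in this thread: a small Python script that compares the R0, R1 and O4 entries fixed in one HijackThis scan against the next scan and reports which came back verbatim and which came back pointing at a different file. The log lines, the file paths and the name `qzxab.dll` are constructed sample data; only `lefqd.dll`, `sdkhy.exe` and the home page are taken from the posts above.

```python
import re

# HijackThis entry lines have the form "<section> - <details>".
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.+)$")
WATCHED = {"R0", "R1", "O4"}  # IE start/search pages and autorun entries

def parse_log(text):
    """Return {(section, registry location): value} for watched entries."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) not in WATCHED:
            continue
        section, detail = m.groups()
        if section == "O4":   # "HKLM\..\Run: [name] command"
            loc, sep, value = detail.partition("] ")
            loc += "]" if sep else ""
        else:                 # "HKCU\...\Main,Start Page = url"
            loc, _, value = detail.partition(" = ")
        entries[(section, loc.strip())] = value.strip()
    return entries

def compare_scans(fixed_text, rescan_text, trusted=()):
    """Classify every entry that was fixed by what the next scan shows."""
    fixed, rescan = parse_log(fixed_text), parse_log(rescan_text)
    report = {}
    for key, old in fixed.items():
        new = rescan.get(key)
        if new is None:
            report[key] = "gone"
        elif any(t in new for t in trusted):
            report[key] = "clean"       # value now points at a page the user wants
        elif new == old:
            report[key] = "reappeared"  # identical entry was written back
        else:
            report[key] = "rewritten"   # same registry value, different target
    return report

# Constructed sample data (not the poster's log).
FIXED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\System32\lefqd.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lefqd.dll/sp.html
O4 - HKLM\..\Run: [sdkhy.exe] C:\WINDOWS\System32\sdkhy.exe
"""
RESCAN = FIXED.replace("Search Bar = res://C:\\WINDOWS\\System32\\lefqd.dll",
                       "Search Bar = res://C:\\WINDOWS\\System32\\qzxab.dll")

if __name__ == "__main__":
    for (section, loc), status in compare_scans(FIXED, RESCAN, ("austin.rr.com",)).items():
        print(f"{status:10} {section} {loc}")
```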
Being the cautious sort, though, I have to add that a) categorical statements like this make me cringe, as it just invites trouble, and b) I’ve been lucky enough not to have been infected by any hijackers, so I can’t say from direct experience whether Firefox will immediately fix your problems or not.
All that said, Firefox is just a much, much better browser than IE in so many ways that you should install it anyway. Get it, and you won’t ever look back.
Actually, there are some sites – e.g., Windows Update – that won’t work with anything other than IE, but they’re in the minuscule minority.