I Pit Greedy Malicious Programmers

Well, my first thread on SDMB… a momentous occasion. That aside, let me get right to it.

I spent three and a half hours today working on my computer. Why was I working on my computer, you ask? Was I installing a new video card, or some sweet sweet lighting effects? No, I was working on my computer because some greedy bastard sitting somewhere in his little dark cavern (or well-appointed office building, who knows these days) decided he wanted to make a quick buck by making sure every time I typed in a web address, I was redirected to a search engine that pays him for each hit.

Now being a programmer (in case you couldn’t tell by my name), I have seen my share of spyware. This one, on the other hand, was good, and when I say good I mean bad enough to make me scream at my computer continuously for the entire three and a half hours. I am well versed in the use of SpybotSD© and SpyScan©, but this one required that much time to remove because as I scanned, and cleaned, and removed registry entries, it replicated itself like a worm and I started the process all over again. It even actively blocked the Windows Update site so I couldn’t even get the fix to plug the hole it got in through.

What really makes me angry about all of this is that there is no real incentive for people not to do it. AFAIK there is no law against it. So this person can create a program that deliberately inserts itself into someone’s system without permission - causing very undesirable operation - and then make it as hard as humanly possible to remove. If I went up to another person’s car and added something to it that I made sure was very hard to remove, I would be arrested for vandalism. If I were not capable of removing it myself, it would have cost me well over $100 to remove, or to have the OS reinstalled.

These kinds of spyware are the textbook definition of a worm, and as we all know worms are just as malicious as a virus (in some cases more so). I say it’s high time the powers that be enact laws that punish people for doing this and take away the incentive for doing so. If there is a law in effect that I am unaware of, then I say it’s high time they enforce it.


That’s a bummer. Do you have any idea where you picked up this little jewel? I’ve never heard of spyware that blocked access to sites before. It does sound more like a virus.

There are trespass laws against these people - but finding them is the trick. And I doubt the author is in an office building - he’s more likely a pimply script kiddie in his room in Russia.

Sounds like Coolwebsearch to me. Get CWShredder (I’m sure it’s linked in the sticky about computer problems).
As for dodgy Russians…My suspicion has long been that the ‘affiliates’ that are involved with the adverts on CWS are fronts for money-laundering. Is there any evidence of this?

I picked it up when I was looking for info on Smart Card programmers. I clicked on a link that was apparently for satellite card hackers (No I am not one of them, though I have been in the past :wink: ) and was redirected to a site that installed it on page load.

It’s called CoolWWWSearch (CWS); there are about a thousand different forms of it, however most are not as malicious as this one. It hijacks and takes you to a search page that pops up ads, no doubt those ads being the way they make money. It fits the textbook definition of a worm, so yeah, it IS a virus, but not a destructive virus, a greedy one.


That’s what it was. I did finally get rid of it at the end of the three and a half hours using CWShredder, Spy Sweeper, and finally HijackThis. HijackThis is not a tool for everyone, luckily I worked on a project once that concentrated heavily on registry keys, so I was able to identify the ones causing the problem.

But if you’re not an advanced computer user, you’re pretty well pooched.


I take care of hundreds of elementary school computers. Imagine all those little fingers who can’t resist “you’re a winner/hit the monkey”.

I figure I can reload the system in the time it takes to run spybot/adaware the multiple times required.

Today I did have to fight the dragon. A nice teacher’s system got hosed and she needed those files. The bad part was she’s going in for surgery for back pain. Jeez was she hurting. She didn’t need any malware.

Welcome to the SDMB, Code Monkey. Glad to have ya.

I work at a large University where there are a surprising number of people who have never used a computer before, which means all of them should really take a course on how to use one, and some of them shouldn’t use one at all. My co-workers and I get plenty of Spam every day, usually with subjects along the lines of “Important Question” with a cute little .zip file attached. Some people I work with will open these files without hesitation. Next thing you know an entire department is down for the day and IS is sending out stern emails to “Never open attachments if you don’t know who they are from!!” Apparently some people never learn, because we get these warnings from IS at least once every couple of weeks.

Our servers are great targets for hackers - especially internal ones. I know there are some less-than-honest Computer Science students who would love to screw things up enough to put off an assignment, and they have the knowledge to cover their tracks, too.

I can’t figure out why some people’s only purpose in life seems to be to do as much damage as possible to someone else’s system. I consider it vandalism if nothing else, IMHO.

Since you take care of the machines, would it be possible for you to place a more spyware-resistant browser (like Firefox) on the computers? That should cut down on the number of reloads you have to do, though you might have to hide the Internet Exploder icon to keep the less computer-savvy from using it.

And this is why I run Firefox as my web browser, and have a nicely designed hosts file that blocks most ads.

The first time it won’t do something that IE will, you’re installing IE on your XP’s; and you can’t force them to use a different browser on the W98 machines.

this made me laugh.

the district policy is to require IE and Outlook Express.

I tried to sneak Netscape on a system. The district guy removed it.

What, are they suicidal? Get kickbacks from Microsoft?
Maybe the Boss just likes Outlook. :slight_smile:

how do I learn more about this ‘hosts file’ ?

Search your PC for it. HOSTS with no file extension. You can edit it with notepad.
Essentially, you can redirect the browser by listing another IP address for a host name. There are examples in the file.
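The two sentences above are the whole mechanism: the resolver consults HOSTS before DNS, so a line that maps a hostname to an unroutable address blocks it, and a line that maps it to a real address redirects it. The same trick cuts both ways, which is why a hijacked machine's HOSTS file is worth reading as well as writing. The script below is an added example, not code from any poster in this thread; it builds a blocking list of the kind the earlier post mentions, parses an existing HOSTS file, and flags entries that point vendor or update sites somewhere they should not go. The `PROTECTED` domain list, the `0.0.0.0` sink address, and the sample file (including the documentation address `203.0.113.7`) are all assumptions constructed for the demonstration.

```python
"""HOSTS-file helpers: build an ad-blocking list and audit an existing file.

Added example for this thread; the sample file and the PROTECTED list are
constructed assumptions, not data taken from any real machine.
"""
import ipaddress
import re

# Assumption: block by pointing at the unspecified address rather than
# 127.0.0.1, so nothing on the loopback interface is ever contacted.
SINK = "0.0.0.0"

# Hypothetical list of sites a workstation must always reach via real DNS.
# Any HOSTS entry at all for these (or their subdomains) is suspicious.
PROTECTED = ("windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com")

# Constructed sample, not a real HOSTS file: one honest block, one hijacked
# update site, and one hostname redirected to a documentation (TEST-NET) address.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     ads.example.net   # blocked on purpose
127.0.0.1   windowsupdate.microsoft.com
203.0.113.7 www.example-search.com
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """True if `name` is a syntactically valid hostname (case-insensitive)."""
    name = name.lower().rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text):
    """Return [(ip, [hostnames...]), ...] in file order.

    Comments (everything after '#') and blank lines are dropped; a line whose
    first field is not an IP address is skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((str(ip), [h.lower() for h in fields[1:]]))
    return entries


def build_blocklist(domains, sink=SINK):
    """Emit one 'SINK hostname' line per valid, unique domain (lower-cased)."""
    seen = set()
    lines = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not is_hostname(d) or d in seen:
            continue
        seen.add(d)
        lines.append(f"{sink} {d}")
    return "\n".join(lines) + "\n"


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_hosts(text, protected=PROTECTED):
    """Flag ('hijack', ip, host) for protected names and ('redirect', ip, host)
    for any other name mapped to a reachable (non-loopback, non-sink) address.

    Legitimate intranet entries will also show up as 'redirect'; the point is
    to surface every line that sends traffic somewhere, so a human can judge it.
    """
    findings = []
    for ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for h in hosts:
            if any(_under(h, p) for p in protected):
                findings.append(("hijack", ip, h))
            elif not (addr.is_loopback or addr.is_unspecified):
                findings.append(("redirect", ip, h))
    return findings


if __name__ == "__main__":
    print(build_blocklist(["Ads.Example.net.", "ads.example.net", "bad host"]), end="")
    for kind, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:8} {ip:<15} {host}")
```

Run it as-is to see the blocklist line and the two findings from the sample; point `audit_hosts` at the contents of `%SystemRoot%\system32\drivers\etc\hosts` (or `/etc/hosts`) to check a real machine. The audit deliberately reports any entry that routes somewhere, because an unexpected mapping for an update or vendor site is exactly what stops a machine from fetching a patch.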

I have a fair bit of experience in IT desktop support, and if I could put a bullet in the back of the head of everyone who had authored widespread, crippling viruses, worms, and malware, I wouldn’t hesitate to do it. Hell, I’d do them all in with a tire iron. There is no one else on the planet for whom I have such visceral hatred.

I’ve had my work computer infected, and I now use Firefox. I bought a nice new computer for home use a week ago, and I do not intend putting it onto the Internet. (I’d transfer things into it using CD-ROMs – that way I know what’s going onto it).

If they ever catch those sleazeballs who write this stuff or try to profit from it, they should sentence them to removing the stuff from computers for the rest of their lives. That would make the punishment fit the crime.

Calm yourself.
Tie them upside down and pour molten AOL CDs into their nostrils.

One at a time.

open hosts file.

define the offending site’s ip as

Do usual cleanup.

Thanks a lot. I had too many moments of “Man I wish I could reply so I could take this loudmouth down a peg or two” so I decided to join so I could.

Well I got lazy today. I got home the other night to see that it had come back. Guess I missed a registry key. I took a page from jsleek’s manual and nuked & paved. The damn thing had messed up my video codecs by removing the class ID from all the video extensions. When I worked in an IT department for a large call center (300 workstations and 40 servers) it was much easier booting up a RIS image rather than installing SpyBot and SpySweeper and then waiting for them to finish their scans.


Check out this link for more info and an excellent pre-configured HOSTS file.

Also, check out Maxthon (formerly MIE2). It’s based on IE, looks like it, but it’s more powerful and spyware resistant. Maybe you can sneak this on your machines.