AD5MB
I have had my browser hijacked by Nowfind.net, which
apparently uses CoolWebSearch as a hijacking implement.
This computer is not currently connected to a network, so
the behavior described below is caused by software on the
hard disk. I am trying to solve this problem with
troubleshooting techniques and finesse, rather than brute-
force methods like reinstalling XP.
Antispyware is aware of CoolWebSearch, and claims to
remove it, but...
It reinstalls while it is being removed. Antispyware is
aware of this; it asks if I want to block CoolWeb
Installer while I am removing CoolWeb.
Seems to me, if I'm removing it, I obviously don't want
it reinstalled.
Seems to me, if asked once if I want to block
installation, I should not be asked to block again thirty
seconds later.
Seems to me, if I say I don't want it reinstalled once, I
don't want it reinstalled ever.
Seems to me, if it recognizes the CoolWeb Installer, it
should remove the installer.
One thing I'm trying to do is find all the software
installed at the time of the hijacking. Two problems:
1) It's everywhere. I can go to certain obvious
directories;
C:\Windows
C:\Documents and Settings\LOGIN NAME\Local Settings
~\ContentIE5
and delete MOST of the extraneous software by date. But
there is a program hiding somewhere that reinstalls these
programs, and re-corrupts the registry, within seconds. I
can't find that, and it could be anywhere. But it was
installed at the same time as the programs it keeps
reinstalling. So it would be easy to find, if I had the
right search tool.
2) I can't delete certain files because I get a popup
that says they are in use by another program.
Regrettably, it doesn't inform me what that program is.
That program is the source of this recurring problem. If
that popup identified which file was using that non-
deleteable file, I could end this aggravation.
What I need:
1) A global search for files installed since the
hijacking. I shouldn't have to search thousands of
directories when I have a device built for the purpose in
my rack. Ideally, the software should search for a
certain number of files that came in as a group at a
certain time, and identify, log and isolate this group.
2) A mechanism that identifies the process that is using
files I can't delete. So I can terminate that process,
then the files.
3) A mechanism to flag certain files as unwelcome and
undesirable:
Do not install;
Determine the software that is attempting to install
these files;
Terminate and quarantine this software.
Block future attempts to install or run this software.
Log websites that attempt to install this software in the
future.
Seems to me, I should have the ability to tell the
registry, once, that the entries for IE are just the way
I like them, and to weld in what I have.
Any attempt to alter them is a hijack attempt, which
should be blocked, and logged. The website that
attempted to inflict this hijack or spyware on me should
be logged and blocked.
Antispyware keeps popping up a message telling me that a
certain file is trying to run. The format is:
C:\Documents and Settings:\LOGIN NAME\LOCA~...\temp\a.bat
is trying to run.
This popup shows up for about 8 seconds. Try to imagine
how many times I saw this popup before I wrote down
enough info to find it.
a.bat was in - and keeps coming back to - a \TEMP folder
in the Local Settings folder mentioned above. This is a
hidden system folder, and you can't find a.bat with
Search, unless you know to allow Explorer to show hidden
system folders and files.
Seems to me, if an unwanted program file keeps coming
back, you ask the user ONCE if he wants to "Block"
the file. Then you truly block the blinking thing.
Forever, or until given approval by the administrator.
Seems to me, if an unwanted program file keeps coming
back, you log the location, instead of repeatedly popping
messages up. And log the number of times it comes back.
Seems to me, if you just have to pop messages up, you
separate the file path and increase the font size so
people can read it.
Seems to me, if an unwanted program file keeps coming
back, you track down the source, eliminate that.
This popup has come back several times while I am writing
this. If you catch it fast enough, you can click on
Manage Blocked Scripts. You are given an opportunity to
Remove. Is this Remove the script, or the block? Some of
the terminology in Antispyware seems ambiguous to me. I
would prefer an option to Ban, 86, Terminate with extreme
prejudice...
Unrelated Rant: I am not the only person I know who has
this problem:
Many times in the course of composing this document, I
engaged Caps Lock. The result freQUENTLY LOOKS LIKE THIS.
wHEN i DISCOVER MY ERROR, i HAVE TO RETYPE EVERYTHING.
Seems to me, I should be able to highlight the affected
text, hit some key combination, and let the computer
invert everything.
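
An added example, not part of the original post: the search for "files that came in as a group at a certain time" from item 1 under "What I need", sketched in Python. It starts from one known-bad file (here a.bat) and returns every file whose modification time chains to it within an assumed 120-second gap; the directory tree, the other file names and all timestamps are constructed for the demo.

```python
import os
import tempfile

def collect(root):
    """Walk root and return (mtime, path) for every file, sorted by time."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # mtime is used so the demo runs anywhere; on Windows,
                # st_ctime holds the creation time and is worth checking too.
                found.append((os.stat(path).st_mtime, path))
            except OSError:
                continue  # locked or vanished file: skip it, keep scanning
    return sorted(found)

def burst_around(entries, seed_path, max_gap=120):
    """Return the paths in the time cluster that contains seed_path.

    Files stay in one cluster while consecutive timestamps are no more
    than max_gap seconds apart (120 is an assumed threshold).
    """
    idx = next(i for i, (_, p) in enumerate(entries) if p == seed_path)
    lo = hi = idx
    while lo > 0 and entries[lo][0] - entries[lo - 1][0] <= max_gap:
        lo -= 1
    while hi < len(entries) - 1 and entries[hi + 1][0] - entries[hi][0] <= max_gap:
        hi += 1
    return [p for _, p in entries[lo:hi + 1]]

def demo():
    """Constructed sample tree: older files plus one three-file burst."""
    root = tempfile.mkdtemp()
    base = 1_100_000_000  # constructed epoch timestamps
    layout = {
        "Windows/notepad.exe": base,
        "Windows/old.dll": base + 86400,
        "Windows/dropper.dll": base + 500000,        # hypothetical name
        "Local Settings/Temp/a.bat": base + 500030,  # the known-bad seed
        "Local Settings/helper.exe": base + 500075,  # hypothetical name
        "Documents/report.doc": base + 900000,
    }
    for rel, ts in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (ts, ts))
    seed = os.path.join(root, "Local Settings", "Temp", "a.bat")
    return root, burst_around(collect(root), seed)
```

File timestamps can be rewritten by the software that dropped the files, so the returned group is a list of leads to inspect, not proof of what was installed.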