Spyware-Guide How to Stop Spies Product Reviews General Privacy Tips Home Search the guide Product Reviews Contact Us Shopping Have questions about spyware? We have the answers. Access the Guide Lookup Spyware List of Spyware List of Categories List of Companies Our Online Tools Spyware Block List Online Spyware Scan Fix "Messenger Spam" Product Reviews Privacy Products Anti-Virus Anti-Spam Anti-Popup Backups Firewall Education Identity Theft Introduction Terms & Definitions FAQ How to Detect Spies General Privacy Tips Don't Panic Contact Us Mailing list Link to us RSS Feeds [rss_entries.gif] References Questions/Comments? Help us out! Bookmark this site [spacer.gif] Full Name: CoolWebSearch Websearch Type: Browser Hijacker Also Known as: CWS CoolSearcher BootConf MSInfo SvcHost DNSRelay DataNotary Trojan.Norio Jetseeker winlink XPlugin Danger Level: [danger6.gif] 6 [Explain] Official Description: One of the most infamous highjackers know to date. Comes in a variety of versions, all using different techniques. Handle with extreme care! CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators. Comment: Known variants: CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com. Drops a CSS stylesheet file in the Windows folder and sets it to be used as the user stylesheet for all web pages viewed in IE. The stylesheet includes embedded JavaScript code which tries to guess when the user is viewing porn sites. CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating. CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com. CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries versions of Google) are set in the Hosts file to point to localhost (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com. CoolWebSearch/PnP: a search hijacker that hides inside the inf folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections 'RunOnce', 'AudioPnP', 'VideoPnp', 'IdePnP' and 'SysPnP', though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE Safe Sites list, for unknown purpose (this is not the same as the Trusted Sites Zone). CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc. CoolWebSearch/DNSRelay: an address bar search hijacker implemented as an IE URL Search Hook. As well as search phrases, entering any site name into the address bar without a leading http:// or www will result in a search aimed at activexupdate.com, a CWS site redirecting through yellow2.com to allhyperlinks.com. Information URL: http://www.coolwebsearch.com/ Properties: Attacks security software Stealth Tactics Adds other software Changes browser Stays Resident Overwrites Affiliate tracking Connects to the internet Shows ads Manual removal: Removal can be quite a pain, and is dependant on the version. Refer to these pages for detailed instructions: http://www.symantec.com/avcenter/venc/data/trojan.norio.html http://www.spywareinfo.com/~merijn/cwschronicles.html Removal tools: List of products that detect/remove/protect against CoolWebSearch: X-Cleaner RegBlock PestPatrol Ad-Aware Norton AntiVirus Copyright © 2004 by Spyware-Guide.com. All rights reserved. All site content is subjected to disclaimer