CoolWebSearch hijacker removal

by Michael W. Wass - April 8, 2005


One of the most infamous hijackers known to date. It comes in a variety of versions, all using different techniques. Handle with extreme care!

CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.

Full Name: CoolWebSearch

Type: Browser Changer

Also known as: CWS, CoolSearcher, Cool Web Search, BootConf, MSInfo, SvcHost, DNSRelay, DataNotory, Trojan.Norio, Jetseeker, winlink, XPlugin, coolwwwsearch

Danger Level: 9


Properties:

·   Attacks security software
·   Stealth tactics
·   Adds other software
·   Connects to the internet
·   Shows ads
·   Changes browser
·   Stays resident
·   Overwrites affiliate tracking

Comment: Known variants:

CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com. Drops a CSS stylesheet file in the Windows folder and sets it to be used as the user stylesheet for all web pages viewed in IE. The stylesheet includes embedded JavaScript code which tries to guess when the user is viewing porn sites.

CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating.

CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com.

CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries’ versions of Google) are set in the Hosts file to point to ‘localhost’ (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com.

CoolWebSearch/PnP: a search hijacker that hides inside the ‘inf’ folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections 'RunOnce', 'AudioPnP', 'VideoPnp', 'IdePnP' and 'SysPnP', though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE ‘Safe Sites’ list, for unknown purpose (this is not the same as the Trusted Sites Zone).

CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc.

CoolWebSearch/DNSRelay: an address bar search hijacker implemented as an IE URL Search Hook. As well as search phrases, entering any site name into the address bar without a leading ‘http://’ or ‘www’ will result in a search aimed at activexupdate.com, a CWS site redirecting through yellow2.com to allhyperlinks.com.
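The Hosts-file and URL-encoding tricks described for the SvcHost and BootConf variants can be checked for from the defender's side. The script below is an added example, not part of the original TecTrax article: it scans a constructed Hosts file for search-engine names pointed at 127.0.0.1 or another address, and percent-decodes constructed IE start/search page values to reveal the real destination host. The host lists and sample data are assumptions made for the demonstration.

```python
"""Audit helper for CoolWebSearch-style hijacks (added example, not TecTrax code).
All input below is constructed sample data; the host lists are assumptions."""
from urllib.parse import unquote, urlparse

# Search-engine names the SvcHost/BootConf variants are described as targeting.
SEARCH_HOSTS = {"www.google.com", "google.com", "search.yahoo.com",
                "search.msn.com", "auto.search.msn.com"}
# Destination sites named in the variant descriptions above.
CWS_HOSTS = {"coolwebsearch.com", "www.coolwebsearch.com", "slawsearch.com",
             "activexupdate.com", "www.adulthyperlinks.com", "www.allhyperlinks.com"}

def hosts_hijacks(hosts_text):
    """Return (hostname, ip) pairs where a search engine is redirected.
    127.0.0.1 yields the error page the SvcHost variant hijacks; any other
    address is an outright redirect."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            # 'localhost' legitimately maps to 127.0.0.1; it is not in SEARCH_HOSTS
            if name.lower() in SEARCH_HOSTS:
                found.append((name.lower(), ip))
    return found

def decode_setting(url):
    """Undo %XX obfuscation (BootConf) and return the real hostname."""
    return (urlparse(unquote(url)).hostname or "").lower()

def hijacked_settings(settings):
    """Return names of IE start/search values pointing at a known CWS site."""
    return [name for name, url in settings.items()
            if decode_setting(url) in CWS_HOSTS]

SAMPLE_HOSTS = """# constructed sample Hosts file
127.0.0.1   localhost
127.0.0.1   www.google.com
127.0.0.1   search.yahoo.com
192.0.2.10  auto.search.msn.com
"""
SAMPLE_SETTINGS = {  # constructed IE values; the first decodes to www.coolwebsearch.com
    "Start Page": "http://%77%77%77%2E%63%6F%6F%6C%77%65%62%73%65%61%72%63%68%2E%63%6F%6D/",
    "Search Page": "http://www.msn.com/",
}

if __name__ == "__main__":
    print(hosts_hijacks(SAMPLE_HOSTS))       # three redirected search engines
    print(hijacked_settings(SAMPLE_SETTINGS))  # ['Start Page']
```

On a real machine the Hosts file lives under the Windows system folder and the IE values in the registry; the functions take their contents as plain text and dictionaries so the same checks run unchanged.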

Removal Tools

List of products that detect/remove/protect against CoolWebSearch:

·  X-Cleaner
·  RegBlock

Manual removal

Removal can be extremely complex and depends on the version. We strongly advise that you do not attempt manual removal but use an anti-spyware tool instead.

  Copyright © 2010 TecTrax Network Technologies. All rights reserved.

Last modified: 06/15/10