
Saturday, 17 May 2008       

CoolWebSearch Spyware/Adware Definition


Name: CoolWebSearch
Category: Browser Hijacker
Alias: CWS, Cool Web Serach, CoolWwwSearch
Advice: Remove
Risk: Elevated Risk. Elevated threats usually fall into the range of adware, in which data about a user's habits is tracked and sent back to a server for analysis without the user's consent or knowledge.
Description: CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.

CoolWebSearch is part of a strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.

CoolWebSearch Symptoms:
- Hijacks to various search engines. Different variants of CoolWebSearch will redirect you to different sites.
- When a URL is mistyped in the browser, CoolWebSearch will redirect the page to affiliate websites as well as CoolWebSearch.com.
- Installs bookmarks to adult websites in the favorites menu.
- Installs toolbars into the browser.
- Slows down PC.
- Can cause reboots.
- Targets anti-spyware websites, usually vendors of spyware removal tools. Once infected with CoolWebSearch, you may be unable to visit these websites to download their products.
- Will open porn popups if it thinks the website being viewed is pornographic in nature.
- Can cause significant slowdowns when attempting to type into a browser.
- Will add CoolWebSearch.com to the trusted sites list.

CoolWebSearch has a number of variants:

CWS.Aboutblank
IE pages are changed to about-blank.ws and 213.159.118.226 (1-se.com), and the hijack returns on system restart. This variant does everything in its power to redirect you to a domain owned by 1-se.com: IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.

CWS.Smartfinder
IE hijacked to nkvd.us and smart-finder.biz, redirections to nkvd.us and smart-finder.biz when typing incomplete URLs into address bar.

CWS.Datanotary
There were only several threads from users experiencing enormous slowdowns in IE when typing messages into text boxes. Delays of over a minute before the typed text appeared were reported, along with some redirections to www.datanotary.com. The hijack installed a stylesheet that used a flaw in Internet Explorer that allowed a .css stylesheet file to execute JavaScript code. The code in the file was encrypted and spawned an off-screen popup that did the redirecting. However, this file was called on almost every action taken in IE, slowing it down; this was most obvious when typing text.

CWS.Gonnasearch
IE hijacked to gonnasearch.com.

CWS.Xrectar
A browser helper object that changes your home page and opens pop-up windows based on the currently visited URL.

CWS.Xplugin
Also known as TROJ_ESEPOR.A, TROJ_ESEPOR.B or TROJ_ESEPOR.C. Its operation seems to vary from opening pop-up windows to changing search results from popular search engines.


Type: Browser Hijacker - Browser hijackers are malicious programs that change a user's web browser settings, usually altering the designated default start and search pages. In addition, a browser hijacker can modify nearly every aspect of a web browser, including adding bookmarks and redirecting search traffic to alternative sites.

