Full
Name: |
CoolWebSearch |
Type: |
Adware |
Also Known As: |
CWS
CoolSearcher
Cool Web Search
BootConf
MSInfo
SvcHost
DNSRelay
DataNotary
Trojan.Norio
Jetseeker
winlink
XPlugin
coolwwwsearch
Aze Search Toolbar
Trojan.StartPage (Sunbelt)
WinRes
Spyware.CHM.A
ieak6.CWS
CoolWebSearch.info |
Danger Level: |
10 |
Category Description: |
Program that delivers advertisements on your PC.
Note that many websites have their own advertising, unrelated to adware.
Adware is any software application in which advertising is displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen and sometimes through text links or in integrated search results. Adware may or may not track personal information. It may also gather information anonymously or in aggregate only. Users should check the EULA and Privacy policy to ensure if the adware on their machines conforms to their standards. |
Comment: |
Known variants:
CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com. Drops a CSS stylesheet file in the Windows folder and sets it to be used as the user stylesheet for all web pages viewed in IE. The stylesheet includes embedded JavaScript code which tries to guess when the user is viewing porn sites.
CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating.
CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com.
CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries? versions of Google) are set in the Hosts file to point to ?localhost? (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com.
CoolWebSearch/PnP: a search hijacker that hides inside the ?inf? folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections 'RunOnce', 'AudioPnP', 'VideoPnp', 'IdePnP' and 'SysPnP', though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE ?Safe Sites? list, for unknown purpose (this is not the same as the Trusted Sites Zone).
CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc.
CoolWebSearch/DNSRelay: an address bar search hijacker implemented as an IE URL Search Hook. As well as search phrases, entering any site name into the address bar without a leading ?http://? or ?www? will result in a search aimed at activexupdate.com, a CWS site redirecting through yellow2.com to allhyperlinks.com.
CoolWebSearch/Winres: It registers Winres.dll under %Windir%. Then it changes the Start Page to about-blank.(This page itself looks like a Search engine). It changes the start page frequently.It downloads and installs other adwares like 2020 search, isearch.. Etc., It adds some of the sites into trusted zone. It also creates two shortcuts on Desktop.
|
|
|
Properties: |
|
Manual Removal: |
Removal can be extremely complex, and is dependant on the version. We strongly advise you do not try manual removal but use an anti-spyware tool.
|
Back to the list of products removed by X-Cleaner
|