CoolWebSearch is a name given to a wide range of different browser hijackers. The program can change an infected computer's web browser homepage to coolwebsearch.com, and although originally thought to only work on Internet Explorer, recent variants affect Firefox as well as others.

My most noteworthy contribution was coming up with the name for the program, CWShredder.

The CWS.Look2Me variant also hooks into the Windows XP logon system and tracks visited websites as well as downloading further malware. Fixing this hijack involved using a process killer to stop the webserver process, and editing the Hosts file to remove the Google/Yahoo/MSN redirections.


CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to webcoolsearch.com. The 'hijack' becomes obvious when iedll.exe crashes - and it does this frequently. Both files are set to autostart when Windows starts.

Hope this helps. Here is the link for SpySweeper: http://www.webroot.com/products/spysweeper/?WRSID=29b0b14348cc3673a7038871a26a296e This is the trial version.

Symptoms vary among variants of this family.

Variant 11: CWS.Tapicfg - Msinfo part 2
Approx date first sighted: September 21, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=2075
Symptoms: Slow scrolling in IE, redirections to luckysearch.net, hijack returning on reboot, info32.exe errors.

Some versions of CoolWebSearch are installed through what's known as drive-by installation, in which browsing an infected webpage can automatically install CoolWebSearch without the user's knowledge.

CWS itself attempts to evade others by not labelling its ads, not providing an EULA, not providing any data about itself and not having a website. In the last few weeks, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.

Deleting GoogleMS.dll and reinstalling Windows Media Player fixes the hijack. Deleting the file and resetting the IE home and search pages fixes the hijack. It's run from 3 places at boot, as well as merging a .reg file that reinstalls the hijack, and adding an adult site to the Trusted Zone.

It uses material from the Wikipedia.

CWS.Svcinit.2: A mutation of this variant exists, which uses the filename svcpack.exe instead.

O13 - WWW Prefix: http://ehttp.cc/?

We also started to see some pages which seemed affiliates of CWS since almost all their links led to www.coolwebsearch.com.

The hijack is the same as the first version for almost all other aspects, and both HijackThis and CWShredder have been updated to circumvent the problem.

Deleting the autorun entry, resetting IE, deleting msconfd.dll and the porn bookmarks fixes this hijack.

Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing, and reinstalling Windows Media Player
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.idgsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page

Handle with extreme care! Investigation connected Stanislav Avdeyko, the Koobface hacker, with CoolWebSearch.[4]

Variants: CWS.Addclass, CWS.Alfasearch, CWS.Bootconf, CWS.CameUp, CWS.Cassandra, CWS.Control, CWS.Ctfmon32, CWS.Datanotary, CWS.Dnsrelay, CWS.Dreplace, CWS.Gonnasearch, CWS.Googlems, CWS.Hiddendll, CWS.Homesearch, CWS.Loadbat, CWS.Look2Me, CWS.Msconfd, CWS.Msconfig, CWS.MSFind, CWS.Msinfo, CWS.Msoffice

Identifying lines in HijackThis log:
Running processes: C:\WINDOWS\System32\svc.exe
O1 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\BrowserHelper.dll
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe

This variant seems to consist of two files that

Windows' System Restore can reportedly remove some, but possibly not all, variants of CoolWebSearch.

CWS.Aff.Winshow.3: A third version of this variant exists, that uses the filename winlink.dll for the BHO. A program bootconf.exe is set up to run on every startup, resetting the hijack.

Comment: Known variants: CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com.

Unlike deleting programs (virus, trojans, etc) in Normal Mode, safe mode gives all privileges to you, allowing you to delete it.

Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.

Installation of Adware:Win32/CoolWebSearch.MWSearch may result in any of the following files being installed:
%windir%\timon2.dll
%windir%\mtbsys3.dll
\iasada.dll
\iacad.dll

Some or all of these registry entries may exist:
HKEY_LOCAL_MACHINE\Software\ZSearchCo\ZSearch"GUID" = "b08cd81b-8f57-42e4-9997-cb246e70ac7c"

The hijack installed a stylesheet that used a flaw in Internet Explorer and allowed a .css stylesheet file to execute JavaScript code. Certain variants insert links on random text, leading to advertiser websites.

Variant 16: CWS.Addclass - Halloween edition
Approx date first sighted: October 30, 2003
Log reference: http://forums.techguy.org/showthread.php?threadid=175680
Symptoms: Redirections through ehttp.cc before reaching pages, IE homepage/searchpage changing to rightfinder.net, hijack returning on
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing, and using a command prompt to delete the files.

Terminating the running process, and deleting the three autorun values fixed it. The second variant added a hosts file hijack of auto.search.msn.com and the Verisign Sitefinder to something called 'FLS' that linked to Umaxsearch, as well as hijacking smutserver.com domains to another porn