The CoolWebSearch Chronicles

The story of a thousand hijacks


Dear reader. Please note that this article was written originally by the creator of a program designed to remove all CoolWebSearch related infections, Merijn Bellekom.
My most noteworthy contribution was coming up with the name for the program, CWShredder.
After Merijn sold CWShredder to TrendMicro these chronicles disappeared from the internet. But since I think it is important to read the story behind what, in my eyes, was the first opponent that actually looked at the methods the expert malware-fighters were using and actively came up with new methods to make it harder for us. And I have to admit they made nice puzzles. Some of them probably still do.

Everything below here until the ENDQUOTE was left as it was witten by Merijn. Enjoy!



This is an article which details the variants of the browser hijacker known as CoolWebSearch (CWS). In the last few weeks, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.

The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.

The chronological order in which the CWS variants appeared is detailed here, along with the approximate dates when they appeared online. However, even though the evil programmers of CWS have released over two dozen versions of their hijacker on the advertising market in such a short time, it should be mentioned that it is very hard to catch a live installer.


This article has been divided into sections:

CoolWebSearch variants
  1. CWS.Datanotary
  2. CWS.Bootconf
  3. CWS.Oslogo
  4. CWS.Msspi
  5. CWS.Vrape
  6. CWS.Oemsyspnp
  7. CWS.Svchost32
  8. CWS.Dnsrelay
  9. CWS.Msinfo
  10. CWS.Ctfmon32
  11. CWS.Tapicfg
  12. CWS.Svcinit
  13. CWS.Msoffice
  14. CWS.Dreplace
  15. CWS.Mupdate
  1. CWS.Addclass
  2. CWS.Googlems
  3. CWS.Xplugin
  4. CWS.Alfasearch
  5. CWS.Loadbat
  6. CWS.Qttasks
  7. CWS.Msconfd
  8. CWS.Therealsearch
Affiliate variants:
More info on CWS
How do I get rid of this?

How did it get onto my system?

How do I prevent it from happening again?


Note: If you just want to get rid of CoolWebSearch, skip ahead to the bottom of this page where you can download a removal tool.

New clue to CWS's origin! There seems to be a very new, very active strain of trojans that uses the ByteVerify exploit in the Microsoft Java VM to install itself, and change the IE homepage, among other things. Sound familiar? See the bottom of this page for more info.

Variant 1: CWS.Datanotary - Introduction to Destruction

Approx date first sighted: May 27, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8661
Symptoms: Massive IE slowdown, especially when typing text into forms
Cleverness: 9/10
Manual removal difficulty: Very easy, if you know where to look
Identifying lines in HijackThis log:
O19 - User stylesheet: c:\windows\my.css

The first variant of CoolWebSearch wasn't even identified as such. There only were several threads of users experiencing enormous slowdowns in IE when typin messages into text boxes. Delays of over a minute before the typed text appeared were reported. Also some redirections to www.datanotary.com were reported.

The solution to this problem took a while to surface, but after a few weeks (which is pretty long) someone reported the problem going away when going into IE Options, Accessability and disabling the 'Use My Stylesheet' option. After that, the fake stylesheet file could be deleted.

The hijack installed a stylesheet that used a flaw in Internet Explorer and allowed a .css stylesheet file to execute Javascript code. The code in the file was encrypted, and spawned a popup off-screen that did the redirecting. However, this file was called on almost every action taken in IE, slowing it down - this was the most obvious when typing text.

Variant 2: CWS.Bootconf - Evolution

Approx date first sighted: July 6, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=7821
Symptoms: Massive IE slowdown, illegible URLs ie IE Options, redirections when mistyping URLs, startpage & search page changed on reboot
Cleverness: 8/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e
%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e
%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63
%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e
%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%
63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e
%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e
%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e
%63%67%69?%36%35%36%33%38%37 about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://yourbookmarks.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchxp.com/search.php?qq=%s
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O19 - User stylesheet: C:\WINNT\default.css
After HijackThis had built-in support for decrypting the URLS:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?100 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?100 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?100 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.jetseeker.com/ffeed.php?term=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com

The second variant seemed like the first one in only one way: it used the exact same .css stylesheet file. But it took the hijack one step further by not only changing the IE startpage and search pages, but changing them to illegible hexcode garbage.

Only when this code was decyphered it became clear that CoolWebSearch was behind this all. It almost seemed as if they let Datanotary take the stylesheet exploit hijack for a test ride, before using it themselves.

The hijack further involved redirecting the default 'server not found' page to the CoolWebSearch portal homepage by editing the Hosts file, and reloading the entire hijack when the machine was rebooted using a bootconf.exe file that was started with Windows. We also started to see some pages which seemed affiliates of CWS since almost all their links led to www.coolwebsearch.com.

Variant 3: CWS.OSLogo.bmp - Send in the affiliates

Approx date first sighted: July 10, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8210
Symptoms: Massive IE slowdowns
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/ x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/ x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://stopxxxpics.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.coolwwwsearch.com/z/a/ x1.cgi?656387 (obfuscated)
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp

After HijackThis was updated for a few tricks CWS used, a new variant surfaced that showed CWS was just getting started. The filename of the user stylesheet changed into one that didn't even look like a stylesheet on the outside, but got accepted by IE anyway. Two domains were added to the Trusted Zone to ensure CWS could do its dirty work and install any updates if they ever became available.

But most of all, IE start and search pages started getting changed to several dozen different sites that were all affiliated to CWS. There didn't seem to be an end to the flow of different domains users were hijacked to. When I write this, over 80 domains are known CWS affiliates - and all appeared in users' logs.

Variant 4: CWS.Msspi - Let's get dangerous

Approx date first sighted: July 28, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=9170
Symptoms: Popups with 'enhanced results' when doing searches on Google, Yahoo and Altavista
Cleverness: 9/10
Manual removal difficulty: Impossible, I kid you not
Identifying lines in HijackThis log:
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll

At about this time, the variant appeared that was the hardest to remove. Users started reporting that when they went to Google, Yahoo or Altavista to search for something, popups appeared that (most of the time) advertised bogus 'enhanced results'. This was the one and only symptom.

After looking over the log, it was quickly concluded the msspi.dll file was to blame. One expert took the file apart and found several key URLs that were monitored, and when he changed them to bogus URLs the popups were gone.

However, the file hooked into the Winsock LSP chain, which lies very deep into the bowels of Windows and is one of the hardest parts of Windows to manipulate. Only a very small selection of spyware used this method of infection, and incorrect removal left a computer with a broken Internet connection that could not be fixed even by reinstalling Windows.

Luckily there were one or two tools that could fix a broken Internet connection due to this problem. LSPFix was the one used most since it allowed direct editing of the LSP chain.

Variant 5: CWS.Vrape - Mix and mangle

Approx date first sighted: July 20, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=9067
Symptoms: Redirections to vrape.hardloved.com on virtually anything done in IE, as well as redirections to adult sites, dialers, etc
Cleverness: 5/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/ top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:// vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:// vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=

Perhaps the most widely spread variant of CoolWebSearch, this one was a nightmare for the average user. It combined several hijacking methods, along with random redirections to porn pages, portals and even adult dialers.

The hijack covered most of IE, and a user was left to sit helplessly and watch as almost his every move was redirected to vrape.hardloved.com. One strange thing about this hijack though, is that it operated alone: it didn't use any affiliates and even redirected other adult sites to its own site. It has only been connected with CWS since it appeared together with it in a few logs.

The only good thing about this variant is that the domain hardloved.com has been offline for more than half a week at the time of writing. It is unknown whether this is because of the sheer amount of users being routed to their site, DoS attacks by irate users, account termination because of violation of their host's user agreement, or something else.

Variant 6: CWS.Oemsyspnp - Pure genius

Approx date first sighted: July 29, 2003
Log reference: http://www.spywareinfo.com/forums/index.php?s=&act=ST&f=11&t=8643
Symptoms: Start page/search pages changed to allhyperlinks.com, activexupdate.com in the IE Trusted Zone, reloading of the hijack on some reboots.
Cleverness: 10/10
Manual removal difficulty: Involves a bit of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection OemVideoPnP 128 oemsyspnp.inf

This variant was spotted nearly by sheer luck, since it used the same Registry value as the second variant (Bootconf) 'SysPnp'. This was a very clever hijack that disguised itself as a driver update. When the computer was started, there was a 1 in 5 chance the hijack was re-installed and changed the IE start page and search pages to allhyperlinks.com.

However, once the hijack was identified, it was easy to stop: only the autostarting oemsyspnp.inf file had to be disabled using MSConfig, and then it could be safely deleted.

CWS.Oemsyspnp.2: A mutation of this variant exists that uses the filename keymgr3.inf, and the Registry value keymgrldr instead.

CWS.Oemsyspnp.3: A mutation of this variant exists that uses the filename drvupd.inf, and the Regustry value drvupd instead. It hijacks to searchforge.com.

Variant 7: CWS.Svchost32 - Evading detection

Approx date first sighted: August 3, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=1027
Symptoms: Redirections to slawsearch.com when accessing Google, searching on Yahoo or mistyping an URL
Cleverness: 10/10
Manual removal difficulty: Involves a process killer
Identifying lines in HijackThis log:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.slawsearch.com
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\SYSTEM\svchost32.exe"

This variant of CWS was focused on only evading existing detection tools. What was visible in a HijackThis log wasn't nearly all of it. The hijack installed dozens of redirections from international Google domains, MSN and Yahoo search engines to a webserver running at the user's own machine. The webserver even had the seemingly unsuspicious filename of 'svchost32.exe' to look like the Windows system file 'svchost.exe'. Anytime a user accessed Google, searched with Yahoo or mistyped an URL, he was redirected to slawsearch.com.

Fixing this hijack involved using a process killer to stop the webserver process, and editing the Hosts file to remove the Google/Yahoo/MSN redirections.

Variant 8: CWS.DNSRelay - Hey, that wasn't here before!

Approx date first sighted: August 7, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=9074
Symptoms: Redirections to allhyperlinks.com when omitting 'www' from an URL typed in IE
Cleverness: 8/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\dnsrelay.dll

A very clever hijack that uses a method never used before by any other hijacker, this variant monitored all URLs entered into the IE Address bar, and redirected any URLs starting without 'www' to allhyperlinks.com. The hijack isn't very widespread, and is also pretty hard to spot. Luckily, fixing it requires only deleting one Registry value and one file.

CWS.Dnsrelay.2: A mutation of this variant exists which uses the filename ASTCTL32.OCX instead.

CWS.Dnsrelay.3: A mutation of this varianit exists which uses the filename mswsc10.dll instead, which is located in C:\Program Files\Common Files\Web Folders. It hijacks IE to payfortraffic.net. It also adds a custom stylesheet (like CWS.Bootconf) located at C:\Program Files\Internet Explorer\Readme.txt. (This file is not present on uninfected systems.) It uses a Registry value named nvstart to re-register the main mswsc10.dll file on startup.

Variant 9: CWS.Msinfo - running out of ideas

Approx date first sighted: August 22, 2003
Log reference: http://www.spywareinfo.com/forums/index.php?s=&act=ST&f=4&t=9933
Symptoms: Redirection to Global-Finder.com, hijack reappearing when rebooting, possible errors about a missing file 'msinfo.exe'.
Cleverness: 6/10
Manual removal difficulty: Involves lots of Registry editing and some .ini file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
F1 - win.ini: run=msinfo.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe

This variant, using a file called 'msinfo.exe' to reinstall the hijack on a reboot, appears to have several versions. The first one seemed to malfunction often, as seen in the 'first sighted' link where the file wasn't actually installed, but the reference to it was. The second version probably fixed this a few days later, since people started surfacing that had been hijacked by this thing. Lastly, the third version appeared together with a slightly mutated variant #2 (bootconf.exe).

The MSINFO.EXE is installed in a Windows folder where also the legitimate MSINFO32.EXE file resides. It is ran from win.ini, a method rarely used by programs nowadays. It sets nearly all Start and Search pages from IE to URLs at out.true-counter.com, and reinstates these whenever the system is restarted. Fixing this variant involves resetting all the Registry values changed for IE, editing the autorun values in win.ini and the Registry, and deleting the two files.

Variant 10: CWS.Ctfmon32 - SlawSearch part II

Approx date first sighted: September 22, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=11886
Symptoms: Start page and Search pages changed to www.slawsearch.com, 'Customize Search Assistant' closing after opening it, hijack coming back after a reboot.
Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.slawsearch.com/autosearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slawsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
O4 - HKLM\..\Run: [CTFMON32.EXE] "C:\WINDOWS\System32\ctfmon32.exe"

This variant surfaced after a quiet time. CWShredder could fix it, but it would return after rebooting the computer. Apart from the new filename 'CTFMON32.EXE' (note that 'CTFMON.EXE' is the real Windows system file) it worked pretty much the same way as CWS.Bootconf: the file loads at startup, resetting homepages and search pages, and then closes. Deleting the file and changing everything back to normal fixes it.

Variant 11: CWS.Tapicfg - Msinfo part 2

Approx date first sighted: September 21, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=2075
Symptoms: Slow scrolling in IE, redirections to luckysearch.net, hijack returning on reboot, info32.exe errors.
Cleverness: 8/10
Manual removal difficulty: Involves quite some Registry editing, win.ini editing and hosts file editing. The style sheet files are marked read-only, system and hidden.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/--- /?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/-- /?oaoca (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css

This hijack consists of only one file, that duplicates itself in two places (info32.exe and tapicfg.exe) and acts different depending on its filename. It drops two style sheets on the system, hijacks to acc.count-all.com which redirects to luckysearch.net, and reinstalls the hijack on each reboot. The hosts file redirection also hijacks any mistyped domains to luckysearch.net.
Though a file determining its actions depending on the filename is very bad programming, it surprised me somewhat because it works so well.

Variant 12: CWS.Svcinit - Sneaky little fellow

Approx date first sighted: September 10, 2003
Log reference: ?
Symptoms: Homepage changed to xwebsearch.biz and 'http:///', hijack returning on reboot or even sooner.
Cleverness: 9/10
Manual removal difficulty: Involves lots of Registry editing, ini file editing and a process killer.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\SVCINIT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:////
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xwebsearch.biz
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKLM\..\Run: [mssys] C:\WINDOWS\mssys.exe
Additional identifying line in StartupList log:
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe

This variant was somewhat surprising, because fixing all the items in HijackThis didn't remove it completely - it came back after a reboot (on Windows 2000 and XP). Only after a user had posted a StartupList log it became clear that this hijacker used another additional method of running at boot, besides the two visible in the HijackThis log. Terminating the running process, and deleting the three autorun values fixed it. Also, mssys.exe is possibly involved in this hijack.

CWS.Svcinit.2: A mutation of this variant exists, which uses the filename svcpack.exe instead. It hijacks to http:/// (sic) and uses the same autostarting methods as the first version. Possibly it also drops the file SVCHOST.OLD for unknown purposes.

Variant 13: CWS.Msoffice - HTA exploit revisited

Approx date first sighted: October 12, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13362
Symptoms: Homepage changed to searchdot.net, hijack coming back after a reboot, slow scrolling and text typing in IE.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing, and using a command prompt to delete the files.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta

This variant uses a .hta script file to reinstall the hijack on a reboot. The msoffice.hta file is hard to find because the Fonts folder is a special folder for Windows, setup to hide all files in it that are not font files. Thus, a command prompt is needed to be able to see and delete the file. Deleting the file and resetting the IE home and search pages fixes the hijack.

Variant 14: Dreplace - Just a BHO... OR IS IT?

Approx date first sighted: October 12, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13497
Symptoms: Redirections to xwebsearch.biz and 213.159.117.233, hijack returning on reboot
Cleverness: 3/10 , 10/10 on second version
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
O1 - Hosts: 213.159.117.233 sitefinder.verisign.com
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll

This variant installs a BHO with unknown purpose, though it's probable the BHO is there to ensure xwebsearch.biz is set as your homepage on reboot. It redirects the Verisign Sitefinder, so all mistyped domains are redirected to 213.159.117.233.

CWS.Dreplace.2: There is a second version of this variant that used the most dastardly trick I have ever seen in a piece of malware. It changed the dreplace.dll so fixing it with either HijackThis or CWShredder will cause your entire system to fail on Windows 98, 98SE and ME! The hijack is the same as the first version for almost all other aspects, and both HijackThis and CWShredder have been updated to circumvent the problem.

Variant 15: Mupdate - Turning up everywhere

Approx date first sighted: October 13, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13613
Symptoms: Homepage changing to searchv.com, redirections to runsearch when mistyping URLs, *.masspass.com in the Trusted Zone, hijack returning on a reboot.
Cleverness: 9/10
Manual removal difficulty: Involves some Registry editing and lots of ini file editing.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchv.com/search.html
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=explorer.exe mupdate.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O15 - Trusted Zone: *.masspass.com

This variant isn't very common, but it makes up for this by being very persistent in its existance. It's ran from 3 places at boot, as well as merging a .reg file that reinstalls the hijack, and adding an adult site to the Trusted Zone. It also redirects any mistyped domains to runsearch.com.

Variant 16: CWS.Addclass - Halloween edition

Approx date first sighted: October 30, 2003
Log reference: http://forums.techguy.org/showthread.php?threadid=175680
Symptoms: Redirections through ehttp.cc before reaching pages, IE homepage/searchpage changing to rightfinder.net, hijack returning on reboot.
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\TEMP\ADDCLASS.EXE
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?

This one just surfaced when a sample (and thus a CWShredder update) was found for it. The hijack involves AddClass.exe installing the hijack and reinstalling it on reboot. It also changes the DefaultPrefix, WWW Prefix and a non-functional 'www.' prefix which makes each URL you type without 'http://' in front of it redirect through ehttp.cc before reaching the correct destination. IOW, they log everywhere you go. Luckily they are even kind enough to provide a uninstall for this 'Enhanced HTTP protocol' at their site here. This will only partially remove CWS.Addclass though.

Variant 17: CWS.Googlems - We have a payload!

Approx date first sighted: November 1, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16643
Symptoms: IE pages changed to http://www.idgsearch.com/, hijack reinstalled on reboot and when running Windows Media Player.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing, and reinstalling Windows Media Player
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.idgsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.idgsearch.com/
O2 - BHO: GoogleMS Search Helper - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\Documents and Settings\[username]\Application Data\GoogleMS.dll

This variant is first of its kind, since an important development was observed here: the Windows Media Player executable was deleted and replaced by the trojan. This file reinstalled the hijack when ran. No other variants modify or delete system files, but this one seems to.
It also installs a BHO that reinstalls hijack on a reboot. Deleting GoogleMS.dll and reinstalling Windows Media Player fixes the hijack.

Variant 18: CWS.Xplugin - 'Helping' you search the web

Approx date first sighted: November 11, 2003
Log reference: Not visible in HijackThis log!
Symptoms: Some links in Google results redirecting to umaxsearch.com or coolwebsearch.com every now and then
Cleverness: 10/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
Not visible in HijackThis log!

This variant is the first one that is not visible in a HijackThis log. It works invisible, changing links from Google search results to other pages. It took a while to find out how this variant works, since it doesn't use any of the standard locations.
A file xplugin.dll is installed, which creates a new protocol filter for text/html. In normal english, this means it reads most of the web pages downloaded to your browser. It also randomly alters some links in Google search results to pages on umaxsearch.com and coolwebsearch.com. It claims to be made by something called TMKSoft.
It is unknown if deleting the file has no side-effects, but using CWShredder or running regsvr32 /u c:\windows\system32\xplugin.dll (may vary depending on Windows version) fixes the hijack completely.

Variant 19: CWS.Alfasearch - Child's Play

Approx date first sighted: November 5, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16730
Symptoms: IE pages changed to alfa-search.com, possibly porn sites being redirected to 216.200.3.32 (alfa-search.com), error message about a 'runtime error' at startup, 4 porn bookmarks added to favorites (one possible child porn).
Cleverness: 1/10
Manual removal difficulty: Involves a little Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
O4 - Global Startup: MSupdate.exe

Possibly the most simple CWS variant since CWS.Datanotary, this hijack only does the basic stuff: changes your IE homepage and search pages, adds porn bookmarks, and pops up a bogus error message at startup.
Deleting MSupdate.exe from the All Users Startup group, deleting the porn bookmarks and resetting the IE homepage and search pages fixed the hijack.
The MSupdate.exe file is capable of installing a hosts file hijack as well, but doesn't seem to do this.

Variant 20: CWS.Loadbat - Dastardly

Approx date first sighted: November 1, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16132
Symptoms: DOS window flashing by at system startup, IE pages being hijacked to ie-search.com, redirection to 'FLS' or Umaxsearch when mistyping URLs or visiting porn sites
Cleverness: 9/10
Manual removal difficulty: Involves some Registry editing and deleting a few files
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
O1 - Hosts: 206.161.200.103 www.smutserver.com
O1 - Hosts: 206.161.200.103 www1.smutserver.com
O1 - Hosts: 206.161.200.103 www2.smutserver.com
[...]
O1 - Hosts: 206.161.200.103 www29.smutserver.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv /c /set -- by windows setup --

Overlooked at first, this CWS variant used a clever way of reloading the hijack by making it look like some other file (shell.dll or win64.drv) was doing it, when in fact it was just a LOAD.BAT file merging a .reg file.

The second variant added a hosts file hijack of auto.search.msn.com and the Verisign Sitefinder to something called 'FLS' that linked to Umaxsearch, as well as hijacking smutserver.com domains to another porn site.

To remove this manually, killing the autostarts and removing hp.htm , load.bat and srch.reg from the Windows folder along with resetting the IE homepage/search page is enough.

Variant 21: CWS.Qttasks - Even more simple than CWS.Alfasearch

Approx date first sighted: November 23, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=18331
Symptoms: IE pages being changed to start-space.com
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.start-space.com/
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe

Mimicking the legit 'QuickTime Task' autorun entry in the Registry (which is in the HKLM hive), this variant loaded at startup and changed only the Start Page to start-space.com. That's it. I'm serious. *Yawn*

Variant 22: CWS.Msconfd - Finally using rundll32

Approx date first sighted: November 26, 2003
Log reference: none, local test
Symptoms: IE pages being changed to webcoolsearch.com, bogus error message about msconfd.dll at startup, porn bookmarks added to Favorites (some possibly childporn)
Cleverness: 7/10
Manual removal difficulty: Involves quite some Registry editing and deleting porn bookmarks
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
Additional line from StartupList log:
Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll

This is the first variant to use a dll file together with the Windows rundll32 file. This makes it a little harder to find the culprit msconfd.dll, responsible for hijacking IE to webcoolsearch.com and adding 11 adult bookmarks to IE, of which 4 are possibly child porn sites.

Deleting the autorun entry, resetting IE, deleting msconfd.dll and the porn bookmarks fixes this hijack.

Variant 23: CWS.Therealsearch - Misery travels in pairs

Approx date first sighted: November 29, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=19137
Symptoms: IE pages changed to therealsearch.com, porn bookmarks added to IE Favorites, porn sites appearing in IE autocomplete
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry editing, a process killer, and deleting bookmarks
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.therealsearch.com/sp.php
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe

This variant of CWS appeared to be worse than it actually was at first. Since it had two running processes, it looked like the Peper virus, that was very hard to remove. Luckily these two processes didn't behave like that. The smallest one quicken.exe downloaded and ran the second one editpad.exe (like CWS.Aff.Iedll does) and hijacked IE to therealsearch.com, as well as setting themselves to run at startup.

To remove this variant a process killer is needed to kill editpad.exe and quicken.exe and deleting the files, as well as resetting the IE homepage/search pages and possibly removing CWS.Aff.Tooncomics.2 which can be downloaded by this variant.


Affiliate variants - not directly related to CWS, but sighted together with it very often


Affiliate variant: iedll - Bad coder

Approx date first sighted: August 18, 2003
Log reference: http://boards.cexx.org/viewtopic.php?t=1499
Symptoms: Errors in a file 'iedll.exe' or 'loader.exe' on Windows startup. Sighted a lot together with other CWS variants.
Cleverness: 3/10
Manual removal difficulty: Involves a process killer and a bit of Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\LOADER.EXE

O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe

This affiliate variant, with unknown origin, consists of two files. The first one, loader.exe downloads the second one, iedll.exe and runs it. Both files are set to autostart when Windows starts. The 'hijack' becomes obvious when iedll.exe crashes - and it does this frequently. Apparently, this program is programmed so badly, it won't even carry out its payload and does not hijack IE. It is only displayed here because it has been sighted together with other CWS variants on very numerous occasions.

CWS.Aff.iedll.2: A mutation of this variant exists, that has the same files iedll.exe and loader.exe located at C:\Program Files\Windows Media Player.

Affiliate variant: Winshow - Comes in two flavours

Approx date first sighted: July 13, 2003
Log reference: ?
Symptoms: Changed IE pages to youfindall.com, BHO added to IE named 'winshow.dll'. Second variant hijacks to searchv.com and also redirects mistyped URLs to a porn site, and reloads the hijack on a reboot, or even sooner.
Cleverness: 5/10, second variant 8/10
Manual removal difficulty: Involves lots and lots of Registry editing, a bit of hosts file editing and deleting one file.
Identifying lines in HijackThis log:
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
Second variant CWS.Aff.Winshow.2:
O1 - Hosts file: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents And Settings\username\Application Data\winshow\Winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - Global Startup: MSUpdater.exe

This affiliate variant originally was quite innocent, consisting only of one Browser Helper Object (BHO) named 'Winshow', with unknown goal. It was frequently sighted together with other CWS variants.

CWS.Aff.Winshow.2: The second variant of this one also used the BHO and filename, but added a hosts file hijack that redirected mistyped domains/URLs to a porn site, and reloaded a IE hijack to searchv.com on reboot using a Registry command file. One file named MSUpdater.exe was sitting in the 'All Users' startup folder in the Start Menu, and also reloaded the hijack. Deleting both files fixed the hijack. It is still unknown what the BHO actually does.

CWS.Aff.Winshow.3: A third version of this variant exists, that uses the filename winlink.dll for the BHO. It hijacks to both searchv.com and thesten.com. It does not have the additional files the second version has.

Affiliate variant: Madfinder - Kinda like ClientMan

Approx date first sighted: October 15, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=14977
Symptoms: IE homepage changed to madfinder.com, BHO with filename 'BrowserHelper.dll', hijack returning on reboot, or even sooner.
Cleverness: 5/10
Manual removal difficulty: Involves a process killer and lots of Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\svc.exe

O1 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\BrowserHelper.dll
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe

This variant seems to consist of two files that support each other. svc.exe runs invisible, downloads the second BrowserHelper.dll and installs it as a BHO. However, this BHO file also contains the first file and probably puts it back when it is deleted. The variant is always accompanies by a hijack to madfinder.com.

Affiliate variant: Tooncomics - Changing the Internet

Approx date first sighted: September 18, 2003
Log reference: http://boards.cexx.org/viewtopic.php?p=11617#11617
Symptoms: IE hijacked to tooncomics.com, targets of hyperlinks on websites changed to porn sites
Cleverness: 9/10
Manual removal difficulty: Involves really lots of Registry editing, and some hosts file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/main/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.130.194/main/hp.php
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll

This variant seems to be in the league of CWS.Vrape, hijacking to porn sites, redirecting other porn sites to itself, and even using a BHO to change the target of hyperlinks to porn sites like eZula Toptext does. Some users even reported being unable to download CWShredder because the links at the bottom of this article were altered to point to porn sites. Manual removal is pretty hard, because the DNSErr.dll file responsible for the latter part of the hijack has no uninstall built-in like most dlls. However, flat-out deleting the file has no side effects.

CWS.Aff.Tooncomics.2: There is a second version of this hijack that Uses the filename dnse.dll as the BHO, and a second file ld.exe that is always running, reloading the hijack. In this version, the IE homepage and search pages are changed to fastwebfinder.com. A process killer is needed to get rid of ld.exe.

Epilogue - The Fix

After reading all of this, you must be under the impression that a CoolWebSearch hijack is near impossible to fix since there are so many variants. Though it is true that the conventional tools like Ad-Aware, Spybot S&D and HijackThis won't fix all of the variants, there is one tool that will.

After about the 3rd CWS variant, I realized this particular spyware company moved faster than any other I'd seen before, and that the anti-spyware programs wouldn't be able to keep up with it. So I decided to write a separate program dedicated to removing CoolWebSearch. It's called CWShredder and can be downloaded here, in several forms:


ENDQUOTE


Here I have to point you to a few different points where this story lead.
Trend Micro
More CWS variants, a write-up by Unzy, dvk01 and myself.



Epilogue - The Origin

We are pretty sure now CoolWebSearch is part of a new strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc. Take a look at this snippet from the description of the Java.Shinwow trojan:
This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.
The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.
We strongly recommend you install the patch, available from this MS security bulletin. If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Information on removing the MS Java VM completely and replacing it with the newer, safer Sun Java VM can be found here.

An a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their malware. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.