Coolwebsearch removal instructions: learn more about this adware and how to uninstall Coolwebsearch in our removal and uninstall guide
Coolwebsearch is a name given to a wide range of different browser hijackers.
Though the code is very different between variants, they are all used to redirect
users to Coolwebsearch.com and other sites affiliated with its operators.
Coolwebsearch is part of a recently identified strain of trojans that all
have one thing in common: they install through the ByteVerify exploit
in the MS Java VM and change the IE homepage, search page, search bar, etc.
Coolwebsearch Symptoms:
- Hijacks to various search engines. Different variants of Coolwebsearch will
redirect you to different sites.
- When a URL is mistyped in the browser, Coolwebsearch will redirect the page
to affiliate websites as well as Coolwebsearch.com.
- Installs bookmarks to adult websites in the favorites menu.
- Installs toolbars into the browser.
- Slows down PC.
- Can cause reboots.
- Targets anti-spyware websites, usually vendors of spyware removal tools. Once
infected with Coolwebsearch, you may be unable to visit these websites to download
their products.
- Will open porn popups if it thinks the website being viewed is pornographic
in nature.
- Can cause significant slowdowns when attempting to type into a browser.
- Will add Coolwebsearch.com to the trusted sites list.
Coolwebsearch has a number of variants:
CWS.Aboutblank
IE pages changed to about-blank.ws and 213.159.118.226 (1-se.com), hijack returning
on system restart. This variant does everything in its power to redirect you
to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced
to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named
stylesheet is dropped that redirects to 1-se.com when certain keywords appear
in webpages.
CWS.Smartfinder
IE hijacked to nkvd.us and smart-finder.biz, redirections to nkvd.us and smart-finder.biz
when typing incomplete URLs into address bar.
CWS.Datanotary
There were only several threads of users experiencing enormous slowdowns in
IE when typing messages into text boxes. Delays of over a minute before the typed
text appeared were reported. Some redirections to www.datanotary.com were also
reported. The hijack installed a stylesheet that used a flaw in Internet Explorer
and allowed a .css stylesheet file to execute Javascript code. The code in the
file was encrypted, and spawned a popup off-screen that did the redirecting.
However, this file was called on almost every action taken in IE, slowing it
down - this was the most obvious when typing text.
CWS.Gonnasearch
IE hijacked to gonnasearch.com.
CWS.Xrectar
A browser helper object that changes your Home Page and opens pop-up windows
based on the currently visited URL.
CWS.Xplugin
Also known as TROJ_ESEPOR.A, TROJ_ESEPOR.B or TROJ_ESEPOR.C. Its operation seems
to vary from opening pop-up windows to changing search results from popular
search engines.
Coolwebsearch behavior
- Changes browser settings
- Shows commercial adverts
- Connects itself to the internet
- Hides from the user
- Stays resident in background
Coolwebsearch removal and uninstall introduction
To manually remove them, follow these instructions:
DataNotary, BootConf, MSInfo variants
For these variants, start by opening Tools->Internet Options->Accessibility
and make sure the 'user style sheet' option is turned off.
You should then be able to delete the user stylesheet from the Windows folder.
With DataNotary it is called 'default.css'; with MSInfo it is called 'oslogo.bmp';
with Bootconf it may be either.
MSInfo variant only
Next, open the file 'win.ini' from the Windows folder in a text editor. Delete
the line 'run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe' and
save. (This line may change a little on different systems, but will always point
to msinfo.exe.) Delete the 'MSInfo' folder inside 'Common Files' in the 'Program
Files' folder.
BootConf, SvcHost variants
Next, open the registry (Start->Run->regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
and delete the bootconf.exe or svchost.exe entry. You can then delete the bootconf.exe
or svchost32.exe file from the System folder (which is inside the Windows folder,
and called 'System32' on Windows NT/2000/XP).
BootConf, SvcHost, MSInfo variants
From the System folder, open the drivers->etc folders and find the file named
'HOSTS', with no extension. Either edit it to remove the hijacker entries, or
simply delete the file.
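An added example (not part of the original guide): a read-only Python check for the "edit it to remove the hijacker entries" step. It lists HOSTS entries that pin hostnames to a non-local address and marks addresses that collect several unrelated domains, the pattern described above for the Aboutblank variant's replaced hosts file. The sample file, its addresses and the bulk_threshold value are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample for illustration; addresses are documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample, not taken from an infected machine
127.0.0.1       localhost
203.0.113.10    search.example www.search.example   # two names on one line
203.0.113.10    portal.example
203.0.113.10    antispyware-vendor.example
192.0.2.25      intranet.example
0.0.0.0         ads.example
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, tokenize
        if len(fields) < 2:
            continue                            # blank, comment-only or no hostname
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:
            yield line_no, addr, name.lower().rstrip(".")

def audit_hosts(text, bulk_threshold=3):
    """Group hostnames pinned to non-local addresses; mark bulk redirects."""
    by_addr = defaultdict(list)
    for line_no, addr, name in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            continue                            # 127.0.0.1, ::1, 0.0.0.0 stay local
        by_addr[addr].append((line_no, name))
    findings = []
    for addr, hits in sorted(by_addr.items()):
        # Heuristic (assumption): unrelated domains = distinct last-two-label suffixes.
        bases = {".".join(name.split(".")[-2:]) for _, name in hits}
        findings.append({"address": addr,
                         "hostnames": [name for _, name in hits],
                         "lines": sorted({n for n, _ in hits}),
                         "bulk": len(bases) >= bulk_threshold})
    return findings

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        tag = "BULK REDIRECT" if f["bulk"] else "review"
        print(f"{tag}: {f['address']} <- {', '.join(f['hostnames'])} (lines {f['lines']})")
```

Run it against a copy of the HOSTS file; entries it reports are the ones to inspect before editing or deleting the file.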
PnP variant
Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'SysPnP' entry, and the 'oemsysinf.pnp' file from the 'inf' folder
(which is inside the Windows folder).
MSSPI variant
Removing a Layered Service Provider by hand is tricky and if you get it wrong
you'll lose your internet connection. If you really want to try, open the registry
key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries,
delete the subkeys starting with the path of msspi.dll, renumber the remaining
subkeys, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key
to match the highest numbered subkey left.
Normally it is better to get a program (e.g. CWShredder, HijackThis or LSPFix)
to remove an LSP for you.
Having done that, open the registry and check the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
for an 'msupdate' entry; delete it if you find it. Restart the computer and
you should be able to delete msspi.dll in the System folder (which is inside the
Windows folder, and called 'System32' on Windows NT/2000/XP), along with msupdate.exe
if you have it.
DNSRelay variant
Open a DOS command prompt window (from Start->Programs->Accessories) and
enter the following commands:
cd "%WinDir%\System"
regsvr32 /u dnsrelay.dll
Restart and you should be able to delete the file 'dnsrelay.dll' in the System
folder (which is inside the Windows folder, and called 'System32' on Windows
NT/2000/XP).
All variants
After having removed the software, use Internet Options->Programs->Reset
Web Settings to remove the bogus home page and search settings.