GoFuckYourself.com - Adult Webmaster Forum - View Single Post

candyflip · 12-15-2003, 07:11 PM

Description
CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.

The script at this site can only detect one of the variants listed here, namely CoolWebSearch/DNSRelay.

Variants
CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com. Drops a CSS stylesheet file in the Windows folder and sets it to be used as the user stylesheet for all web pages viewed in IE. The stylesheet includes hahahahahaded hahahahahahahahahaha code which tries to guess when the user is viewing porn sites.

CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating.

CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com.

CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries? versions of Google) are set in the Hosts file to point to ?localhost? (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com.

CoolWebSearch/PnP: a search hijacker that hides inside the ?inf? folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections 'RunOnce', 'AudioPnP', 'VideoPnp', 'IdePnP' and 'SysPnP', though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE ?Safe Sites? list, for unknown purpose (this is not the same as the Trusted Sites Zone).

CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc.

CoolWebSearch/DNSRelay: an address bar search hijacker implemented as an IE URL Search Hook. As well as search phrases, entering any site name into the address bar without a leading ?http://? or ?www? will result in a search aimed at activexupdate.com, a CWS site redirecting through yellow2.com to allhyperlinks.com.

Distribution
Suspected to be installed by pop-ups exploiting security holes in IE.

What it does
Advertising
Yes. In DataNotary and BootConf variants, the script hahahahahaded in this style sheet may open mostly porn pop-ups if it thinks the page being viewed is porn-related. The MSSPI variant will pop up ad links in a window after every few pages viewed on a targeted search engine.

Privacy violation
No.

Security issues
Yes, in the BootConf variant. Adding coolwebsearch.com to IE's Trusted Sites Zone means pages there are allowed to download and install any code they like.

Stability problems
The DataNotary, BootConf and MSInfo variants may cause significant slowdown when typing in a browser window on some systems. The SvcHost variant also prevents you from reaching Google or the search services of MSN or Yahoo completely.

Removal
Merijn Bellekom has prepared a tool called CWShredder which should be able to remove all known CoolWebSearch variants automatically.

Manual removal
DataNotary, BootConf, MSInfo variants
For these variants, start by opening Tools->Internet Options->Accessibility and make sure the 'user style sheet' option is turned off.

You should then be able to delete the user stylesheet from the Windows folder. With DataNotary it is called 'default.css'; with MSInfo it is called 'oslogo.bmp'; with Bootconf it may be either.

MSInfo variant only
Next, open the file 'win.ini' from the Windows folder in a text editor. Delete the line ?run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSIN FO\msinfo.exe? and save. (This line may change a little on different systems, but will always point to msinfo.exe.) Delete the 'MSInfo' folder inside 'Common Files' in the 'Program Files' folder.

BootConf, SvcHost variants
Next, open the registry (Start->Run->regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run, and delete the bootconf.exe or svchost.exe entry. You can then delete the bootconf.exe or svchost32.exe file from the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP)

BootConf, SvcHost, MSInfo variants
From the System folder, open the drivers->etc folders and find the file named 'HOSTS', with no extension. Either edit it to remove the hijacker entries, or simply delete the file.

PnP variant
Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run. Delete the 'SysPnP' entry, and the 'oemsysinf.pnp' file from the 'inf' folder (which is inside the Windows folder).

MSSPI variant
Removing a Layered Service Provider by hand is tricky and if you get it wrong you'll lose your internet connection. If you really want to try, open the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\WinSock2 \Parameters\Protocol_Catalog9\Catalog_Entries, delete the subkeys starting with the path of msspi.dll, renumber the remaining subkeys, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key to match the highest numbered subkey left.

Normally it is better to get a program (eg. CWShredder, HijackThis or LSPFix to remove an LSP for you.

Having done that, open the registry and check the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run for an 'msupdate' entry; delete it if you find it. Restart the computer and you should be to delete msspi.dll in the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP), along with msupdate.exe if you have it.

DNSRelay variant
Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u dnsrelay.dll
Restart and you should be able to delete the file 'dnsrelay.dll' in the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP).

All variants
After having removed the software, use Internet Options->Programs->Reset Web Settings to remove the bogus home page and search settings.

12-15-2003, 07:11 PM
candyflip Carpe Visio Industry Role: Join Date: Jul 2002 Location: New York Posts: 43,065	Description CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators. The script at this site can only detect one of the variants listed here, namely CoolWebSearch/DNSRelay. Variants CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com. Drops a CSS stylesheet file in the Windows folder and sets it to be used as the user stylesheet for all web pages viewed in IE. The stylesheet includes hahahahahaded hahahahahahahahahaha code which tries to guess when the user is viewing porn sites. CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating. CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com. CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries? versions of Google) are set in the Hosts file to point to ?localhost? (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com. CoolWebSearch/PnP: a search hijacker that hides inside the ?inf? folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections 'RunOnce', 'AudioPnP', 'VideoPnp', 'IdePnP' and 'SysPnP', though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE ?Safe Sites? list, for unknown purpose (this is not the same as the Trusted Sites Zone). CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc. CoolWebSearch/DNSRelay: an address bar search hijacker implemented as an IE URL Search Hook. As well as search phrases, entering any site name into the address bar without a leading ?http://? or ?www? will result in a search aimed at activexupdate.com, a CWS site redirecting through yellow2.com to allhyperlinks.com. Distribution Suspected to be installed by pop-ups exploiting security holes in IE. What it does Advertising Yes. In DataNotary and BootConf variants, the script hahahahahaded in this style sheet may open mostly porn pop-ups if it thinks the page being viewed is porn-related. The MSSPI variant will pop up ad links in a window after every few pages viewed on a targeted search engine. Privacy violation No. Security issues Yes, in the BootConf variant. Adding coolwebsearch.com to IE's Trusted Sites Zone means pages there are allowed to download and install any code they like. Stability problems The DataNotary, BootConf and MSInfo variants may cause significant slowdown when typing in a browser window on some systems. The SvcHost variant also prevents you from reaching Google or the search services of MSN or Yahoo completely. Removal Merijn Bellekom has prepared a tool called CWShredder which should be able to remove all known CoolWebSearch variants automatically. Manual removal DataNotary, BootConf, MSInfo variants For these variants, start by opening Tools->Internet Options->Accessibility and make sure the 'user style sheet' option is turned off. You should then be able to delete the user stylesheet from the Windows folder. With DataNotary it is called 'default.css'; with MSInfo it is called 'oslogo.bmp'; with Bootconf it may be either. MSInfo variant only Next, open the file 'win.ini' from the Windows folder in a text editor. Delete the line ?run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSIN FO\msinfo.exe? and save. (This line may change a little on different systems, but will always point to msinfo.exe.) Delete the 'MSInfo' folder inside 'Common Files' in the 'Program Files' folder. BootConf, SvcHost variants Next, open the registry (Start->Run->regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run, and delete the bootconf.exe or svchost.exe entry. You can then delete the bootconf.exe or svchost32.exe file from the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP) BootConf, SvcHost, MSInfo variants From the System folder, open the drivers->etc folders and find the file named 'HOSTS', with no extension. Either edit it to remove the hijacker entries, or simply delete the file. PnP variant Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run. Delete the 'SysPnP' entry, and the 'oemsysinf.pnp' file from the 'inf' folder (which is inside the Windows folder). MSSPI variant Removing a Layered Service Provider by hand is tricky and if you get it wrong you'll lose your internet connection. If you really want to try, open the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\WinSock2 \Parameters\Protocol_Catalog9\Catalog_Entries, delete the subkeys starting with the path of msspi.dll, renumber the remaining subkeys, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key to match the highest numbered subkey left. Normally it is better to get a program (eg. CWShredder, HijackThis or LSPFix to remove an LSP for you. Having done that, open the registry and check the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run for an 'msupdate' entry; delete it if you find it. Restart the computer and you should be to delete msspi.dll in the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP), along with msupdate.exe if you have it. DNSRelay variant Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands: cd "%WinDir%\System" regsvr32 /u dnsrelay.dll Restart and you should be able to delete the file 'dnsrelay.dll' in the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP). All variants After having removed the software, use Internet Options->Programs->Reset Web Settings to remove the bogus home page and search settings. __________________ Spend you some brain. Email Me