
CoolWebSearch Browser Hijacker Information

Name: CoolWebSearch
Category: Browser Hijacker
Advice: Remove
Risk: Elevated Risk. Elevated threats usually fall into the range of adware, in which data about a user's habits is tracked and sent back to a server for analysis without the user's consent or knowledge.
Description: CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to and other sites affiliated with its operators.

CoolWebSearch is part of a strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.

CoolWebSearch Symptoms:
- Hijacks to various search engines. Different variants of CoolWebSearch will redirect you to different sites.
- When a URL is mistyped in the browser, CoolWebSearch will redirect the page to affiliate websites as well as
- Installs bookmarks to adult websites in the favorites menu.
- Installs toolbars into the browser.
- Slows down PC.
- Can cause reboots.
- Targets anti-spyware websites, usually vendors of spyware removal tools. Once infected with CoolWebSearch, you may be unable to visit these websites to download their products.
- Will open porn popups if it thinks the website being viewed is pornographic in nature.
- Can cause significant slowdowns when attempting to type into a browser.
- Will add to the trusted sites list.

CoolWebSearch has a number of variants:

IE pages changed to and (, hijack returning on system restart. This variant does everything in its power to redirect you to a domain owned by IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to, and a randomly named stylesheet is dropped that redirects to when certain keywords appear in webpages.

IE hijacked to and, redirections to and when typing incomplete URLs into address bar.

There were only several threads from users experiencing enormous slowdowns in IE when typing messages into text boxes. Delays of over a minute before the typed text appeared were reported. Also some redirections to were reported. The hijack installed a stylesheet that used a flaw in Internet Explorer that allowed a .css stylesheet file to execute JavaScript code. The code in the file was encrypted, and spawned a popup off-screen that did the redirecting. However, this file was called on almost every action taken in IE, slowing it down; this was most obvious when typing text.

IE hijacked to

A browser helper object that changes your Home Page and opens pop-up windows based on the currently visited URL.

also known as TROJ_ESEPOR.A, TROJ_ESEPOR.B or TROJ_ESEPOR.C; its operation seems to vary from opening pop-up windows to changing search results from popular search engines.
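
The hosts-file replacement described for the first variant above leaves a recognisable trace: many unrelated hostnames mapped to one routable address. The audit below is an added example, not part of the original entry; the sample hosts content, the 203.0.113.10 address and the `bulk_threshold` default are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Names a stock hosts file may legitimately contain.
BENIGN_NAMES = {"localhost"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address mapping
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")

def audit_hosts(text, bulk_threshold=10):
    """Group hostnames by the routable address they are redirected to."""
    by_target = defaultdict(set)
    for addr, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # blocklist-style entry, not a redirect
        by_target[str(addr)].add(name)
    findings = []
    for target, names in sorted(by_target.items()):
        # Many names sharing one target matches the replaced-hosts-file symptom.
        kind = "bulk-redirect" if len(names) >= bulk_threshold else "redirect"
        findings.append({"target": target, "kind": kind, "names": sorted(names)})
    return findings

# Constructed sample input, not taken from a real infection.
SAMPLE = "\n".join(
    ["# sample hosts file", "127.0.0.1 localhost", "::1 localhost",
     "0.0.0.0 ads.example.net", "192.168.1.5 fileserver.corp.example"]
    + [f"203.0.113.10 site{i}.example.com" for i in range(12)]
)

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding["kind"], finding["target"], len(finding["names"]))
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; single `redirect` findings are often legitimate intranet entries and need a manual look.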

Type: Browser Hijacker - Browser hijackers are malicious programs that change a user's web browser settings, usually altering designated default start and search pages. In addition, a browser hijacker can modify nearly every aspect of a web browser, including adding bookmarks and redirecting search traffic to alternative sites.
