
My AntiSpyware

How to remove CWS Hijacker

Myantispyware team, December 5, 2005

This is old news, but many people still ask:
“How do I remove CWS Hijacker from my PC?”
Read on.

CWS is a trojan that hijacks Internet Explorer start and search settings to one of several different web sites (see below). Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer. There could be other domains involved in the future.

This hijack is similar to the datanotary.com hijack discovered last month. As with datanotary, the CWS hijack sets Internet Explorer to use a custom style sheet containing JavaScript that opens a pop-up window. In fact, we believe the trojan involved with CWS is an updated version of the same malware involved with datanotary.

In the original variant, the start and search settings were changed to an address whose letters were converted into an unreadable string of numbers and % symbols (URL percent-encoding) to hide the domain name from the user. This also made the domain difficult to blacklist. Internet Explorer can still decode the symbols and load the hijacker’s web site.
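The following is an added example, not part of the original article: it shows why a plain string match misses a percent-encoded start page and how decoding the address before matching fixes that. The function names and the sample URL are constructed for illustration; the blocklist uses only domains named in this article.

```python
from urllib.parse import unquote, urlsplit

# Domains named in this article; extend with your own blocklist.
BLOCKLIST = {"coolwebsearch.com", "datanotary.com", "allhyperlinks.com"}

def normalize_host(url, max_rounds=5):
    """Percent-decode a URL (repeatedly, for nested encoding) and return its host."""
    decoded = url.strip()
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "://" not in decoded:
        decoded = "http://" + decoded  # registry values may omit the scheme
    try:
        host = urlsplit(decoded).hostname or ""
    except ValueError:
        return ""  # unparseable address
    return host.rstrip(".").lower()

def is_blocked(url, blocklist=BLOCKLIST):
    """Match the decoded host against the blocklist, including subdomains."""
    host = normalize_host(url)
    return any(host == d or host.endswith("." + d) for d in blocklist)

def naive_is_blocked(url, blocklist=BLOCKLIST):
    """Substring match on the raw value: the check that the encoding defeats."""
    return any(d in url.lower() for d in blocklist)

# Constructed sample: every character of the host is percent-encoded.
ENCODED = "http://" + "".join("%%%02x" % ord(c) for c in "www.coolwebsearch.com") + "/"

if __name__ == "__main__":
    print(ENCODED)
    print("naive match:     ", naive_is_blocked(ENCODED))
    print("normalized match:", is_blocked(ENCODED), "->", normalize_host(ENCODED))
```
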

An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.

More current variants also install a small web server, contained in a file named svchost32.exe. It adds several Google addresses (google.de, google.ch, google.ca, etc.), search.yahoo.com, and search.msn.com to the HOSTS file, telling Windows that the IP address for those sites is 127.0.0.1, which is where its web server is listening.
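The following is an added example, not part of the original article: it parses HOSTS-file text and reports the search sites listed above when they are mapped to a loopback address. The function names, the host pattern and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

# Search sites the article says are redirected; google.<tld> is matched generically.
WATCHED = re.compile(
    r"^(www\.)?(google\.[a-z.]{2,6}|search\.yahoo\.com|search\.msn\.com)$"
)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in HOSTS-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in fields[1:]:  # one line may map several names
            yield no, ip, name.lower().rstrip(".")

def suspicious_entries(text):
    """Return watched search hosts that resolve to a loopback address."""
    return [(no, str(ip), name) for no, ip, name in parse_hosts(text)
            if ip.is_loopback and WATCHED.match(name)]

# Constructed sample of a tampered HOSTS file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   google.de google.ch   # two names on one line
127.0.0.1   search.yahoo.com
127.0.0.1   SEARCH.MSN.COM
192.0.2.10  intranet.example
"""

if __name__ == "__main__":
    for no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}")
```

On a Windows system the text to check is the contents of `%SystemRoot%\System32\drivers\etc\hosts`.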

Yet another variant hijacks Internet Explorer’s SearchHook setting with a file named dnsrelay.dll. This redirects all search and start page settings to allhyperlinks.com.

Finally, the trojan lists the hijacker’s web site in Internet Explorer’s trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer’s file system.

We believe the source of the infections might be ActiveX drive-by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.

This trojan is detected by Computer Associates antivirus products under the following names:
Win32.Startpage.C
JS.CSSPopup.B
JScript/IEstart.Trojan
Win32/IEstart.Trojan

Removal Instructions

Merijn, author of HijackThis and StartupList, has created CWShredder specifically to remove this parasite. Please make certain that all browser and folder windows are closed before using CWShredder.


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
