Weekly Spyware Alert: CoolWebSearch

Has your browser been hijacked by CoolWebSearch spyware? If you've ever been redirected to coolwebsearch.com unexpectedly, you may be infected.

Variants: This spyware is morphing at a rapid rate. The variants and their estimated appearance dates are listed below in reverse chronological order.

  • DNSRelay.dll – August 7, 2003
  • Svchost32 – August 3, 2003
  • Oemsyspnp – July 29, 2003
  • Msspi.dll – July 28, 2003
  • Vrape – July 20, 2003
  • OSLogo.bmp – July 10, 2003
  • Bootconf – July 6, 2003
  • Datanotary – May 27, 2003

Description: CoolWebSearch is a name given to a wide range of different browser hijackers. The code is very different between variants, but all are currently used to redirect users to coolwebsearch.com and other sites affiliated with its operators. The alarming trend with this hijacker is rapid metamorphosis and the increasing difficulty of removal. Some documented behaviors associated with each variant include:

  • DNSRelay.dll – Implemented as an IE URL hook. Hijacks search phrases typed into the address bar, as well as any site name entered there without a leading http:// or www, redirecting them to a search at activexupdate.com (a CWS site redirecting through yellow2.com to allhyperlinks.com).
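
A check for the URL-hook behavior described above, as an added example that is not part of the original alert: it lists the URL search hooks registered for the current user, resolves each to its DLL, and marks anything other than the stock Microsoft hook for review. The registry path and the default hook CLSID come from general Windows knowledge rather than this page; `Get-UrlSearchHook` and `$KnownBad` are hypothetical names chosen for the example.

```powershell
# Added example: enumerate Internet Explorer URL search hooks for the current
# user and flag entries that are not the stock Microsoft hook.
$HookKey     = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
$DefaultHook = '{CFBFAE00-17A6-11D0-99CB-00C04FD64497}'   # Microsoft Url Search Hook
$KnownBad    = @('DNSRelay.dll')                          # file name taken from this alert

function Get-UrlSearchHook {
    $key = Get-Item -LiteralPath $HookKey -ErrorAction SilentlyContinue
    if (-not $key) { return }                  # no hooks registered for this user

    foreach ($clsid in $key.GetValueNames()) {
        if (-not $clsid) { continue }          # skip the unnamed (Default) value

        # Resolve the CLSID to its in-process server DLL (per-user first, then machine).
        $dll = $null
        foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
            $srv = Get-Item -LiteralPath "$root\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) { $dll = [string]$srv.GetValue(''); break }
        }

        # Collect the reasons an entry deserves a closer look.
        $reasons = @()
        if ($clsid -ne $DefaultHook) { $reasons += 'non-default hook CLSID' }
        if (-not $dll) {
            $reasons += 'no InprocServer32 registered'
        } elseif ($KnownBad -contains (Split-Path -Leaf $dll)) {
            $reasons += 'file name listed in alert'
        }

        [pscustomobject]@{
            Clsid   = $clsid
            Dll     = $dll
            Review  = ($reasons.Count -gt 0)
            Reasons = $reasons -join '; '
        }
    }
}

Get-UrlSearchHook | Format-Table -AutoSize
```

A non-default entry is not proof of infection, since legitimate toolbars also register URL search hooks; the `Dll` column shows which file to examine.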