CoolWebSearch - the most infamous browser hijacker

by Gabriel E. Hall - - 2005-07-08

Browser hijackers – the pest on the computer

CoolWebSearch virus CoolWebSearch is a notorious browser hijacker that came out in 2003. Since then, it infected more than 8% of computers worldwide

The term “potentially unwanted program” is highly controversial still up to this day, as countless legal battles were raised by consumers, security experts, and PUP developers. A browser hijacker is a name that its authors refrain from using, while some security experts go as far as calling it “legal malware.”

While the debate is still on, one thing is clear: there are very few regular users that prefer a hijacked browser, since it diminishes browsing experience by displaying ads, redirecting users to questionable websites, displaying sponsored links within search results and changing browser settings (usually) without asking for permission.

Users are especially unhappy that the dubious applications, which come in forms of browsers extensions, toolbars, add-ons, etc., show up on their computers seemingly out of nowhere. However, speaking in legal terms, software bundling^[1] is a legitimate marketing scheme, and users are often blamed for “not reading ToC and the text in small text.”

From the first sight, hijackers appear to be relatively harmless: browser settings can be quickly restored. But some hijackers are just worse than the others and getting rid of them becomes a nightmare scenario for countless users. One of such applications is CoolWebSearch^[2] – a notorious browser hijacker with over 100 versions.

CoolWebSearch – it does more than a regular browser hijacker

CoolWebSearch is a single name for the entire family of different hijackers that all attempt to redirect users' browser to coolwebsearch.com domain or other related sites. CoolWebSearch.com claims that it is not responsible for the hijacking. Apparently, that is true. The company has an affiliate program and pays its clients for every user redirected to its site.

Since the pest's creation in 2003, over 100 CoolWebSearch variants emerged which infected 8.2% of computers worldwide.^[3] Only about 15 of them can be less or more easily removed from the system. Others require deep registry editing, searching for and deleting many files and numerous modifications of the infected system.

Moreover, some CWS parasites are virtually impossible to remove manually. They use specialized techniques that sometimes are more complex than those used in dangerous viruses. Even special anti-spyware software is unable to get rid of certain Cool Web Search hijackers. Spyware experts say that the most effective way to fight the CWS infection is to restore the Windows registry from unaffected copy or even to erase all the data from hard disk and reinstall the OS.

Infection symptoms of the browser hijacker

Here are the symptoms of most common CWS infections:

Microsoft Internet Explorer runs very slowly. Browser doesn't respond immediately to taken actions. Text that you enter into various web forms or fields appears with huge latency. Page scrolling is sluggish.
Default browser settings have been modified. Default start or search pages are changed (for example, address about:blank doesn't belong to the standard blank page anymore). Miss-typed or even correct Internet addresses direct to unknown sites. Suspicious domains are listed in the browser's Trusted sites zone.
New bookmarks to suspicious Internet resources have appeared in the Favorites or Bookmarks. Usually, such bookmarks lead to adult and advertising sites.
Following a legitimate link on legal website results in automatic redirection to a different resource.
Your system shows strange error messages. Some of them are caused by system components or third-party executables.
Security-related software crashes or closes without any messages.

CoolWebSearch authors engaged in DDoS attacks

While many users were struggling with constant attacks of the Cool Web Search, in 2004 a student Merjin Bellekom from the Netherlands created a tool called CWShredder.^[4] The removal tool was continually updated and helped victims battle the unpleasant computer infection.

While it is now much known about the authors of malware, they were unhappy about such an event, as their product was being compromised. Therefore, crooks launched a series of Distributed Denial of Service^[5] (DDoS) attacks aimed at websites that host the virus-battling software. Nevertheless, the CWShredder was regularly updated and kept destroying new versions of CWS.

It's been 15 years since CoolWebSearch creation and malware battling techniques changed, as well as anti-spyware tools' capabilities significantly increased. Therefore, in case you managed to catch this notorious PUP, make sure to eliminate it using modern anti-malware solutions.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Bundled software. Webopedia. Online Tech Dictionary.
^ Jake Doevan . CoolWebSearch. How to remove? (Uninstall guide). 2-spyware. Cybersecurity news and articles.
^ 88% of PCs have spyware, CoolWebSearch most prevalent. ZDnet. Cybersecurity and tech news.
^ Jan Libbenga . CoolWebSearch is winning Trojan war. The Register. IT website.
^ What is a DDoS Attack?. Cloudflare. Helps building a better internet.