|
 |
|
|
| How to delete CoolWebSearch - Removal tool, fix instructions |
|
CoolWebSearch
Name: CoolWebSearch
Aliases: CoolWebSearch, Cool Web Search, CoolWWWSearch, CWS, WebCoolSearch, Web Cool Search
Type: Spyware (subtype: adware)
Size: 178176
First appeared on: 26.01.2004
Damage: High
Brief Description:
CoolWebSearch is adware. Adware is a license form for using programs, which offers the application at the only cost of viewing a series of advertisements. However, these programs sometimes collect data on Internet usage habits, pages viewed, inventory of the applications installed in the computer, etc.
Then, this information can be sent to Internet advertising companies.
Visible Symptoms:
CoolWebSearch carries out the following actions:
- It collects user details, such as Internet usage, pages viewed, phone connection details, inventory of the applications installed in the computer, etc.
- It uses this information to display pop-up advertisements.
Technical description:
When Adware.CoolWebSearch is executed, it performs the following actions:
- Copies itself as %System%\Services\<executed filename>.
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following entry in the file %Windir%\System.ini:
[windows]
load=%sysdir%\services\<executed filename>
- Adds the value:
"xpsystem"="%System%\services\<executed filename>"
to the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run
so that the adware runs when Windows is started.
- Adds the value:
"run"="%Sysdir%\services\<executed filename>"
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Windows
so that the adware runs when Windows NT/2000/XP is started.
- Registers itself as a Browser Helper Object, by adding the subkey:
{5321E378-FFAD-4999-8C62-03CA8155F0B3}
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Explorer \Browser Helper Objects
and setting multiple values in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ {5321E378-FFAD-4999-8C62-03CA8155F0B3}
- Adds the values:
ProxyEnabled = 0
MigrateProxy = 1
ProxyEnabled = 0
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Internet Settings
- Adds the value:
ProxyBypass = 1
IntranetNames = 1
UNCAIntranet = 1
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\ windows\CurrentVersion\ Internet Settings\ZoneMap
- May redirect search queries made in Microsoft Internet Explorer to an advertising Web site.
Propagation:
CoolWebSearch does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.
Removal tool and instruction:
You can try to use HijackThis Removal Tool. Click here to download the tool.
AntivirusWorld recommends:
If you're not sure you can remove the virus manually, use the following antivirus:
-
 Buy Panda Antivirus
- Latest generation antivirus
- Immediate and automatic updates against new viruses
- Complete protection
- Up-to-the-minute bulletins about new Internet threats
- Antivirus self-diagnosis and protection
- Maximum speed, minimum resource use
- Simple to use: install and forget
- Tech Support 24 hours a day, 365 days a year
|
|
|
|
|
