Tuesday, January 10, 2006

How to remove CWS Hijacker

CWS is a trojan that hijacks Internet Explorer start and search settings to one of several different web sites (see below). Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer. There could be other domains involved in the future.
This hijack is similar to the datanotary.com hijack discovered last month. As with datanotary, the CWS hijack sets Internet Explorer to use a custom style sheet containing javascript that opens a pop up window. In fact, we believe the trojan involved with CWS is an updated version of the same malware involved with datanotary.
In the original variant, the start and search settings were changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also made it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker’s web site.
An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.
This trojan is detected by Computer Associates antivirus products under the following names:
Win32.Startpage.C
JS.CSSPopup.B,
JScript/IEstart.Trojan,
Win32/IEstart.Trojan
Click here for CWS Hijacker removal instructions