
CWS Removal is important before it takes over your Computer 

The CWS Trojan hijacks Internet Explorer's start and search settings, pointing them to several websites. These websites have an affiliate relationship with coolwebsearch.com, in which coolwebsearch pays them for every visitor they refer.



The CWS Trojan sets Internet Explorer to use a custom style sheet containing JavaScript that opens a pop-up window. The original variant changes the start and search settings to an address in which the letters are converted into unreadable numbers and % symbols to hide the domain name from the user. The browser is still able to translate the symbols and load the hijacker's web site, and the encoding makes it difficult to blacklist the domain. CWS has several variants.
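The number-and-% encoding only defeats a blacklist that compares raw strings. The following is an added example, not part of the original article: it resolves the escapes in a start or search page value before matching it against a blocklist. The two blocklist domains are the ones named on this page; the sample values and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Domains named on this page; extend with your own blocklist.
BLOCKLIST = {"coolwebsearch.com", "allhyperlinks.com"}

def raw_host(url):
    """Host part exactly as written in the setting (escapes left intact)."""
    return urlsplit(url).hostname or ""

def decode_host(url, max_rounds=3):
    """Host with %XX escapes resolved, lower-cased, trailing dot removed."""
    host = raw_host(url)
    for _ in range(max_rounds):          # repeat to undo double encoding: %2563 -> %63 -> c
        decoded = unquote(host)
        if decoded == host:
            break
        host = decoded
    return host.lower().rstrip(".")

def blocked_domain(url, blocklist=BLOCKLIST):
    """Return the blocklisted domain the URL resolves to, or None."""
    labels = decode_host(url).split(".")
    for i in range(len(labels) - 1):     # the host itself, then each parent domain
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def triage(url):
    """Summarise one start/search page value for an analyst."""
    return {
        "host": decode_host(url),
        "obfuscated": "%" in raw_host(url),   # escapes inside a host name are a red flag
        "blocked": blocked_domain(url),
    }

# Constructed sample values, as they might be read from the start/search page settings.
SAMPLES = [
    "http://%63%6f%6f%6c%77%65%62%73%65%61%72%63%68.com/",
    "http://www.%2561llhyperlinks.com/search",    # double-encoded 'a'
    "http://www.notcoolwebsearch.com/",           # similar name, not on the list
    "about:blank",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", triage(value))
```

Matching is done on whole domain labels, so a look-alike name such as the third sample is not reported as blocked.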

Trojan and bootconf.exe 

The file named bootconf.exe is copied to the /windows/system32/ folder and loads at startup. Even after fixing the problem you won't get rid of it, because the hijack gets reinstalled each time this file is loaded. It also adds various Google, Yahoo and MSN addresses to the HOSTS file, misleading Windows into treating 127.0.0.1 as the IP address for those sites.
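The HOSTS tampering described above can be checked mechanically. The following is an added example, not part of the original article: it parses the text of a HOSTS file and reports entries that point a watched search domain at the local machine. The watch list (google.com, yahoo.com, msn.com) is an assumption, since the article names the sites but not the exact host names, and the sample file is constructed.

```python
import ipaddress

# Assumed watch list: the page names Google, Yahoo and MSN, not exact host names.
WATCHED = ("google.com", "yahoo.com", "msn.com")

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a HOSTS file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()                 # one IP may carry several names
        for name in names:
            yield lineno, ip, name.lower().rstrip(".")

def is_sinkhole(ip):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                            # malformed entry, not an IP address
        return False
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text, watched=WATCHED):
    """Return HOSTS mappings that point a watched domain at the local machine."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        on_watchlist = any(name == d or name.endswith("." + d) for d in watched)
        if on_watchlist and is_sinkhole(ip):
            hits.append((lineno, ip, name))
    return hits

# Constructed sample of a tampered HOSTS file (not taken from a real infection).
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.google.com google.com
127.0.0.1       search.yahoo.com   # no legitimate reason for this
10.0.0.5        intranet.example
127.0.0.1\tsearch.msn.com
::1             localhost
"""

if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; pass its contents to suspicious_entries().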





One of the CWS variants hijacks Internet Explorer's Search book setting with a file named dnsrelay.dll. This redirects all search and start page settings to allhyperlinks.com.


Attacks Internet Explorer 

The CWS Trojan adds the hijacker's web site to Internet Explorer's trusted security zone, taking the zone out of the user's control. Domains listed in the browser's trusted security zone are not restricted in their activities, so that web site gets unlimited access to the infected computer's file system.

It is not yet confirmed whether the source of the infections is ActiveX drive-by installers located on pornographic web sites or Trojan programs posing as illegal serial number generators.

The CWS Trojan is detected by Computer Associates antivirus products under various names, such as:

  • Win32.Startpage.C

  • JS.CSSPopup.B

  • JScript/IEstart.Trojan

  • Win32/IEstart.Trojan


How to remove CWS Trojan? 

CWS is also known as an About:Blank CoolWebSearch infection. Read the following instructions carefully to remove it.

The first important thing to do is to unzip the hijackthis.exe file with a program like WinRAR into a folder of its own, preferably:

C:\HijackThis\hijackthis.exe

Keeping it in its own folder enables you to use its backups; its current location is not secure. Delete the contents of the temp folder during the fix. You cannot make backups within a zip file.

Follow the instructions given below

  • Click Start.

  • Select Settings.

  • Click Control Panel.

  • Double click Add/Remove Programs.

Select and completely remove the following programs


  • Ebates

  • Ebates_MoeMoneyMaker

  • MyWebSearch

  • MY WEB SEARCH BAR

  • MYSEARCH BAR

  • MY WEB SEARCH ASSISTANT


Now, download the following four programs:

a) FxAgentB.exe
b) CWShredder.exe
c) Ad-aware SE latest Version
d) Spybot Search & Destroy - NEW Version

Now update Spybot Search & Destroy and Ad-aware SE and run both programs. They will help you to find and clean adware and malware off your system. They will also repair some minor registry entries left behind by the uninstalls. Don't forget to reboot between each scan.

To learn more about Ad-aware SE, copy and paste the following address into your browser's address bar:

http://www.lavasoftusa.com/software/adaware/ - Download - Latest Version

You can read the tutorial here:
http://pcpitstop.ibforums.com/index.php?showtopic=67373

To learn how to use Spybot Search & Destroy, copy and paste the following addresses into your browser's address bar:

http://security.kolla.de/ - Download - NEW Version 1.3

http://www.bleepingcomputer.com/forums/tutorial43.html - Read Tutorial

This worm usually spreads by using shared folders on networked computers. Take care to ensure that the worm does not infect the computer again once it has been removed. It is recommended to share folders on the Internet only with Read Only access or with password protection.

Now run the FxAgentB file by double-clicking it. This will scan your entire hard drive, which may take a few seconds. When it is done, it will generate a log file called FxAgentB.log. Save this information; you will need to paste it here later. Exit the program.

Reboot into SAFE MODE: Start > Logoff > Restart

* Frequently press the F8 key.
* Using the arrow keys, select the option for Safe Mode.
* Press the Enter key to boot into Safe Mode.
* A black screen will appear. Wait for one or two minutes.
* Double click on the saved icon of CWShredder.
* Click "I AGREE" to accept the terms of service.
* Click FIX opposite to Scan Only or Make Report.
* After finishing, follow the next step.

Cleaning up 


* Open the browser window.
* Click Tools.
* Click Internet Options.
* Click General tab.
* Click Delete Files option.
* Select the check box to delete all Offline content.
* Click OK.
* Clear history.
* Delete cookies.

Now,

* Go to Start
* Select Find
* Click Files or Folders
* Choose All Files or Folders
* In the Named box, type *.tmp and choose Edit.
* Press Ctrl+A
* Click delete.
* Empty Recycle bin
* Close all programs
* Reboot.

Now run the Ad-aware SE and Spybot Search & Destroy programs separately. Don't forget to reboot between each scan. After finishing, reboot, rescan with HijackThis and post a new log here, together with the FxAgentB log.

I hope this information will help you to remove CWS Trojan and CoolWebSearch infection.

List of the CWS trojan variants


CWS-GAZPORN, CWS-4U, CWS-DUEP, CWS-FIND, CWSWINAJBM, CWS-VIAGRA, CWS-INCEST, CWS-SUPERBAR, CWS-MDMHELP, CWS-REAL1, CWS-REAL2, CWS-SLAW, CWSEXCEL, CWS-WEBCAM, CWS-WINRES, CWS/10204, CWS/ADDIS, CWS/ABOUT, CWS/ADDTT, CWS/ADOWN, CWSCONTROL, CWS/ARPA, CWS/BAND, CWS/BEEF, CWS/BGCORP, CWS/BHUI, CWS/BOOKMARK, CWS/CAMEUP, CWS/CIE32, CWS/CMKL, CWS/CIE, CWS/CPAN, CWS/DDM, CWS/DIAL, CWS/DIALER, CWS/DKPROG, CWS/DNS, CWS/DNS2, CWS/FAKESCAN, CWS/FINDON, CWS/GOOGLE, CWS/HARNIG, CWS/HTTPFILER, CWS/IEPLUG, CWS/FANG4, CWS/FEADS, CWS/IMAGE, CWS/INDEX, CWS/INETG, CWS/LOAD, CWS/LOAD2, CWS/LOADAD, CWS/LOADER, CWS/LOOKFOR, CWS/LTA, CWS/MARGOC, CWS/MDS, CWS/MERIJN, CWS/MFCML, CWS/MSDOCVW, CWS/MSVIEW, CWS/NDRV, CWS/NDRV2, CWS/NOTEPAD, CWS/NOTEPAD, CWS/NS3, CWS/NTSW, CWS/ONLINE, CWS/PAYOUT, CWS/POPBLOCK, CWS/POPBLOCK2, CWSBEYOND, CWSCONFD, CWSCONFD2, CWSCONFD3, CWSWINSHOW.A, CWSWINSHOW.B, CWS/REGSHAPE, CWS/RES, CWS/RETRO, CWS/RSLOCAL, CWS/SEARCH, CWS/SEEK99, CWS/SERCH, CWS/SERVICE, CWS/SERVICES, CWS/SEXTIME, CWS/SP2, CWS/SP3, CWS/SP4, CWS/SPOOL, CWS/SR, CWS/ST, CWS/STARTCHM, CWS/STARTUP, CWS/SVCINIT, CWS/SYSTIME, CWS/TEEN, CWS/TEEN2, CWS/TEMPURI, CWS/UMAX, CWS/UPDATE, CWS/UPDER2, CWS/TOOLBARG, CWS/TOPOTUN, CWS/URSRCH, CWS/WEBEXE, CWS/WMMSE, CWS/WMS, CWS/WSS, CWS/WTOOL, CWS/WUPDT, CWS/X.
