
CoolWebSearch browser hijacker

Discussion in 'Security and Privacy' started by albatros, 2004/06/26.

Thread Status:
Not open for further replies.
  1. 2004/06/26
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
  2. 2004/06/26
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0

  4. 2004/06/26
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Albatros, you need to understand that the creators of CoolWebSearch are constantly changing their tactics of infecting, mostly due to Merijn, the creator of CWShredder.
    The creators of CoolWebSearch are in it for the money; how they get it, I do not know. They do not seem to care what their product does to the performance of your system.
    Merijn, the creator of CWShredder, is not in it for the money, although he does welcome donations. He does care about the performance of your system, and does not want to put something out that may damage your system while fixing it.
    You do have to applaud him for the work he has done, as it is not easy reverse engineering a compiled program; you do not get the original source code doing this. In short, he is looking for cause and effect.
     
  5. 2004/06/28
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    markp62, I completely agree, and I also approve of Merijn's work, of course. But a little bit closer to my question: does anyone know how CWS is distributed?
     
  6. 2004/06/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My first guess would be through drive-by DPF's. Second would be scripted web pages and third would be questionable downloads. :)
     
  7. 2004/06/28
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
  8. 2004/06/28
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    There is no specific answer to your question; there are several ways to accomplish this.
    Read post #6 in the link.
    http://www.windowsbbs.com/showthread.php?t=31535
    About the link that Welshjim provided, do you have a specific question?
     
  9. 2004/06/29
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    Yes, the link Welshjim provided is much closer.
    It is still not clear where the hijacker web pages that CWS installs from are located. Some people say CWS installs from advertisers such as www.approvedlinks.com
     
  10. 2004/06/29
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    That seems to be one of them; that site is Restricted in my browser.
    So you are looking for the sites that do this? The best I could do is suggest the IEspyads.Zip file, it contains a few thousand of them. The link is below.
     
  11. 2004/06/30
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    It seems CWS installs not from that site directly, but from some affiliated sites. Which ones? How do I add a site to Restricted Sites in the IE browser?
     
  12. 2004/06/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you install IESpyads you won't need to add it to the Restricted Sites.
     
  13. 2004/07/01
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    If you install the IEspyads.Reg [double click on it] file included in the download, it doesn't matter if you are directly on the webpage, as I stated in my previous post, or an affiliated site is included on a website you are at.
    In the first case, when I was directly at the site, in the lower right corner where it normally says Internet, it said Restricted instead.
    In a case where one of the websites in the Restricted Zone appears in a webpage as an affiliated site, it will say Unknown [Mixed] instead.
    Just do a Custom configuration of the Restricted Zone. Set everything to Disable, if Disable is not available as an option choose High, set password to Prompt, and these sites will not be able to put so much as a cookie on you.
    When you install the file correctly, you will be prompted if you want to merge this information into the registry, yes you do, then a confirmation message will appear.
     
  14. 2004/07/01
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    I mean for standard IE configuration, I have no IESpyads installed.
     
  15. 2004/07/01
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    albatros--
    Well, you can set up your own customized Restricted Sites list (see below), but why bother when IESpyAds will do the work for you? (I think there are over 2000 websites in IESpyAds.) You get IESpyAds here
    https://netfiles.uiuc.edu/ehowes/www/resource.htm
    The only downside is that you may want to use ActiveX, scripting, etc. on some of those sites. When that happens you can always remove the site from Restricted Sites.
    Here is how to set up Restricted Sites manually
    http://www.infinisource.com/techfiles/surf-safe.html
    Note the Power Tweak Web Accessory offered. Could help simplify the job.

    P.S. to Markp62--Your link to IESpyAds is old. It will redirect, but the new one is above.
     
  16. 2004/07/02
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    Perhaps someone who has been infected by CWS recently can look at the IE history and determine from exactly which page he got the infection?
     
  17. 2004/07/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    albatros - this might go a little quicker if we had a better idea of what you are after.
     
  18. 2004/07/03
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    I mean that if we determine the exact address, we could investigate the method it uses, and that would enable us to fight not the CWS versions (which constantly change, so that is inefficient) but to block the cause. As an alternative, perhaps we could attack and destroy some of these sites.
     
  19. 2004/07/03
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    albatros--You have a good idea. From History you can see where you have surfed and when. But unless you can pinpoint the exact time you got the CWS malware, how can you use the History info? Maybe a right click|Properties on a CWS malware file (like a .exe or .dll) can provide that info?
     
  20. 2004/07/06
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    Of course, it would be better to know the exact time as well. Most probably, it installs from **** sites.
     
  21. 2004/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Here's a way you can check for CWS domains. Create a shortcut on the desktop to CWShredder, right click the shortcut and choose properties. In the 'target' box, add a space then /debug and apply. Now open CWS from the shortcut. From the history, right click and properties of a site, copy the URL then paste it in the CWS box. Remove the http://

    You can also check this site.

    http://www.spywareinfo.com/~merijn/junk/cws_domains.txt
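The two checks discussed in this thread, reading which domains a ZoneMap .reg file (such as the IESpyads one from post #13) puts into the Restricted Sites zone, and then testing browser-history URLs against a domain list (post #21's idea), as an added example that is not from the thread or from IESpyads/CWShredder. The .reg contents and history URLs below are constructed placeholders, not the real IESpyads list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of an IE ZoneMap .reg file. IE zone numbers:
# 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted. Real .reg files on disk are
# UTF-16LE, so read them with encoding="utf-16" before passing the text in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\approvedlinks.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-bad.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trusted.test]
"*"=dword:00000002
"""

ZONE_RESTRICTED = 4
# Section header: ...\ZoneMap\Domains\<domain>[\<host label>]
SECTION_RE = re.compile(r"^\[.*\\ZoneMap\\Domains\\([^\]\\]+)(?:\\([^\]]+))?\]$", re.I)
# Scheme value: "*", "http" or "https" mapped to a zone number
VALUE_RE = re.compile(r'^"(\*|https?)"=dword:([0-9a-f]{8})$', re.I)

def parse_zonemap(reg_text):
    """Return {domain: zone} for every domain mapped in ZoneMap .reg text."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            # A subkey like Domains\example.com\www maps the host www.example.com
            current = (m.group(2) + "." + m.group(1)) if m.group(2) else m.group(1)
            continue
        v = VALUE_RE.match(line)
        if v and current:
            zones[current.lower()] = int(v.group(2), 16)
    return zones

def restricted_domains(reg_text):
    """Only the domains the file places in the Restricted Sites zone (4)."""
    return {d for d, z in parse_zonemap(reg_text).items() if z == ZONE_RESTRICTED}

def match_history(urls, blocked):
    """Map each history URL to the blocked domain its host equals or sits under."""
    hits = {}
    for url in urls:
        labels = (urlsplit(url).hostname or "").lower().split(".")
        for i in range(len(labels) - 1):  # never match a bare TLD
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                hits[url] = candidate
                break
    return hits
```

The same `match_history` works against a plain one-domain-per-line list such as the cws_domains.txt file linked above, once it is loaded into a set.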
     