Hijacked By Cool Web Search & Rightfinder
What's up? In the last few weeks, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.
Cleverness: 5/10, second variant 8/10
Manual removal difficulty: Involves lots and lots of Registry editing, a bit of hosts file editing and deleting one file.
All virus definitions are up-to-date. https://forums.techguy.org/threads/hijacked-by-cool-web-search-rightfinder.180824/
Here is the report...

SmitFraudFix v2.237
Scan done at 15:52:17.59, Thu 10/04/2007
Run from C:\Documents and Settings\KATHY\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before

By the way, both IE and NN browsers work through the dial-up. or perhaps more likely Dell - how new is this box? I downloaded the newest version of Ad-Aware 2007.
CWS.Alfasearch.2: A mutation of this variant exists, that hijacks IE to www.find-itnow.com, drops 7 porn bookmarks in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as

Thank you! If you have email address at Hotmail, Hotmail.uk, etc etc then you will not get notifications and need to manually check for new replies.
Variant 19: CWS.Alfasearch - Child's Play
Approx date first sighted: November 5, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16730
Symptoms: IE pages changed to alfa-search.com, possibly porn sites being redirected to 220.127.116.11 (alfa-search.com), error

The new log is listed at the end. It changed the dreplace.dll so fixing it with either HijackThis or CWShredder will cause your entire system to fail on Windows 98, 98SE and ME! http://www.pieter-arntz.info/cwschronicles.html The chronological order in which the CWS variants appeared is detailed here, along with the approximate dates when they appeared online.
It is run from win.ini, a method rarely used by programs nowadays. Probably the most active is at The CD Forum. Reboot and run the scan again to make sure they are gone.
When Spybot was run from Windows PE, the iwantsearch.com hijack and corresponding intbar toolbar were removed, as were the two CWS service startup entries. How do I prevent it from happening again? The filename of the user stylesheet changed into one that didn't even look like a stylesheet on the outside, but got accepted by IE anyway.

Trilobite, posted June 2, 2005 (edited): Quoted from an
It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.