From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

CoolWebSearch (also known as CoolWWWSearch or abbreviated as CWS) is a spyware or virus program that installs itself on Microsoft Windows based computers. It first appeared in May 2003.


CoolWebSearch has numerous effects when it is successfully installed on a user's computer.[1] The program can change an infected computer's web browser homepage to, and although originally thought to only work on Internet Explorer, recent variants affect Mozilla Firefox as well as others like Google Chrome. It can also create pop-up ads that redirect to other websites including pornography sites, collect private information about users and slow the speed of infected computers.

CoolWebSearch uses various techniques to evade detection and removal, and as such many common spyware removal programs fail to properly remove the software.[2] Since it is bundled with many other potentially unwanted software or add-ons, users need to uninstall those unwanted programs first, or else CoolWebSearch can come back even after they have changed their home page and search engine provider.

Some versions of CoolWebSearch are installed through what's known as drive-by installation, in which browsing an infected webpage can automatically install CoolWebSearch without the user's knowledge. CoolWebSearch attempts to evade detection by not labelling its ads as such, not providing a EULA, not providing any data about itself and not having a website. Certain variants insert links on random text, leading to advertiser websites. Others attempt to access websites that are redirected to pay-per-click search engines which may install more malware display ads. Some variants of CoolWebSearch also add links to pornography, and gambling sites to the user's Desktop, Internet Explorer's bookmarks and history.[3] Certain versions attempt to edit users' trusted sites and modify security settings as well as to hide from removal programs. Variants are often named for the effects they have such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.

Possible creators[edit]

The website claims that they are not responsible for the browser hijacking. They run an affiliate program that pays affiliates to direct others to their site with paid advertising links.'s terms of service use the laws of Quebec, Canada, whilst their DNS registration lists an address in the British Virgin Islands, and their web server appears to be run by HyperCommunications in Massachusetts, USA. CoolWebSearch is also linked to and appears to be related to Investigation connected Stanislav Avdeyko, the Koobface hacker, with CoolWebSearch.[4]


  1. CWS.Addclass
  2. CWS.Alfasearch
  3. CWS.Bootconf
  4. CWS.CameUp
  5. CWS.Cassandra
  6. CWS.Control
  7. CWS.Ctfmon32
  8. CWS.Datanotary
  9. CWS.Dnsrelay
  10. CWS.Dreplace
  11. CWS.Gonnasearch
  12. CWS.Googlems
  13. CWS.Hiddendll
  14. CWS.Homesearch
  15. CWS.Loadbat
  16. CWS.Look2Me
  17. CWS.Msconfd
  18. CWS.Msconfig
  19. CWS.MSFind
  20. CWS.Msinfo
  21. CWS.Msoffice
  22. CWS.Msspi
  23. CWS.Mupdate
  24. CWS.Oemsyspnp
  25. CWS.Olehelp
  26. CWS.Oslogo
  27. CWS.Qttasks
  28. CWS.Q-url3
  29. CWS.Realyellowpage
  30. CWS.Searchx
  31. CWS.Smartfinder
  32. CWS.Smartsearch
  33. CWS.Sounddrv
  34. CWS.Svchost32
  35. CWS.Svcinit
  36. CWS.Systeminit
  37. CWS.Systime
  38. CWS.Tapicfg
  39. CWS.Therealsearch
  40. CWS.Vrape
  41. CWS.Winproc32
  42. CWS.Winres
  43. CWS.Xmlmimefilter
  44. CWS.Xplugin
  45. CWS.Xxxvideo
  46. CWS.Yexe

Affiliate variants[edit]

  1. CWS.Aff.iedll
  2. CWS.Aff.Madfinder
  3. CWS.Aff.Tooncomics
  4. CWS.Aff.Winshow


  1. ^ "Encyclopedia entry: Spyware:Win32/Coolwebsearch.H". Microsoft Malware Protection Center. 
  2. ^ Russel, Charlie (May 13, 2005). "Dealing with an infected PC". Microsoft. Archived from the original on September 27, 2010. ...many of the Cool Web Search variants can prevent the other anti-spyware programs from doing their job correctly... 
  3. ^ Vincentas (5 July 2013). "CoolWebSearch in". Spyware Loop. Retrieved 28 July 2013. 
  4. ^ The Koobface malware gang - exposed! Indepth investigation by Jan Droemer and Dirk Kollberg, SophosLabs