by Dr. Nikolai Bezroukov.
Copyright: Dr. Nikolai Bezroukov 1994-2013.
Unpublished notes. Version 0.80.October, 2013
Contents :
Foreword :
Ch01 :
Ch02 :
Ch03 :
Ch04 :
Ch05 :
Ch06 :
Ch07 :
Ch08 :
Ch09 :
Ch10 :
Ch11 :
Ch12 :
Ch13
Chapter 8: Spyware
CoolWebSearch
merijn.org.
This is an article which details the variants of the browser hijacker known
as CoolWebSearch (CWS). In the last few months, the people behind this name
have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous
Lop. The difficulty of removing CWS from a user's system has grown from slightly
tricky in the first variant to virtually impossible for the latest few. Some
of the variants even used methods of hiding and running themselves that had
never been used before in any other spyware strains.
The chronological order in which the CWS variants appeared is detailed here,
along with the approximate dates when they appeared online. However, since the
evil programmers of CWS have released over two dozen versions of their hijacker
on the advertising market in such a short time, and are crunching out new ones
steadily practically every week, this document might be out of date at times.
The
CWShredder tool to remove Coolwebsearch will always be up to date and is
updated as fast as possible when new variants emerge.
Document last updated: April 17, 2004
| CWS.Datanotary |
Variant 1: CWS.Datanotary - Introduction to Destruction
Approx date first sighted:
May 27, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=8661
Symptoms: Massive IE slowdown, especially when
typing text into forms
Cleverness: 9/10
Manual removal difficulty: Very easy, if you
know where to look
Identifying lines in HijackThis log:
| O19 - User stylesheet:
c:\windows\my.css |
The first variant of CoolWebSearch wasn't even identified as such.
There only were several threads of users experiencing enormous slowdowns
in IE when typin messages into text boxes. Delays of over a minute
before the typed text appeared were reported. Also some redirections
to www.datanotary.com were reported. The solution to this problem took a while to surface, but after
a few weeks (which is pretty long) someone reported the problem
going away when going into IE Options, Accessability and disabling
the 'Use My Stylesheet' option. After that, the fake stylesheet
file could be deleted. The hijack installed a stylesheet that used a flaw in Internet Explorer
and allowed a .css stylesheet file to execute Javascript code. The
code in the file was encrypted, and spawned a popup off-screen that
did the redirecting. However, this file was called on almost every
action taken in IE, slowing it down - this was the most obvious
when typing text. |
|
| CWS.Bootconf |
Variant 2: CWS.Bootconf - Evolution
Approx date first sighted:
July 6, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=7821
Symptoms: Massive IE slowdown, illegible URLs
ie IE Options, redirections when mistyping URLs, startpage & search
page changed on reboot
Cleverness: 8/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL=http://%77%77%77%2e
%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e
%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar=http://%77%77%77%2e%63
%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e
%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page=http://%77%77%77%2e%
63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e
%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page=http://%77%77%77%2e
%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e
%63%67%69?%36%35%36%33%38%37 about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page=http://yourbookmarks.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchxp.com/search.php?qq=%s
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O19 - User stylesheet: C:\WINNT\default.css
|
After HijackThis had built-in support for decrypting the URLS:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?100
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL
= http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?100 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http://www.coolwwwsearch.com/z/a/x1.cgi?100 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)
= http://www.jetseeker.com/ffeed.php?term=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local
Page = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page_bak = http://search.xrenoder.com
|
The second variant seemed like the first one in only one way: it
used the exact same .css stylesheet file. But it took the hijack
one step further by not only changing the IE startpage and search
pages, but changing them to illegible hexcode garbage.Only when this code was decyphered it became clear that CoolWebSearch
was behind this all. It almost seemed as if they let Datanotary
take the stylesheet exploit hijack for a test ride, before using
it themselves. The hijack further involved redirecting the default 'server not
found' page to the CoolWebSearch portal homepage by editing the
Hosts file, and reloading the entire hijack when the machine was
rebooted using a bootconf.exe file that was started with Windows.
We also started to see some pages which seemed affiliates of CWS
since almost all their links led to www.coolwebsearch.com. |
|
| CWS.Oslogo |
Variant 3: CWS.OSLogo.bmp - Send in the affiliates
Approx date first sighted:
July 10, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=8210
Symptoms: Massive IE slowdowns
Cleverness: 2/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http://www.coolwwwsearch.com/z/a/ x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.coolwwwsearch.com/z/b/ x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://stopxxxpics.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.allhyperlinks.com/ redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP
= http://www.coolwwwsearch.com/z/a/ x1.cgi?656387 (obfuscated)
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
|
After HijackThis was updated for a few tricks CWS used, a new variant
surfaced that showed CWS was just getting started. The filename
of the user stylesheet changed into one that didn't even look like
a stylesheet on the outside, but got accepted by IE anyway. Two
domains were added to the Trusted Zone to ensure CWS could do its
dirty work and install any updates if they ever became available.But most of all, IE start and search pages started getting changed
to several dozen different sites that were all affiliated to CWS.
There didn't seem to be an end to the flow of different domains
users were hijacked to. When I write this, over 80 domains are known
CWS affiliates - and all appeared in users' logs. |
|
| CWS.Msspi |
Variant 4: CWS.Msspi - Let's get dangerous
Approx date first sighted:
July 28, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9170
Symptoms: Popups with 'enhanced results' when
doing searches on Google, Yahoo and Altavista
Cleverness: 9/10
Manual removal difficulty: Impossible, I kid
you not
Identifying lines in HijackThis log:
O10 - Unknown file
in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
|
At about this time, the variant appeared that was the hardest to
remove. Users started reporting that when they went to Google, Yahoo
or Altavista to search for something, popups appeared that (most
of the time) advertised bogus 'enhanced results'. This was the one
and only symptom.After looking over the log, it was quickly concluded the msspi.dll
file was to blame. One expert took the file apart and found several
key URLs that were monitored, and when he changed them to bogus
URLs the popups were gone. However, the file hooked into the Winsock LSP chain, which lies
very deep into the bowels of Windows and is one of the hardest parts
of Windows to manipulate. Only a very small selection of spyware
used this method of infection, and incorrect removal left a computer
with a broken Internet connection that could not be fixed even by
reinstalling Windows. Luckily there were one or two tools that could fix a broken Internet
connection due to this problem.
LSPFix
was the one used most since it allowed direct editing of the LSP
chain. |
|
| CWs.Vrape |
Variant 5: CWS.Vrape - Mix and mangle
Approx date first sighted:
July 20, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9067
Symptoms: Redirections to vrape.hardloved.com
on virtually anything done in IE, as well as redirections to adult
sites, dialers, etc
Cleverness: 5/10
Manual removal difficulty: Involves lots of Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL = http://vrape.hardloved.com/ top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search
Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http:// vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http:// vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local
Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local
Page = http:// vrape.hardloved.com/top/search.php?id=2&s=
O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
|
Perhaps the most widely spread variant of CoolWebSearch, this one
was a nightmare for the average user. It combined several hijacking
methods, along with random redirections to porn pages, portals and
even adult dialers.The hijack covered most of IE, and a user was left to sit helplessly
and watch as almost his every move was redirected to vrape.hardloved.com.
One strange thing about this hijack though, is that it operated
alone: it didn't use any affiliates and even redirected other adult
sites to its own site. It has only been connected with CWS since
it appeared together with it in a few logs. The only good thing about this variant is that the domain hardloved.com
has been offline for more than half a week at the time of writing.
It is unknown whether this is because of the sheer amount of users
being routed to their site, DoS attacks by irate users, account
termination because of violation of their host's user agreement,
or something else. |
|
| CWS.Oemsyspnp |
Variant 6: CWS.Oemsyspnp - Pure genius
Approx date first sighted:
July 29, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=8643
Symptoms: Start page/search pages changed to
allhyperlinks.com, activexupdate.com in the IE Trusted Zone, reloading
of the hijack on some reboots.
Cleverness: 10/10
Manual removal difficulty: Involves a bit of
Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection
OemVideoPnP 128 oemsyspnp.inf |
This variant was spotted nearly by sheer luck, since it used the
same Registry value as the second variant (Bootconf) 'SysPnp'. This
was a very clever hijack that disguised itself as a driver update.
When the computer was started, there was a 1 in 5 chance the hijack
was re-installed and changed the IE start page and search pages
to allhyperlinks.com.However, once the hijack was identified, it was easy to stop: only
the autostarting oemsyspnp.inf file had to be disabled using MSConfig,
and then it could be safely deleted. CWS.Oemsyspnp.2: A mutation of this variant
exists that uses the filename keymgr3.inf,
and the Registry value keymgrldr instead.
CWS.Oemsyspnp.3: A mutation of this variant
exists that uses the filename drvupd.inf,
and the Regustry value drvupd instead.
It hijacks to searchforge.com. |
|
| CWS.Svchost32 |
Variant 7: CWS.Svchost32 - Evading detection
Approx date first sighted:
August 3, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?t=1027
Symptoms: Redirections to slawsearch.com when
accessing Google, searching on Yahoo or mistyping an URL
Cleverness: 10/10
Manual removal difficulty: Involves a process
killer
Identifying lines in HijackThis log:
R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Start Page=http://www.slawsearch.com
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\SYSTEM\svchost32.exe"
|
This variant of CWS was focused on only evading existing detection
tools. What was visible in a HijackThis log wasn't nearly all of
it. The hijack installed dozens of redirections from international
Google domains, MSN and Yahoo search engines to a webserver running
at the user's own machine. The webserver even had the seemingly
unsuspicious filename of 'svchost32.exe' to look like the Windows
system file 'svchost.exe'. Anytime a user accessed Google, searched
with Yahoo or mistyped an URL, he was redirected to slawsearch.com.Fixing this hijack involved using a process killer to stop the webserver
process, and editing the Hosts file to remove the Google/Yahoo/MSN
redirections. |
|
| CWS.Dnsrelay |
Variant 8: CWS.DNSRelay - Hey, that wasn't here before!
Approx date first sighted:
August 7, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9074
Symptoms: Redirections to allhyperlinks.com when
omitting 'www' from an URL typed in IE
Cleverness: 8/10
Manual removal difficulty: Involves lots of Registry
editing
Identifying lines in HijackThis log:
| R3 - URLSearchHook:
MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020}
- C:\WINDOWS\System32\dnsrelay.dll |
A very clever hijack that uses a method never used before by any
other hijacker, this variant monitored all URLs entered into the
IE Address bar, and redirected any URLs starting without 'www' to
allhyperlinks.com. The hijack isn't very widespread, and is also
pretty hard to spot. Luckily, fixing it requires only deleting one
Registry value and one file.CWS.Dnsrelay.2: A mutation of this variant
exists which uses the filename ASTCTL32.OCX
instead. CWS.Dnsrelay.3: A mutation of this variant
exists which uses the filename mswsc10.dll
instead, which is located in C:\Program Files\Common
Files\Web Folders. It hijacks IE to payfortraffic.net. It
also adds a custom stylesheet (like
CWS.Bootconf) located at C:\Program Files\Internet
Explorer\Readme.txt. (This file is not present on uninfected
systems.) It uses a Registry value named nvstart
to re-register the main mswsc10.dll file
on startup. CWS.Dnsrelay.4: A mutation of this variant
exists that is like CWS.Dnsrelay.3, but
uses the filename mswsc20.dll instead,
located at the same place. It hijacks IE to gofreegalleries.com,
adds the same custom stylesheet, and uses the hosts file to hijack
numerous sites to allhyperlinks.com. |
|
| CWS.Msinfo |
Variant 9: CWS.Msinfo - running out of ideas
Approx date first sighted:
August 22, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9933
Symptoms: Redirection to Global-Finder.com, hijack
reappearing when rebooting, possible errors about a missing file
'msinfo.exe'.
Cleverness: 6/10
Manual removal difficulty: Involves lots of Registry
editing and some .ini file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = http://out.true-counter.com/b/?101
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http://out.true-counter.com/a/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://out.true-counter.com/c/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://out.true-counter.com/b/?101 (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
F1 - win.ini: run=msinfo.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe |
This variant, using a file called 'msinfo.exe' to reinstall the
hijack on a reboot, appears to have several versions. The first
one seemed to malfunction often, as seen in the 'first sighted'
link where the file wasn't actually installed, but the reference
to it was. The second version probably fixed this a few days later,
since people started surfacing that had been hijacked by this thing.
Lastly, the third version appeared together with a slightly mutated
variant #2 (bootconf.exe). The MSINFO.EXE is installed in a Windows folder where also the legitimate
MSINFO32.EXE file resides. It is ran from win.ini, a method rarely
used by programs nowadays. It sets nearly all Start and Search pages
from IE to URLs at out.true-counter.com, and reinstates these whenever
the system is restarted. Fixing this variant involves resetting
all the Registry values changed for IE, editing the autorun values
in win.ini and the Registry, and deleting the two files. |
|
| CWS.Ctfmon32 |
Variant 10: CWS.Ctfmon32 - SlawSearch part II
Approx date first sighted:
September 22, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=11886
Symptoms: Start page and Search pages changed
to www.slawsearch.com, 'Customize Search Assistant' closing after
opening it, hijack coming back after a reboot.
Cleverness: 3/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.slawsearch.com/autosearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.slawsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= javascript:window.close()
O4 - HKLM\..\Run: [CTFMON32.EXE] "C:\WINDOWS\System32\ctfmon32.exe"
|
This variant surfaced after a quiet time. CWShredder could fix it,
but it would return after rebooting the computer. Apart from the
new filename 'CTFMON32.EXE' (note that 'CTFMON.EXE' is the real
Windows system file) it worked pretty much the same way as CWS.Bootconf:
the file loads at startup, resetting homepages and search pages,
and then closes. Deleting the file and changing everything back
to normal fixes it. |
|
| CWS.Tapicfg |
Variant 11: CWS.Tapicfg - Msinfo part 2
Approx date first sighted:
September 21, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?t=2075
Symptoms: Slow scrolling in IE, redirections
to luckysearch.net, hijack returning on reboot, info32.exe errors.
Cleverness: 8/10
Manual removal difficulty: Involves quite some
Registry editing, win.ini editing and hosts file editing. The style
sheet files are marked read-only, system and hidden.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL = http://acc.count-all.com/--/?oaoca
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://acc.count-all.com/--- /?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://acc.count-all.com/-- /?oaoca (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css |
This hijack consists of only one file, that duplicates itself in
two places (info32.exe and tapicfg.exe) and acts different depending
on its filename. It drops two style sheets on the system,
hijacks to acc.count-all.com which redirects to luckysearch.net,
and reinstalls the hijack on each reboot. The hosts file redirection
also hijacks any mistyped domains to luckysearch.net.
Though a file determining its actions depending on the filename
is very bad programming, it surprised me somewhat because it works
so well.CWS.Tapicfg.2: A mutation of this variant
exists that uses the filename soundmx.exe,
and hijacks IE to globe-finder through a redirection page at in.webcounter.cc.
Possibly the same file is loaded as fntldr.exe
from WIN.INI. A hosts file redirection of auto.search.msn.com to
globe-finder is installed. Two custom stylesheets named
tips.ini and hh.htt
are installed. |
|
| CWS.Svcinit |
Variant 12: CWS.Svcinit - Sneaky little fellow
Approx date first sighted:
September 10, 2003
Log reference: Reconstruction
Symptoms: Homepage changed to xwebsearch.biz
and 'http:///', hijack returning on reboot or even sooner.
Cleverness: 9/10
Manual removal difficulty: Involves lots of Registry
editing, ini file editing and a process killer.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\SVCINIT.EXER1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http:////
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://xwebsearch.biz
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKLM\..\Run: [mssys] C:\WINDOWS\mssys.exe |
Additional identifying line in StartupList log:
| Checking Windows
NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe
|
This variant was somewhat surprising, because fixing all the items
in HijackThis didn't remove it completely - it came back after a
reboot (on Windows 2000 and XP). Only after a user had posted a
StartupList log it became clear that this hijacker used another
additional method of running at boot, besides the two visible in
the HijackThis log. Terminating the running process, and deleting
the three autorun values fixed it. Also, mssys.exe
is possibly involved in this hijack.CWS.Svcinit.2: A mutation of this variant
exists, which uses the filename svcpack.exe
instead. It hijacks to http:/// (sic) and uses the same autostarting
methods as the first version. Possibly it also drops the file
SVCHOST.OLD for unknown purposes. CWS.Svcinit.3: Possibly, a mutation of
this variant exists, which hijacks to xwebsearch.biz and http:///
(sic), as well as installing a hosts file redirection of several
dialer sites to searchmeup.com. CWS.Svcinit.4: A mutation of this variant
exists, that hijacks IE to sex.free4porno.net, and adds porn bookmarks
to the IE Favorites and on the desktop. It reinstalls from a file
c:\windows\svchost.exe (not a valid Windows
system file, which is in the system32 folder), running at startup
using the name Online Service. It also
uses the trojan file msin32.dll for unknown
reasons. |
|
| CWS.Msoffice |
Variant 13: CWS.Msoffice - HTA exploit revisited
Approx date first sighted:
October 12, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=13362
Symptoms: Homepage changed to searchdot.net,
hijack coming back after a reboot, slow scrolling and text typing
in IE.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry
editing, and using a command prompt to delete the files.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchdot.net
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
|
This variant uses a .hta script file to reinstall the hijack on
a reboot. The msoffice.hta file is hard
to find because the Fonts folder is a special folder for Windows,
setup to hide all files in it that are not font files. Thus, a command
prompt is needed to be able to see and delete the file. Deleting
the file and resetting the IE home and search pages fixes the hijack.CWS.Msoffice.:2 A mutation of this variant
exists that hijacks IE to sexpatriot.net and royalsearch.net, installs
a hosts file hijack of two porn sites to 64.246.33.179, and reinstalls
through a file named fonts.hta using the
name AdobeFonts. CWS.Msoffice.:3 A mutation of this variant
exists that hijacks IE to supersearch.com and hugesearch.net, and
reinstalls through a file named fonts.hta
using the name TrueFonts. It also changes
the DefaultPrefix and WWW Prefix to redirect all URLs through hugesearch.net.
|
|
| CWS.Dreplace |
Variant 14: Dreplace - Just a BHO... OR IS IT?
Approx date first sighted:
October 12, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=13497
Symptoms: Redirections to xwebsearch.biz and
213.159.117.233, hijack returning on reboot
Cleverness: 3/10 , 10/10 on second version
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP
= http://xwebsearch.biz/
O1 - Hosts: 213.159.117.233 sitefinder.verisign.com
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85}
- C:\WINDOWS\System32\DReplace.dll |
This variant installs a BHO with unknown purpose, though it's probable
the BHO is there to ensure xwebsearch.biz is set as your homepage
on reboot. It redirects the Verisign Sitefinder, so all mistyped
domains are redirected to 213.159.117.233. CWS.Dreplace.2: There is a second version
of this variant that used the most dastardly trick I have ever seen
in a piece of malware. It changed the dreplace.dll
so fixing it with either HijackThis or CWShredder will cause your
entire system to fail on Windows 98, 98SE and ME! The hijack
is the same as the first version for almost all other aspects, and
both HijackThis and CWShredder have been updated to circumvent the
problem. |
|
| CWS.Mupdate |
Variant 15: Mupdate - Turning up everywhere
Approx date first sighted:
October 13, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=13613
Symptoms: Homepage changing to searchv.com, redirections
to runsearch when mistyping URLs, *.masspass.com in the Trusted
Zone, hijack returning on a reboot.
Cleverness: 9/10
Manual removal difficulty: Involves some Registry
editing and lots of ini file editing.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page=http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page=http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar=http://www.searchv.com/search.html
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=explorer.exe mupdate.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O15 - Trusted Zone: *.masspass.com |
This variant isn't very common, but it makes up for this by being
very persistent in its existance. It's ran from 3 places at boot,
as well as merging a .reg file that reinstalls the hijack, and adding
an adult site to the Trusted Zone. It also redirects any mistyped
domains to runsearch.com. |
|
| CWS.Addclass |
Variant 16: CWS.Addclass - Halloween edition
Approx date first sighted:
October 30, 2003
Log reference:
http://forums.techguy.org/showthread.php?threadid=175680
Symptoms: Redirections through ehttp.cc before
reaching pages, IE homepage/searchpage changing to rightfinder.net,
hijack returning on reboot.
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.rightfinder.net/search/
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\TEMP\ADDCLASS.EXE
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/? |
This one just surfaced when a sample (and thus a CWShredder update)
was found for it. The hijack involves AddClass.exe installing the
hijack and reinstalling it on reboot. It also changes the DefaultPrefix,
WWW Prefix and a non-functional 'www.' prefix which makes each URL
you type without 'http://' in front of it redirect through ehttp.cc
before reaching the correct destination. IOW, they log everywhere
you go. Luckily they are even kind enough to provide a uninstall
for this 'Enhanced HTTP protocol' at their site
here. This will only partially remove CWS.Addclass though.
|
|
| CWS.Googlems |
Variant 17: CWS.Googlems - We have a payload!
Approx date first sighted:
November 1, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=16643
Symptoms: IE pages changed to http://www.idgsearch.com/,
hijack reinstalled on reboot and when running Windows Media Player.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry
editing, and reinstalling Windows Media Player
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://www.idgsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.idgsearch.com/
O2 - BHO: GoogleMS Search Helper - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24}
- C:\Documents and Settings\[username]\Application Data\GoogleMS.dll
|
This variant is first of its kind, since an important development
was observed here: the Windows Media Player executable was deleted
and replaced by the trojan. This file reinstalled the hijack when
ran. No other variants modify or delete system files, but this one
seems to.
It also installs a BHO that reinstalls hijack on a reboot. Deleting
GoogleMS.dll and reinstalling Windows Media Player fixes the hijack.
CWS.Googlems.2: A mutation of this variant
exists that hijacks IE to idgsearch.com and 2020search.com, installs
a BHO named 'Microsoft SearchWord' using the filename
SearchWord.dll in the same location as
the first version. It also adds *.xxxtoolbar.com
to the Trusted Zone. CWS.Googlems.3: A mutation of this variant
exists that hijacks IE to idgsearch.com, installs a BHO named 'Microsoft
SearchWord' using the filename Word10.dll
in the location C:\Documents And Settings\[username]\Application
Data\Microsoft\Office.
This version can also be loaded by a fake Notepad.exe
file in the Windows system folder. The fake file has an icon different
from the default notepad one. CWS.Googlems.4: A mutation of this variant
exists that hijacks IE to idgsearch.com, 2020search.com and possibly
coundnotfind.com. It installs a hosts file hijack to 69.56.223.196
(idgsearch.com), redirecting from several CWS affiliate domains
(!), one Lop.com domain, one misspelled Spywareinfo domains (hehe)
and several porn domains. It installs a BHO named 'Microsoft Excel'
using the filename Excel10.dll, located
at the same place as the third mutation. It also adds *.xxxtoolbar.com
and *.teensguru.com to the Trusted Zone. |
|
| CWS.Xplugin |
Variant 18: CWS.Xplugin - 'Helping' you search the web
Approx date first sighted:
November 11, 2003
Log reference:
Not visible in HijackThis log!
Symptoms: Some links in Google results redirecting
to umaxsearch.com or coolwebsearch.com every now and then
Cleverness: 10/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
|
Not visible in HijackThis log!
|
This variant is the first one that is not visible in a HijackThis
log. It works invisible, changing links from Google search results
to other pages. It took a while to find out how this variant works,
since it doesn't use any of the standard locations.
A file xplugin.dll is installed, which
creates a new protocol filter for text/html.
In normal english, this means it reads most of the web pages downloaded
to your browser. It also randomly alters some links in Google search
results to pages on umaxsearch.com and coolwebsearch.com. It claims
to be made by something called TMKSoft.
It is unknown if deleting the file has no side-effects, but using
CWShredder or running regsvr32 /u c:\windows\system32\xplugin.dll
(may vary depending on Windows version) fixes the hijack completely.
|
|
| CWS.Alfasearch |
Variant 19: CWS.Alfasearch - Child's Play
Approx date first sighted:
November 5, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=16730
Symptoms: IE pages changed to alfa-search.com,
possibly porn sites being redirected to 216.200.3.32 (alfa-search.com),
error message about a 'runtime error' at startup, 4 porn bookmarks
added to favorites (one possible child porn).
Cleverness: 1/10
Manual removal difficulty: Involves a little
Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)
= http://www.alfa-search.com/search.html
O4 - Global Startup: MSupdate.exe |
Possibly the most simple CWS variant since
CWS.Datanotary, this hijack only does the basic stuff: changes
your IE homepage and search pages, adds porn bookmarks, and pops
up a bogus error message at startup.
Deleting MSupdate.exe from the All Users
Startup group, deleting the porn bookmarks and resetting the IE
homepage and search pages fixed the hijack.
The MSupdate.exe file is capable of installing
a hosts file hijack as well, but doesn't seem to do this. CWS.Alfasearch.2: A mutation of this variant
exists, that hijacks IE to www.find-itnow.com, drops 7 porn bookmarks
in the IE Favorites, and causes error messages concerning 'Win Min'
at system shutdown, as well as bogus runtime errors at system startup.
It drops a fake Winlogon.exe file in the
'All Users' Startup group of the Start Menu, or in the Startup group
of the current user. The file is always running, and hard to remove.
If CWShredder repeatedly reports removing this variant, it cannot
remove winlogon.exe. To remove this
file manually, move it out of the Startup folder, restart, and then
delete the file. CWS.Alfasearch.3: A mutation of this variant
exists, that hijacks IE to www.alfa-search.com, and reinstalls by
running an encryped VBS script from three places in the Registry,
named rundll32.vbe using the name
Windows Security Assistant. It also installs
a custom stylesheet named readme.txt in
the Windows sytem folder, drops 9 porn bookmarks in the IE Favorites
and 6 on the desktop, and installs a hosts file hijack of 8 major
search engines and one porn site to 64.124.222.169 (alfa-search.com).
|
|
| CWS.Loadbat |
Variant 20: CWS.Loadbat - Dastardly
Approx date first sighted:
November 1, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=16132
Symptoms: DOS window flashing by at system startup,
IE pages being hijacked to ie-search.com, redirection to 'FLS' or
Umaxsearch when mistyping URLs or visiting porn sites
Cleverness: 9/10
Manual removal difficulty: Involves some Registry
editing and deleting a few files
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://ie-search.com/srchasst.html
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = c:\windows\hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://ie-search.com/srchasst.html (obfuscated)
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
O1 - Hosts: 206.161.200.103 www.smutserver.com
O1 - Hosts: 206.161.200.103 www1.smutserver.com
O1 - Hosts: 206.161.200.103 www2.smutserver.com
[...]
O1 - Hosts: 206.161.200.103 www29.smutserver.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] load
shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv
/c /set -- by windows setup -- |
Overlooked at first, this CWS variant used a clever way of reloading
the hijack by making it look like some other file (shell.dll or
win64.drv) was doing it, when in fact it was just a
LOAD.BAT file merging a .reg file.The second variant added a hosts file hijack of auto.search.msn.com
and the Verisign Sitefinder to something called 'FLS' that linked
to Umaxsearch, as well as hijacking smutserver.com domains to another
porn site. To remove this manually, killing the autostarts and removing
hp.htm , load.bat
and srch.reg from the Windows folder along
with resetting the IE homepage/search page is enough. |
|
| CWS.Qttasks |
Variant 21: CWS.Qttasks - Even more simple than CWS.Alfasearch
Approx date first sighted:
November 23, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=18331
Symptoms: IE pages being changed to start-space.com
Cleverness: 2/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start Page = http://www.start-space.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.start-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP
= http://www.start-space.com/
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
|
Mimicking the legit 'QuickTime Task' autorun entry in the Registry
(which is in the HKLM hive), this variant loaded at startup and
changed only the Start Page to start-space.com. That's it. I'm serious.
*Yawn* |
|
| CWS.Msconfd |
Variant 22: CWS.Msconfd - Finally using rundll32
Approx date first sighted:
November 26, 2003
Log reference: Reconstruction, local test
Symptoms: IE pages being changed to webcoolsearch.com,
bogus error message about msconfd.dll at startup, porn bookmarks
added to Favorites (some possibly childporn)
Cleverness: 7/10
Manual removal difficulty: Involves quite some
Registry editing and deleting porn bookmarks, plus struggling to
unload the dll which is always in memory
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://webcoolsearch.com/
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore
ControlPanel |
Additional line from StartupList log:
| Load/Run keys from
Registry: HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll
|
This is the first variant to use a dll file together with the Windows
rundll32 file. This makes it a little harder to find the culprit
msconfd.dll, responsible for hijacking
IE to webcoolsearch.com and adding 11 adult bookmarks to IE, of
which 4 are possibly child porn sites.Deleting the autorun entry, resetting IE and deleting the porn bookmarks
fixes most of the hijack. Removing msconfd.dll
involves renaming the file, restarting the system and deleting the
renamed file. CWS.Msconfd.2: A mutation of this variant
exists, that uses the filename avpcc.dll
or ctrlpan.dll that hooks into Windows
in the same way as the first version. This version also deletes
all the bookmarks in the IE Favorites folder, before replacing
them with porn bookmarks. CWS.Msconfd.3: A mutation of this variant
exists, that uses the filename cpan.dll.
|
|
| CWS.Therealsearch |
Variant 23: CWS.Therealsearch - Misery travels in pairs
Approx date first sighted:
November 29, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=19137
Symptoms: IE pages changed to therealsearch.com,
porn bookmarks added to IE Favorites, porn sites appearing in IE
autocomplete
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry
editing, a process killer, and deleting bookmarks
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exeR1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.therealsearch.com/sp.php
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
|
This variant of CWS appeared to be worse than it actually was at
first. Since it had two running processes, it looked like the
Peper virus, that was very hard to remove. Luckily these two
processes didn't behave like that. The smallest one
quicken.exe downloaded and ran the second
one editpad.exe (like
CWS.Aff.Iedll does) and hijacked IE to therealsearch.com, as
well as setting themselves to run at startup. To remove this variant a process killer is needed to kill
editpad.exe and quicken.exe
and deleting the files, as well as resetting the IE homepage/search
pages and possibly removing
CWS.Aff.Tooncomics.2 which can be downloaded by this variant.
CWS.Therealsearch.2: There is a mutation
of this variant that hijacks to my.search (sic), that also the filenames
c:\windows\winrar.exe and
c:\windows\waol.exe. |
|
| CWS.Control |
Variant 24: CWS.Control - Dude, where's my Control Panel?
Approx date first sighted:
December 7, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=23210
Symptoms: IE pages changed to windoww.cc, super-spider.com
and search2004.net
Cleverness: 3/10
Manual removal difficulty: Involves some Registry
editing, and restoring a file from the Windows Setup CD for Windows
9x/ME
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://www.windowws.cc/ sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.windowws.cc/ sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.windowws.cc/ hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP
= http://super-spider.com
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - HKCU\..\RunServices: [Windows Control] C:\WINDOWS\CONTROL.EXE
|
This variant is fairly simple, if it wouldn't drop a file in the
Windows folder that overwrites a system file in Windows 9x/ME -
it is possible your Control Panel will not be functioning normally
after being infected with this CWS variant, and you need to use
the System File Checker (SFC.EXE) to restore
control.exe from your Windows Setup CD. Windows NT/2000/XP
does not have this problem with this variant. CWS.Control.2: A mutation of this variant
exists that is identical in every way, but where
control.exe always stays in memory.
CWS.Control.3: A mutation of this variant
exists that uses random filenames and random startups.
|
|
| CWS.Olehelp |
Variant 25: CWS.Olehelp - Who wants some bookmarks?
Approx date first sighted:
January 4, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=27573
Symptoms: IE hijacked to omega-search.com, lots
and lots of bookmarks added to IE Favorites
Cleverness: 3/10
Manual removal difficulty: Involves a little
bit of Registry editing, and deleting lots of files
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\OLEHELP.EXE R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://www.omega-search.com/go/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.omega-search.com/go panel_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.omega-search.com/go/panel_search.html
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\olehelp.exe
|
This variant is pretty simple. It autoruns a file named
olehelp.exe at startup from the Registry,
which changes the IE homepage/search page to omega-search.com, and
adds a mind-boggling 107 bookmarks to the IE Favorites, of which
14 are porn.Killing the autostart and deleting the file + bookmarks fixes this.
|
|
| CWS.Smartsearch |
Variant 26: CWS.Smartsearch - Counter-counter-actions
Approx date first sighted:
January 7, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=26148
Symptoms: IE hijacked to smartsearch.ws, redirections
to smartsearch.ws when entering incomplete URLs into the address
bar, antispyware programs closing without reason only a few seconds
after opening them
Cleverness: 5/10
Manual removal difficulty: Involves a process
killer, lots of registry editing and deleting a few files.
Identifying lines in HijackThis log:
Running processes:
C:\Program Files\directx\directx.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://smartsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://smartsearch.ws/?q=
O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\RunServices: [SystemEmergency] C:\Program
Files\directx\directx.exe
O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O13 - DefaultPrefix: http://smartsearch.ws/?q=
O13 - WWW Prefix: http://smartsearch.ws/?q= |
This variant is mostly hard to spot since it can use over a dozen
different filenames, luckily all with the same registry value. The
file is always running and reinstalls the hijack to smartsearch.ws
every 10 seconds. Killing the trojan process, deleting/restoring
all the Registry values it added or changed and deleting its files
fixed the hijack.CWS.Smartsearch.2: A mutation of this variant
exists that attempts to close CWShredder, HijackThis, Ad-Aware,
Spybot S&D and the SpywareInfo forums when they are opened.
It uses the filename IEXPLORER.EXE (note
the extra 'R') and a different Registry value. It drops a hosts
file that blocks over two dozen anti-spyware sites. CWShredder
has been updated to circumvent this. CWS.Smartsearch.3: A mutation of this variant
exists that uses the startup 'coolwebprogram', and attempts to
close CWShredder, HijackThis, Ad-Aware, Spybot S&D and the SpywareInfo
forums when they are opened. It also drops
notepad32.exe and hijacks the .txt and
.log filetypes to open with this file (before showing it in the
real Notepad), reinstalling the hijack. CWS.Smartsearch.4: A mutation of this variant
exists that hijacks to magicsearch.ws
instead of smartsearch.ws, uses the startup 'MicrosoftWindows' and
also drops the notepad32.exe Notepad hijacker
like CWS.Smartsearch.3. It also hijacks the DefaultPrefix and WWW
Prefix to magicsearch.ws like
CWS.Vrape and attempts to kill several firewalls, including
(but not limited to) ZoneAlarm and Kerio Personal Firewall.
Known filenames used by this variant:
C:\Program Files\directx\directx.exe
C:\Program Files\Common Files\System\systeem.exe
C:\Windows\explore.exe (note the missing 'r')
C:\Windows\System\internet.exe
C:\Windows\Media\wmplayer.exe
C:\Windows\Help\helpcvs.exe
C:\Program Files\Accessories\accesss.exe
C:\Games\systemcritical.exe
C:\Documents Settings\sistem.exe
C:\Program Files\Common Files\Windows Media Player\wmplayer.exe
C:\Windows\Start Menu\Programs\Accessories\Game.exe
C:\Windows\sistem.exe
C:\Windows\System\RunDll16.exe
C:\Windows\iexplorer.exe (note the extra 'i' or the extra 'r')
C:\y.exe
C:\x.exe c:\funny.exe
c:\funniest.exe
c:\Windows\notepad32.exe
C:\Windows\system\kazaa.exe
C:\Windows\system32\kazaa.exe
C:\Program Files\Common Files\Services\iexplorer.exe
C:\Program Files\Common Files\Services\explore.exe
C:\Program Files\Common Files\Services\exploreer.exe
C:\Program Files\Common Files\Services\sistem.exe
C:\Program Files\Common Files\Services\critical.exe
C:\Program Files\Common Files\Services\directx.exe
C:\Program Files\Common Files\Services\internet.exe
C:\Program Files\Common Files\Services\window.exe
C:\Program Files\Common Files\Services\winmgnt.exe
C:\Program Files\Common Files\Services\clrssn.exe
C:\Program Files\Common Files\Services\explorer32.exe
C:\Program Files\Common Files\Services\win32e.exe
C:\Program Files\Common Files\Services\directx32.exe
C:\Program Files\Common Files\Services\uninstall.exe
C:\Program Files\Common Files\Services\volume.exe
C:\Program Files\Common Files\Services\autorun.exe
C:\Program Files\Common Files\Services\users32.exe
C:\Program Files\Common Files\Services\notepad.exe
C:\Program Files\Common Files\Services\win64.exe
C:\Program Files\Common Files\Services\inetinf.exe
C:\Program Files\Common Files\Services\time.exe
C:\Program Files\Common Files\Services\systeem.exe c:\Windows\system32\iexplorer.exe
c:\Windows\system32\explore.exe
c:\Windows\system32\exploreer.exe
c:\Windows\system32\sistem.exe
c:\Windows\system32\critical.exe
c:\Windows\system32\directx.exe
c:\Windows\system32\internet.exe
c:\Windows\system32\window.exe
c:\Windows\system32\winmgnt.exe
c:\Windows\system32\clrssn.exe
c:\Windows\system32\explorer32.exe
c:\Windows\system32\win32e.exe
c:\Windows\system32\directx32.exe
c:\Windows\system32\uninstall.exe
c:\Windows\system32\volume.exe
c:\Windows\system32\autorun.exe
c:\Windows\system32\users32.exe
c:\Windows\system32\win64.exe
c:\Windows\system32\inetinf.exe
c:\Windows\system32\time.exe
c:\Windows\system32\systeem.exe
|
|
| CWS.Yexe |
Variant 27: CWS.Yexe - Whatever
Approx date first sighted:
January 17, 2004
Log reference:
http://forums.tomcoyote.org/index.php?showtopic=3174
Symptoms: IE start page hijacked to search.thestex.com
Cleverness: 2/10
Manual removal difficulty: Involves deleting
some Registry values and keys, deleting one folder and restoring
the IE homepage
Identifying lines in HijackThis log:
F1 - win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3}
- C:\WINDOWS\System\services\1.00.07.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe
|
This variant uses a filename often seen as installer for either
CWS or Lop.com (y.exe), but uses it as the actual hijacker file.
It loads from win.ini as well as system.ini in a weird way that
shouldn't even work, and installs a BHO with seemingly the purpose
to react to certain keywords on webpages. Removing the BHO and the
autorunning y.exe file fixes this hijack.CWS.Yexe.2: Possibly a mutation of this
variant exists that uses the filename services.exe
instead of y.exe. |
|
| CWS.Gonnasearch |
Variant 28: CWS.Gonnasearch - Three for the price of one
Approx date first sighted:
January 18, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=28344
Symptoms: IE hijacked to gonnasearch.com
Cleverness: 2/10
Manual removal difficulty: Involves deleting
some registry keys and values
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://www.gonnasearch.com/
iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.gonnasearch.com/?ref=sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.gonnasearch.com/ iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.gonnasearch.com/?ref=sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://www.gonnasearch.com/ iesearch.php?ref=sb
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00}
- C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342}
- C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970}
- C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll |
This variant differs from the others in that it installs not one,
but three (!) BHOs. Their exact purpose is unknown. Killing the
three BHOs and restoring the IE pages fixed this hijack. |
|
| CWS.Smartfinder |
Variant 29: CWS.Smartfinder - Turning over new stones
Approx date first sighted:
January 11, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=27673
Symptoms: IE hijacked to nkvd.us and smart-finder.biz,
redirections to nkvd.us and smart-finder.biz when typing incomplete
URLs into address bar.
Cleverness: 10/10
Manual removal difficulty: Involves some registry
editing, and renaming the trojan file, restarting, and deleting
it
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer,SearchURL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http://www.nkvd.us/s.htm
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O13 - WWW Prefix: http://www.nkvd.us/1507/
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - Mosaic Prefix: http://www.nkvd.us/1507/ |
Additional line in StartupList log:
| Enumerating ShellServiceObjectDelayLoad
items: DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
|
This variant was surprisingly smart: it used two startup methods
(ShellServiceObjectDelayLoad and SharedTaskScheduler) that have
to be the absolutely rarely used ones seen ever - and it used them
differently on Windows 9x/ME and Windows NT/2k/XP. On top of that,
both methods ensure that the file is loaded when Explorer is loaded,
making it always in memory like
CWS.Msconfd. Additionally, the actual responsible files are
invisible in HijackThis, and only one shows in a StartupList logfile
(ShellServiceObjectDelayLoad). The responsible file is
mtwirl32.dll, and to delete it manually
you need to rename it (deleting is impossible since it is in use),
restart the system, and then delete the file and its Registry key.
CWS.Smartfinder.2: a second version of
this variant exists, that is harder to remove but basically uses
the same method of loading, as well as the same CLSID. In addition,
it uses a BHO to restore any of the autostarting regkeys you delete
to remove this. The BHO looks like this in a HijackThis log:
| O2 - BHO: OsbornTech
Popup Blocker - {FF1BF4C7-4E08-4A28-A43F- 9D60A9F7A880}
- C:\WINDOWS\System32\mshelper.dll |
Deleting this BHO prevents it from restoring the autostarting regkeys,
which can then be deleted safely.
Note that this BHO is NOT the real Osborntech Popup Blocker, which
uses the CLSID {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}, and a
mshelper.dll file located in a separate
folder in the Program Files folder. |
|
| CWS.Winproc32 |
Variant 30: CWS.Winproc32 - I can't think of anything snappy
to say here
Approx date first sighted:
January 23, 2004
Log reference:
http://forums.net-integration.net/index.php?showtopic=10128
Symptoms: IE being hijacked to icanfindit.net
or 4-counter.com, hijack returning on system restart or possibly
sooner
Cleverness: 2/10
Manual removal difficulty: Involves using a process
killer and some Registry editing
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\SYSTEM32\WINPROC32.EXE R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
= http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://4- counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://4-counter.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://4- counter.com/?a=2
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
|
A very simple variant. Winproc32.exe loads
at startup, and hijacks IE. The file stays in memory so a process
killer is needed to remove it. It drops 4 porn bookmarks in the
IE Favorites folder. It also tries to hijack the default user (HKEY_USERS\.DEFAULT)
but fails to do so. |
|
| CWS.Msconfig |
Variant 31: - CWS.Msconfig - Payload plus one
Approx date first sighted:
February 5, 2004 (also a nice example of how frustrating these
things can be to people)
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=31324
Symptoms: IE pages being hijacked to www.31234.com
on system startup and when changing homepage back, continuous errors
about an invalid Registry script in temp2.txt, extra item in right-click
menu of webpages named '??????'
Cleverness: 2/10
Manual removal difficulty: Involves a process
killer, some Registry editing and restoring a Windows system file
from CD
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\SYSTEM\MSCONFIG.EXER0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.31234.com/www/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.31234.com/www/homepage.html
O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O4 - HKCU\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O8 - Extra context menu item: ?????? - C:\WINDOWS\system32\openme.htm
|
This variant uses the filename msconfig.exe
which overwrites the real Windows file in Windows 98/98SE/ME. The
temp2.txt file it drops is actually a
Registry script, but since it's in the wrong format, Windows 9x/ME
will throw up an error about an invalid Registry script. Windows
2000/XP will import it without complaining, creating the '??????'
item in the IE right-click menu. The msconfig.exe
file will always stay in memory, reinstalling the hijack every 5
seconds. Killing the process, deleting the file and restoring the
IE homepages/search pages fixes this hijack. The real Windows file msconfig.exe can
be download
here, if you can't restore it from your Windows Setup CD for
some reason. |
|
| CWS.Xxxvideo |
Variant 32: CWS.Xxxvideo - What, you mean it's not an xxx video?
Approx date first sighted:
February 11, 2004
Log reference:
http://www.spywareinfo.com/forums/index.php?showtopic=32381
Symptoms: IE pages changed to enjoysearch.info,
4 bookmarks added to Favorites, all returning when system is restarted
Cleverness: 3/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,SearchURL = http:// www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http:// www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http:// www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http:// www.enjoysearch.info/
O4 - HKLM\..\Run: [xxxvid] C:\WINDOWS\system32\xxxvideo.hta
O4 - HKCU\..\Run: [xxxvid] C:\Documents and Settings\<username>\My
Documents\xxxvideo.hta |
A very simple variant, with a encrypted script file running at startup,
reinstalling the hijack. Killing the autorun entries, deleting the
two .hta files and the four bookmarks fixes this. |
|
| CWS.Winres |
Variant 33: CWS.Winres - About:blank hacked
Approx date first sighted:
February 10, 2004
Log reference:
http://www.spywareinfo.com/forums/index.php?showtopic=32204
Symptoms: IE pages changed to 2020search.com,
about:blank page changed to search engine
Cleverness: 7/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http:// www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page_bak = about:blank
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494}
- C:\WINDOWS\winres.dll
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com |
This variant is the first to achieve a remarkable result: it changes
the about:blank page itself to look like a search engine. This is
later seen in the
CWS.Xmlmimefilter variant, using a different method. The variant
possibly adds three domains to the Trusted Zone and adds two bookmarks
to the desktop.
Deleting the BHO, resetting the IE homepage, and removing the sites
and bookmarks fixes this. |
|
| CWS.Xmlmimefilter |
Variant 34: CWS.Xmlmimefilter - About:blank hacked v2.0
Approx date first sighted:
February 29, 2004
Log reference:
http://computercops.biz/postt21263.html
Symptoms: IE homepage changed to about:blank,
which is changed to a search engine named 'Microsoft Search the
Web', mistyped URLs being redirected to this same search engine
Cleverness: 10/10
Manual removal difficulty: Involves quite some
Registry editing
Identifying lines in HijackThis log:
O1 - Hosts: 213.159.117.235
auto.search.msn.com
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96}
- C:\WINDOWS\System32\msxmlpp.dll |
Though the hijacking of the about:blank page was also done by the
CWS.Winres variant, this new variant accomplishes it in a much
more elegant way. The DLL itself used for handling the 'about:'
protocol is changed to a malicious msxmlpp.dll
one, displaying a search engine instead of a blank page filled with
links to 66.117.38.91.
Changing the CLSID of the about protocol back to the default
{3050F406-98B5-11CF-BB82-00AA00BDCE0B},
deleting the file and removing the hosts file hijack fixes this.
|
|
| CWS.Aboutblank |
Variant 35: CWS.Aboutblank - It's just a fad
Approx date first sighted:
March 2, 2004
Log reference:
Reconstruction
Symptoms: IE pages changed to about-blank.ws
and 213.159.118.226 (1-se.com), hijack returning on system restart
Cleverness: 5/10
Manual removal difficulty: Involves some Registry
editing and deleting a randomly named file
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
[..]
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr
-0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr
-0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
|
This variant does everything in its powers to redirect you to a
domain owned by 1-se.com. IE is hijacked to it, the hosts file is
replaced to redirect about 100 porn and CWS domains to 1-se.com,
and a randomly named stylesheet is dropped that redirects to 1-se.com
when certain keywords appear in webpages.
Restoring the IE pages by searching the Registry for about-blank.ws,
removing the hosts file, the svchost.exe file in the Windows directory
(the one in the System32 folder is legit) and the randomly named
stylesheet (1079 or 1087 bytes in size) fixed this. |
|
| CWS.Systeminit |
Variant 35: CWS.Systeminit - Actual size
Approx date first sighted:
March 21, 2004
Log reference:
http://www.spywareinfo.com/forums/index.php?showtopic=35845
Symptoms: IE pages changed to your-search.info,
redirections to search-dot.com, hijack returning on system reboot,
URL shortcuts appearing on desktop and in favorites
Cleverness: 2/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = http://www.your- search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.your- search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http:// www.your-search.info/start.html
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
|
A small variant, using two files to reinstall the hijack. The stylesheet
links to search-dot.com, the two autostarting files set the IE homepage/search
pages to your-search.info. A backup of the systeminit.exe file is
kept at C:\Documents And Settings\sys.exe
(this location is hardcoded into the trojan file). Deleting the
three trojan files, the stylesheet, the bookmarks and restoring
the IE pages fixes this hijack. |
|
| CWS.Sounddrv |
Variant 36: CWS.Sounddrv - Boring, yet sneaky
Approx date first sighted:
March 12, 2004
Log reference:
http://boards.cexx.org/viewtopic.php?t=4542
Symptoms: IE pages changed to defaulsearching.com,
hijack returning on system reboot.
Cleverness: 3/10
Manual removal difficulty: Involves some Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = http://defaultsearching.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://defaultsearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://defaultsearching.com
O4 - HKCU\..\RunOnce: [sounddrv] C:\WINDOWS\SYSTEM\SNDBDRV3104.EXE
|
This variant is very small, but its sneakiness lies in the filename
used, which was originally mistaken for a sound card driver (by
me as well). Apart from that, this hijack is really simple. Deleting
the file and restoring the IE pages fixes this hijack. |
|
| CWS.Searchx |
Variant 38: CWS.Searchx - About:blank seems popular lately
Approx date first sighted:
April 6, 2004
Log reference:
http://forums.techguy.org/t217853.html
Symptoms: IE pages changed to about:blank (which
is changed to a search portal linking to searchx.cc) and a search
page inside a DLL on the system, hijack returning on system reboot
Cleverness: 8/10
Manual removal difficulty: Involves lots of Registry
editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= res:// C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP
= about:blank
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0- 12C36350039D}
- C:\WINDOWS\System32\gfmnaaa.dll |
This variant is not very hard to spot, but slightly harder to troubleshoot
since its symptoms look a lot like those of
CWS.Xmlmimefilter. It drops a randomly named DLL in the system
folder and sets the IE homepage/search pages to it. A BHO is also
added pointing to the same DLL. The about:blank page is modified
by creating two new protocol filters for text/html
and text/plain which allows the DLL to
control most of the content flowing through the IE browser as web
pages. The trojan keeps a record of all actions in a log file at
c:\filter.log. Removing the two filters
in the Registry, deleting the BHO, the DLL and the logfile and restoring
the IE pages fixes this hijack. Note: The
CWS.Realyellowpage has been sighted together with this variant
sometimes, causing CWShredder to not be able to remove this one.
Refer to the manual removal method for that variant to delete the
offending dll, then run CWShredder again to remove CWS.Searchx.
|
|
| CWS.Realyellowpage |
Variant 39: CWS.Realyellowpage - Inducing homocidal tendencies
Approx date first sighted:
March 16, 2004
Log reference:
(not visible in HijackThis log)
Symptoms: IE pages changed to real-yellow-page.com,
drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning
on reboot with no file seemingly responsible
Cleverness: Where's my infinity character button?
Manual removal difficulty: Battle axe or chainsaw
recommended
Identifying lines in HijackThis log:
|
(not visible in HijackThis)
|
This variant is a nightmare. If you come across an infected machine
that keeps changing back to the aforementioned sites over and over
again for no visible reason, you've probably seen this one. It's
like whoever is reponsible for this hired some blackhat coder and
told him to make the most complex, invisible and devious hijacker
he could think of. And he did.
The file is randomly named, and normally hooks into the IE process,
loading itself as a module into it. And then it hides the host process
from the process list. Yes, you read that right, the process hosting
the dll disappears from the task list and most process viewers/managers
we tried.
At first it was only visible with FAR Explorer, later we found
PrcView also shows it, and has some nice command-line options
which makes for nice scripting to aid in manual removal. For Windows
95/98/ME, booting the system into Safe Mode will prevent the file
from loading, allowing for even easier manual removal:
* MANUAL REMOVAL INSTRUCTIONS *
Tech info: Win9x/ME: Known to use the HKLM RunServicesOnce key to
load, which is deleted by Windows after loading the file and recreated
by the dll when Windows shuts down. Visible in Safe Mode, dll file
is not loaded then and can be deleted.
WinNT/2000/XP: Known to use the HKLM AppInit_DLLs value to load,
possibly more Registry keys. The 'delete file on reboot' function
can be used (KillBox does this), provided the filename is known.
File is heavily encrypted using an unknown packer, has a modified
PE header and crashes most (if not all) memory dumpers when attempted
to dump the file from memory. Hides the dll as well as the host
process (IEXPLORE.EXE, RUNDLL32.EXE, CONTROL.EXE, REGSVR32.EXE,
whichever one is used) by an unknown method.Right now [17/04/04], CWShredder does not
remove this variant. As soon as I figure out how to do it, I will
update CWShredder for it. |
|
| Affiliate variants - not directly related to CWS, but sighted
together with it very often |
|
| CWS.Aff.Iedll |
Affiliate variant: iedll - Bad coder
Approx date first sighted:
August 18, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?t=1499
Symptoms: Errors in a file 'iedll.exe' or 'loader.exe'
on Windows startup. Sighted a lot together with other CWS variants.
Cleverness: 3/10
Manual removal difficulty: Involves a process
killer and a bit of Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\LOADER.EXEO4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
|
This affiliate variant, with unknown origin, consists of two files.
The first one, loader.exe downloads the
second one, iedll.exe and runs it. Both
files are set to autostart when Windows starts. The 'hijack' becomes
obvious when iedll.exe crashes - and it
does this frequently. Apparently, this program is programmed so
badly, it won't even carry out its payload and does not hijack IE.
It is only displayed here because it has been sighted together with
other CWS variants on very numerous occasions.CWS.Aff.iedll.2: A mutation of this variant
exists, that has the same files iedll.exe
and loader.exe located at
C:\Program Files\Windows Media Player.
|
|
| CWS.Aff.Winshow |
Affiliate variant: Winshow - Comes in two flavours
Approx date first sighted:
July 13, 2003
Log reference: Reconstruction
Symptoms: Changed IE pages to youfindall.com,
BHO added to IE named 'winshow.dll'. Second variant hijacks to searchv.com
and also redirects mistyped URLs to a porn site, and reloads the
hijack on a reboot, or even sooner.
Cleverness: 5/10, second variant 8/10
Manual removal difficulty: Involves lots and
lots of Registry editing, a bit of hosts file editing and deleting
one file.
Identifying lines in HijackThis log:
O2 - BHO: WinShow
module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
|
Second variant CWS.Aff.Winshow.2:
O1 - Hosts file:
209.66.114.130 sitefinder.verisign.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}
- C:\Documents And Settings\username\Application Data\winshow\Winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - Global Startup: MSUpdater.exe |
This affiliate variant originally was quite innocent, consisting
only of one Browser Helper Object (BHO) named 'Winshow', with unknown
goal. It was frequently sighted together with other CWS variants.CWS.Aff.Winshow.2: The second variant of
this one also used the BHO and filename, but added a hosts file
hijack that redirected mistyped domains/URLs to a porn site, and
reloaded a IE hijack to searchv.com on reboot using a Registry command
file. One file named MSUpdater.exe was
sitting in the 'All Users' startup folder in the Start Menu, and
also reloaded the hijack. Deleting both files fixed the hijack.
It is still unknown what the BHO actually does. CWS.Aff.Winshow.3: A third version of this
variant exists, that uses the filename winlink.dll
for the BHO. It hijacks to both searchv.com and thesten.com. It
does not have the additional files the second version has. CWS.Aff.Winshow.4: A third version of this
variant exists, that adds an uninstall entry in Add/Remove Software
labelled Winshow, and auto-updates from
a Registry value named WinShowUpdate.
CWS.Aff.Winshow.5: A third version of this
variant exists, that uses the filename iefeatsl.dll,
hijacks to search-click.com and auto-updates from a Registry value
named iefeatslUpdate. It also downloads
and installs a BHO named SubmitHook. CWS.Aff.Winshow.6: A third version of this
variant exists, that uses a random string for its filename and folder,
with the same CLSID as the previous two variants, {587DBF2D-9145-4c9e-92C2-1F953DA73773}.
It also downloads and installs a BHO named SubmitHook and autoupdates
from a Registry value named Updater.
|
|
| CWS.Aff.Madfinder |
Affiliate variant: Madfinder - Kinda like ClientMan
Approx date first sighted:
October 15, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=14977
Symptoms: IE homepage changed to madfinder.com,
BHO with filename 'BrowserHelper.dll', hijack returning on reboot,
or even sooner.
Cleverness: 5/10
Manual removal difficulty: Involves a process
killer and lots of Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\svc.exeO1 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
- C:\WINDOWS\System32\BrowserHelper.dll
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
|
This variant seems to consist of two files that support each other.
svc.exe runs invisible, downloads the
second BrowserHelper.dll and installs
it as a BHO. However, this BHO file also contains the first file
and probably puts it back when it is deleted. The variant is always
accompanies by a hijack to madfinder.com. |
|
| CWS.Aff.Tooncomics |
Affiliate variant: Tooncomics - Changing the Internet
Approx date first sighted:
September 18, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?p=11617#11617
Symptoms: IE hijacked to tooncomics.com, targets
of hyperlinks on websites changed to porn sites
Cleverness: 9/10
Manual removal difficulty: Involves really lots
of Registry editing, and some hosts file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://tooncomics.com/main/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP
= http://66.250.130.194/main/hp.php
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
- C:\WINDOWS\DNSErr.dll |
This variant seems to be in the league of
CWS.Vrape, hijacking to porn sites, redirecting other porn sites
to itself, and even using a BHO to change the target of hyperlinks
to porn sites like eZula Toptext does. Some users even reported
being unable to download CWShredder because the links at the bottom
of this article were altered to point to porn sites. Manual removal
is pretty hard, because the DNSErr.dll
file responsible for the latter part of the hijack has no uninstall
built-in like most dlls. However, flat-out deleting the file has
no side effects.CWS.Aff.Tooncomics.2: There is a second
version of this hijack that Uses the filename
dnse.dll as the BHO, and a second file
ld.exe that is always running, reloading the hijack. In this
version, the IE homepage and search pages are changed to fastwebfinder.com.
A process killer is needed to get rid of ld.exe.
|
|
| Epilogue - The Fix Known As CWShredder |
| After reading all
of this, you must be under the impression that a CoolWebSearch hijack
is near impossible to fix since there are so many variants. Though
it is true that the conventional tools like Ad-Aware, Spybot S&D
and HijackThis won't fix all of the variants, there is one tool
that will. After about the 3rd CWS variant, I realized this particular spyware
company moved faster than any other I'd seen before, and that the
anti-spyware programs wouldn't be able to keep up with it. So I
decided to write a separate program dedicated to removing CoolWebSearch.
It's called CWShredder and can be downloaded
here, in several forms:
This removal tool will be updated for any new variants of CoolWebSearch,
as well as new affiliates that are sighted. It can remove all of
the variants mentioned above. Note that CWShredder is update very often.
If you have a copy that's more than a week old,
check for an update first before emailing me it's not working well.
|
|
| Epilogue - The Origin |
We are pretty sure
now CoolWebSearch is part of a new strain of trojans that have recently
been identified that all have one thing in common: they install
through the
ByteVerify exploit in the MS Java VM and change the IE homepage,
search page, search bar, etc. Take a look at this snippet from the
description of the
Java.Shinwow trojan:
This is a growing
family of trojans that exploits the
ByteCodeVerifier vulnerability in the Microsoft
Virtual Machine to execute unauthorized code on an affected
machine.
The variants of this trojan that we have seen in
the wild have been functionally diverse; the common
factor amongst them has been the use of the ByteVerify
exploit to achieve their goals. Some variants may
do little more than change the user's default Internet
Explorer home page and/or search page via modifications
to the registry. |
We strongly recommend you install the patch, available from
this MS security bulletin. If you have Windows XP with Service
Pack 1a, your system has no MS Java VM. Information on removing
the MS Java VM completely and replacing it with the newer, safer
Sun Java VM can be found
here. An a side note, some of the affiliates (Search-Meta has been verified)
use another Java exploit to install their malware. It's classified
as the
JS.Exception.Exploit, and a patch can be downloaded from this
MS security bulletin. In general, it's a good idea to keep your system up-to-date from
WindowsUpdate!! It has also been confirmed that 'Index.dat Viewer' changes your
IE search pages to superwebsearch.com, a CWS affiliate page, after
installing it. Uninstalling Index.Dat Viewer will not restore
your search pages. |
|
| Donate / Contact Me |
If you find this page helpful or helps you remove CWS from your
system, we would very much appreciate a donation:
If you have any problems, questions or comments concerning this
document, you can email me if you like.
Merijn,
However, if you want to send me a flame email or a class action
lawsuit notice, don't bother. I didn't
create Coolwebsearch or install it onto your browser
. If I would have, why would I detail this entire thing
and provide you with a fix for free?
|
|
The following domains belong to CWS affiliates
and can be found on infected systems. This list is included to help people find
this page. You should not be reading it. :) \blank.html \homepage.htm \hp.htm \notfound.html \search.htm \searchbar.htm
\sec32.html \sec64.html \secure.html \secure32.html \securityid \sb.htm 008k.com
008i.com 00hq.com 0calories.net 1-domains-registrations.com 1-se.com 100gal.net
100sexlinks.com 101lottery.com 10money.us 123keno.com 130.94.72.17 143f*ck.com 157.238.62.14
193.125.201.50 1check.us 1cost.us 1loss.us 1pill.us 1se.ru 1sexparty.com 1stfind.com
1stpagehere.com 1weight.us 356563.net 3624716320 2020search.com 205.177.124.66 209.8.161.53
209.66.114.130 213.159.118.226 216.65.3.68 216.65.101.250 24teen.com 30search.com
31234.com 36site.com 4-counter.com 4corn.net 4pokertips.com 64.237.45.18 64.237.57.215
64.246.33.179 64.246.33.191 65http.cc 66.117.14.138 66.117.38.91 66.197.100.83 66.250.107.99
66.250.107.100 66.250.107.101 66.250.130.194 66.250.130.200 66.250.170. 66.250.171.167
66.250.57.26 66.250.57.27 66.250.57.28 66.250.74.150 66.98.142.163 66.98.198.202
69.0.214.45 69.50.184.52 69.50.184.53 69.61.38.52 69teenage.com 75tz.com 777top.com
80pictures.com 81.211.105. 888net.net 8ad.com 99livecam.com a2zlinks.com aamhi.com
about-blank.biz about-blank.ws about:_blank aboutclicker.com abrp.net accessthefuture.net
acemedic.com achea.org acoolwebsearch.com actionbreastcancer.org activexupdate.com
ad25.com ad45.com ad77.com ad86.com adamsupportgroup.org adasearch.com adipics.com
adoptawaitingchild.org adspics.com adult-engine-search.com adult-erotic-guide.net
adult-friends-finder.net adulterotica4free.com adulthyperlinks.com adulttds.com
advert.exaccess.ru agentstudio.com africaspromise.org afterlifetelegrams.com aifind.cc
aifind.inf aifind.info akademyayadogru.org akril.com alcatel.ws aleateia.org alfa-search.com
alfreethought.org all-dating-secrets.com all-inet.com allabtcars.com allabtjeeps.com
allcybersearch.com allhyperlinks.com allinternetbusiness.com allneedsearch.com allsearch.ws
alltheweb.ru almarvideos.com amandamountains.com amigeek.com amisbusiness.com amisexyornot.co.uk
analmovi.com anin.org annaromeo.com antrocity.com any-find.com anything4health.com
approvedlinks.com apsua.com aregay.com arheo.com arizonaweb.org armitageinn.com
aroundweb.com art-func.com art-xxx.com artachnid.com ashenvale.xu.pl asiangirls.ss.ru
asiankingkong.com askgates.com ass-gals.com asuid.org athenrye.com audioseek.net
auto-parts.ws avian-ads.com awebfind.biz ayakawamura.com ayumitaniguchi.com baccarat.md
bad-credits.net bad-url.com bankruptcy-police.com bannedhost.net barbudafarms.com
barnandfence.com barnetshenkinbridge.com batsearch.com baygraphicsllc.com bb-search.com
bbbsearch.com bedhome.com bediadance.com bellabasketsfl.com bernaolatwin.com best-counter.com
best-hardpics.com best-offers-for-you.ws best-search.cc best-search.info best-searchengine.com
best-winning-casino.com bestbabekiss.com bestcrawler.com bestfor.ru bestfreepic.com
bestporngate.com bestteenagers.com bestxporno.com biblelifechurch.org bigpornguide.com
bitchonmydick.net biz-partner.org biz-partners.net bizonio.com blackjack.md blackjack-free.net
blender.xu.pl blussy.com bodaciousbabette.com boobdoll.com boobsandtits.com boobsclub.com
boredlife.com bowlofogumbo.com bradcoem.org brainbeat.net brandiyoung.com brookeburn.com
brutal-video.net bsnlbuldhana.com bucketbooks.com bucps.com buildhere.org burgerkingbigscreen.com
buscards.net business-cc.com bustyrussell.com buttejazz.org buymeds.com buyselldomain.net
calcioturris.com cameup.com canberracricketcoaching.com candyasians.com candycantaloupes.com
cantfind.com careers.dulcineasystems.net carsands.com carsrentals.net casino-007.com
casino-gambling-1.net casino-gambling-2.net casino-onlines.net casino.com.free.game.pogo.gratisdownloads.nl
casino2win.net casinomidas.net casinonline.net casinos-online.md catallogue.com
cataloweb.net catlist.com catsss.da.ru caxa.ru cc-debt.com cclebali.org ceewawires.org
certumgroup.com chelancatering.com chfela.org chicagocub.com childpaysite.com childrenvilla.com
china-design.org chipovka.ru chips-4-free.com chrisswasey.com chriswallace.net ciaclinton.com
cigarettes-directory-usa.com cimfel.com ckick4thumbs.com clackamasliteraryreview.com
clearsearch.cc clearsearch.net click2findnow.com clickaire.com clickfor-xxx.com
clickyestoenter.net closexxx.com clrsch.com club-super-sex.com clubasean.org cmtapestry.com
collcom.com conetka.com consumer-credits.com cool-homepage cool-homepage.co cool-homepage.com
cool-search.com cool-search.net cool-search.netfartpost.com cool-web-search.com
coolfetishsite.com coolfreehost.com coolfreepage.com coolfreepages.com coollocator.com
coolloud.org coolmoneysearch.com coolpornsearch.com coolsearcher.info coolsearcher.net
coolwebsearch. coolwebsearch.pay-sites.net coolwebsearsh.com coolwwwsearch. copmtraine.com
copyporn.com couldnotfind.com count-all.com cracks.me.uk cracks4u.com craps.md crawlermachine.com
creamedcutties.com creditsearchonline.com crestring.com crooder.com culvercountry.com
curvedspaces.com cvs.jps.ru cvsymphony.com cyberneedfulthings.com cydom.com daily-gals.com
daily-virgins.com dancingbabycd.com datanotary.com datareco.com datasearch.info
davemarshall.org dcfitusa.com dedmazai.com default-homepage-network.com defaultsearch.com
defaultsearch.net defaultsearching.com deftonsm.com desarrollocreativo.com detroitigers.com
dev.ntcor.com develip.com devilteensex.com dewis.h1.ru dewis.spb.ru dewis.us df809jow4wj2304lfd0sf9fsd0a2t4ldf809jow4wj2304lfd0sf9fsd0a2t4ld.biz
diamondsearch.info diannemackay.com dietpills4free.com dietpillz.org dietpussy.com
digistreamsa.com dionforvalleycouncil.org disavowed.net doctorwaldron.com document-not-found.pornpic.org
doggyaction.com domain-your-registration.com domains-for-you-online.com domains2003.net
domkrat.com dopestar.org dotmaniac.com download-crack.com downloads-mp3.net dp-host.com
dragqueen.gay-clan.com drug-interactions-reference.com drug-sources-exposed.com
drusearch.com drvvv.com drxcount.biz dsm.xu.pl dubolom.com dutch-sex.com dvdbank.org
e-localad.com e-plus.cc e-websitesolutions.com eameschairsandmore.com eases.net
easy-search.net easycategories.com easyteenies.com ebonybabeclub.com ebonyboom.com
ecbaonline.org ecosrioplatenses.org ecstasyporn.net effnetedge.com efim2003.org
efinder.cc ehttp.cc ehypercard.com eikokoike.com el-chiringuito.com enjoysearch.info
epornsex.com eroticwoman.net error.99fh.com euuu.com everythingonweb.net evidence-detector.biz
evilspidercomics.com ewcca.org ewebsearch.net excellentsckin.com exmoney.ru explore-it.org
extremeseek.net ez2seek.com f*ckdenniss.com f*cknicepics.com faithstevens.com famestation.com
family-incest-sex.net fanpmh.t.muxa.cc fantasiewelten.com farmsteadbandb.com fartpost.com
fastgoogle.com fastsearch.cc fastwebfinder.com faxporn.com filthlesbians.com finance-loans.com
financial-aid-refinance.com find.microgirls.com find-itnow.com find-online.net find-uk-health.co.uk
find4u.net findemnow.com finder2003.com findit-now.com findloss.com findonline.com
findsexxx.us findsx.com findthesite.com findthewebsiteyouneed.com findwhat.com finetimesearch.com
fionasteel.com firstbookmark.com firstbookmark.net fitness-free.com foodvacations.net
forex.jps.ru forexcredit.com forexcredit.ru formingfusions.com forsythfire.net forthline.com
fortleesaloon.com freddee.com free-chipes.com free-dating-free.com free-delivery-pharmacy.com
free-f*cking-video.com free-hardporno.com free-hit.com free-pics-and-movies.com
free-sex-movie-clips.net free4porno.net free64all.com freebookmark.net freebookmarks.net
freecategories.com freecoolhost.com freednshost.info freejuicysluts.com freepornisland.com
freerbhost.com freeshemalepics.net freewebs.com freeyaho.com freshseek.com freshteensite.com
freshvideogals.com f*cknicepics.com f*ckporn.com future-factory.org gabrielscott.com
gallview.com galpostgirls.com gals-for-free.com gals-for-free.com gambling-online4you.com
gameterror.net gaming.md gay50.com generalsmeltingofcanada.com german-club-manila.com
geteens.com getfound.com getpicshere.com gigafinder.com gimmezamore.com gimnasiaer.com
girls-porn-life.com girls.ss.ru gkicp.info glbdf.org global-finder.com globalhosting4u.co.uk
globe-finder.cc globe-finder.com globe-finder.net globesearch.com gocybersearch.com
gofreegalleries.com golftennis.net gonnasearch.com good-mortgages-calculator.com
good-mortgages.net goodsexs.com googlebar.jps.ru googlebrain.com googlf.com gotof*cks.com
gradforum.org gratis-porn-movie.com gratis-pornopics.com greg-search.com grokfusebox.org
gs-microdrive.com gsnh.org guzzycats.com gzphoenix.com hallnetaccolade.com hand-book.com
hangoutspot.com happy-money.net happyanal.com hard-gals.com hardbodytgp.com hardcore4ever.net
hardcoreover.com hardloved.com hardporndreams.com hardwareseek.net hardysex.com
harukaigawa.com haznegocios.com hccsolanonapa.org headinsurance.com health-protein.com
heartacheandmisery.com heartsmeeting.com hentai4u.net here4search.com heyrichy.com
hi-search.com hiddenguides.com hitlistlyrics.com hitq.com hits4biz.com hizen.org
holidayautostr.com home2ocean.org homematures.com homemortage.ws homepage.ru hostssp.com
hot-cartoon-sex.anime.american-teens.net hot-searches.com hotbookmark.com hotels-list.net
hotelxxxcams.com hotfreebies.com hotnetsearch.com hotpopup.com hotsearchbox.com
hotsex-series.com hotstartpage.com hotsurf.com hotwebsearch.com houstonfugitives.com
hq-search.com hqdick.com hqsex.biz http:/// http://startpage hugeporn4u.net hugesearch.net
hunacsa.com hunteros.com hupacasath.com hyperpaths.com hzsx.com i--search.com i-lookup.com
icanfindit.net icansearch.net iciinfo.com idgsearch.com ie-search.com iefeadsl.com
ieplugin.com ifinditall.com images.extreme-virgins.com images.hard-virgins.com images.only-virgins.com
imaginedp.net incestporngate.com indie.ru infodigger.net infoglobus.com inherhole.com
insertthiscock.com insurance-flood.net insurance-quotes-search.net insuranceall.net
interactive-forum.org inter-casinos.net internetsearch.ru inwardhouse.org ionichost.com
ionomist.com iplsolo.org ipsex.net isacasa.org itchytushy.com itsanal.com itseasy.us
iweb-commerce.com iwebland.com javascript:window.close() jeannineoldfield.com jengadss.com
jennilyn.com jethomepage.com jetseeker.com jewsformckinney.org jmhgallery.org joannelatham.com
johnsonsausage.com judin.ru junkysex.com karleyt.narod.ru kathisomers.com kazaa-lite.ws
keithgreenpro.com kenmccaul.com keno.md kiev.ua kilosex.com kimhines.com kinoru.com
kissebony.com kitasearch.com kliksearch.com klodcash.com kloun.com klounada.com
ksdspups.org landrape.com laopen.org lastories.net lauraroebuck.com leannalovelace.com
lesbianporndreams.com lesbisite4u.com lesobank.ru libertyonlinehosting.com lickingorgy.com
lickingpalace.com liferowboys.com lingerie-mania.com linklist.cc linkph.com lisamatthew.com
list2004.com list666.com litmagkiosk.com liveholio.com livenewspaper.com look.com
lookfor.cc looking-for.cc looksa.com louiseleeds.com love-pix.com lovelas.com lovelysearch.com
low-taxes.com luckysearch.net lunitaweb.net lustful-porno.com mackinnonsbrook.org
madfinder.com madisonmoons.com madisonoilco.com madonalive.com magicsearch.ws majuozawa.com
make-online-biz.com make-search.com makin-do.com male4free.com maltayellowpages.com
mannixforgovernor.com mano.ru map-quest.org marilynchamber.com martfinder.com massearch.com
matetrava.com mature50.com matureporngate.com maturesincest.pictures1.net maturs.com
maxdzines.com maximumsearch.net maxxxhosters.com mcgeeforlabor.com mdstunisie.org
mediatracker.org medicare-insurance.net medicare-supplemental.com medicine-matters.com
mega-dating.net mega-dating-tips.com megumikanzaki.com meshalynn.com meta-adult.com
meta-casino.com meta-mobile.com meta-porn.com meta-shop.com metafora.ru metapoisk.ru
michiyonakajima.com miconsultamedica.com microgirls.com mig29here.com mikasakamoto.com
mikoni.com militarygods.porn4porn.net millennialpeople.org millergames.net mintorphone.com
mipham.org missingcommand.com mommykiss.com moneybg.com moneyhunters.com montgomeryhospitalanesthesia.com
moremagicsoftware.com morflot.com mortgage-debt.net mortismaximus.com moscowwhores.com
mostsexygirls.com motor-search.info moviecategories.com mp3--songs-security.com
mp3-pix.com mrtg.jps.ru mshp.dll msie.cc msn-info.net multigals.com multioffers.com
multipussy.com mundopolar.com museodeartecostarricense.com mustv.com muxa.cc mvp.org
my.search my-find.com my-viagra.org myfastsearch.net myhandysearch.com mypoisk.com
mypoiskovik.com mysearch-results.com mysearchnow.com myselfsearch.com mysticalchristmas.com
mywebsearch.net nativehardcore.com naturalspy.com nbasportsbook.net needf*cknow.com
nellyslyrics.com nepgyan.com nesrecords.com netshastra.net nettime.ru nettracker.jps.ru
netyellowpages.info new.pictures1.net new-incest.com newcategories.com newcracks.com
newcracks.net newlife-lajolla.com newsexgate.com newtonsracks.com newxpics.com nfire.org
ngasaw.com nhlsportsbook.net niagaracapital.com niche-tv.com niddabeilles.com nkvd.us
nmrba.com nnsearch.biz noblindlinks.com nocalories.net nocensor.com nonelarai.com
normandcompany.com norsty.net novaf*ck.com nsbabes.com ntsearch.com nuclearwitness.org
nudefreebabes.com nudematuresite.com nudestar.org nursemania.com nvntour.com nvphall.org
oborot.com ocalalivestockmarket.com ocsff.com oeatlanta.com oharrowsearch.com ok-search.com
okulta.com omega-search.com omegabrains.net online--gambling.com online-casino-1.net
online-casino-bonus.info online-casinos-x.com online-gambling.md online-winning.net
onlineserverz.com onlinetradings.net only18plus.com onlycunt.com onlyinsured.com
onlyrandom.com oopsearch.com operanabuco.com opsex.com oregoncharters.org otrlives.com
outrageousorgy.net ozawamadoka.com paigesummer.com pamelacollections.com panamcup.com
pantygirls4u.com pantyhoserealm.com pantyplace.com parenting-directory.com partnersinpeace.org
pastubes.com paulapage.com paulhoover.com payfortraffic.net pedo.ws pentameter.org
people.1gb.ru perfect-search.info perfectseeker.com pervertbot.com pharma-diet-pills.com
pharmacy2003.com pharmalocator.com phendimetrazine-tenuate-adipex.com pics-videos.com
picsdir.com picsforbucks.com picsofseductiveladies.com pictures1.net pills-birth-control.com
pillsbook.com pillsmall.com pilotronix.com pixpox.com planemusic.com poiska.net
poker-casino-free.com poker-games-free.net polradiologia.com pooi.net popuptoast.com
porn-mix.com porn-teacher.com porncamz.com pornclon.com porncross.com pornfree.info
pornnightdreams.com pornokopec.com porntetris.com porntwist.com power-search.info
powerwebsearch.com prblitz.com pretypics.com pribalt.com privacy-support.biz privatediet.com
privateporn.net prn.ru prostactive.com prostol.com protect-yourself.biz prsainlandempire.org
purescans.com put-your-link-here.com pyrocorp.com quertysearch123.biz quick-search.ws
quickreplies.net quiksearchgenealogy.com qwertysearch123.biz radfrall.org radiomillon.com
ramgo.com ranafrog.ne rapegate.com real-yellow-page.com redbudbmx.com refinance-help.com
refinance-mortgage-now.com removeearthkeepers.org rightfinder.net riviera.cc robbsproshop.com
robertferencz.com robertferencz.com rotocasters.com royalsearch.net rugbydoctors.com
running-pages.com runsearch.com russiansponsor.com russogay.com s2.exocrew.com sacitylife.com
sama.ru samplegals.com satisf*cktion.net savehits.com savvysecretary.com sbssurvivor.com
sbssurvivor.com scanthenet.com scarypix.com sccdnet.com sceauxbasket.com scents4centsonline.com
scholarstones.com schoolforest.com scienceweek-tas.org scin-care-drugs.com search-1.net
search-2003.com search-about.net search-aid.com search-and-find.net search-and-go.com
search-click.com search-company.com search-direct.net search-dot.com search-hawk.com
search-internet.net search-log.com search-meta.com search-safe.com search-space.com
search-town.com search.psn.cn search.scourweb.net search.xrenoder.com search2004.net
search47.com searchable-sex.com searchadultweb.com searchall.info searchallhere.com
searchbutler.com searchbuttler.com searchbutler.org searchcentral.cc searchclub.ws
searchcomplete.com searchdesire.com searchdot.net searched.cc searchengine2000.com
searchexpander.com searchfastnet.com searchfeed.com searchforge.com searchhtg.com
searching-the-net.com searchinn.com searchmeta.md searchmeta.net searchmeta.ru searchmeta.webhost.ru
searchmeup.com searchmyrequest.com searchnow.ws searchonfly.com searchreply.com
searchscore.net searchscreens.com searchv.com searchvph.com searchweb.ws searchx.cc
searchxl.com searchxp.com sebot.com securenp.org security-warning.biz seehardcore.com
seek-all.com seekaround.com seekwell.net selfbookmark.com selfbookmark.info selfbookmark.net
server224.smartbotpro.net sesupport.com sex.free4porno.net sex-coach.com sex-everyday.com
sex-festival.com sex-melody.com sex-true.com sex-video-galleries.com sexfilms.ru
sexgalleries4all.com sexhits.org sexinside.net sexjc.com sexmoviesnet.com sexpatriot.net
sexy18.cc sexycat.adult-host.org sexysgirls.com sfbayfolkboats.com sgirls.net sharempeg.com
shopcards.net shopknights.com sic02.com sintrader.com site1.ru sites-in-web.com
sitevictoria.com sixroads.com skakalka.ru slawsearch.com sleazydream.com slot.md
slotch.com smart-finder.biz smartbotpro.net smartsearch.ws smartsumo.com smutarchive.net
solongas.com sonomaevents.com soul-killer.com spermatrix.com spicyebonysex.com sportbooks-free4you.com
spros.com spyass.com spyorgy.net sqwire.com staceyowens.com stacistaxx.com stacystaxx.com
stardomthemovie.com start-search.com start-space.com steamycock.com sterva.com stevecashdollar.com
stickylist.com stop-tracking.biz stopvotefraud.com stopxxxpics.com strekoza.com
studiothirteen.net stuffstore.com stuphome.com styleclickink.com summercollins.com
summitcross.com super-spider.com super-websearch.com superwebsearch.com superbookmark.com
supersexmachine.com superstarved.com superwebsearch.com supret.com surfast.info
suzannebrecht.com sweetasiansex.com sweeteenz.com sweeties.teensfestival.com sweetpornfantasies.com
swift-look.com syspage.com systemupdate.ws t.rack.cc t34rulit.com tabi-tv.com tacil.org
tamquangtemple.org tangounion.com tastethemusic.com tax-refund4you.com tech-jobs.ws
technology-related.com teen-biz.com teen-pic-post.com teenagepic.com teenagesecrets.biz
teenhqpics.com teenpornosex.com teens4free.net teensact.com teensgate.com teensguru.com
teenshells.com teenstouch.com teenswamp.com teenysexx.com tehranzamin.com telaquente.com
terrorist-prep-info.com testosterone-birth-control.com the-exit.com the-huns-yellow-pages.com
the-right-start.com theadultgate.com thebestse.com thefakejournal.com thehuy.net
theproxy.org therealsearch.com thesearchs.com thestas.com thesten.com thestex.com
thethumbsite.com thinkoctopus.com thornleygroup.com tings.org tinybar.com tit-x.com
titanvision.com titsianna.com tobiasjenny.com toddhayes.com toon-comics.com tooncomics.com
topfivesearch.com toprefsys.com topsearcher.com toteen.com traffcash.com trafficback.com
trafficswitcher.com trans4u.net travel.picture-posters.com triplexlist.com tropotun.com
true-counter.com true-portal.com trumble-trumbull.com trytechnical.com ufindall.click-now.net
ulovesex2.com ultralinks.info umaxsearch.com une-autre-france.com uni-porn.com unigays.com
unipages.cc up2you.ru urlstat.com urlstat.ru uralitel.ru ursie.net usatodayradionews.com
uspninternet.com utahsweet.com utopicportal.com uusocialjustice.org v61.com vaginpics.com
valmyers.com vegas-free.com vegbuy.com veloventures.com verzila.com victoriaadam.com
videocategories.com videsee.com viewpornkey.com vitamins-for-each.com votehowe.org
vxebony.com wakeupdick.com warnomore.org watersport-specialties.com web-1000.com
web-4-design.com web-homepage.net web-search.tk webacedialer.com webcoolsearch.com
webcounter.cc webeasyfind.com webforhumans.com webraing.ru websearch.net websearch4u.com
websearch4u.net websearchdot.com websearchup.com weekend-movies.com weekly-teens.com
weeklytop.net wetpornostars.com wetsearch.ws what2find.com whatsyoursearch.com white-pages.ws
whittierblvd.com whopass.com win-in-casino.com windowws.cc winshow.biz wiresearch.com
wmmse.com wolfpacracing.com wordlist.jps.ru worldmpeg.com wpc2001.org wspzone.sexpornonline.com
wwwbet.net wwwbetting.net wwwhellomoto.com wwwpokergames.com wwwpokerplayers.com
wwwroulette.net x-library.com x-webdesign.com xcomics4u.com xic-bs.com xldr.com
xp18.com xrenosearch.com xtragay.com xu.xu.pl xwebsearch.biz xxxcategories.com xxxemailxxx.com
xxxxxx.com.ru xyesearch.com y-e-l-l-o-w.com yandex.ws yeah.com yellow500.com yezol.com
you-search.com you-search.com.ru youfindall.com youfindall.net young-erotic.com
your.com your-prescriptions.net your-search.cc your-search.info yourbookmarks.info
yourbookmarks.ws yoursearch247.com youthpassagenet.org ypir.com ysa-info.net yudacollege.org
yukohamano.com ywebsearch.info zambeel.com zapros.com zesearch.com zetta-search.com
ziportal.com zipportal.com znext.com zonebest.com zoneoffreeporn.com zoomegasite.com
zvimigdal.com zyban-zocor-levitra.com
Society
Groupthink :
Two Party System
as Polyarchy :
Corruption of Regulators :
Bureaucracies :
Understanding Micromanagers
and Control Freaks : Toxic Managers :
Harvard Mafia :
Diplomatic Communication
: Surviving a Bad Performance
Review : Insufficient Retirement Funds as
Immanent Problem of Neoliberal Regime : PseudoScience :
Who Rules America :
Neoliberalism
: The Iron
Law of Oligarchy :
Libertarian Philosophy
Quotes
War and Peace
: Skeptical
Finance : John
Kenneth Galbraith :Talleyrand :
Oscar Wilde :
Otto Von Bismarck :
Keynes :
George Carlin :
Skeptics :
Propaganda : SE
quotes : Language Design and Programming Quotes :
Random IT-related quotes :
Somerset Maugham :
Marcus Aurelius :
Kurt Vonnegut :
Eric Hoffer :
Winston Churchill :
Napoleon Bonaparte :
Ambrose Bierce :
Bernard Shaw :
Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient
markets hypothesis :
Political Skeptic Bulletin, 2013 :
Unemployment Bulletin, 2010 :
Vol 23, No.10
(October, 2011) An observation about corporate security departments :
Slightly Skeptical Euromaydan Chronicles, June 2014 :
Greenspan legacy bulletin, 2008 :
Vol 25, No.10 (October, 2013) Cryptolocker Trojan
(Win32/Crilock.A) :
Vol 25, No.08 (August, 2013) Cloud providers
as intelligence collection hubs :
Financial Humor Bulletin, 2010 :
Inequality Bulletin, 2009 :
Financial Humor Bulletin, 2008 :
Copyleft Problems
Bulletin, 2004 :
Financial Humor Bulletin, 2011 :
Energy Bulletin, 2010 :
Malware Protection Bulletin, 2010 : Vol 26,
No.1 (January, 2013) Object-Oriented Cult :
Political Skeptic Bulletin, 2011 :
Vol 23, No.11 (November, 2011) Softpanorama classification
of sysadmin horror stories : Vol 25, No.05
(May, 2013) Corporate bullshit as a communication method :
Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000):
the triumph of the US computer engineering :
Donald Knuth : TAoCP
and its Influence of Computer Science : Richard Stallman
: Linus Torvalds :
Larry Wall :
John K. Ousterhout :
CTSS : Multix OS Unix
History : Unix shell history :
VI editor :
History of pipes concept :
Solaris : MS DOS
: Programming Languages History :
PL/1 : Simula 67 :
C :
History of GCC development :
Scripting Languages :
Perl history :
OS History : Mail :
DNS : SSH
: CPU Instruction Sets :
SPARC systems 1987-2006 :
Norton Commander :
Norton Utilities :
Norton Ghost :
Frontpage history :
Malware Defense History :
GNU Screen :
OSS early history
Classic books:
The Peter
Principle : Parkinson
Law : 1984 :
The Mythical Man-Month :
How to Solve It by George Polya :
The Art of Computer Programming :
The Elements of Programming Style :
The Unix Hater’s Handbook :
The Jargon file :
The True Believer :
Programming Pearls :
The Good Soldier Svejk :
The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society :
Ten Commandments
of the IT Slackers Society : Computer Humor Collection
: BSD Logo Story :
The Cuckoo's Egg :
IT Slang : C++ Humor
: ARE YOU A BBS ADDICT? :
The Perl Purity Test :
Object oriented programmers of all nations
: Financial Humor :
Financial Humor Bulletin,
2008 : Financial
Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related
Humor : Programming Language Humor :
Goldman Sachs related humor :
Greenspan humor : C Humor :
Scripting Humor :
Real Programmers Humor :
Web Humor : GPL-related Humor
: OFM Humor :
Politically Incorrect Humor :
IDS Humor :
"Linux Sucks" Humor : Russian
Musical Humor : Best Russian Programmer
Humor : Microsoft plans to buy Catholic Church
: Richard Stallman Related Humor :
Admin Humor : Perl-related
Humor : Linus Torvalds Related
humor : PseudoScience Related Humor :
Networking Humor :
Shell Humor :
Financial Humor Bulletin,
2011 : Financial
Humor Bulletin, 2012 :
Financial Humor Bulletin,
2013 : Java Humor : Software
Engineering Humor : Sun Solaris Related Humor :
Education Humor : IBM
Humor : Assembler-related Humor :
VIM Humor : Computer
Viruses Humor : Bright tomorrow is rescheduled
to a day after tomorrow : Classic Computer
Humor
The Last but not Least Technology is dominated by
two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt.
Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org
was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP)
without any remuneration. This document is an industrial compilation designed and created exclusively
for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong
to respective owners. Quotes are made for educational purposes only
in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains
copyrighted material the use of which has not always been specifically
authorized by the copyright owner. We are making such material available
to advance understanding of computer science, IT technology, economic, scientific, and social
issues. We believe this constitutes a 'fair use' of any such
copyrighted material as provided by section 107 of the US Copyright Law according to which
such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free)
site written by people for whom English is not a native language. Grammar and spelling errors should
be expected. The site contain some broken links as it develops like a living tree...
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or
referenced source) and are
not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness
of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be
tracked by Google please disable Javascript for this site. This site is perfectly usable without
Javascript.
Last modified:
March 12, 2019
