Here we go.. the "coolwebsearch" nasty guys have escalated their efforts and now even are blocking access to some security sites by altering people's hosts files once again. It appears that cwshredder hasn't been updated to catch this yet.. Please read this thread by Tom Coyote.
http://forums.tomcoyote.org/index.php?showtopic=3053

there are only two entries in that thread so far, so I'll quote them (both made by Tom)


Jan 15 2004, 09:07 PM
This is to inform that there is a version of CWS going around that will block your access to anti-spyware sites

There will be an email soon to all members of this board so that you know what to do in order to regain control over this problem

Pass this information on to your friends as they may not be able to get here without your help

Jan 15 2004, 09:19 PM
Are you having difficulty accessing security-related websites ?

You could have been hit by one of the latest hosts file scam by the Not-Coolwebsearch people...

Easy enough to fix this.

Get this program called Hosts File Reader. It will show the hosts file wherever it is located.

http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe

Run the program and look at the bottom part of the window, if an entry is there, double click it.

You should see the contents of that file appear in the top part of the window. You can then change, delete, append, do what you want to the file using that utility.

If you do not consciously use a hosts file, you can choose to delete it. If you do use a hosts file, then you probably know how to deal with the entries listed.

If you aren't sure, there is the "Enable/Disable" function you can use. Disabling, will backup the current hosts and create a new default one. By doing this, you should be able to access those sites again.

The current (partial) list of sites blocked by this latest malicious hosts file is:

forums.spywareinfo.com
www.spywareinfo.com
www.merijn.org
merijn.org
spywareinfo.com
www.computercops.biz
computercops.biz
dslreports.com
www.dslreports.com
www.lavasoftsupport.com
lavasoftsupport.com
forums.net-integration.net
www.tomcoyote.org
tomcoyote.org
www.wilderssecurity.com
wilderssecurity.com
www.lavasoftusa.com
lavasoftusa.com
security.kolla.de
www.security.kolla.de
www.lavasoft.de
lavasoft.de


If you haven't heard of CWS, then you should read the info at this link.
Document last updated: January 5, 2004
http://www.spywareinfo.com/~merijn/cwschronicles.html

HiJackThis (http://tomcoyote.org/hjt/)...Zipped version of CWShredder (http://www.merijn.org/files/cwshredder.zip)--
If you get a virus warning for W32/Generic.worm!p2p, try this link instead: Unpacked version of CWShredder (http://www.merijn.org/files/cwshredder_u.zip)
If you get a message saying 'A required dll, MSVBVM60.DLL, was not found', install this first:
Visual Basic 6 runtime libraries from Microsoft (http://download.microsoft.com/download/vb60pro/Redist/sp5/WIN98Me/EN-US/vbrun60sp5.exe)

At least AO didn't end up there.. :D

That's very clever of them blocking some of our favorite sites.... I do wonder though if that could be construed as interfering with business? I also wonder what the websites on the list would say if they knew they were being blacklisted?

Hmmm... I thnk I may have to drop a couple emails a little later, just to see what they say. Good find jenjen.

Surely Lavasoft have some case against them considering it will affect users of Ad-Aware?

These guys go way to far when it comes to Spyware methinks.

My parents never loved me, :cry:

and now CW won't put my favourite website on their hitlist....and IT IS A HITLIST!! with all the ramifications? This is war?...I cannot choose a proper security site? who the hell do they think that they are. ::hide-beh

Well like groovicus I have a bit of mailing to do, the main site is here:

http://www.usdoj.gov/criminal/cybercrime/reporting.htm

I will start the European trouble tomorrow.

As William Shakespeare said: "Cry Havock! and unleash the dogs of war"

MsM..........can you get me the components for an old Remington computer with a 3006 processor? Just a few bits (bytes) at a time :D .......I will find the mercury (errr...memory?)

Good luck to all

appears that cwshredder hasn't been updated to catch this yet
It looks like the guy who makes CWShredder at Merijn.org has been on vacation from Jan 9 to Jan 19. So, that is probably why it does not take care of this new version.
But he is back tomorrow, I would look for an update to CWShredder soon.

OK, I am not sure how the system handles this, so I am trying a new post?

Your Article has been received...

Thanks for your submission!

We will check your submission in the next few hours, if it is interesting and relevant we will publish it soon.
At this moment we have 1 submissions waiting to be published.

I am a member of "Computer Cops"...might be good to bring in people from another "precinct"

I am sure that they will be highly amused?

I will now revert to my original intentions..............

Good luck and god bless

EDIT: I have now contacted a couple of organisations with interests along Pennsylvania Avenue.......I await responses, but my e-mail is a bit sporadic, so if anyone in the States wants to try, please do :)

Man that is some shit. So does anyone remember the line between spyware and a virus?



New from Gator The FDISK 1000!

Thats right, the company you have know and loved has realeased its best product to date! After our program takes all your important information and sells it on the ad company black market, it then performs a full system Format and replaces your precious files with softcore porn. All while we flash you ad after ad of Viagra and Viagra based products. So why wait...just kidding you don't have to, we have incorporated our product with every major software product in existance so we know for a fact that you have at least 4 versions of our product running on your computer at any given moment.

So have fun while we dig up your grandparents and sell their precious jewlery to the nearest pawn shop!

Gator - We **** your Life"

BTW.... trojan.startpage.... once it affects ur system change the default page to mycoolwebsearch...

Now are this two things connected in any manner... If yes.. I think that is absolutely unethical....

You cannot force people to mark ur site as their start page by playing a havoc with there systems...

Is a legal recourse possible for such type of activities......

Regards

Hi folks, I must say that the "THIS IS NOT AN AUTOMATED RESPONSE" from Supervisory Special Agent David.N.Rushing was a little "limp" IMHO :(

However, perhaps the "B" Team can deliver?

This is what I sent them:

Hello,

I am an IT professional in Europe, and belong to a number of security orientated websites. I was most disturbed to encounter the following:

new version of "coolwebsearch" blocks access to some security sites posted Yesterday 10:42 PM
(post #1)

Here we go.. the "coolwebsearch" nasty guys have escalated their efforts and now even are blocking access to some security sites by altering people's hosts files once again. It appears that cwshredder hasn't been updated to catch this yet.. Please read this thread by Tom Coyote.
http://forums.tomcoyote.org/index.php?showtopic=3053

there are only two entries in that thread so far, so I'll quote them (both made by Tom)

quote:

Jan 15 2004, 09:07 PM
This is to inform that there is a version of CWS going around that will block your access to anti-spyware sites

There will be an email soon to all members of this board so that you know what to do in order to regain control over this problem

Pass this information on to your friends as they may not be able to get here without your help


quote:
Jan 15 2004, 09:19 PM
Are you having difficulty accessing security-related websites ?

You could have been hit by one of the latest hosts file scam by the Not-Coolwebsearch people...

Easy enough to fix this.

Get this program called Hosts File Reader. It will show the hosts file wherever it is located.

http://members.shaw.ca/techcd/VB_Pr...sFileReader.exe

Run the program and look at the bottom part of the window, if an entry is there, double click it.

You should see the contents of that file appear in the top part of the window. You can then change, delete, append, do what you want to the file using that utility.

If you do not consciously use a hosts file, you can choose to delete it. If you do use a hosts file, then you probably know how to deal with the entries listed.

If you aren't sure, there is the "Enable/Disable" function you can use. Disabling, will backup the current hosts and create a new default one. By doing this, you should be able to access those sites again.

The current (partial) list of sites blocked by this latest malicious hosts file is:

forums.spywareinfo.com
www.spywareinfo.com
www.merijn.org
merijn.org
spywareinfo.com
www.computercops.biz
computercops.biz
dslreports.com
www.dslreports.com
www.lavasoftsupport.com
lavasoftsupport.com
forums.net-integration.net
www.tomcoyote.org
tomcoyote.org
www.wilderssecurity.com
wilderssecurity.com
www.lavasoftusa.com
lavasoftusa.com
security.kolla.de
www.security.kolla.de
www.lavasoft.de
lavasoft.de


Now, if a scumware provider can do that....what could they do in terrorist hands...assuming that they are not already? I feel that cyberterrorism is the next threat, and if people like this are allowed to continue in their greed it threatens US National and Global security?

I would be very interested in your assurances that this matter is being dealt with........I will be raising it in Europe within the next few hours

God Bless
Johnno


That was to the US Secret Service :)

Good luck......waiting to hear on my local efforts

Damn nihil you go for the jugguler.

/note to self don't piss of nihil

LOL.. nihil.. I can't believe you actually wrote to the USSS and not the FBI.. :rolleyes: hehe
I have a hard time believing that they'll respond to your email. Frankly, I think they won't care.
I'm glad you, at least, didn't include my nick or the site you found it on. Hopefully, they'll not search google to find out where it was posted.. I'm paranoid enough. :D

on this topic of CWS.. I found a nice, neat, simple little page.. simplicity is a good thing sometimes.
http://www.mvps.org/sramesh2k/Defend_CWS.htm

slightly off topic but..
On the topic of the FBI or the US secret service and having feds breathing down your neck, take a look at this guys blog. He, I guess.. was suspected in the theft of the half-life2 code being stolen. I was going to post it in the cosmos or tech humor forum but this thread now has a "fed slant" to it.
The whole surreal story (http://squeedlyspooch.com/blog/archives/000072.html)
I hope they don't come knocking at my door, I have some text files on security/hacking and I think they wouldn't care if I was a good hacker or not.. it would be "sieze my computers first and ask questions later"..

*jenjen rigs some c4 to her hard drives.. :D

Just for anybody thatis still interested... I wrote to some of the vendors the other day. I recieved the following response this morning:


Hi,

Didn't see the one with the hosts file lock yet, but I've already
reacted to the new CWS one that's closing down Spybot and others
(application and website both):
http://www.safer-networking.org/minifiles.html

--
Best regards,
Patrick Kolla

(I got a nice letter from the FBI too:) )

LOL, I'm seriously surprised to hear that the FBI responded :). (Glad too). I'm wondering though, for how long people are going to be patient with these companies? I sure am losing my patience when they DARE to install their programs on my computer without my permition, eat away my bandwith that i pay for, significantly slow down my computer, show porn to my little brother while he's using the computer for educational purposes ( i dont have a lil bro, just an example), Send my information to who knows were, force me to have to reformat my HDD and lose all my hard work? Seriously WHY ON EARTH WOULD I WANT TO TAKE THIS SHIT?

I'm seriously getting VERY VERY upset with them and i hope it doesn't go to the point where people start taking this in their own hands. Quite frankly i dont know how the hell do these people think out of their asses and install this shit everywhere? This stuff is worse than a virus or a trojan. A virus infects you, does its damage but it can be fixed. coolwebsearch is just plain offensive. I'm sure a lawyer would like to get a piece of this. If the Government wont do anything about this, then i would at least ask them about the location of the owners of coolwebsearch and then let us take care of it.

My 2cent

<shameless plug> Half the spyware problems would be solved if people didn't use Internet Exploder. Use Mozilla FireBird instead.</shameless plug> If you have to use IE, change the Download ActiveX Object setting to ask and update the damn thing.
Cheers,
cgkanchi

jenjen I wrote to them both I got a nice personal response from the FBI, and they suggested I go to the IFCC ( http://www.ifccfbi.gov ) who would forward the information to "the appropriate investigative agency"

I filled out a Secret Service form 4017 as well, because I think that there are peripheral homeland security issues? like how would the government like their computers getting the new coolwebsearch crap? As Cybr1d questioned the government inactivity? Maybe they will do something when they realise that they are in the firing line. :(

Don't worry about the Feds, they know who I am, where I live, my phone number, passport number, social security number and all that. So do MI6 and Scotland Yard Special Branch....I wouldn't have got full MoD, DoD and NATO security clearance without positive vetting............anyways, your post was positively security orientated :) I was more concerned about the coolwebsearch scum, but I would say that they have gone way too far with this one?

Cheers

winblows strikes again doesnt seem to bother my LINUX box,you know what they say talk to the hand cause linux aint listening!!!

reaper44,

I think that this is more of an Internet Explorer issue than an operating system one. These guys are a commercial organisation and will only bother to target the most common browser? I think cgkanchi has a good point.

Cheers

ahhh.. so you did email both, nihil. It's interesting that the FBI gave you a timely response.
I realized how paranoid I sounded in that other post.. mostly it was due to reading about that kid who got raided.. I'm not so worried today.. in fact, they'll never find me.. I've got my new cloaking device stolen from the romulans installed.. :D

OH CRAP, they gave you one too? Stupid Romulans..... LOL. Can someone please post calmly what the exact effects of the new coolwebsearch are? I.E. What does it do to the user's PC and also the illegal aspects of it.

cheers,

Cybr1d, as for the legality of it.. it's unknown..

but the best description of all the flavors/changes/modifications done by the authors of CWS was posted in my first post.

http://www.spywareinfo.com/~merijn/cwschronicles.html

it's quite detailed..

Hey nihil just a question...but what do you do?

Don't worry about the Feds, they know who I am, where I live, my phone number, passport number, social security number and all that. So do MI6 and Scotland Yard Special Branch....I wouldn't have got full MoD, DoD and NATO security clearance without positive vetting


And just a little side post to get some more conversation started up:

In my opinion, the Half Life 2 source code wasn't stolen, Vavle leaked it so they could buy more time to work on the game....And Gg!

Hi lansing.......nothing really exciting.......

Project management, systems analysis, business analysis, systems design, applications support, hardware support , systems testing, applications training , systems architecture.......you may use different terms?


In the defence industry, you need to be cleared to the highest level, because you have to be able to go anywhere? Also done a bit for the cops.

Cheers

if u guys want 2 remove coolwebsearch with Ad-Aware, use the tool in the zip provided.

much as I hate to say this... as no scripting/DDOS or other things are nice...
but since coolwebsearch keeps playing nasty and downright dirty, Id love to see some of the kiddiots focus thier attention that way for a while. Now I know, I know... two wrongs dont make a right.... but COME ON. Enough is enough, coolweb....
they are basically hacking at this point. Hijacking is taking someone somewhere they dont want to go... so If I hijack a plane, I expect to be punished. They hijack browsers, they should be punished. Hope the government kicks thier asses in. but you and I know that is a lengthy process... and because its profitable to pop up ads, and get hits by redirection, no matter how the redirection should happen, someone esle will do it after the fall of coolwebsearch. there are plenty of them out there, just not as bold as coolweb.
Denying access to sites? hmmm, well in america anyway that sure flys in the face of freedom. Why should anyone restrict me on where I can and can not go on the internet?
I hate the whole site, mostly because I often get stuck mucking up the mess it makes of a PC.
I hope they burn in Hell.
ARGH

Coolwebsearch is doing a lot more than only denying access to sites, it doesn't belong on any computer!

I'm pretty sure I don't have this latest version of CWS.. and my hosts file has just what I put in it.. but I'll be damned if I can get to ANY of the links that jenjen posted..

http://www.merijn.org
http://www.spywareinfo.com
http://forums.tomcoyote.org/index.php?showtopic=3053

at this last one.. or just even http://forums.tomcoyote.org

you'll see this..
"This domain has had massive attacks against it and the FBI has been notified with all IP's related to the attacks. We are not for sale by the way. "

can anyone else access these links ? I think not.. another box of mine gives the same results.. this is WAR.. these bastards truly HAVE "upped the stakes"..

:mad:

edit : I was searching news for anything about this.. didn't find much.
but I did find a nice article about hijacks.
http://www.pcmag.com/article2/0,4149,1443678,00.asp

Yeah I am unable to acces merijn.org and spyware site too....

For time being I thought whether it was one more cruel attack of CWS but than checked the Hosts file .. it just had all the entries I have put....

But what could be the reasons for Merijn and spyware site to be down.... ?????

the reasons ? DDOS.. :(

/sdg starts the chant..

"hackers and crackers unite.. give CWS something back to them"

the scumsuckers.. :mad:

thats what Im saying, all you idiots who want to "make a name" for yourself... if your gonna go to prison anyway at least let some good come from it...

Spywareinfo.com is back up & faster than ever! :D

Flush your DNS (run ->cmd -> enter in 'ipconifg /flushdns' minus the 's and with the space) if you are having problems viewing the site.


EDIT: To reach merjin.org enter the folowing into your hosts file :D

216.40.225.12 merijn.org
216.40.225.12 www.merijn.org

constantly removing their scumware is not an acceptable alternative as far as im concerned. i dont think the government agencys can do anything about them. hell does anyone even know who they really are to do something about them?

why dont we make this thread a repository for information we can gather about this curse and formulate a plan.


ping coolwebsearch.com ->66.250.74.150

from tracert:

16 190 ms 201 ms 200 ms HyperSpace_Communications.demarc.cogentco.com [66.250.5.30]
17 191 ms 200 ms 180 ms 66.250.74.150

the ip block is owned by:

Trying 66.250.74 at ARIN

OrgName: Cogent Communications
OrgID: COGC
Address: 1015 31st Street, NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US

Registrant:
Cogent Communications (COGENTCO-DOM)
1015 31st St. NW
Attention Legal
Washington, DC 20007
US

66.250.0.0 - 66.250.255.255



domain name is registered to Inter Web Solutions Inc. at PO Box 326, Tortola, IO, 65113

the country code "IO" is British Indian Ocean Territory but Tortola is an Island in the British Virgin Islans can anyone shed some insight on this? is there a british indian ocean territorry named tortola?

Hi Tedob1,

British Indian Ocean Territory

http://www.cia.gov/cia/publications/factbook/geos/io.html

Courtesy of "the good ol boys at Langley" :cool:

I am guessing that the scum have registered the IP in BIOT but are operating out of the Virgin Islands.

We have a "joint facility" at Diego Garcia?............................................

My local Member of Parliament is a "shadow cabinet member"..........he is also a lawyer with a speciality in IT.......................time I had a word with him I guess.............yes I am a party member and he did send a Christmas card.............so did our leader of the opposition...............

British jurisdiction?.............I guess it is up to us limeys to start it off?

Wish me luck guys :)

Cheers

will be interesting if you can find anything out about that po box...which is probably all that it is...but who owns it?

the host cogentco.com seems to specialize in sleeze. along with coolwebsearch, which i have to guess right now is connected to coolfreehost.com. coolfreehost.com offers free hosting of adult content. its home to other great sites:

Russian Kiss

rosexxxgarden.com

EUROPEAN HOLES

teensparadise.com

3D erotica

and thats just on 66.250.74.* so far.

one of the main advertisers is the "evidence eliminator" amybe a good emailing campaign could put some pressure on them to remove any ads on sites hosted by Cogent Communications.

if it can be proven that these so called programs are indeed trojans/virus then micro soft would have to give us the bounty they offer for virus writers

Hmmm,

Good info Tedob1,

We are heading towards an election year...............could make a nice byline?..........neither like nor trust politicos, but there are times when I am prepared to make exceptions........if only to "prove the rule".

However, If I could just link one kiddie prOn site to them they are history.................guess they will be too careful for that :(

Still it would be nice to get a question asked by a front bench spokesman in our Houses Of Parliament? (our equivalent of Congress I guess?).............might rattle their cages a bit?

"Time to chip away at the boulder folks"??

It would be nice to see the AO gang get a result :D

MAXIMUMHOST.COM which seems to have all these ip addys will throw someone off for spamming. their pretty careful to stay inside the law (barely legal teens type of thing) i dont think any kiddie port found on a related site could be pinned to them

from what ive gathered cogento communications inc is a major player with large investors. this kind of publicity could really hurt (Cogent Communications Group Inc (COI))

Cogent Communications is headquartered at 1015 31st Street, NW, Washington, D.C. 20007. For more information, Cogent Communications can be reached at (202) 295-4264 or via email at info@cogentco.com.

would something like this be legal to send?

While investigating a despicable product that is distributed from your network, coolwebsearch which is made to ravage personal computer world wide. It was brought to my attention that a great many of your customers deal in porn.

I don’t believe people investing in your company are fully aware of this.

Kind of funny that on Cogent Communications' website, under their "Acceptable Use Policy"

it lists the following prohibited uses:

6. Introduction of malicious programs into the Cogent network or servers or other products and services of Cogent (e.g., viruses, trojan horses and worms).

11. Using any program/script/command, or sending messages of any kind, designed to interfere with, or to disable a user's terminal session.


In my thinking CWS is exactly the above.

Hmmm

How about:

"Whilst restoring control of a private PC to its rightful owner, it has come to my attention that the offending software, coolwebsearch, is apparently being distributed from your network?

It also appears that a significant number of the customers that you host, manage pornographic websites? I wonder if you appreciate the effect that this information might have on your stockholders. Or indeed, if you are aware of this situation at all?

Assuming that you are not, might I ask if you are prepared to fully co-operate with the Federal Bureau of Investigation, the United States Secret Service, and the British Authorities in resolving this matter?

If so, perhaps you would be so good as to provide the names and contact details of your corporate officers who will deal with the matter.

Naturally, I would not wish to authorise the continuation of a process that may damage a respectable organisation, endanger the employment of its staff, or financially harm its respectable investors.

However, if it transpires that your security has been compromised, I do insist upon your fullest co-operation. I assure you that this will remain a discrete process involving my organisation and the appropriate authorities."

The reply to that should be very interesting :D

Cheers

EDIT: Nice one Meeeeeeeeee...........we now have them under their own terms and conditions?

Spyware has become increasingly agressive in the revenue making schemes for popular free apps and web sites that run (or try to run) campaigns for you to buy more shit. Not too long ago, I installed a shareware/freeware app without any protection and OMG...

pop up's from hell (Gator)
This Casino game that takes the entire screen and shows up over and over again...
Your homepage is changed (Mine went from Google to MySearch)
...and the performance of the machine dwindled along with IE taking forever to paint.

Asswipes I tell you. Asswipes :(

ok so here's a place to start:

info@cogentco.com?subject=Dave Schaeffer, CEO

cut and paste or write your own...just click on it even if you only say "Stop coolwebsearch" it might make them nervous enough to kick coolwebsearch.

Subject: Attn: Dave Schaeffer, CEO

BTW i just sent mine and ended it telling dave he wasn't a very nice man :-)

gee, this is both good and bad. At the time I first posted this, I didn't think CWS would take it this far. To ddos sites ? Could it be proved that it was cws behind the ddos attacks ? I wonder what tom coyote has collected for info, wouldn't he be a good contact for info ? An organized assault on things like this is the best.. right ? Why can't alliances be formed with the groups already looking into this ? Surely a combined effort would make a greater impact.

tried even flushing the DNS... but these sites (merijin and spyware) cannot be still connected.. is this a problem with this part of world (i.e. INDIA .. ASIA sub-continent)

Seriously I believe some very serious action should be taken against the people behind CWS trojans..... It is a menance.... and it cooly forces you to visit the site of their preferences....

I hear lot of people have alre initiated some action... It would be great if we get an update on it....Any replies from FBI ????

Is there any other global forum where we as individual users who have suffered under this trojan complain abt it.

I still guess that none of the antivirus were able to delete the trojan.. in that case why are those companies not initiating a legal action against the culprits....

Again this has mercilessly targetted Internet Explorer... again wonder why Microsfot is unable to take an action.. will it make any sense for AO to write a letter and apprise the companies with the destructions casued by this trojan and request them to take strick actions against those behind this nasty trojan......

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=253625#post723215) by anjali
tried even flushing the DNS... but these sites (merijin and spyware) cannot be still connected.. is this a problem with this part of world (i.e. INDIA .. ASIA sub-continent)


Apparently they are still having some propblems. Just checked and they expect the site to be up and down today. :( Hopefully just server issues not more DDoS.

is it working now? it's working fine for me right now.