new version of "coolwebsearch" blocks access to some security sites

[jenjen]

Here we go.. the "coolwebsearch" nasty guys have escalated their efforts and now even are blocking access to some security sites by altering people's hosts files once again. It appears that cwshredder hasn't been updated to catch this yet.. Please read this thread by Tom Coyote.
http://forums.tomcoyote.org/index.php?showtopic=3053

there are only two entries in that thread so far, so I'll quote them (both made by Tom)

Jan 15 2004, 09:07 PM
This is to inform that there is a version of CWS going around that will block your access to anti-spyware sites

There will be an email soon to all members of this board so that you know what to do in order to regain control over this problem

Pass this information on to your friends as they may not be able to get here without your help

Jan 15 2004, 09:19 PM
Are you having difficulty accessing security-related websites ?

You could have been hit by one of the latest hosts file scam by the Not-Coolwebsearch people...

Easy enough to fix this.

Get this program called Hosts File Reader. It will show the hosts file wherever it is located.

http://members.shaw.ca/techcd/VB_Pro...FileReader.exe

Run the program and look at the bottom part of the window, if an entry is there, double click it.

You should see the contents of that file appear in the top part of the window. You can then change, delete, append, do what you want to the file using that utility.

If you do not consciously use a hosts file, you can choose to delete it. If you do use a hosts file, then you probably know how to deal with the entries listed.

If you aren't sure, there is the "Enable/Disable" function you can use. Disabling, will backup the current hosts and create a new default one. By doing this, you should be able to access those sites again.

The current (partial) list of sites blocked by this latest malicious hosts file is:

forums.spywareinfo.com
www.spywareinfo.com
www.merijn.org
merijn.org
spywareinfo.com
www.computercops.biz
computercops.biz
dslreports.com
www.dslreports.com
www.lavasoftsupport.com
lavasoftsupport.com
forums.net-integration.net
www.tomcoyote.org
tomcoyote.org
www.wilderssecurity.com
wilderssecurity.com
www.lavasoftusa.com
lavasoftusa.com
security.kolla.de
www.security.kolla.de
www.lavasoft.de
lavasoft.de

If you haven't heard of CWS, then you should read the info at this link.
Document last updated: January 5, 2004
http://www.spywareinfo.com/~merijn/cwschronicles.html

HiJackThis...Zipped version of CWShredder --
If you get a virus warning for W32/Generic.worm!p2p, try this link instead: Unpacked version of CWShredder
If you get a message saying 'A required dll, MSVBVM60.DLL, was not found', install this first:
Visual Basic 6 runtime libraries from Microsoft

[MrLinus]

At least AO didn't end up there..

[groovicus]

That's very clever of them blocking some of our favorite sites.... I do wonder though if that could be construed as interfering with business? I also wonder what the websites on the list would say if they knew they were being blacklisted?

Hmmm... I thnk I may have to drop a couple emails a little later, just to see what they say. Good find jenjen.

[Ennis]

Surely Lavasoft have some case against them considering it will affect users of Ad-Aware?

These guys go way to far when it comes to Spyware methinks.

[nihil]

My parents never loved me,

and now CW won't put my favourite website on their hitlist....and IT IS A HITLIST!! with all the ramifications? This is war?...I cannot choose a proper security site? who the hell do they think that they are.

Well like groovicus I have a bit of mailing to do, the main site is here:

http://www.usdoj.gov/criminal/cybercrime/reporting.htm

I will start the European trouble tomorrow.

As William Shakespeare said: "Cry Havock! and unleash the dogs of war"

MsM..........can you get me the components for an old Remington computer with a 3006 processor? Just a few bits (bytes) at a time .......I will find the mercury (errr...memory?)

Good luck to all

[omalakai]

appears that cwshredder hasn't been updated to catch this yet

It looks like the guy who makes CWShredder at Merijn.org has been on vacation from Jan 9 to Jan 19. So, that is probably why it does not take care of this new version.
But he is back tomorrow, I would look for an update to CWShredder soon.

[nihil]

OK, I am not sure how the system handles this, so I am trying a new post?

Your Article has been received...

Thanks for your submission!

We will check your submission in the next few hours, if it is interesting and relevant we will publish it soon.
At this moment we have 1 submissions waiting to be published.

I am a member of "Computer Cops"...might be good to bring in people from another "precinct"

I am sure that they will be highly amused?

I will now revert to my original intentions..............

Good luck and god bless

EDIT: I have now contacted a couple of organisations with interests along Pennsylvania Avenue.......I await responses, but my e-mail is a bit sporadic, so if anyone in the States wants to try, please do

[Lansing_Banda]

Man that is some ****. So does anyone remember the line between spyware and a virus?

New from Gator The FDISK 1000!

Thats right, the company you have know and loved has realeased its best product to date! After our program takes all your important information and sells it on the ad company black market, it then performs a full system Format and replaces your precious files with softcore porn. All while we flash you ad after ad of Viagra and Viagra based products. So why wait...just kidding you don't have to, we have incorporated our product with every major software product in existance so we know for a fact that you have at least 4 versions of our product running on your computer at any given moment.

So have fun while we dig up your grandparents and sell their precious jewlery to the nearest pawn shop!

Gator - We **** your Life"

[anjali]

BTW.... trojan.startpage.... once it affects ur system change the default page to mycoolwebsearch...

Now are this two things connected in any manner... If yes.. I think that is absolutely unethical....

You cannot force people to mark ur site as their start page by playing a havoc with there systems...

Is a legal recourse possible for such type of activities......

Regards

[nihil]

Hi folks, I must say that the "THIS IS NOT AN AUTOMATED RESPONSE" from Supervisory Special Agent David.N.Rushing was a little "limp" IMHO

However, perhaps the "B" Team can deliver?

This is what I sent them:

Hello,

I am an IT professional in Europe, and belong to a number of security orientated websites. I was most disturbed to encounter the following:

new version of "coolwebsearch" blocks access to some security sites posted Yesterday 10:42 PM
(post #1)

Here we go.. the "coolwebsearch" nasty guys have escalated their efforts and now even are blocking access to some security sites by altering people's hosts files once again. It appears that cwshredder hasn't been updated to catch this yet.. Please read this thread by Tom Coyote.
http://forums.tomcoyote.org/index.php?showtopic=3053

there are only two entries in that thread so far, so I'll quote them (both made by Tom)

quote:

Jan 15 2004, 09:07 PM
This is to inform that there is a version of CWS going around that will block your access to anti-spyware sites

There will be an email soon to all members of this board so that you know what to do in order to regain control over this problem

Pass this information on to your friends as they may not be able to get here without your help


quote:
Jan 15 2004, 09:19 PM
Are you having difficulty accessing security-related websites ?

You could have been hit by one of the latest hosts file scam by the Not-Coolwebsearch people...

Easy enough to fix this.

Get this program called Hosts File Reader. It will show the hosts file wherever it is located.

http://members.shaw.ca/techcd/VB_Pr...sFileReader.exe

Run the program and look at the bottom part of the window, if an entry is there, double click it.

You should see the contents of that file appear in the top part of the window. You can then change, delete, append, do what you want to the file using that utility.

If you do not consciously use a hosts file, you can choose to delete it. If you do use a hosts file, then you probably know how to deal with the entries listed.

If you aren't sure, there is the "Enable/Disable" function you can use. Disabling, will backup the current hosts and create a new default one. By doing this, you should be able to access those sites again.

The current (partial) list of sites blocked by this latest malicious hosts file is:

forums.spywareinfo.com
www.spywareinfo.com
www.merijn.org
merijn.org
spywareinfo.com
www.computercops.biz
computercops.biz
dslreports.com
www.dslreports.com
www.lavasoftsupport.com
lavasoftsupport.com
forums.net-integration.net
www.tomcoyote.org
tomcoyote.org
www.wilderssecurity.com
wilderssecurity.com
www.lavasoftusa.com
lavasoftusa.com
security.kolla.de
www.security.kolla.de
www.lavasoft.de
lavasoft.de


Now, if a scumware provider can do that....what could they do in terrorist hands...assuming that they are not already? I feel that cyberterrorism is the next threat, and if people like this are allowed to continue in their greed it threatens US National and Global security?

I would be very interested in your assurances that this matter is being dealt with........I will be raising it in Europe within the next few hours

God Bless
Johnno


That was to the US Secret Service

Good luck......waiting to hear on my local efforts