read this it's possible?
CoolWebSearch is a trojan that hijacks Internet Explorer start and search settings to one of several different web sites (see below). Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer. There could be other domains involved in the future.
This hijack is similar to the datanotary.com hijack discovered within the last couple of months. As with datanotary, the CoolWebSearch hijack sets Internet Explorer to use a custom style sheet containing javascript that opens a pop up window. In fact, it is believed that: the trojan involved with CoolWebSearch is an updated version of the same malware involved with datanotary.
In the original variant, the start and search settings were changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also made it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker's web site.
An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.
More current variants also install a small web server, contained in a file named svchost32.exe. It adds several google addresses (google.de, google.ch, google.ca, etc) search.yahoo.com, and search.msn.com to the HOSTS file, telling windows that the IP addresses for those sites is 127.0.0.1, and that's where it's webserver is listening.
Yet another variant hijacks Internet Explorer's SearchHook setting with a file named dnsrelay.dll. This redirects all search and start page settings to allhyperlinks.com.
Finally, CoolWebSearch lists the hijacker's web site in Internet Explorer's trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer's file system.
The source of the infections might be activex drive by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.
Best Bet:
1. Back up your personal files.
2. Do a complete format (not quick) on your hard drive.
.
some useful info here
www.spywareinfo.com/~merijn/downloads.html
hope it helps ?
Hybrid Mode
