Posted: September 16, 2011

Coolsearchserver.com is a mirror for the CC Search website and, like other CC Search mirrors, is affiliated with browser hijackers and the ZeroAccess rootkit. Even though the search engine features that Coolsearchserver.com pretends to offer may seem useful at first, SpywareRemove.com malware researchers have investigated and found that Coolsearchserver.com is designed to offer fraudulent search results that funnel money back to Coolsearchserver.com's webmasters. The primary symptom of a Coolsearchserver.com-related infection is a redirect attack that forces your web browser to Coolsearchserver.com; this should be considered a warning sign to run your best anti-malware program and immediately scan your PC to get rid of your Coolsearchserver.com infection before additional serious attacks occur.

What's Not So Cool About Coolsearchserver.com

Coolsearchserver.com pretends to be a search engine that's similar to Google (which Classysearchserver.com's legion of browser hijackers will redirect you away from), but as a marked deviation from Google-level standards, Coolsearchserver.com specializes in providing results that only benefit itself. Links that are proffered by Coolsearchserver.com may redirect you to blank websites, to advertisements or even to malicious websites that present misleading information or try to attack your PC. Even accidental contact with Coolsearchserver.com should be considered a clarion call to scan your computer for potential infections.

Coolsearchserver.com is essentially identical to other CC Search mirrors such as 2dayoftheweek.com, 7dayoftheweek.com, classysearchserver.com, excellentsearchserver.com and noblesearchserver.com. Besides looking the same, these Coolsearchserver.com clones also use similar attacks and should be considered just as harmful to your PC if you happen to come into contact with any of them. Browser hijackers may even treat these websites as identical with respect to redirecting efforts and may redirect you to Coolsearchserver.com or one of Classysearchserver.com's clones; this can be determined in a random fashion each time.

The Not-So-Accidental Landing at Coolsearchserver.com

Although it's possible to come across Coolsearchserver.com by normal channels, SpywareRemove.com malware experts have found that the majority of Coolsearchserver.com's visitors are forced towards Classysearchserver.com by browser hijacker infections. These infections are especially associated with the ZeroAccess rootkit, a sophisticated PC threat that launches itself automatically by associating its code with normal system processes. The ZeroAccess rootkit can be used to steal private information or install rogue security programs, but a ZeroAccess rootkit's Coolsearchserver.com-related functions are browser-oriented, as shown below:

  • ZeroAccess rootkit may redirect you to Coolsearchserver.com after you try to use a website, especially a search engine.
  • ZeroAccess rootkit may lock your homepage to Coolsearchserver.com.
  • ZeroAccess rootkit may create pop-ups or otherwise degrade your browser's performance in serious ways.

SpywareRemove.com malware researchers recommend that you use Safe Mode and powerful anti-malware programs to remove Coolsearchserver.com infections, such as ZeroAccess, from your computer. Manual removal methods, although possible, are prone to failure when used against rootkit-level PC threats and may damage Windows.

Technical Details

File System Modifications

The following files were created in the system:

File name: C:\Windows\system32\DRIVERS\mrxsmb.sys
File type: System file
Mime Type: unknown/sys

File name: C:\Windows\system32\consrv.dll
File type: Dynamic link library
Mime Type: unknown/dll

Registry Modifications

The following Registry values were newly created:

HKEY..\..\..\..{Subkeys}SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
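
The SubSystems value listed above can be checked mechanically for server DLL entries that do not belong there. The following Python sketch is an added example, not part of the original write-up: it parses a pasted copy of the value and reports modules outside a baseline. The baseline set, the function names and the clean sample value are assumptions made for illustration.

```python
import re

# Assumed baseline, not from the page: server DLL modules expected in the value.
EXPECTED_MODULES = {"basesrv", "winsrv", "sxssrv"}

# One entry has the form "module[:InitRoutine],index".
ENTRY_RE = re.compile(r"([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)")

# Value exactly as listed in the Registry Modifications section.
PAGE_VALUE = ("basesrv,1 winsrv:UserServerDllInitialization,3 "
              "consrv:ConServerDllInitialization,2 sxssrv,4")

# Constructed sample of an unmodified value, with the "ServerDll=" prefix
# and unrelated settings that the parser has to skip.
CLEAN_VALUE = ("SharedSection=1024,20480,768 Windows=On "
               "ServerDll=basesrv,1 "
               "ServerDll=winsrv:UserServerDllInitialization,3 "
               "ServerDll=winsrv:ConServerDllInitialization,2 "
               "ServerDll=sxssrv,4 MaxRequestThreads=16")


def parse_server_dlls(value):
    """Return (module, init_routine, index) for every server DLL entry."""
    entries = []
    for token in value.split():
        # Accept entries with or without the "ServerDll=" prefix.
        if token.lower().startswith("serverdll="):
            token = token[len("serverdll="):]
        match = ENTRY_RE.fullmatch(token)
        if match:  # other settings such as "Windows=On" do not match
            module, routine, index = match.groups()
            entries.append((module.lower(), routine, int(index)))
    return entries


def unexpected_server_dlls(value, expected=EXPECTED_MODULES):
    """Return the entries whose module is not in the expected baseline."""
    return [e for e in parse_server_dlls(value) if e[0] not in expected]


if __name__ == "__main__":
    for label, value in (("page", PAGE_VALUE), ("clean", CLEAN_VALUE)):
        print(label, unexpected_server_dlls(value))
```

A non-empty result, such as the consrv entry from the value on this page, is a reason to run the anti-malware scan recommended above rather than to edit the Registry by hand.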