Coolwebsearch (“The Search Engine you Trust”) posted on their website a list of affiliates that have been terminated. One of them was

Coolwebsearch (aka CWS) has been fairly vehement on clearing its name, so this is of interest.

A few days ago, Senior Spyware Researcher Patrick Jordan ran across some stuff which I’m posting today as a “Seen in the Wild”.

It starts with a known CWS infester using files from another site that will hijack users to The known CWS infester has links that will open to, but it is the path it passes through before it opens that is unusual.


The above links show the following transmissions before opening to


Notice the second entry:


Notice the URL: has always been one of the IP ranges to open to But the last transmission to get to is, which uses a Coolwebsearch template that matches the one above.


Now in the hijacking page at we can see the entry where is on the list.



Now, is listed on their website. However, infoglobus doesn’t seem to care. They just use to get around the whole thing, while using a CWS template.

Tut tut tut.

Alex Eckelberry