aifind.com and xwebsearch.biz GO TO HELL

October 17, 2003 · 35 comments

Update, 4/04: I see I’m getting TONS of hits from folks infected with the AIFIND browser hijacker and searching for a way to ditch it. Go NOW to http://www.spywareinfo.com/~merijn/downloads.html — scan down the page to the Unable to Download section, and download CWShredder. This is what we used to make aifind / coolwebsearch go away.
I’ve still got a nasty virus and I can’t do anything on my computer until it’s fixed — I’m using my mom’s machine now.
AVOID AT ALL COSTS a search engine called AIFIND.COM — two of their affiliates are spreading a browser hijacker that, no matter what url you type in, sends you to their AIFIND affiliate portal at XWEBSEARCH.BIZ — the name of the portal is Cool Web Search.
The company that owns AIFIND.COM is in Scottsdale, AZ. They refused to answer any questions, so I referred the issue to the Scottsdale Police Dept., who sent me to the FBI. I filed a complaint with the Internet Fraud Complaint Center and they are supposed to be contacting the local FBI office in Arizona.
The bad guys who run this portal, though, are most likely not Americans. XWEBSEARCH.BIZ is registered in Estonia (where IS that, anyway?). But the fact is, AIFIND.COM is a US company, and they’re going to have to cooperate with law enforcement to cut off the accounts of these two affiliates.
The web browser hijacker is new, it’s insidious, and it can’t be weeded out easily. A site called http://www.spywareinfo.com has some info on it (they call it the Cool Web Search Chronicles) — the program (virus, trojan, whatever ya call it) has been mutating and spreading since I think April. The form I have is a new mutation (hey, lucky me!).
If you have the virus, you probably aren’t reading this. You can’t GET to any other website when your browser keeps friggin’ redirecting to these assholes. We’ve tried every program we can think of to get rid of it, and it won’t go away. I have no suggestions for you whatsoever if you have it.
If you DO start getting redirected to Cool Web Search and you’re not using a web-based email, please mail me here at comparerewards@yahoo.com and let me know. Maybe by pooling info we can figure out how this thing got onto our computers.
Take care and hope to talk to you again in the next few days.
Becky


BuckEyeDuo October 18, 2003 at 1:54 pm
Anonymous November 4, 2003 at 5:12 pm

suggestion #1:) 2 websites that might help follow. #2) I installed BlackIce. I made a short-cut to my ‘Local Area Connections’ on my desktop. Every time that dang * * * * * * * xwebsearch.biz * * * * * * * started taking over I would double click the short-cut then click disable… in effect killing my connection (this could also have been done pulling the cable out of my network card in the middle of their pop-up parade). !!! Black Ice would immediately tell me that ‘I’ or possibly ‘a program’ is trying to connect to * * * * * * * * IP* * * * * * 213.159.117.233 * * * * * * * * . Time and time again, disconnecting would result in the attempt at this address connection. (BECKY, !! please file this number with the authorities you’ve contacted.) Searching google for this IP resulted in some discussion boards, mainly in Spanish, which Google readily translated. ******I have now added both the IP 213.159.117.233, and the website xwebsearch.biz to my block list… here’s how: Tools> Internet Options> Privacy> Edit (under website)> at this point I typed in both of the above listed and clicked block. I have thus far experienced ~24 hours of relief!!
Sorry about the dreadfully long run-ons!!
Good Luck!!
Don’t forget the links, and may they be hyper for you!
p.p.s.: The second link seems to be so much more descriptive of PRESCRIPTIVE acciones! Ole!
ppss: I have also found using ad-aware by http://www.lavasoft.nu helpful for some pop-ups.
http://translate.google.com/translate?hl=en&sl=es&u=http://usuarios.saulo.net/lista/consultas/archivo/indice/2901/msg/2908/&prev=/search%3Fq%3D%2522213.159.117.233%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DG
http://216.239.37.104/translate_c?hl=en&u=http://www.vsantivirus.com/qhosts.htm&prev=/search%3Fq%3D%2522213.159.117.233%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DG


frustrated January 4, 2004 at 12:42 pm

Ah! I am so relieved to find some info about this! I have been having trouble with the same stuff. Does anyone know anything about searchcentrix.com? I get a loop from the 213.159.117.223 to the searchcentrix and then my connection drops. I’m going to try some of your suggestions. Thanks for that! I already ran Norton antivirus and it identified 4 adware files that I can’t delete. When I click on the threat description, it takes me directly to the 213…..223 loop again. Any suggestions here? Anything would help, I can only go online via my dialup but this has wreaked havoc with my DSL and it is inoperable! Please help!


exorcised January 8, 2004 at 9:24 am

Hello
I unfortunately HAD the aifind hijacker on my PC and my search to get rid of it led me to this wonderful little program that got rid of it. Two thumbs up to the guy/girl who made it.
http://www.merijn.org/files/CWShredder.exe


RichMan January 8, 2004 at 10:51 am

I had the same problem (startpage modified to aifind and some strange favorites) like the others and was able to fix it with the CWShredder! A great tool!
Many Thanx and Greetz from Austria!!!
RichMan


Bosnaian_guy_69 January 8, 2004 at 7:31 pm

i had problems with those aifind losers and their popups. i installed norton internet security. and now the problem is gone


Gerald January 9, 2004 at 9:46 am

I have been having trouble with “aifind.info” for just the last few days (also known as “coolwebsearch”).
I have to come clean and admit that it seems to have arrived via an adult web-site called “voyeurweb.com”, but no doubt other sites are affected.
Thanks for the info on how to remove it. I will in particular try the “merijn”, as it seems to have good results.
Cheers, Gerald.


Anonymous January 9, 2004 at 1:09 pm

Merijn, the person who made this wonderful piece of software, thanks! it really really works!!

KENT January 17, 2004 at 12:54 am

GO TO SYMANTEC AND FOLLOW THEIR INSTRUCTIONS FOR REMOVAL OF THE AIFIND.INFO TROJAN HORSE WHICH REDIRECTS YOUR BROWSER TO PORNO SITES.
http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.b.html


nathan April 22, 2004 at 6:18 pm

yes this screwed me up. i got the virus twice. i found the regedit had been changed. i deleted it but found my homepage still hijacked. none of the programs that were supposed to fight it worked. wound up reinstalling windows to get rid of it.


Thomas April 24, 2004 at 12:08 am

My home page is set to “about blank” then is redirected to aifind.info. I have tried millions of times to uninstall this via a link at the bottom of that page but it just takes me back to the same page. I have downloaded CWShredder but it didn’t work. If I open IE it takes me to aifind.info (as mentioned before) but if I type in another website it will go there; the only time it changes back to this stupid website is if I try to go to my inbox on hotmail. I would appreciate any information on fixing this problem.

Randy April 24, 2004 at 2:55 am

Thomas, I also am having the same trouble as you. The only time I get redirected is when I try to access my hotmail accounts. The CWShredder does not do a thing to help. Any suggestions would be greatly appreciated.

Marc April 24, 2004 at 4:33 pm

The same thing is happening to me that happens to Thomas and Randy. How would I have gotten infected then? I don’t open the attachments in my e-mail box.


Paul April 26, 2004 at 6:05 am

Same problem here!!
The CW Shredder removes CSW.Svchost32 but the next connection to the internet sees it returned.
Is this a new variant?


rony April 26, 2004 at 9:17 am

hey guys, i just clicked on the uninstall link on the aifind.info site and it just went away. maybe due to you guys’ efforts the website developers might have posted the links to uninstall.
cheers
rony


Tim April 27, 2004 at 10:50 am

I was having the same problem as the last few people. I deleted all of the favorites that it put there, then manually changed back my homepage (this seems to work the first time after you do it, but goes back to aifind.info the next time you sign on), opened a new browser window (which then went to aifind.info) and clicked the uninstall link. Then I closed both and opened explorer again and my homepage was now about:blank. I closed it and then went to internet options where I changed my security setting to high, blocked aifind.info and manually reset my homepage to my isp’s default. Now the problem seems to have gone away. I hope that following this procedure helps someone.
Tim


Bert April 28, 2004 at 12:49 am

having the same problem with aifind.info, and the e-mail they give is bogus, the uninstall is just a loop and it seems that norton is the only thing that clears it off…but it seems whatever variant this is it keeps reinstalling itself over and over….

Mike May 1, 2004 at 4:21 am

I’ve got the aifind bug too. Tried the CW Shredder, said it was fixed, but it wasn’t. I get redirected when I try to go to my email, and when I try to browse support forums. This rots!

sam May 1, 2004 at 11:07 am

i am having the same problem as sam, randy and mark. will try some of the ideas. if i type the symantec web site address, some other website for ink cartridges takes over.

John May 1, 2004 at 12:17 pm

Hey all, we need to hack this one apart. I promise I will not give up till I find a solution and I will post it here. I am using Opera now to surf and check my hotmail and it works fine. Anyway, back to work. I got this Hijacker yesterday at some point and so I did a file search on my HD’s to list all files modified yesterday. So I am guessing if there is an exe or dll installed it should be in there. Also note that your registry is modified in both CURRENT USER and LOCAL MACHINE and then Software – Microsoft – Internet Explorer – Main. Changing it unfortunately doesn’t work.

John May 1, 2004 at 1:29 pm

OK here’s what I did and so far so good. I knew approximately when I got this trojan so what I did was search for all files modified on April 30. This produces a list of all the files that were changed or added. I ordered them by time and found a group that ranged from about 2:30 till 3:00PM. This is when I got the trojan. You will want to delete these files but be careful, they may not all be bad so check them and use your own discretion. Two in particular I think were the culprit: one was index[1].exe, the other mysys.com. Delete all of your cookies and the favorites that they stuck in there on you. Delete everything in your temporary internet files. I went and deleted all for all users. btw I am running win 2000. Then go into regedit and delete the start page entries as mentioned above. When I rebooted and opened IE I got about:blank and a blank page. I then changed the home page option to google and so far it works out ok…

Reply
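
The timeline search and start-page check described in John's two comments above, as an added example that is not part of the original thread: a read-only PowerShell script that lists files written inside a suspected infection window and prints the Internet Explorer `Start Page` value from both registry hives. The window (April 30, 2:30 to 3:00 PM, with the year assumed from the comment date), the root folder and the extension list are sample assumptions to adjust.

```powershell
# Added triage example, not from the original thread. Read-only: it lists and reports, it deletes nothing.
# Defaults are sample values based on the comment above; pass your own window and root folder.
param(
    [datetime]$Start = '2004-04-30 14:30',
    [datetime]$End   = '2004-04-30 15:00',
    [string]$Root    = "$env:SystemDrive\"
)

# 1. Every file last written inside the window, oldest first.
#    -Force includes hidden and system files; unreadable folders are skipped.
$hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
    Sort-Object LastWriteTime

# Executable types get flagged for a first look (assumed list; the comment
# singled out an .exe and a .com). Not every hit is malicious, so review each.
$exeTypes = '.exe', '.com', '.dll', '.scr', '.bat'
$hits |
    Select-Object LastWriteTime, Length,
        @{ Name = 'Executable'; Expression = { $exeTypes -contains $_.Extension.ToLower() } },
        FullName |
    Format-Table -AutoSize |
    Out-Host

# 2. Internet Explorer start page as stored per user (HKCU) and machine-wide (HKLM).
$pages = foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Internet Explorer\Main"
    $val = Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key       = $key
        StartPage = if ($val) { $val.'Start Page' } else { '<not set>' }
    }
}
$pages | Format-List | Out-Host
```

Re-running it after a reboot shows whether a start page that was changed by hand has been rewritten, which is the behaviour several commenters report.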

Latency May 2, 2004 at 3:11 pm

i still can’t get rid of the stupid aifind.info virus….any suggestions?

Anonymous May 3, 2004 at 10:07 am

the cwshredder only seems to work for the coolwebsearch variant, this freak’n aifind thing is invulnerable. ad-aware detects a couple of keys and cookies. I delete those but they just come back. (I’m running Win2k) I tried to follow symantec’s removal steps, and aside from being a moron, i could find the files it says this hi-jacker creates %System%\Cpan.dll or %Windir%\hh.htt… running out of patience, i’ll never understand why people think these things are funny.

Anonymous May 3, 2004 at 1:04 pm

i just found a way to kill this stupid thing. run your virus software and spy ware killing devices and cwshredder if you want to clear all the crap. then boot into safe mode with command prompt. (i’m still using win2k) navigate to winnt\system32\ebh.dll rename this pain in the @$$ like so.
ren ebh.dll ebh.deleteme (or whatever you want)
you can now delete it. del ebh.deleteme. restart normally and things should be back to normal. hope this helps

G May 3, 2004 at 9:05 pm

I just wanted to thank you guys for creating this “AIFIND” Terminator. AIFIND creators should be fined heavily and possibly jail sentencing for what they do. I have a child who uses this computer and I had to check it every time he turned it on, because it would go straight to the AIFIND homepage where it lists adult sites. With just one click they could have caused a lot of damage to my child’s mind. Thank you so much!!!!

Anonymous May 4, 2004 at 11:35 pm

how do I get rid of aifind.info! I can’t read my yahoo mail — it takes me to ainfo!!


Ted May 7, 2004 at 6:01 am

I got the AIFinder stupid trojan today (07/May/2004). My SYMANTEC did detect two virus files, but can only clean one of them. I think the possible way it infected my computer is oriented from a stocking adult website.


GK May 8, 2004 at 8:25 am

I got one of the nasty variants of this virus. I tried several approaches and anti viruses (cwshredder included) to get rid of it with no success BUT

Phil May 8, 2004 at 4:06 pm

I recently got this stupid virus from a warez site, and now i don’t appear to be able to get rid of it. i tried most of the things listed above, but to no avail. i still have it. everything i do, it seems to prevail and seems to outsmart every stupid program i use! If someone can make this virus/trojan then someone must be able to destroy it!

will May 10, 2004 at 6:34 pm

I’ve tried everything I’m capable of that is suggested on this page and others, and am still unable to rid myself of the aifind.info homepage/hotmail redirection. Help, please..
(I use Windows ME)


Kelsey May 11, 2004 at 9:38 pm

okay i’m 14 and i did this. the post that read:
I got one of the nasty variants of this virus. I tried several approaches and anti viruses (cwshredder included) to get rid of it with no success BUT

Ashish May 12, 2004 at 7:43 am

i’ve got the same problem. it’s happening with yahoo, hotmail and rediffmail, nothing seems to work.
I tried CWSHREDDER but it doesn’t help it. HELP ME !!!!!

spyros May 13, 2004 at 10:05 am

Three thumbs up for the guys who made the program crushing AI find (shit) virus. I’ve faced viruses before but this almost made me desperate, being the most resistant of all
Bravo guys!!!
Spyros, Athens, Greece


cristin May 20, 2004 at 6:28 pm

I have tried everything on this page and still can’t get rid of aifind! Any other suggestions????
