
CoolWebSearch (CWS) Removal Procedure

… in 4 steps
for Windows NT 4.0 - Windows 2000 - Windows XP

by Rossano Ferraris & Andrew Aronoff

Before using this procedure, ensure that your system is only infected with CWS.
A general disinfection procedure can be found here.

CoolWebSearch is a particularly malevolent form of ad-ware with several different infection methods. The worst variant is characterized by a stubborn BHO (Browser Helper Object).

The BHO it installs changes your Internet Explorer home page and breeds innumerable popup ads. (BHOs are found at locations 50 and 51.)

If you use Silent Runners, you'll notice a BHO with a strange file name and a DLL extension. If you delete the BHO registry key, delete the DLL file and reboot, you'll find that a new BHO with a different strange name has taken its place. No matter how many times you delete it, it keeps coming back under a different name. Unfortunately, Silent Runners doesn't identify any other suspicious program.

These trademark symptoms are caused by a shield-DLL that CWS installs at a particularly powerful point in the Registry: the AppInit_DLLs value (locations 85 and 86).

The purpose of the AppInit_DLLs value is described in Microsoft Knowledge Base article 197571. According to Microsoft, a DLL file listed there is “loaded by each Windows-based application running within the current logon session.” In other words, any DLL listed there runs concurrently with every program launched.

The CWS shield-DLL performs the following functions:
  1. It prevents almost all registry editors from displaying it in the AppInit_DLLs value — the editor will show an empty value instead. The list of affected registry editors includes, but is not limited to: Regedit.exe (Microsoft), Regedt32.exe (Microsoft), Reg.exe (Microsoft), Autoruns (Sysinternals – Microsoft), HijackThis (Trend Micro), and Silent Runners. The only program known to display it is the freeware Registrar Lite 2.0 (Resplendence).

  2. It prevents all Windows and command line tools from listing or deleting the DLL file. The list of tools includes, but is not limited to: Windows Explorer, DIR, ATTRIB, CACLS, and DEL.

  3. It confers eccentric security permissions to the DLL file and further protects the file with the READ-ONLY file attribute. Once the shield-DLL is removed from memory, an Administrator still can't delete the file without taking special steps.

  4. It confers a unique name to the DLL file on every system it infects.

  5. At every boot, it ensures that a BHO is present to start up with Internet Explorer.

  6. If the BHO is deleted, it restores the BHO under a new name at the next boot.

We've developed a simple, four-step removal procedure for NT-type operating systems (i.e., Windows NT 4.0, Windows 2000 Professional, Windows XP Home & Windows XP Professional).

The AppInit_DLLs value doesn't exist in the registry of Windows 95, Windows 98, Windows 98 SE, or Windows Millennium, so the procedure doesn't apply.

Like any disinfection procedure, it's a bit risky — it deletes the infecting files and edits the registry to remove the (non-functional) launch points. If something goes wrong, and depending on what other changes CWS has made, your PC may no longer work normally.

This procedure only removes the “stubborn-BHO” variant of CWS.
Before using it, you must get rid of any other malware!
Click here for a general disinfection method.

You use this procedure at your own risk!

  1. Download Registrar Lite 2.0, install it and run it. Navigate to this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    and look at the AppInit_DLLs value.

    Write down the name of the DLL file that's displayed!

    (If you see several values separated by commas or spaces, which is unlikely, use Windows Explorer to search for each one in the Windows\System32 or Winnt\System32 directory. The one you can't find is the one to remember!)

    Exit Registrar Lite.

    Note #1:   In “Registrar Lite”, if you see a blank AppInit_DLLs value like this:

    [Screenshot: blank AppInit_DLLs value in Registrar Lite]

    … then double-click it. (One user has reported that the shield-DLL name was only visible after double-clicking this way.)

    Note #2:   If the AppInit_DLLs value is missing (it's not required to be present), then you do not have this CWS variant and you cannot use this procedure.

    Note #3:   Do not concern yourself with what you find at the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows

    Here, you'll see “AppInit_DLLs” with a value of “SYS:Microsoft\Windows NT\CurrentVersion\Windows”.
    This is completely normal and this is not the right place to look!

  2. Download and run the CWS Shield Dropper script. It will delete the CWS AppInit_DLLs value and reboot Windows. After the reboot, the shield-DLL file is still on the hard disk, but it's no longer a threat to your PC.

  3. Download Silent Runners. Run it and look at the list of Browser Helper Objects. One of them will have a very strange name. Write down the file name, including the full path.

    (If you're not sure which BHO was installed by CWS, reboot into Safe Mode and follow steps 5, 7 & 8 on this page. Commercial programs, such as PestPatrol, are also available to identify and delete BHO pests.)

  4. Download and run the CWS File Cleaner script to delete the infecting agents.

    Reset your Internet Explorer home page. Your PC should now run normally.
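The registry check from step 1, written as an added PowerShell audit (example code, not part of the original procedure and not one of the Silent Runners scripts): it reads the AppInit_DLLs value, resolves each listed entry against System32 the way the note in step 1 does, flags entries whose file is not found, and prints the IniFileMapping entry from Note #3 so it is not mistaken for the launch point. It assumes a PowerShell session with rights to read HKLM; the function name `Get-AppInitDllReport` is my own.

```powershell
# Added example, not from the original page. Audits the AppInit_DLLs launch point.
# Caveat from the page: a shield DLL that hooks the registry API can hide its entry
# from tools running in the infected session, so an empty result here is not proof
# that the value is clean.
$launchKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows'

function Get-AppInitDllReport {
    $props = Get-ItemProperty -Path $launchKey -ErrorAction Stop
    if ($null -eq $props.PSObject.Properties['AppInit_DLLs']) {
        # Note #2 on the page: the value is optional; if it is absent there is nothing to list.
        return @()
    }
    # The value is a single REG_SZ string; entries may be separated by commas or spaces.
    $entries = ([string]$props.AppInit_DLLs) -split '[,\s]+' | Where-Object { $_ -ne '' }
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($entry in $entries) {
        # A bare file name is looked up in System32, as step 1 of the procedure does.
        $resolved = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $system32 $entry }
        [pscustomobject]@{
            Entry    = $entry
            Resolved = $resolved
            # An entry that is listed but cannot be found on disk is the one to note.
            OnDisk   = Test-Path -LiteralPath $resolved -PathType Leaf
        }
    }
}

# Note #3 on the page: this mapping is normal and is not the launch point.
$mapping = (Get-ItemProperty -Path $iniMapKey -ErrorAction SilentlyContinue).AppInit_DLLs
"IniFileMapping AppInit_DLLs = $mapping  (expected: SYS:Microsoft\Windows NT\CurrentVersion\Windows)"

# LoadAppInit_DLLs exists on Windows Vista and later (not on the NT 4.0/2000/XP systems
# the page targets); when it is 0 the listed DLLs are not loaded at all.
$load = (Get-ItemProperty -Path $launchKey -ErrorAction SilentlyContinue).LoadAppInit_DLLs
if ($null -ne $load) { "LoadAppInit_DLLs = $load" }

$report = @(Get-AppInitDllReport)
if ($report.Count -eq 0) { 'AppInit_DLLs is empty or absent (as seen from this session).' }
else { $report | Format-Table -AutoSize }
```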

If you're still infected, there are several other ways to get rid of whatever you've got, but they're more complicated. My help is available for a fee. You may contact me here.
Copyright 2018 by Andrew Aronoff