CoolWebSearch (CWS) Removal Procedure
… in 4 steps
for Windows NT 4.0 - Windows 2000 - Windows XP
by Rossano Ferraris & Andrew Aronoff
Before using this procedure, ensure that your system
is only infected with CWS.
A general disinfection procedure can be found here.
CoolWebSearch is a particularly malevolent form of ad-ware with several different infection methods.
The worst variant is characterized by a stubborn BHO (Browser Helper Object).
The BHO it installs changes your Internet Explorer home page and breeds innumerable
popup ads. (BHOs are found at locations 50 and 51.)
If you use Silent Runners, you'll notice a BHO with a strange file name
and a DLL extension. If you delete the BHO registry key, delete the DLL file and reboot, you'll find that
a new BHO with a different strange name has taken its place. No matter how many times you delete it,
it keeps coming back under a different name. Unfortunately, Silent Runners doesn't identify
any other suspicious program.
These trademark symptoms are caused by a shield-DLL that CWS installs
at a particularly powerful point in the Registry: the AppInit_DLLs value
(locations 85 and 86).
The purpose of the AppInit_DLLs value is described in Microsoft Knowledge Base article
197571.
According to Microsoft, a DLL file listed there is “loaded by each Windows-based
application running within the current logon session.” In other words, any DLL listed there
is loaded into the address space of every program that loads User32.dll, which is nearly every ordinary
Windows program, including the very tools you would use to inspect the registry and the file system.
The CWS shield-DLL performs the following functions:
- It prevents almost all registry editors from displaying it in the AppInit_DLLs value;
the editor shows an empty value instead. Because the shield-DLL is loaded into each of these tools' own
process, it can filter what the registry and file APIs return to them. The list of affected registry
editors includes, but is not limited to:
Regedit.exe (Microsoft), Regedt32.exe (Microsoft), Reg.exe (Microsoft),
Autoruns (Sysinternals – Microsoft),
HijackThis (Trend Micro),
and Silent Runners. The only program known to display
it is the freeware
Registrar Lite 2.0 (Resplendence).
- It prevents all Windows and command line tools from listing or deleting the DLL file. The list of tools includes,
but is not limited to: Windows Explorer, DIR, ATTRIB, CACLS, and DEL.
- It confers eccentric security permissions to the DLL file and further protects the file with the READ-ONLY
file attribute. Once the shield-DLL is removed from memory, an Administrator still can't delete the file
without taking special steps.
- It confers a unique name to the DLL file on every system it infects.
- At every boot, it ensures that a BHO is present to start up with Internet Explorer.
- If the BHO is deleted, it restores the BHO under a new name at the next boot.
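As an added illustration (not part of the original article, and not the authors' tools), the following PowerShell script audits the AppInit_DLLs launch point the way a practitioner would today: it reads the value through the live registry API, resolves every listed DLL on disk, can delete the live value (the article's step 2), and can read the same value from an offline copy of the SOFTWARE hive. The offline read exists because of the point made above: a DLL injected into every process can lie to any in-process registry read, this script's included, so the authoritative check is made from a clean environment (WinPE or a second Windows installation) with the infected system's hive mounted. PowerShell did not exist on the NT 4.0/2000/XP systems the article targets; the parameter names, the temporary key name HKLM\OfflineSoftware and the example mount path are assumptions.

```powershell
# Added example: audit the AppInit_DLLs launch point (not from the original article).
param(
    # Optional path to an offline SOFTWARE hive, e.g. D:\Windows\System32\config\SOFTWARE
    # of a disk mounted from WinPE (assumed path; adjust to your mount point).
    [string]$OfflineHive = '',
    # Delete the live value (step 2 of the article's procedure). Reboot afterwards.
    [switch]$RemoveLiveValue
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Live launch points. The Wow6432Node key exists only on 64-bit Windows, which the
# article predates; it is checked when present.
$livePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Split-DllList([string]$value) {
    # AppInit_DLLs is one REG_SZ; entries are separated by spaces or commas.
    if (-not $value) { return @() }
    return @($value -split '[ ,]+' | Where-Object { $_ -ne '' })
}

function Resolve-AppInitDll([string]$name) {
    # A bare file name is loaded from System32; an entry that cannot be found on
    # disk is the suspect one (the article: "the one you can't find is the one to remember").
    $candidates = @($name)
    if (-not [System.IO.Path]::IsPathRooted($name)) { $candidates += (Join-Path $system32 $name) }
    foreach ($c in $candidates) { if (Test-Path -LiteralPath $c) { return $c } }
    return $null
}

function Get-AppInitReport([string]$keyPath, [string]$label) {
    if (-not (Test-Path -LiteralPath $keyPath)) { return }
    $props = Get-ItemProperty -LiteralPath $keyPath
    $value = [string]$props.AppInit_DLLs
    "[$label] $keyPath"
    "  AppInit_DLLs     = '$value'"
    # LoadAppInit_DLLs (Vista and later) gates the whole mechanism: 0 disables it.
    if ($null -ne $props.LoadAppInit_DLLs) { "  LoadAppInit_DLLs = $($props.LoadAppInit_DLLs)" }
    foreach ($dll in Split-DllList $value) {
        $path = Resolve-AppInitDll $dll
        if ($path) {
            $info = Get-Item -LiteralPath $path -Force
            "  $dll -> $path ($($info.Length) bytes, attributes: $($info.Attributes))"
        } else {
            "  $dll -> NOT FOUND on disk: hidden from the file API, or a dangling entry"
        }
    }
}

foreach ($p in $livePaths) { Get-AppInitReport $p 'live' }

if ($RemoveLiveValue) {
    foreach ($p in $livePaths) {
        if (Test-Path -LiteralPath $p) {
            # The value is optional, so deleting it (as the article's script does) is safe.
            Remove-ItemProperty -LiteralPath $p -Name AppInit_DLLs -ErrorAction SilentlyContinue
        }
    }
    'Live AppInit_DLLs value removed; reboot, then re-run this audit to confirm it stayed empty.'
}

if ($OfflineHive) {
    # Mount the other installation's hive under a temporary key and read the same
    # value there. Run this from WinPE or a clean install: no process of the infected
    # system is running, so nothing can filter what the registry returns.
    reg.exe load HKLM\OfflineSoftware $OfflineHive | Out-Null
    try {
        Get-AppInitReport 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Windows' 'offline'
    } finally {
        [GC]::Collect()                                  # drop lingering key handles
        reg.exe unload HKLM\OfflineSoftware | Out-Null
    }
}
```

If the live read and the offline read disagree, trust the offline one: that difference is exactly the symptom the article describes, a DLL running inside your tools and editing what they see. If the value survives a live delete, delete it from the offline hive instead.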
We've developed a simple, four-step removal procedure for NT-type operating systems (i.e.,
Windows NT 4.0, Windows 2000 Professional, Windows XP Home
& Windows XP Professional).
The AppInit_DLLs value doesn't exist in the registry of Windows 95, Windows 98, Windows 98 SE,
or Windows Millennium, so the procedure doesn't apply.
Like any disinfection procedure, it's a bit risky: it deletes the infecting files and then edits the
registry to remove their (by then non-functional) launch points.
If something goes wrong, and depending on what other changes CWS has made, your PC may no longer work
normally.
This procedure only removes the “stubborn-BHO” variant of CWS.
Before using it, you must get rid of any other malware!
Click here for a general disinfection method.
You use this procedure at your own risk!
- Download
Registrar Lite 2.0,
install it and run it. Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
and look at the AppInit_DLLs value.
Write down the name of the DLL file that's displayed!
(If you see several values separated by commas or spaces, which is unlikely, use Windows Explorer to search
for each one in the Windows\System32 or Winnt\System32 directory. The one you can't find is the one
to remember!)
Exit Registrar Lite.
Note #1:
If Registrar Lite shows a blank AppInit_DLLs value, double-click it. (One user has reported that the
shield-DLL name was only visible after double-clicking this way.)
Note #2:
If the AppInit_DLLs value is missing (it's not required to be present), then you do not have this CWS variant and
you cannot use this procedure.
Note #3:
Do not concern yourself with what you find at the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows
Here, you'll see “AppInit_DLLs” with a value of
“SYS:Microsoft\Windows NT\CurrentVersion\Windows”.
This is completely normal: the IniFileMapping entry only tells Windows that the AppInit_DLLs setting of the
[Windows] section of win.ini is stored in the registry (the SYS: prefix stands for HKEY_LOCAL_MACHINE\SOFTWARE),
so it merely points back to the key you examined in step 1. This is not the right place to look!
- Download and run the
CWS Shield Dropper script.
It will delete the CWS AppInit_DLLs value and reboot Windows. After the reboot, the shield-DLL
file is still on the hard disk, but nothing loads it any more, so it's no longer a threat to your PC.
- Download
Silent Runners. Run it and look at the
list of Browser Helper Objects. One of them will have a very strange name.
Write down the file name, including the full path.
(If you're not sure which BHO was installed by CWS, reboot into Safe Mode and follow steps 5, 7 & 8
on this page. Commercial programs, such as
PestPatrol, are also available to identify and delete BHO pests.)
- Download and run the CWS File Cleaner script
to delete the infecting agents.
Reset your Internet Explorer home page. Your PC should now run normally.
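An added PowerShell example of steps 3 and 4 (not the article's CWS File Cleaner script, whose contents the page does not show): it enumerates the registered Browser Helper Objects, resolves each CLSID to the DLL that Internet Explorer would load, shows whether that file exists on disk and whether it carries a valid Authenticode signature, and then deletes a chosen DLL after undoing the kind of protection the shield-DLL applies (foreign ownership and permissions, the read-only attribute). It must run from an elevated prompt after the AppInit_DLLs value has been removed and Windows rebooted, and it refuses to touch a file that is still mapped into a running process. takeown.exe and icacls.exe are assumed (Vista and later; on the article's NT 4.0/2000/XP, cacls.exe is the nearest equivalent), and the CLSID and file names in the usage lines are placeholders for the values you wrote down.

```powershell
# Added example: list BHOs and delete a protected DLL (not the article's scripts).
function Get-BrowserHelperObject {
    # BHOs are registered by CLSID under these keys (Wow6432Node only on 64-bit);
    # the DLL that IE loads is the default value of the CLSID's InprocServer32 key.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid    = $sub.PSChildName
            $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null; $dll = $null
            if (Test-Path -LiteralPath $classKey) {
                $name = (Get-ItemProperty -LiteralPath $classKey).'(default)'
            }
            if (Test-Path -LiteralPath "$classKey\InprocServer32") {
                $raw = (Get-ItemProperty -LiteralPath "$classKey\InprocServer32").'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            # A BHO with no friendly name, an odd file name and no valid signature is
            # the kind of entry the article tells you to write down.
            $signed = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Exists = $exists; Signed = $signed }
        }
    }
}

function Remove-ProtectedFile([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    # A DLL that is mapped into a process cannot be deleted; the shield-DLL must be
    # gone from memory (AppInit_DLLs removed, then rebooted) before this will work.
    $holders = foreach ($proc in Get-Process) {
        try {
            if ($proc.Modules | Where-Object { $_.FileName -eq $Path }) { $proc.ProcessName }
        } catch { }   # access denied on protected processes is expected
    }
    if ($holders) { throw "Still loaded by: $($holders -join ', '). Reboot first." }
    # Undo the "eccentric" permissions: take ownership, then grant BUILTIN\Administrators
    # (well-known SID S-1-5-32-544) full control.
    takeown.exe /F $Path | Out-Null
    icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null
    # Clear READ-ONLY (and HIDDEN/SYSTEM) so the delete is not refused.
    (Get-Item -LiteralPath $Path -Force).Attributes = 'Normal'
    Remove-Item -LiteralPath $Path -Force
    return -not (Test-Path -LiteralPath $Path)
}

function Remove-BrowserHelperObject([string]$Clsid) {
    # Unregister the BHO and its COM class; the DLL itself is handled separately.
    foreach ($k in @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid")) {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}

# Usage (step 3): inspect the list and note the CLSID and Dll of the odd entry.
Get-BrowserHelperObject | Format-Table CLSID, Name, Dll, Exists, Signed -AutoSize
# Usage (step 4), after the reboot of step 2, with the values you wrote down:
#   Remove-BrowserHelperObject '{CLSID-you-noted}'
#   Remove-ProtectedFile 'C:\WINDOWS\System32\<strange-name>.dll'   # BHO DLL
#   Remove-ProtectedFile 'C:\WINDOWS\System32\<shield-name>.dll'    # shield-DLL noted in step 1
```

The order matters: the file is deleted only once no process holds it, which is why the article makes the AppInit_DLLs removal and the reboot come first; the registry cleanup of the BHO can happen before or after, since a BHO entry whose DLL is gone is harmless.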
If you're still infected, there are several other ways to get rid of whatever you've got,
but they're more complicated. My help is available for a fee.
You may contact me here.