Jump to content

- - - - -

CWS, CoolWebSearch removal procedure...

  • This topic is locked This topic is locked
12 replies to this topic

#1 Dexter


    Boy Genius

  • Forum Mods
  • PipPipPipPip
  • 144 posts

Posted 04 October 2004 - 05:13 PM

Got this off of a mailing list... don't know if it really works or is just a scam but figured I might as well post it here incase anyone needs help.


CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
Rossano Ferraris ([email protected]) and I have
collaborated to develop a simple procedure to remove it from an
NT4-W2K-WXP box.

CWS is widely discussed on the web, but it's poorly understood and
procedures to remove it are often lengthy, cumbersome and ineffective.
Users are sometimes forced to reformat the hard disk to remove it. CWS
comes in a variety of flavors. This post will only consider the most
insidious, which involves two components: a shield-DLL and a BHO
(Browser Helper Object).


The shield-DLL installs itself to the following registry value in
NT4-type systems:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls

Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
application running within the current logon session." IOW, any
ad-ware found here runs concurrently with _every_ program launched. It
is truly astonishing that such a registry location exists.

Here's what the CWS shield-DLL manages to do:

1. It prevents almost all registry editors from displaying it as an
AppInit_Dlls value. This list includes, but is not limited to:
Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
HijackThis, and, my favorite (because I wrote it), the "Silent
Runners.vbs" script. The _only_ program known to display it, for
unknown reasons, is the freeware Registrar Lite 2.0, available
here: http://www.resplendence.com/reglite/

2. It prevents all GUI and command line tools from listing it or
deleting it. This list includes, but is not limited to: Windows
Explorer, DIR, ATTRIB, CACLS, and DEL.

3. The .DLL file has eccentric security permissions (SYNCHRONIZE
and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
from memory, an Admin must reset security to delete the file.

4. It has a unique name on every system it infects.

5. It ensures that a BHO starts up with IE at every boot.

6. If the BHO is deleted, it restores the BHO under a new name at
the next boot.

This combination of features makes it a formidable adversary.


This is a .DLL that installs itself as a subkey of the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

The BHO is responsible for the ad-ware symptoms: change of home page,
profusion of popups, and anything else that foments the users' wrath.
The BHO registry key and the file are not protected; both can be
deleted. The BHO will simply be reloaded under a new name at the next

To eliminate CWS, we have developed a relatively simple procedure
(compared to everything else that's out there) that involves using
Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script
to remove it from AppInit_Dlls, the "Silent Runners" script to
identify the BHO, and, after reboot, a second VBS script to delete the
shield-DLL and BHO files. The procedure and scripts can be found here:

MS please take note:

AppInit_Dlls is a gaping security hole. Unfettered access to this
value should be removed ASAP from NT4/W2K/WXP.

regards, Andrew Aronoff & Rossano Ferraris

Want to know every program (well, almost every program -- CWS being
the exception) that starts up with Windows?
Download "Silent Runners.vbs":

NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
Dexter, Advanced-Basic.Com
[root:/usr/src]$make buildworld
make: Please wait 6-8 weeks for your world to be built and shipped to you. Thank you for your order!

#2 Guest_guestolo_*

  • Guests

Posted 04 October 2004 - 06:39 PM

That seems like an interesting procedure

There's also FAL's FindnFix method
There is also another script you can use do show the offending .dll
written by Mosaic

There is also a little program called DLLCompare that will show the offending .dll
which, if it is the newer variant will be about 56kb in size
the older variant will be roughly 26kb in size

After the hidden .dll is identified, Mosaic has written a script that will expose it on reboot and delete it.
Always good to run CWShredder and Ad-Aware afterwards

That is for this variant of About:blank and CoolWeb

Another variant will add an extra service in services.msc
RubberDucky has written a little program that may help at most times
to disinfect the offending files and service called About:Buster
This may not always rid you of it, sometimes the execution of About:buster
and a simple registry deletion will help.....
Some files may be deleted or altered from the infection

The HOSTS file
Active X settings may be altered
If Spybot is installed on a machine--SDHelper.dll may be missing

#3 Guest_Jayant_*

  • Guests

Posted 24 January 2005 - 09:47 AM

This is my first post here.

CWS hijack is a typical problem. It basically hijacks your browser. CWS Trojan hijacks Internet Explorer start and search settings of several websites. These websites have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer.

If you want more information, please visit


with best regards


#4 Guest_zeroc_*

  • Guests

Posted 26 March 2005 - 01:37 AM

Here I found a website where Users discusses removal of various Coolwebsearch variants.

#5 Guest_jrtech1_*

  • Guests

Posted 15 April 2005 - 04:00 PM

I'm curious about something here. Given the incredible cost of the effects of these malicious programs, (it must be in the millions or higher anually) why isn't someone working on destroying the source of these programs? If there's money to be made writing this crap there must be money in eradicating the source. Lets make these wayward boyscouts real criminals that we can put behind a rock wall for 50 years or so. this should include the entities that contract such people to write this crap for their profit. Remove the motivation (profit) and the problem goes away or at least becomes managable. As long as this problem remains a cat and mouse game of who is smarter, the writer or the detector, it will continue to escalate. You can't get rid of a hornet's nest by treating the stings.

#6 Guest_Dragan_*

  • Guests

Posted 16 April 2005 - 02:25 PM


I have a big problem with CoolWebSearch... I remember having the same problem, maybe one year ago, I just had to download and run that CWShredder and the problems were over. This time the same thing doesnt help. I used CWS, didnt work. I tried to use the new version, the same. It would find and delete some .dll but after I restart, or even without restarting, it would find it again. So it doesnt solve the problem. Then I tried Spybot search and destroy, didnt help. I think I tried one more program, but dont remember the name. In the beginning I would have the start page set to CWS, and couldnt change it, also some pop-up windows offering some stupid downloads. Now somehow, I dont know why, maybe because of some of these programs that I used, I dont have this startpage set to CWS, even after many restartings. But I still get pop-ups, even if IE is not open at all. I also found some instructions by someone how to remove CWS in 4 easy steps with the help of some registry program, which can list the critical .dll file, but it doesnt help with windows millenium, that is installed on my computer. The last thing, that I just did is scanning with HijackThis, and now I am including the log in my post here, hoping someone will help. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:26 PM, on 4/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {10101010-1010-1111-1010-101010101011} - mhtml:C:\\WIN.MHT!
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab

Please help me, I am desperate, :(


#7 Guest_Guest_*

  • Guests

Posted 17 April 2005 - 07:23 PM

Dragan copy and paste the hijackthis log here: http://www.help2go.com
this will give this result
These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
(Description: Home page or search page hijacker (running from temp folder))

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
(Description: Home page or search page hijacker (running from temp folder))

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
(Description: Program running on startup from a temporary folder.)

#8 guestolo


    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 17 April 2005 - 07:31 PM

Dragan, if you need a hand with your log
Please, Read This

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here

#9 Guest_Guest_*

  • Guests

Posted 22 May 2005 - 12:01 AM

Try this Spyware Guide Database - Spyware, Malware and Adware. Seems to work very well for most. Regards

#10 Guest_Guest_*

  • Guests

Posted 23 May 2005 - 02:39 AM

Easy parasite removal instructions:

Remove CWS
Remove CoolWebSearch

#11 Guest_PearShaped_*

  • Guests

Posted 04 June 2005 - 02:50 AM

Even better prevent the Malware from loading in the first place.
Regdefend www.ghostdecurity.com
ProcessGuard: www.diamondcs.com.au

#12 Guest_Guest_*

  • Guests

Posted 03 July 2005 - 12:59 PM

newest coolwebsearch removal instructions can be found here.

#13 Guest_amanda_*

  • Guests

Posted 05 August 2005 - 09:37 AM

hi all,

im on the verge of tears because i'm so frustrated with a virus that was sent through msn messenger.

it's on C: drive as g.exe and I can't seem to remove it.

caused my norton to be disabled and my computer is now left unprotected.

really at my wits end and i really want to avoid a system reformat.

please help! i'm really horrible with computers and