Copyright © 1999 - 2006, Sandra Hardmeier, All
Rights Reserved Worldwide
Last updated
20/08/2006
A complete list of coolwebsearch hijack domains can be found here:
http://www.spywareinfo.com/~merijn/junk/cws_domains.txt
Check this URL out for a comprehensive history and a removal tool - http://www.spywareinfo.com/~merijn/cwschronicles.html
Coolwebsearch is nasty stuff. So nasty that Merijn's web site (above) was the victim of a sustained denial of service attack, which just goes to show how successful, and how effective, his CWShredder tool was. Three cheers for Merijn. (Note: Merijn no longer owns CWShredder; it has been through a few sets of hands since and is currently owned by Trend Micro: http://www.trendmicro.com/cwshredder/)
Coolwebsearch malware (the name is applied to any malware that redirects a computer to a known coolwebsearch-registered domain) is the most persistent malware I have come across yet.
Historical data
Datanotary (one of the coolwebsearch variants) worked by generating a hidden pop-up window whenever the victim typed into a form on a web page. The pop-up was wired in through an Internet Explorer user style sheet, which is why the check looks at that setting: in IE go to Tools, Internet Options, Accessibility. If the option 'Format documents using my style sheet' is turned on, note down the path to the CSS file being used BEFORE turning the option off, then search for that CSS file and rename it (keep the renamed copy rather than deleting it, so it can be examined).
Symptoms also include errors involving psapi.dll, such as "psapi.dll not found" and "psapi.dll file is linked to missing export ntdll.dll".
The file bootconf.exe may also exist on your system; it is used by a hijacker related to coolwwwsearch, coolwebsearch, youfindall.net, ok-search.com and white-pages.ws. See the troubleshooting advice above for guidance on finding and removing such hijackers.
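The Accessibility check above, scripted. This is an added example and not part of the original page: it reads the registry values behind the 'Format documents using my style sheet' option (HKCU\Software\Microsoft\Internet Explorer\Styles, values 'Use My Stylesheet' and 'User Stylesheet'), records the CSS path first as the text advises, disables the option, renames the file so IE can no longer load it, and then greps the renamed file for anything that is not plain CSS. The backup folder name and the quarantine suffix are my own choices, and the grep pattern is an added heuristic (a style sheet that can open a pop-up must carry script, an expression() or a behavior, which an honest CSS file never does).

```powershell
# Added example (not from the original page): inspect and neutralise an Internet
# Explorer user style sheet of the kind the Datanotary variant installed.
# Assumption: the option lives in this key (it does on IE 6 onwards); $backupDir and
# the ".cws-quarantined" suffix are arbitrary choices for this script.
$stylesKey = 'HKCU:\Software\Microsoft\Internet Explorer\Styles'
$backupDir = Join-Path $env:USERPROFILE 'cws-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

if (-not (Test-Path $stylesKey)) {
    Write-Host 'No user style sheet key present; the Datanotary CSS trick is not in use.'
    return
}

$props   = Get-ItemProperty -Path $stylesKey
$enabled = $props.'Use My Stylesheet'   # 1 = "Format documents using my style sheet" ticked
$cssPath = $props.'User Stylesheet'     # path of the CSS file IE applies to every page

Write-Host "Use My Stylesheet = $enabled"
Write-Host "User Stylesheet   = $cssPath"

if ($enabled -eq 1 -and $cssPath) {
    # Record the path BEFORE disabling the option, exactly as the page advises.
    "$(Get-Date -Format o) $cssPath" | Add-Content (Join-Path $backupDir 'user-stylesheet-path.txt')
    Set-ItemProperty -Path $stylesKey -Name 'Use My Stylesheet' -Value 0

    if (Test-Path -LiteralPath $cssPath) {
        # Rename rather than delete: IE can no longer load it, but it stays available for analysis.
        $renamed = "$cssPath.cws-quarantined"
        Rename-Item -LiteralPath $cssPath -NewName (Split-Path -Leaf $renamed)
        Write-Host "Renamed $cssPath -> $renamed"
        # Heuristic (added here): flag lines that carry script, expression() or behavior,
        # none of which belong in a legitimate CSS file.
        Select-String -LiteralPath $renamed -Pattern 'script|expression\(|behavior' |
            ForEach-Object { "  suspicious: $($_.Line.Trim())" }
    } else {
        Write-Host "CSS path not found on disk: $cssPath (search the drive for that file name)"
    }
}
```

Run it from the affected user's session, since the setting is per-user (HKCU); if the file lives outside the profile you may need an elevated prompt to rename it.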
Advice specific to iedll.exe and loader.exe bundle
With MUCH thanks to Rick from "The MacKinzie Family" (who sent me a copy of iedll.exe for examination) and to Galen (aka KGIII, GotRoot etc.), who took pity on me, decompiled the file and told me what it does:
It's a BHO ("browser helper object") affecting Internet Explorer that tries to write to the registry; in Galen's words it "..looks like a fragmented version of SearchBar..".
The problem: an error message when starting Windows: "C:\windows\IEDLL.EXE\ file appears to be corrupt. Reinstall the file and try again."
Search engine/option hijackings:
global-finder.com (in the registry as out.true-counter.com/.../?344012)
searchalot.com
coolwebsearch (appearing in the registry as approvedlinks.com/hp.htm)
The cleanup: use Task Manager (Ctrl+Alt+Del) to make sure iedll.exe is not running. If it is, end the process. Rename iedll.exe to iedll.old (keep the renamed copy rather than deleting it, in case it needs to be examined).
Export, then delete, the following registry entries. Most of them are values under the listed key (for example "Search Bar" is a value in the Main key) rather than keys in their own right, and the two Run entries are the values named iedll and loader:
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\HomeOldSP
HKCU\Software\Microsoft\Internet Connection Wizard\Shellnext
HKLM\Software\Microsoft\Internet Connection Wizard\Shellnext
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [iedll]
C:\WINDOWS\iedll.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [loader]
C:\WINDOWS\LOADER.EXE
NOTE: loader.exe can be a legitimate Windows file. Do NOT delete or rename the file; just delete the Run entry above from the registry!
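The cleanup above as a script. This is an added example, not code from the original page: it stops and renames iedll.exe, then for each entry in the list exports the containing key with reg.exe (reg export cannot export a single value, so the whole key is saved) before deleting the value, or the whole key in the case of SearchURL, and prints the hijacked data on its way out so you can see the approvedlinks.com / true-counter.com style entries the page describes. Only the Run\loader value is removed; C:\WINDOWS\LOADER.EXE itself is left alone, as the NOTE requires. The backup folder is my own choice and the file paths are the ones quoted on the page.

```powershell
# Added example (not from the original page): automate the iedll.exe / loader.exe
# cleanup. Every registry entry is exported with reg.exe before it is removed, so the
# change can be undone with "reg import <file>". Run from an elevated prompt (HKLM).
# Assumptions: $backupDir is arbitrary; file paths are those the page quotes.
$backupDir = Join-Path $env:USERPROFILE 'cws-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Make sure the hijacker is not running, then rename it (keep it for analysis).
Get-Process -Name iedll -ErrorAction SilentlyContinue | Stop-Process -Force
$iedll = Join-Path $env:WINDIR 'iedll.exe'
if (Test-Path $iedll) { Rename-Item $iedll 'iedll.old'; Write-Host "Renamed $iedll -> iedll.old" }

# 2. Entries to export and delete. Value = $null means the whole key goes;
#    otherwise only that value is removed from the key.
$entries = @(
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\SearchURL';    Value = $null },
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\Main';         Value = 'Search Bar' },
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\Main';         Value = 'Search Page' },
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\Main';         Value = 'Default_Page_URL' },
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\Main';         Value = 'Default_Search_URL' },
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\Main';         Value = 'HomeOldSP' },
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\Search';       Value = 'SearchAssistant' },
    @{ Key = 'HKCU\Software\Microsoft\Internet Explorer\Search';       Value = 'CustomizeSearch' },
    @{ Key = 'HKLM\Software\Microsoft\Internet Explorer\Main';         Value = 'Search Bar' },
    @{ Key = 'HKCU\Software\Microsoft\Internet Connection Wizard';     Value = 'Shellnext' },
    @{ Key = 'HKLM\Software\Microsoft\Internet Connection Wizard';     Value = 'Shellnext' },
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run';     Value = 'iedll' },
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run';     Value = 'loader' }   # value only; LOADER.EXE stays
)

$n = 0
foreach ($e in $entries) {
    # reg.exe wants HKCU\..., the PowerShell provider wants HKCU:\...
    $psPath = $e.Key -replace '^HKCU\\', 'HKCU:\' -replace '^HKLM\\', 'HKLM:\'
    if (-not (Test-Path $psPath)) { continue }
    $n++
    & reg.exe export $e.Key (Join-Path $backupDir ('{0:D2}.reg' -f $n)) /y | Out-Null

    if ($null -eq $e.Value) {
        Remove-Item -Path $psPath -Recurse -Force
        Write-Host "Deleted key   $($e.Key)"
        continue
    }
    $prop = Get-ItemProperty -Path $psPath -Name $e.Value -ErrorAction SilentlyContinue
    if ($prop) {
        # Show the hijacked data (e.g. approvedlinks.com/hp.htm) before it goes.
        $old = $prop.($e.Value)
        Remove-ItemProperty -Path $psPath -Name $e.Value
        Write-Host "Deleted value $($e.Key)\$($e.Value) = $old"
    }
}
Write-Host "Backups written to $backupDir"
```

Deleting the Main values (Search Page, Default_Page_URL and so on) simply drops IE back to its built-in defaults; set your preferred home and search pages again afterwards, and re-run the script after a reboot to confirm nothing has re-created the Run entries.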