Copyright © 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006

A complete list of coolwebsearch hijack domains can be found here:

http://www.spywareinfo.com/~merijn/junk/cws_domains.txt

 

Check this URL out for a comprehensive history and a removal tool - http://www.spywareinfo.com/~merijn/cwschronicles.html

 

Coolwebsearch is nasty stuff. So nasty that Merijn's web site (above) was the victim of a sustained Denial of Service attack, which just goes to show how successful, and how effective, his cwshredder tool was. Three cheers for Merijn. (Note: Merijn no longer owns cwshredder. It has been through a few sets of hands now and is currently owned by Trend Micro: http://www.trendmicro.com/cwshredder/)

 

Coolwebsearch malware (so named if malware directs a computer to a known coolwebsearch registered domain) is the most persistent malware I have come across yet.

Historical data

Datanotary (also known as coolwebsearch) worked by generating a (hidden) pop-up window that is triggered when a victim tries to type into a form on a web page. In IE, go to Tools, Internet Options, Accessibility. If the option to 'format documents using my style sheet' is turned on, turn it off AFTER noting down the path to the CSS file being used. Search for and rename that CSS file.

This hijacker causes errors involving psapi.dll - psapi.dll not found... psapi.dll file is linked to missing export ntdll.dll

The file bootconf.exe may exist on your system, which is used by a hijacker related to coolwwwsearch, coolwebsearch, youfindall.net, ok-search.com and white-pages.ws.  Check the troubleshooting advice above for guidance on finding and getting rid of such hijackers.

 

Advice specific to iedll.exe and loader.exe bundle

 

With MUCH thanks to Rick from "The MacKinzie Family" (who sent me a copy of iedll.exe for examination) and Galen (aka KGIII and GotRoot etc) who took pity on me, decompiled the file and told me what it does...

 

It's a BHO ("browser helper object"), affecting Internet Explorer, that tries to write to the registry: "..looks like a fragmented version of SearchBar.."

 

The problem: error message when starting Windows - " C:\windows\IEDLL.EXE\ file appears to be corrupt.  Reinstall the file and try again."

 

Search engine/option hijackings:

 

global-finder.com (in the registry as out.true-counter.com/.../?344012)

searchalot.com

coolwebsearch (appearing in the registry as approvedlinks.com/hp.htm)


The cleanup: Use Task Manager (ctrl, alt, del) to make sure iedll.exe is not running. If it is, shut it down. Rename iedll.exe to iedll.old.

 

Export then delete the following registry keys:

 

HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\HomeOldSP
HKCU\Software\Microsoft\Internet Connection Wizard\Shellnext
HKLM\Software\Microsoft\Internet Connection Wizard\Shellnext

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [iedll] C:\WINDOWS\iedll.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [loader] C:\WINDOWS\LOADER.EXE

 

NOTE: Loader.exe can be a legitimate Windows file. Do NOT delete or rename the file - just delete the entry above from the registry!!
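
The cleanup steps above as a PowerShell script. This is an added example, not part of the original page or any tool it mentions. The -Apply switch and the backup folder are assumptions; the file path and registry entries are the ones listed above.

```powershell
param(
    [switch]$Apply,                                # without -Apply nothing is removed
    [string]$BackupDir = "$env:TEMP\cws-backup"    # assumed backup location
)
$dry = -not $Apply

# Entries exactly as listed on the page. Some name a key, others a value
# under a key, so each one is tested both ways below.
$ie  = 'Software\Microsoft\Internet Explorer'
$icw = 'Software\Microsoft\Internet Connection Wizard'
$run = 'Software\Microsoft\Windows\CurrentVersion\Run'
$entries = @(
    "HKCU:\$ie\SearchURL", "HKCU:\$ie\Main\Search Bar", "HKCU:\$ie\Main\Search Page",
    "HKCU:\$ie\Main\Default_Page_URL", "HKCU:\$ie\Main\Default_Search_URL",
    "HKCU:\$ie\Search\SearchAssistant", "HKCU:\$ie\Search\CustomizeSearch",
    "HKLM:\$ie\Main\Search Bar", "HKCU:\$ie\Main\HomeOldSP",
    "HKCU:\$icw\Shellnext", "HKLM:\$icw\Shellnext",
    # Run values only: the loader.exe file itself is never renamed or deleted.
    "HKCU:\$run\iedll", "HKCU:\$run\loader"
)

if (Get-Process -Name iedll -ErrorAction SilentlyContinue) {
    Write-Warning 'iedll.exe is still running; end it in Task Manager first.'
    return
}
$exe = 'C:\WINDOWS\iedll.exe'                      # path as shown in the Run entry
if (Test-Path -LiteralPath $exe) { Rename-Item -LiteralPath $exe -NewName 'iedll.old' -WhatIf:$dry }

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$n = 0
foreach ($e in $entries) {
    $parent = Split-Path $e -Parent
    $leaf   = Split-Path $e -Leaf
    if (Test-Path -LiteralPath $e) {
        $key, $value = $e, $null                   # the entry is a key
    } elseif ((Test-Path -LiteralPath $parent) -and
              (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue)) {
        $key, $value = $parent, $leaf              # the entry is a value under $parent
    } else { continue }                            # not present on this machine

    # Export first (done even in a dry run) so the change can be undone.
    $n++
    $regPath = $key -replace '^(HK\w+):', '$1'
    reg.exe export $regPath (Join-Path $BackupDir "cws-$n.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export $regPath; skipped."; continue }

    if ($value) { Remove-ItemProperty -LiteralPath $key -Name $value -WhatIf:$dry }
    else        { Remove-Item -LiteralPath $key -Recurse -WhatIf:$dry }
}
```

Run it once without -Apply to review what would be removed. The HKLM entries need an elevated session.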

 

See here for Merijn's CWS domain list