Saturday 02 October 2004

Why CoolWebSearch is difficult to remove

Back in June 2004, I couldn't understand why Merijn, the author of CWShredder (the only tool known to safely remove CoolWebSearch), ceased development of his software. I couldn't understand why he found it difficult to hunt down the Trojan on infested PCs (I took it for granted that he is a clever guy, and I didn't appreciate the difficulties involved in battling CoolWebSearch). I haven't had a personal acquaintance with CoolWebSearch on my own PC, but I have been called to fix PCs infested with CoolWebSearch, and CWShredder has always been a great help, so I was disappointed with his decision at the time.

However, in How to Remove CoolWebSearch from a Windows NT based PC, Rossano Ferraris and Andrew Aronoff mention a file called "shield-DLL" which CWS stores in a sensitive location of the registry: the AppInit_Dlls value.

According to Rossano Ferraris and Andrew Aronoff, Shield-DLL:

The above should explain why anti-spyware tools such as Spybot Search & Destroy, Ad-Aware, etc. may not be able to remove CoolWebSearch: they can see the BHO, but they cannot see "shield-dll", which creates a new BHO at the next boot and then renames it!
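As an added example that is not from this post or from the removal guide it cites, the following PowerShell audit reads the two registry locations just described, the AppInit_Dlls value and the Browser Helper Objects list, and flags any BHO whose DLL is also referenced from AppInit_Dlls. It assumes the standard key paths for those two locations on a modern Windows (including the Wow6432Node copies), PowerShell 5.1 or later, and an elevated prompt; the CLSID resolution and Authenticode check are my addition, not part of the guide's four steps.

```powershell
# Added example, not from the original post. Assumed key paths are the
# standard registration points for AppInit_DLLs and BHOs on Windows NT-based
# systems; run from an elevated PowerShell prompt.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

# 1. AppInit_DLLs: any non-empty value deserves a look, because every DLL listed
#    there is loaded into every process that loads user32.dll.
$appInitDlls = @()
foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $value = [string]$props.AppInit_DLLs
    Write-Host ("{0}`n  AppInit_DLLs     = '{1}'`n  LoadAppInit_DLLs = {2}" -f $key, $value, $props.LoadAppInit_DLLs)
    # The value is a space- or comma-separated list of DLL names or paths.
    $appInitDlls += @($value -split '[ ,]+' | Where-Object { $_ })
}

# 2. Browser Helper Objects: resolve each CLSID to the DLL that implements it,
#    check its Authenticode status, and flag overlap with AppInit_DLLs.
foreach ($key in $bhoKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = $null
        foreach ($root in $clsidRoots) {
            $server = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($server) { break }
        }
        $dll      = if ($server) { [string]$server.'(default)' } else { '<no InprocServer32>' }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $sig      = if (Test-Path $expanded) { (Get-AuthenticodeSignature $expanded).Status } else { 'file missing' }
        $overlap  = $appInitDlls | Where-Object { $expanded -like "*$([IO.Path]::GetFileName($_))" }
        $flag     = if ($overlap) { '  <-- also listed in AppInit_DLLs' } else { '' }
        Write-Host ("BHO {0}`n  {1}  [{2}]{3}" -f $clsid, $expanded, $sig, $flag)
    }
}
```

Because the post's point is that the BHO entry is re-created at the next boot, run the audit once, reboot, and run it again: a BHO that reappears under a new CLSID or file name while AppInit_DLLs stays populated is the pattern described above.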

Rossano Ferraris and Andrew Aronoff offer a four-step approach to removing CoolWebSearch from Windows NT-based PCs (Windows 9x PCs don't have the AppInit_Dlls value), but perhaps more importantly, I can now appreciate the uphill task Merijn had in battling CoolWebSearch.

However, unless I am mistaken, Rossano Ferraris and Andrew Aronoff's four-step approach relies on Registrarlite being able to see what is stored at the AppInit_Dlls value. I wonder what will happen when the next version of "Shield-DLL" becomes invisible to Registrarlite?

Related Reading