CoolWebSearch details

  • Description

DataNotary, BootConf, MSInfo variants

For these variants, start by opening Tools->Internet Options->Accessibility and make sure the ‘user style sheet’ option is turned off. You should then be able to delete the user stylesheet from the Windows folder. With DataNotary it is called ‘default.css’; with MSInfo it is called ‘oslogo.bmp’; with Bootconf it may be either.

MSInfo variant only

Next, open the file ‘win.ini’ from the Windows folder in a text editor. Delete the line

    run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe

and save. (This line may change a little on different systems, but will always point to msinfo.exe.) Open the ‘Common Files’ folder inside ‘Program Files’, and delete the ‘MSInfo’ folder directly inside here (not the one in the ‘Microsoft Shared’ folder, which is a valid system folder).

BootConf, SvcHost variants

Next, open the registry (Start->Run->regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete the bootconf.exe or svchost.exe entry. You can then delete the bootconf.exe or svchost32.exe file from the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP).

BootConf, SvcHost, MSInfo variants

From the System folder, open the drivers->etc folders and find the file named ‘HOSTS’, with no extension. Either edit it to remove the hijacker entries, or simply delete the file.

PnP variant

Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘SysPnP’ entry, and the ‘oemsyspnp.inf’ file from the ‘inf’ folder (which is inside the Windows folder).

KeyMgr variant

Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘keymgrldr’ entry, and the ‘keymgr3.inf’ file from the ‘inf’ folder (which is inside the Windows folder).
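The variants above are all found by hand in three places: the Run key, the IE user style sheet setting and the HOSTS file. The following read-only PowerShell audit (an added example, not part of the original page) lists those three places and flags the value names and file names the instructions mention; the IE Styles key it reads is the registry location behind the ‘user style sheet’ option and is not named on the page.

```powershell
# Added example: read-only audit of the load points used by the
# DataNotary/BootConf/SvcHost/PnP/KeyMgr variants. Nothing is changed.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$styleKey = 'HKCU:\Software\Microsoft\Internet Explorer\Styles'   # backs IE's 'user style sheet' option
$hosts    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Value names and image names quoted in the removal instructions above.
$suspectNames  = 'SysPnP', 'keymgrldr'
$suspectImages = 'bootconf.exe', 'svchost32.exe', 'svchost.exe'

Write-Host "== Run key: $runKey"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        $hit = ($suspectNames -contains $p.Name) -or
               ($suspectImages | Where-Object { $p.Value -match [regex]::Escape($_) })
        # The genuine svchost.exe is started by the Service Control Manager,
        # never from Run, so any svchost entry here deserves a look.
        if ($hit) { Write-Host "SUSPECT  $($p.Name) = $($p.Value)" }
        else      { Write-Host "         $($p.Name) = $($p.Value)" }
    }
}

Write-Host "== IE user style sheet"
$styles = Get-ItemProperty -Path $styleKey -ErrorAction SilentlyContinue
if ($styles -and $styles.'Use My Stylesheet' -eq 1) {
    Write-Host "SUSPECT  user style sheet enabled: $($styles.'User Stylesheet')"
} else { Write-Host "         user style sheet not enabled" }

Write-Host "== HOSTS file: $hosts"
if (Test-Path $hosts) {
    Get-Content $hosts | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()                # drop comments and blank lines
        if (-not $line) { return }
        $ip, $names = $line -split '\s+', 2
        # The stock file only maps localhost to loopback; anything mapped
        # elsewhere, or any other name on loopback, is a hijack candidate.
        if ($ip -notin @('127.0.0.1', '::1')) { Write-Host "SUSPECT  $line" }
        elseif ($names -notmatch '^localhost') { Write-Host "CHECK    $line" }
    }
}
```

Run it from an elevated prompt before and after the manual steps; a clean result is an empty SUSPECT list and a HOSTS file containing only localhost lines.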
MSSPI variant

Removing a Layered Service Provider by hand is tricky and if you get it wrong you’ll lose your internet connection. If you really want to try, open the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, delete the subkeys starting with the path of msspi.dll, renumber the remaining subkeys, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key to match the highest numbered subkey left. Normally it is better to get a program (eg. CWShredder, HijackThis or LSPFix) to remove an LSP for you. Having done that, open the registry and check the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for an ‘msupdate’ entry; delete it if you find it. Restart the computer and you should be able to delete msspi.dll in the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP), along with msupdate.exe if you have it.

DNSRelay variant

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u dnsrelay.dll

Restart and you should be able to delete the file ‘dnsrelay.dll’ in the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP).

ASTCtl variant

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u astctl32.dll

Restart and you should be able to delete the file ‘dnsrelay.dll’ in the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP).

WinUpd variant

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entry on the right called ‘winupd’ pointing to winupd.exe. Restart the computer and you should be able to delete the file winupd.exe from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me).

XPlugin variant

Open a command prompt window (from Start->Programs->Accessories; called DOS Prompt under Windows 95/98/Me) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u xplugin.dll

For Windows NT/2000/XP/2003, open the registry and select the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Right-click the ‘DataBasePath’ entry on the right and choose ‘Delete’. Then right-click again to create a ‘New’ ‘String Value’. Call it ‘DataBasePath’ then double-click it to edit. Set the value to ‘%SystemRoot%\System32\drivers\etc’. Restart the machine and you should be able to delete the files ‘xplugin.dll’, ‘tksrv99.exe’ and ‘tmksrvu.exe’ from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me). tmksrvu is likely to be hidden, so make sure your Folder Options are set to ‘Show hidden files and folders’. If you use a web proxy, you should also open Internet Options->Connections and remove the domains lender-search.com and hot-searches.com from the ‘Exceptions’ list for each internet connection.

BlankFilter variant

Open a Command Prompt window (from Start->Programs->Accessories; called DOS Prompt under Windows 95/98/Me) and enter the following commands, for when the filename used is madopew.dll:

    cd "%WinDir%\System"
    regsvr32 /u "..\madopew.dll"

Or, for mindep.dll:

    cd "%WinDir%\System"
    regsvr32 /u "..\mindep.dll"

Or, for openwin.dll:

    cd "%WinDir%\System"
    regsvr32 /u "..\openwin.dll"

You should get an error message, but the software should be stopped nonetheless. Reboot the computer and you should be able to delete the relevant file from the Windows folder.

ResFilter, RndFilter variants

Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and select the key HKEY_CLASSES_ROOT\Protocols\Filter\text/plain. Note down the value given in the ‘CLSID’ entry on the right, then delete the text/plain and text/html subkeys. Open the HKEY_CLASSES_ROOT\CLSID key and its subkey with the same number as above. Select the InprocServer32 key and note down the (Default) value given on the right. This is the filter filename. For the ResFilter variant this might be protect32.dll, mcicdb.dll or cdae.dll; for the RndFilter variant it will be completely random. Now delete the long number subkey you selected. Select the My Computer root at the top of the registry and press ctrl-F to open the search box. Search the registry for the filter filename you found above. You should find one more subkey of HKEY_CLASSES_ROOT\CLSID whose InprocServer32 corresponds to the same file. Again, note down the long number then delete the numbered subkey. Finally, open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. Find the last number in the list of subkeys and delete it. Reboot the computer and you should be able to delete the file whose name you found above from the System32 folder (inside the Windows folder; called just ‘System’ under Windows 95/98/Me).

msbho variant

Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. For each {long-hex-number} subkey, open the subkey of the same name inside the key HKEY_CLASSES_ROOT\CLSID, and select the InprocServer32 subkey. On the right, check the filename pointed to by the ‘(Default)’ entry; for one of the class IDs, the filename will be msXXX.dll. Open a Command Prompt window (from the Accessories submenu in [All] Programs on the Start menu) and enter the following commands:

    cd %WinDir%\System
    regsvr32 /u msXXX.dll

replacing msXXX.dll with the filename you found in the InprocServer32 key. Restart the computer and you should be able to delete this file from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me). Open the registry and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the entry sp2chk.exe pointing to the file sp2chk.exe. Restart the computer and two files should become visible in the System32 folder, sp2chk.exe and hdXXX.dll (where XXX is another three random lower-case letters). Delete these files. You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\hdXXX and the entries emanger, emanelif and emandislc inside the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion to clean up.

To remove the Trusted Site backdoor, open the Control Panel’s Internet Options and, on the Security tab, choose Trusted Sites Zone and click the Sites button. Remove the entry http://*.63.219.181.7/ from the sites list.

To remove the DNS hijack, open the Control Panel’s Network Connections list, and open the Properties of each connection in turn. Select Internet Protocol (TCP/IP) and click Properties. Set the addresses of your usual DNS servers to replace the hijack. Unfortunately the hijacker does not save the original addresses. If you don’t know what they should be, try using ‘Obtain DNS server address automatically’, which will work for many typical internet providers. If you have a router, try using its IP address.

DOMPeek variant

Open the Task Manager (press ctrl-alt-delete). On the ‘Processes’ list, select ‘MSMSGSVC.exe’ and click ‘End process’. Next, open a command prompt window (from Start->Programs->Accessories; called DOS Prompt under Windows 95/98/Me) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "..\dpe.dll"

Restart the computer and you should be able to delete the dpe.dll and msmsgsui.exe files in the Windows folder, along with MSMSGSVC.exe in the System folder (inside the Windows folder, called System32 in Windows NT/2000/XP/2003).

InetDoor variant

Unless you have an anti-virus program that specifically knows how to remove the import table entries from startup programs affected by InetDoor, removal is difficult. You can delete the file, but then any of the affected programs will refuse to run. A short term workaround is to replace the InetDoor DLL with a dummy version that does nothing. You can then uninstall and reinstall each program with a component set to run on startup. To do this, download InetDummy.dll and restart the computer in Safe Mode. To get the menu for Safe Mode, press F8 just as Windows starts to boot — on the NT boot loader menu if you have one, else just hammer it as the computer starts up. Open the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me) and find the InetDoor file. It will be called msNNNNNN.dll, where NNNNNN is a six-digit hexadecimal number. There will also be .cfg and .da0 files with the same name. Rename msNNNNNN.dll to msNNNNNN.bak, then drop the InetDummy.dll file into this folder and rename it msNNNNNN.dll (the same name as the original DLL). Reboot the computer and if all goes well you can delete msNNNNNN.bak, .cfg and .da0.

mshelp variant

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the entry ‘mshelp32’ or ‘Microsoft Help System’ pointing at mshelp32.exe. Restart the computer and you should be able to delete the file mshelp32.exe inside the System32 folder (inside the Windows folder; called just ‘System’ under Windows 95/98/Me).

svnhost variant

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. On the right, delete the entry ‘System’ pointing at dx90vb.dll. You can also delete the key HKEY_CLASSES_ROOT\CLSID\{AC1ED322-946E-478A-8FF2-55EE5A0861CD}. Restart the computer and you should be able to delete the files dx90vb.dll and svñhost.exe inside the System32 folder (inside the Windows folder; called just ‘System’ under Windows 95/98/Me).

InternetMgr variant

The internetmgr.exe file normally cannot be found to delete in the System32 folder, or found to kill in the process list, and it constantly monitors its registry startup entry to stop it being deleted. However, if you open a Command Prompt window (Start->Programs->Accessories) and issue the commands

    cd %WinDir%\System32
    dir internet*

(use ‘System’ instead of ‘System32’ on Windows 95/98/Me) you can see the missing files. To stop it running, boot the computer in Safe Mode by pressing F8 as Windows begins to run (at the boot menu if you have one, otherwise just hit F8 as the computer boots up) and choosing Safe Mode from the menu. You can then delete the internetmgr.exe and internetdef.dll files from the System32 folder (inside the Windows folder; just ‘System’ on Windows 95/98/Me), and remove the startup entry by opening the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’), selecting the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and, on the right, deleting the entry ‘SystemRequired’ pointing at internetmgr.exe.
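The ResFilter/RndFilter, msbho and svnhost steps above all come down to the same lookup: take a CLSID from a load point, open it under HKEY_CLASSES_ROOT\CLSID and read the DLL from InprocServer32. This PowerShell listing (an added example, not part of the original page) does that lookup for all three load points in one read-only pass and shows each DLL's Authenticode status; the .NET registry call for the filter keys is needed because PowerShell's registry provider would read the ‘/’ in ‘text/plain’ as a path separator.

```powershell
# Added example: resolve BHOs, MIME filters and ShellServiceObjectDelayLoad
# entries to the DLL behind each CLSID. Read-only; run elevated.
function Resolve-Clsid([string]$clsid) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) { return '(no InprocServer32)' }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    # Signature status is a quick triage hint; an unsigned or missing DLL
    # in System32 with a random name is the pattern described above.
    $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'MISSING FILE' }
    "$dll  [$sig]"
}

Write-Host '== Browser Helper Objects'
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "$($_.PSChildName) -> $(Resolve-Clsid $_.PSChildName)"
}

Write-Host '== MIME filters (text/plain, text/html)'
foreach ($mime in 'text/plain', 'text/html') {
    # Opened through .NET: the '/' in the key name defeats the registry provider.
    $k = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("Protocols\Filter\$mime")
    $clsid = if ($k) { $k.GetValue('CLSID') } else { $null }
    # A clean system normally has no filter registered for either type.
    if ($clsid) { Write-Host "SUSPECT $mime -> $clsid -> $(Resolve-Clsid $clsid)" }
    else        { Write-Host "        $mime : no filter registered" }
}

Write-Host '== ShellServiceObjectDelayLoad'
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell metadata
        Write-Host "$($p.Name) = $($p.Value) -> $(Resolve-Clsid $p.Value)"
    }
}
```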
DownCom variant

Open a Command Prompt window (from the Accessories submenu in [All] Programs on the Start menu) and enter the following commands:

    cd %WinDir%\System
    regsvr32 /u "..\Downloaded Program Files\ipreg32.dll"

Restart the computer, open the Downloaded Program Files folder (inside the Windows folder) and remove the ‘CDownCom Class’ entry.
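The MSSPI variant section above warns that hand-editing the Winsock catalog breaks networking if the renumbering or Num_Catalog_Entries goes wrong. This PowerShell check (an added example, not part of the original page) lists which DLL each Catalog_Entries subkey loads and verifies the invariant the manual edit must preserve, without changing anything; it assumes, as Winsock2 stores it, that each entry's PackedCatalogItem binary value begins with the provider path as a NUL-terminated ANSI string.

```powershell
# Added example: read-only consistency check of the Winsock2 protocol
# catalog referenced by the MSSPI removal steps. Run elevated.
# On 64-bit Windows a parallel Catalog_Entries64 subkey exists too.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
$entries = Get-ChildItem -Path "$base\Catalog_Entries" | Sort-Object PSChildName
$numbers = @()
foreach ($e in $entries) {
    $n = [int]$e.PSChildName                       # subkeys are named 000000000001, ...
    $numbers += $n
    # PackedCatalogItem is REG_BINARY; its leading bytes are the provider DLL path.
    $packed = (Get-ItemProperty -Path $e.PSPath).PackedCatalogItem
    $end = [Array]::IndexOf($packed, [byte]0)
    if ($end -lt 0) { $end = $packed.Length }
    $dll  = [Text.Encoding]::ASCII.GetString($packed, 0, $end)
    $full = [Environment]::ExpandEnvironmentVariables($dll)
    $flag = if ($full -match 'msspi\.dll$')   { 'SUSPECT' }
            elseif (-not (Test-Path $full))   { 'MISSING' }   # orphaned entry: also breaks sockets
            else                              { '       ' }
    Write-Host ("{0} {1,4} {2}" -f $flag, $n, $full)
}

# The invariant the manual procedure must keep: subkeys numbered 1..N with no
# gaps, and Num_Catalog_Entries equal to the highest number left.
$declared = (Get-ItemProperty -Path $base).Num_Catalog_Entries
$highest  = ($numbers | Measure-Object -Maximum).Maximum
$gaps     = 1..$highest | Where-Object { $numbers -notcontains $_ }
if ($declared -ne $highest -or $gaps) {
    Write-Host "INCONSISTENT: Num_Catalog_Entries=$declared, highest subkey=$highest, gaps: $($gaps -join ',')"
    Write-Host "This is the state that leaves the machine without a working internet connection."
} else {
    Write-Host "Catalog consistent: $declared entries, no gaps."
}
```

Run it before touching the catalog to record the baseline, and again after the edit (or after CWShredder, HijackThis or LSPFix has done it) to confirm the count and numbering still agree.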