The common variants of CoolWebSearch install themselves on your system when you visit any Web site affiliated with CoolWebSearch.com. Pop-up ads at these sites exploit a known security vulnerability in the ByteCodeVerifier component of the Microsoft Virtual Machine, which comes bundled with Windows 98/Me/2000/XP/Server 2003, and Windows Small Business Server 2003. You are most likely to acquire CoolWebSearch when you visit pornography sites.

How To Tell If CoolWebSearch Is Present On Your System

Most CoolWebSearch variants reset the start page to CoolWebSearch.com, but some variants reset the start page to Allhyperlinks.com, Datanotary.com, True-counter.com, a particular pornographic site, or another type of site. Other symptoms include unusual browser behavior, poor browser performance, and error messages when you start your computer.

How To Get Rid Of CoolWebSearch With CWShredder

The most effective tool at removing all variants of CoolWebSearch is an antispyware utility called CWShredder, which is available as a free download at cwshredder.net/bin/CWShredder.exe.

After downloading the CWShredder.exe file, locate it on your system and double-click it to display the CWShredder window. Click the Fix button. CWShredder will systematically scan your system for each variation of CoolWebSearch and, upon finding one or more, will remove it from your PC. When the scan is complete, click Next and Exit to close CWShredder.

WARNING: The following section includes step-by-step information on how to edit the Windows Registry, a large database containing system and program settings that are essential to how the OS (operating system) operates. Follow Registry-editing instructions to the letter and be sure to make a backup of your Registry before you begin. (Registry errors can render your computer inoperable if you don't have a backup.) This procedure differs depending on the OS you use. For more information on backing up and editing the Registry, see these articles: "Protect Yourself" and "Register Here."

How To Get Rid Of CoolWebSearch Manually

Each CoolWebSearch variant affects your system in a unique way and, therefore, requires a different method of removal. Moreover, the spyware has become increasingly sophisticated in its manner of infiltrating PCs, making manual removal an extraordinarily difficult task for even hard-core computer users. For this reason, we strongly encourage you to download and install CWShredder if you believe CoolWebSearch or one of its variants infected your system.

Nevertheless, it is possible to manually remove some variants of CoolWebSearch. For illustrative purposes, we will describe how to remove three of the most common variants: CWS/Datanotary (the original CoolWebSearch variant), CWS/Msinfo, and CWS/Oemsyspnp. The first step is to identify which one you have. You can recognize the Datanotary variant by the fact that it resets the start page to DataNotary.com, whereas the Msinfo variant resets the start page to True-counter.com or Global-finder.com, and the Oemsyspnp variant resets the start page to Allhyperlinks.com or a particular pornographic site. After identifying your CoolWebSearch variant, you can take specific steps to remove it.

To remove CWS/Datanotary, open the Tools menu in IE and select Internet Options. On the General tab of the resulting Internet Options dialog box, click the Accessibility button. An Accessibility dialog box will appear on-screen. Deselect the Format Documents Using My Style Sheet option and click OK.

Next, open the Windows search utility. WinXP users can access it by opening the Start menu, choosing Search, and clicking All Files And Folders in the Search Results window. WinMe users will need to open the Start menu, choose Search, and click For Files And Folder. Or, if you use Win98, open the Start menu, choose Find, and click Files Or Folders.

Use the resulting search utility to locate the Default.css file on the Windows drive. When you find it, right-click the file in the list of results and select Delete from the pop-up menu. Click Yes to verify that you want to remove the file.

The process of removing CWS/Msinfo is slightly more complicated. Start by accessing the Internet Options dialog box and deselecting the Format Documents Using My Style Sheet option. Then, use the Windows search utility to find the Oslogo.bmp file and delete it. When you finish that, you'll need to edit the contents of the Win.ini file. You can do so in WinXP and WinMe by opening My Computer and locating the WINDOWS\Win.ini file on the Windows drive. Right-click the file, click Open With, select Notepad from the resulting list, and click OK. In Win98, however, you'll need to access Notepad from the Start menu by burrowing through the Programs and Accessories submenus. From the Notepad window, click Open from the File menu, set the Files Of Type field to All Files (*.*), and locate the Win.ini file in the WINDOWS folder. Select the Win.ini file and click Open.

Either way, the contents of the Win.ini file will appear inside a text editor. Peruse the contents of the file for a Run= line that refers to a file called Msinfo.exe. Highlight the line and press the DELETE key. Open the File menu, select Save, and close Notepad. Next, open My Computer, locate the PROGRAM FILES\COMMON FILES\MSINFO folder, and delete it. Finally, search your system for a Hosts file—this file, which may carry a .SAM file extension, is most likely located somewhere inside the WINDOWS, WINDOWS\SYSTEM, or WINDOWS\SYSTEM32 folder—and delete it. (NOTE: You may discover another MSINFO folder located inside the PROGRAM FILES\COMMON FILES\MICROSOFT SHARED folder. This is a legitimate system folder, so don't delete it.)

You can remove our third variant example, CWS/Oemsyspnp, by editing the Registry. Open the Registry Editor (from the Start menu, select Run, type regedit in the field, and click OK) and locate the HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key. Peruse the contents of this key for a value that refers to SysPnP. Right-click the corresponding value and select Delete. Verify that you want to remove the file by clicking Yes and then close the Registry Editor. Next, open My Computer. Open its Tools menu (the View menu in Win98) and select Folder Options. On the View tab of the resulting Folder Options dialog box, select Show Hidden Files And Folders (Show All Files in Win98) and deselect Hide Extensions For Known File Types (Hide File Extensions For Known File Types in WinMe and Win98). Click OK to save your changes. Now burrow through the WINDOWS\INF folder to locate the Oemsyspnp.info file. Delete this file.

The last step you need to take for each of the processes we just described is to reset the start page and other browser settings to their default position. Open the Internet Options dialog box in IE, select the Programs tab, click the Reset Web Settings button, and click OK. Clean out your Favorites folder, too, by opening the Favorites menu, selecting the Organize Favorites option, and deleting unwanted shortcuts in the resulting Organize Favorites dialog box.