Back in June 2004, I couldn't understand why Merijn, the author of CWShredder (the only tool known to safely remove CoolWebSearch), ceased development of his software. I couldn't understand why he found it difficult to hunt down the Trojan on infested PCs (I took it for granted that he is a clever guy, and I didn't appreciate the difficulties involved in battling CoolWebSearch). I haven't had a personal acquaintance with CoolWebSearch on my own PC, but I have been called to fix PCs infested with CoolWebSearch, and CWShredder has always been a great help, so I was disappointed with his decision at the time.
However, in How to Remove CoolWebSearch from a Windows NT based PC, Rossano Ferraris and Andrew Aronoff mention a file called "shield-DLL" which CWS registers in a sensitive location of the registry: the AppInit_DLLs value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows). Any DLL listed there is loaded by user32.dll into every process that loads user32.dll, so a DLL planted in that value runs inside practically every GUI process on the machine, including the anti-spyware tools themselves.
According to Rossano Ferraris and Andrew Aronoff, Shield-DLL has a cloaking device which renders it invisible to registry-editing tools; therefore all editors show an empty AppInit_DLLs value, except for the freeware Registrar Lite 2.0 which, for unexplained reasons, can see the AppInit_DLLs value.
The above should explain why anti-spyware tools such as Spybot Search & Destroy, Ad-Aware etc. may not be able to remove CoolWebSearch: they can see the BHO, but they cannot see "shield-DLL", which creates a new BHO at the next boot and then renames it!
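The practical check this suggests is to look at the AppInit_DLLs key twice: once through the Win32 registry API that regedit and most anti-spyware tools use, and once through the native ntdll API underneath it, and then compare the two listings. The page does not say how Shield-DLL hides its value; the script below merely assumes that whatever Win32-based editors cannot show may still be enumerable through NtEnumerateValueKey (a value name containing an embedded NUL, for instance, is cut short or dropped by the Win32 API but returned whole, with its length, by the native call). This is an added example written for this page, not code from Ferraris and Aronoff, from Registrar Lite or from any other tool; the NtReg wrapper class, the buffer size and the OBJECT_ATTRIBUTES plumbing are my own choices.

```powershell
# Added example: compare the Win32 and native views of the AppInit_DLLs key.
# Assumption (not stated by the page): a value hidden from Win32-based editors
# may still be enumerable via NtEnumerateValueKey. Run as Administrator,
# from a 64-bit PowerShell on 64-bit Windows.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtReg {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [DllImport("ntdll.dll")] public static extern uint NtOpenKey(out IntPtr KeyHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")] public static extern uint NtEnumerateValueKey(IntPtr KeyHandle, uint Index, int InfoClass, IntPtr Info, uint Length, out uint ResultLength);
    [DllImport("ntdll.dll")] public static extern uint NtClose(IntPtr Handle);
}
"@

$M      = [Runtime.InteropServices.Marshal]
$subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ntPath = "\Registry\Machine\$subKey"

# 1. Win32 view: the same API regedit and most anti-spyware tools rely on.
$win32Key   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
$win32Names = @($win32Key.GetValueNames())
"Win32 AppInit_DLLs = '{0}'" -f $win32Key.GetValue('AppInit_DLLs')

# 2. Native view: open the key by its object-manager path and walk the values.
$pathBuf = $M::StringToHGlobalUni($ntPath)
$us = New-Object 'NtReg+UNICODE_STRING'
$us.Length = [uint16]($ntPath.Length * 2); $us.MaximumLength = [uint16]($us.Length + 2); $us.Buffer = $pathBuf
$usPtr = $M::AllocHGlobal($M::SizeOf($us)); $M::StructureToPtr($us, $usPtr, $false)
$oa = New-Object 'NtReg+OBJECT_ATTRIBUTES'
$oa.Length = $M::SizeOf($oa); $oa.ObjectName = $usPtr; $oa.Attributes = 0x40   # OBJ_CASE_INSENSITIVE

$h = [IntPtr]::Zero
$status = [NtReg]::NtOpenKey([ref]$h, 0x20019, [ref]$oa)                       # KEY_READ
if ($status -ne 0) { throw ('NtOpenKey failed: 0x{0:X8}' -f $status) }

$bufSize = 16384; $buf = $M::AllocHGlobal($bufSize)
try {
    $index = [uint32]0
    while ($true) {
        $got = [uint32]0
        # InfoClass 1 = KeyValueFullInformation:
        #   TitleIndex(0) Type(4) DataOffset(8) DataLength(12) NameLength(16) Name[](20)
        $status = [NtReg]::NtEnumerateValueKey($h, $index, 1, $buf, [uint32]$bufSize, [ref]$got)
        if ($status -eq 2147483674) { break }                                  # 0x8000001A STATUS_NO_MORE_ENTRIES
        if ($status -ne 0) { throw ('NtEnumerateValueKey failed: 0x{0:X8}' -f $status) }
        $type = $M::ReadInt32($buf, 4);  $dataOff = $M::ReadInt32($buf, 8)
        $dataLen = $M::ReadInt32($buf, 12); $nameLen = $M::ReadInt32($buf, 16)
        # Read exactly NameLength bytes: a NUL inside the name is kept, not treated as a terminator.
        $name = $M::PtrToStringUni([IntPtr]::Add($buf, 20), [int]($nameLen / 2))
        if ($type -in 1, 2) {                                                  # REG_SZ / REG_EXPAND_SZ
            $data = ($M::PtrToStringUni([IntPtr]::Add($buf, $dataOff), [int]($dataLen / 2))).TrimEnd("`0")
        } else {
            $bytes = New-Object byte[] $dataLen
            $M::Copy([IntPtr]::Add($buf, $dataOff), $bytes, 0, $dataLen)
            $data = [BitConverter]::ToString($bytes)
        }
        # Anything the native API returns that the Win32 listing lacks is worth a closer look.
        $tag = if ($win32Names -contains $name) { 'ok    ' } else { 'HIDDEN' }
        '{0} name="{1}" type={2} data="{3}"' -f $tag, ($name -replace "`0", '\0'), $type, $data
        $index++
    }
} finally {
    $M::FreeHGlobal($buf); $M::FreeHGlobal($usPtr); $M::FreeHGlobal($pathBuf)
    [void][NtReg]::NtClose($h); $win32Key.Close()
}
```

On a clean machine every line is tagged "ok" and the AppInit_DLLs data is empty or names a DLL you can account for; a "HIDDEN" line, or an AppInit_DLLs value whose native data differs from what the Win32 call returned, is the discrepancy the article is describing and the DLL it names is the thing to pull apart. On 64-bit Windows the same key also exists under SOFTWARE\Wow6432Node for 32-bit processes, so run the comparison against that path too; on Vista and later the neighbouring LoadAppInit_DLLs value must be non-zero for the list to be honoured at all, which is a second thing to record before cleaning up.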
Rossano Ferraris and Andrew Aronoff offer a four-step approach to removing CoolWebSearch from Windows NT based PCs (Windows 9x PCs don't have the AppInit_DLLs value), but perhaps more importantly, I can now appreciate the uphill task Merijn had in battling CoolWebSearch.
However, unless I am mistaken, Rossano Ferraris and Andrew Aronoff's four-step approach relies on Registrar Lite being able to see what is stored at the AppInit_DLLs value. I wonder what will happen when the next version of "Shield-DLL" becomes invisible to Registrar Lite?