CoolWeb virus hijacking home page

  Meirion 15:11 02 May 2004

My PC is infected with the CoolWeb virus. I have run several anti virus programs but cannot get rid of it. CWShredder rids it for about 24 hours. It then returns trying to hijack my home page. I have discovered that it generates a dll file to do the dirty work. I am unable to delete this file but I can rename it and change it to a txt file. My home page cannot then be changed. However a new dll file is then generated and the whole process starts again. These dll files are randomly named eg. edlaai.dll or cmppkka dll.andappear in C:|Windows\System32.

Can anyone please help?


  GANDALF <|:-)> 15:14 02 May 2004

Have you turned off system restore and then turned it back on?


  Meirion 17:29 02 May 2004

System restore is off. I appear to have exactly the same problem as second best posted at 01 00 this am. Nellie2 has posted a fix, however I am, unable to access XP recovery mode although I am the computor administrater with no password set. The system asks for a password but I don't have one. I have tried just pressing enter to no avail.


  SANTOS7 18:18 02 May 2004


Terminating CWS:

Please be careful when attempting to remove CWS, some variants such as CWS.Msspi will hook the LSP chain. Incorrect removal (simply deleting the inserted dll) will result in lost network and Internet connections. Courtesy of PestPatrol

To fully remove the CWS trojan and all of its variants the best solution is a program called CoolWebShredder. Manual removal can be close to impossible with some variants but if you feel adventurous please visit the Cool Web Chronicles which details each variant in great length. For these reasons manual removal instructions are not provided here.

To remove CWS and its variants you can download the CoolWebShredder program here: click here. If you find his program useful please donate so that Merign can continue his work.
There are a few known problems with removing this, so read the following carefully if you're still having troubles:

If you are unable to visit Merijn's site the direct download link for the program is **click here** This link is currently not working as the site changes hosts. I will update this with a current link when it becomes available.
This problem is caused by a CWS variant known as either CWS.Aff.Tooncomics or CWS.Dreplace.

If your anti-spyware removal program is closing before starting you will have to download and run PepiMK's CoolWWWSearch.SmartKiller removal tool first before running the CoolWebShredder program to remove CWS variants.

If you get an error in Windows stating that the "MSVBVM60.DLL missing" you'll need to get the updated runtime libraries for Microsoft Visual Basic 6 first.

After removing the program you may also have to restore your Internet Explorer settings to return your PC to its operating state before the CWS variant hijacked your browser. In order to do this, please follow the steps below:

Open up Internet Explorer.
Select "Tools> Internet Options" from the Internet Explorer menu.
Navigate and choose the "Programs" tab.
Select the "Reset Web Settings" button. After choosing this button the "The Reset Web Settings" dialog box will appear.
Scroll down and make sure that "Also reset my home page" box is checked.
Select "Yes" and click "Ok".
The above procedure will reset all of the default settings in Internet Explorer including the default home page. This will reset Internet Explorer's default home page and search page. Please note that this will not nessarily reset your homepage to a customized site. If you had previously chosen another site you will have to reset these settings.

  Meirion 19:17 02 May 2004

Thankyou all. I hope I have now defeated CoolWeb but I am not entirely confident.. CWS would remove it for a while, but it always returned. I have tried Nellie2s fix and followed Santo57s advice.

Thank you for your time


  Nellie2 19:47 14 May 2005

Merion if you are still having problems then please post back... Cool Web is fairly easy to sort out now but the fix can be computer specific, depending on which variant you have.

  stalion 20:07 14 May 2005

Also try a scan scan with adaware it is now geared for some of the coolweb problems

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

AMD Radeon Adrenalin release date, new features, compatible graphics cards

8 brilliant character artists speaking at Pictoplasma 2018

iMac Pro release date, UK price & specs

Football : comment regarder la Ligue 1 en direct ?