When the Microsoft Antispyware beta came out I downloaded it, and have been running it each day automatically as MS suggests (I also use Ad-Aware and Spybot, but not daily).
Each day for the last week, the scan tells me that I have the Cool Web Search browser hijacker, and each day it tells me it has deleted it. The next day it’s there again. Today, I re-ran the scan immediately after it told me it deleted CWS, and guess what? It’s there again.
So, I downloaded CWShredder, which is specifically designed to get rid of CWS. CWShredder told me it couldn’t find CWS and gave me a clean bill of health. Reran MS Antispyware, and it tells me I have CWS on my system.
What can I look for to find if I really have this or not? This is getting annoying.
Thanks. I downloaded the zip version on this page, since the other link didn’t work for me. It looks like this is the same CWShredder I downloaded and ran earlier, but this one is version 2.00 and the one I already had is version 2.12. Neither one of them could find CWS on my system, but Microsoft still insists that it’s there.
BTW I am running Windows Server 2003 if that makes any difference.
Do you have an up-to-date virus scanner? Have you run it?
I just got done dealing with a computer that had a CWS look alike on it. CWShredder came up with nothing. It turns out it was a strain of a virus.
You could also download HijackThis from the makers of CWShredder and post the log it gives you. Be careful with HijackThis though. You can make a mess with that if you randomly start deleting things.
More information. When MS Antispyware identifies CoolWebSearch, it identifies the suspicious file as C:\Windows\System32\tapicfg.exe, which Google tells me is indeed one of the components of CWS. If I delete tapicfg.exe it instantly reappears, so there is something evil going on here. I did a search in my registry for “tapicfg” and it came up blank. I also have not noticed anything being hijacked in my browser (although I normally use Firefox, so I probably wouldn’t see it anyway).
If anyone has other suggestions on removing this I would appreciate it.
Yeah, both my GF and I use Mozilla. She noticed the IE hijack only because it affected her control panel.
You probably have a DLL loading up. To check, use Prompt and go to c:\windows\system32 and do a ‘dir /as’
You’ll probably find several .dll files; they should be roughly the same size and today’s date. HijackThis should also show these DLLs as being loaded. Use HijackThis and remove those startups, delete the files and reboot.
You should be clear at that point.
If that doesn’t work, post a HijackThis log.
I went to safe mode and deleted tapicfg.exe, and it stayed deleted. After rebooting I checked again and it was still gone, and AntiSpyware is not reporting it anymore.