How to delete CoolWebSearch - Removal tool, fix instructions

Name: CoolWebSearch

Aliases: CoolWebSearch, Cool Web Search, CoolWWWSearch, CWS, WebCoolSearch, Web Cool Search

Type: Spyware (subtype: adware)

Size: 178176

First appeared on: 26.01.2004

Damage: High

Brief Description:
CoolWebSearch is adware. Adware is a license form for using programs, which offers the application at the only cost of viewing a series of advertisements. However, these programs sometimes collect data on Internet usage habits, pages viewed, inventory of the applications installed in the computer, etc.
Then, this information can be sent to Internet advertising companies.

Visible Symptoms:

CoolWebSearch carries out the following actions:

  • It collects user details, such as Internet usage, pages viewed, phone connection details, inventory of the applications installed in the computer, etc.
  • It uses this information to display pop-up advertisements.

Technical description:

When Adware.CoolWebSearch is executed, it performs the following actions:

  1. Copies itself as %System%\Services\<executed filename>.
    Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  2. Creates the following entry in the file %Windir%\System.ini:
    load=%sysdir%\services\<executed filename>
  3. Adds the value:
    "xpsystem"="%System%\services\<executed filename>"

    to the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run

    so that the adware runs when Windows is started.

  4. Adds the value:

    "run"="%Sysdir%\services\<executed filename>"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Windows

    so that the adware runs when Windows NT/2000/XP is started.

  5. Registers itself as a Browser Helper Object, by adding the subkey:


    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Explorer \Browser Helper Objects

    and setting multiple values in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ {5321E378-FFAD-4999-8C62-03CA8155F0B3}

  6. Adds the values:

    ProxyEnabled = 0
    MigrateProxy = 1
    ProxyEnabled = 0

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Internet Settings

  7. Adds the value:

    ProxyBypass = 1
    IntranetNames = 1
    UNCAIntranet = 1

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\ windows\CurrentVersion\ Internet Settings\ZoneMap

  8. May redirect search queries made in Microsoft Internet Explorer to an advertising Web site.


CoolWebSearch does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.

Removal tool and instruction:

You can try to use HijackThis Removal Tool. Click here to download the tool.