Manual Removal Guide for CoolWWWSearch.SmallM

Friday · Nov 30, 2008

The following instructions have been created to help you to get rid of "CoolWWWSearch.SmallM" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

Entries named "AutoLoadermsvcp60" and pointing to "<$PROGRAMFILES>\PLATFORMTHAT\TWO.EXE".
Entries named "winactive" and pointing to "<$PROGRAMFILES>\WINDOW ACTIVE\WINACTIVE.EXE".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries.

Products that have a key or property named "ActiveDesktop".
Products that have a key or property named "CopyDebugTwo".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$FAVORITES>\ Adult Entertainment\Adult Dvd.url".
The file at "<$FAVORITES>\ Adult Entertainment\Dvd.url".
The file at "<$FAVORITES>\ Adult Entertainment\Fetish.url".
The file at "<$FAVORITES>\ Adult Entertainment\Gay.url".
The file at "<$FAVORITES>\ Adult Entertainment\Hardcore.url".
The file at "<$FAVORITES>\ Adult Entertainment\Lesbian.url".
The file at "<$FAVORITES>\ Adult Entertainment\Live Video Feeds.url".
The file at "<$FAVORITES>\ Adult Entertainment\Matchmaking.url".
The file at "<$FAVORITES>\ Adult Entertainment\Photos.url".
The file at "<$FAVORITES>\ Adult Entertainment\Sex Movies.url".
The file at "<$FAVORITES>\ Adult Entertainment\Sex Toys.url".
The file at "<$FAVORITES>\ Adult Entertainment\Shemale Sex.url".
The file at "<$FAVORITES>\ Adult Entertainment\Viagra.url".
The file at "<$FAVORITES>\ Adult Entertainment\Dating\Christian dating.url".
The file at "<$FAVORITES>\ Adult Entertainment\Dating\Dating Agency.url".
The file at "<$FAVORITES>\ Adult Entertainment\Dating\Dating Service.url".
The file at "<$FAVORITES>\ Adult Entertainment\Dating\Internet Dating.url".
The file at "<$FAVORITES>\ Adult Entertainment\Dating\Jewish Dating.url".
The file at "<$FAVORITES>\ Adult Entertainment\Dating\Online Dating.url".
The file at "<$FAVORITES>\ Adult Items\Adult Education.url".
The file at "<$FAVORITES>\ Adult Items\Adult Personals.url".
The file at "<$FAVORITES>\ Adult Items\Adult Toys.url".
The file at "<$FAVORITES>\ Adult Items\Breast Enhancement.url".
The file at "<$FAVORITES>\ Adult Items\Buy Adipex.url".
The file at "<$FAVORITES>\ Adult Items\Buy Viagra.url".
The file at "<$FAVORITES>\ Adult Items\Diet Pill.url".
The file at "<$FAVORITES>\ Adult Items\Penis Enlargement.url".
The file at "<$FAVORITES>\ Adult Items\Personals.url".
The file at "<$FAVORITES>\ Computers\Antivirus.url".
The file at "<$FAVORITES>\ Computers\Communication Technology.url".
The file at "<$FAVORITES>\ Computers\Computer Jobs .url".
The file at "<$FAVORITES>\ Computers\Computer Programming.url".
The file at "<$FAVORITES>\ Computers\Domain Hosting.url".
The file at "<$FAVORITES>\ Computers\Dvd.url".
The file at "<$FAVORITES>\ Computers\Hosting.url".
The file at "<$FAVORITES>\ Computers\Inkjet Cartridge.url".
The file at "<$FAVORITES>\ Computers\Instant Messenger.url".
The file at "<$FAVORITES>\ Computers\Internet.url".
The file at "<$FAVORITES>\ Computers\Working From Home.url".
The file at "<$FAVORITES>\ Computers\Games\Computer game.url".
The file at "<$FAVORITES>\ Computers\Games\Gamecube.url".
The file at "<$FAVORITES>\ Computers\Games\Microsoft.url".
The file at "<$FAVORITES>\ Computers\Games\Playstation.url".
The file at "<$FAVORITES>\ Computers\Games\Quake.url".
The file at "<$FAVORITES>\ Computers\Games\Sega Dreamcast.url".
The file at "<$FAVORITES>\ Computers\Games\Xbox.url".
The file at "<$FAVORITES>\ Cool Stuff\Dating.url".
The file at "<$FAVORITES>\ Cool Stuff\Descrambler.url".
The file at "<$FAVORITES>\ Cool Stuff\Dvd To Cd.url".
The file at "<$FAVORITES>\ Cool Stuff\Mp3.url".
The file at "<$FAVORITES>\ Cool Stuff\Online Pharmacy.url".
The file at "<$FAVORITES>\ Cool Stuff\Pass Drug Test.url".
The file at "<$FAVORITES>\ Cool Stuff\Printer Cartridge.url".
The file at "<$FAVORITES>\ Cool Stuff\Satellite Television.url".
The file at "<$FAVORITES>\ Cool Stuff\Scratch Card.url".
The file at "<$FAVORITES>\ Cool Stuff\Video Surveillance.url".
The file at "<$FAVORITES>\ Home\Adjustable Bed.url".
The file at "<$FAVORITES>\ Home\Food Nutrition.url".
The file at "<$FAVORITES>\ Home\Health Plan.url".
The file at "<$FAVORITES>\ Home\Home Equity Loan.url".
The file at "<$FAVORITES>\ Home\Home Improvements.url".
The file at "<$FAVORITES>\ Home\Home Refinancing.url".
The file at "<$FAVORITES>\ Home\Home Security.url".
The file at "<$FAVORITES>\ Home\Interior Decorating .url".
The file at "<$FAVORITES>\ Home\Office Space.url".
The file at "<$FAVORITES>\ Home\Outdoor Cooking.url".
The file at "<$FAVORITES>\ Home\Outdoor Furniture.url".
The file at "<$FAVORITES>\ Home\Phone System.url".
The file at "<$FAVORITES>\ Home\Satellite Television.url".
The file at "<$FAVORITES>\ Home\Sleep Aids.url".
The file at "<$FAVORITES>\ Home\Timeshare.url".
The file at "<$FAVORITES>\ Home\Working From Home.url".
The file at "<$FAVORITES>\ Internet\Domain Registrations.url".
The file at "<$FAVORITES>\ Internet\Firewall.url".
The file at "<$FAVORITES>\ Internet\Flowers.url".
The file at "<$FAVORITES>\ Internet\Free Long Distance.url".
The file at "<$FAVORITES>\ Internet\Hosting.url".
The file at "<$FAVORITES>\ Internet\Internet Business.url".
The file at "<$FAVORITES>\ Internet\Investing Money.url".
The file at "<$FAVORITES>\ Internet\Jokes.url".
The file at "<$FAVORITES>\ Internet\Newsgroup.url".
The file at "<$FAVORITES>\ Internet\Online Football Games.url".
The file at "<$FAVORITES>\ Internet\Online Gaming.url".
The file at "<$FAVORITES>\ Internet\Spyware.url".
The file at "<$FAVORITES>\ Internet\Starting A Business.url".
The file at "<$FAVORITES>\ Internet\Web Marketing.url".
The file at "<$FAVORITES>\ Internet\Education\Adult Education.url".
The file at "<$FAVORITES>\ Internet\Education\Book.url".
The file at "<$FAVORITES>\ Internet\Education\College.url".
The file at "<$FAVORITES>\ Internet\Education\Community.url".
The file at "<$FAVORITES>\ Internet\Education\Education.url".
The file at "<$FAVORITES>\ Internet\Education\Essay.url".
The file at "<$FAVORITES>\ Internet\Education\School.url".
The file at "<$FAVORITES>\ Online Gaming\Bingo.url".
The file at "<$FAVORITES>\ Online Gaming\Black Jack Poker.url".
The file at "<$FAVORITES>\ Online Gaming\Casino Online.url".
The file at "<$FAVORITES>\ Online Gaming\Craps.url".
The file at "<$FAVORITES>\ Online Gaming\Gamble.url".
The file at "<$FAVORITES>\ Online Gaming\Jackpot.url".
The file at "<$FAVORITES>\ Online Gaming\Roulette Gambling.url".
The file at "<$FAVORITES>\ Online Gaming\Slots.url".
The file at "<$FAVORITES>\ Online Gaming\Sport Betting.url".
The file at "<$FAVORITES>\ Online Gaming\Sport Book.url".
The file at "<$FAVORITES>\ Online Gaming\Time Cards.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Adipex.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Celebrex.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Fidrex.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Ionamin.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Meridia .url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Phentermine.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Propecia.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Soma.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Tenuate.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Ultram Online.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Viagra.url".
The file at "<$FAVORITES>\ Online Pharmacy\Buy Xenical.url".
The file at "<$FAVORITES>\ Online Pharmacy\Consumer Consulting.url".
The file at "<$FAVORITES>\ Online Pharmacy\Doctor.url".
The file at "<$FAVORITES>\ Online Pharmacy\Mexican Pharmacy.url".
The file at "<$FAVORITES>\ Online Pharmacy\Pass Drug Test.url".
The file at "<$FAVORITES>\ Online Pharmacy\Pet Med.url".
The file at "<$FAVORITES>\ Online Pharmacy\Pharmacy Online.url".
The file at "<$FAVORITES>\ Shopping Gifts\Birthday Gift.url".
The file at "<$FAVORITES>\ Shopping Gifts\Cellular.url".
The file at "<$FAVORITES>\ Shopping Gifts\Christmas Gift.url".
The file at "<$FAVORITES>\ Shopping Gifts\Corporate Gift.url".
The file at "<$FAVORITES>\ Shopping Gifts\Digital Cameras.url".
The file at "<$FAVORITES>\ Shopping Gifts\Dress Fashion.url".
The file at "<$FAVORITES>\ Shopping Gifts\DVD Players.url".
The file at "<$FAVORITES>\ Shopping Gifts\Gift Basket.url".
The file at "<$FAVORITES>\ Shopping Gifts\Jewelry.url".
The file at "<$FAVORITES>\ Shopping Gifts\Leather Jackets.url".
The file at "<$FAVORITES>\ Shopping Gifts\Perfume.url".
The file at "<$FAVORITES>\ Shopping Gifts\Sexy Lingerie.url".
The file at "<$FAVORITES>\ Shopping Gifts\Shoes.url".
The file at "<$FAVORITES>\ Shopping Gifts\Smoke Shop.url".
The file at "<$FAVORITES>\ Shopping Gifts\Underwear.url".
The file at "<$FAVORITES>\ Shopping Gifts\Video Surveillance.url".
The file at "<$FAVORITES>\ Shopping Gifts\Watches.url".
The file at "<$FAVORITES>\ Shopping Gifts\Wedding Gifts.url".
The file at "<$FAVORITES>\ Shopping Gifts\Wine Gifts.url".
The file at "<$FAVORITES>\ Shopping Gifts\Womens Clothing.url".
The file at "<$FAVORITES>\ Travel\Air Travel.url".
The file at "<$FAVORITES>\ Travel\Cancun vacation.url".
The file at "<$FAVORITES>\ Travel\Car Rental.url".
The file at "<$FAVORITES>\ Travel\Cruises.url".
The file at "<$FAVORITES>\ Travel\Discount Travel.url".
The file at "<$FAVORITES>\ Travel\Europe Travel.url".
The file at "<$FAVORITES>\ Travel\Family Vacation.url".
The file at "<$FAVORITES>\ Travel\Hawaii Travel.url".
The file at "<$FAVORITES>\ Travel\Hotels.url".
The file at "<$FAVORITES>\ Travel\Las Vegas Hotel.url".
The file at "<$FAVORITES>\ Travel\London Hotel.url".
The file at "<$FAVORITES>\ Travel\New York.url".
The file at "<$FAVORITES>\ Travel\Orlando Hotel.url".
The file at "<$FAVORITES>\ Travel\Resort.url".
The file at "<$FAVORITES>\ Travel\Skiing.url".
The file at "<$FAVORITES>\ Travel\Timeshare.url".
The file at "<$FAVORITES>\ Travel\Travel Agent.url".
The file at "<$FAVORITES>\ Travel\Travel Insurance.url".
The file at "<$FAVORITES>\ Travel\Vacation.url".
The file at "<$FAVORITES>\ Travel\World Travel.url".
The file at "<$DESKTOP>\Bingo .lnk".
The file at "<$DESKTOP>\Card Games.lnk".
The file at "<$DESKTOP>\Casino Online.lnk".
The file at "<$DESKTOP>\Internet .lnk".
The file at "<$DESKTOP>\Travel .lnk".
The file at "<$DESKTOP>\Investing .lnk".
The file at "<$DESKTOP>\Printer Cartridges.lnk".
The file at "<$DESKTOP>\Website Hosting.lnk".
The file at "<$FAVORITES>\ Antivirus.url".
The file at "<$FAVORITES>\ Casino Online.url".
The file at "<$FAVORITES>\ Computers.url".
The file at "<$FAVORITES>\ Games.url".
The file at "<$FAVORITES>\ Instant Messaging.url".
The file at "<$FAVORITES>\ Internet.url".
The file at "<$FAVORITES>\ Movie.url".
The file at "<$FAVORITES>\ Web Hosting.url".
The file at "<$WINDIR>\TEMP\HXDLFAAA.exe".
The file at "<$WINDIR>\TEMP\RemA6.exe".

Make sure you set your file manager to display hidden and system files. If CoolWWWSearch.SmallM uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\Alset\HelpExpress".
The directory at "<$PROGRAMFILES>\dent great".
The directory at "<$PROGRAMFILES>\Window Active".
The directory at "<$FAVORITES>\ Adult Entertainment".
The directory at "<$FAVORITES>\ Adult Entertainment\Dating".
The directory at "<$FAVORITES>\ Adult Items".
The directory at "<$FAVORITES>\ Computers".
The directory at "<$FAVORITES>\ Computers\Games".
The directory at "<$FAVORITES>\ Cool Stuff".
The directory at "<$FAVORITES>\ Home".
The directory at "<$FAVORITES>\ Internet".
The directory at "<$FAVORITES>\ Internet\Education".
The directory at "<$FAVORITES>\ Online Gaming".
The directory at "<$FAVORITES>\ Online Pharmacy".
The directory at "<$FAVORITES>\ Shopping Gifts".
The directory at "<$FAVORITES>\ Travel".

Make sure you set your file manager to display hidden and system files. If CoolWWWSearch.SmallM uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "WinActive" at "HKEY_CURRENT_USER\Software\".
A key in HKEY_CLASSES_ROOT\ named "Bin.proxyAmen", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Bin.proxyAmen.1", plus associated values.
Delete the registry key "{B7A8405E-9A6B-AC58-B383-993B58E8B15B}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{B7A8405E-9A6B-AC58-B383-993B58E8B15B}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\".

If CoolWWWSearch.SmallM uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.

Please check your bookmarks for links to "contexualsearch.com".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for CoolWWWSearch.SmallM

Friday

Active member