Welcome to Merijn.nu

Several variants of the CoolWebSearch trojan are overwriting Windows system files with copies of the trojan itself, reinstalling it whenever this infected file is called by Windows.

CWShredder detects and removes these infected copies. You can download the files replaced by the trojan here, if the version for your Windows version is available. Note that these are all for US-English Windows versions.

If the file is not available for your Windows version, you can always restore it from your Windows Setup CD!

Note: The files available for download on this page are taken from US English versions of Windows (unless noted otherwise). If you have a Windows version in any other language, you should not use these files.

Files available here:

• rundll32.exe
• control.exe
• wmplayer.exe
• msconfig.exe
• notepad.exe
• shell.dll
• sdhelper.dll

Note: if you have a version of the file not listed here, please be so kind as to send it to me. Thanks!

Note: all files are zipped and can be opened with a file compression program like WinZip if you don't have one already.

To see what Windows version you have, right-click the 'My Computer' icon on the desktop and click 'Properties'.

Windows 95/98/98SE:
Download the copy for your Windows version and unzip it into the folder it needs to go for your Windows version.

Windows ME:
Download the copy for your Windows version and unzip it first into the folder C:\WINDOWS\Options\cabs (overwriting any existing copy), then into the folder it needs to go for your Windows version.

Windows NT4/2000:
Download the copy for your Windows version and unzip it first into the folder C:\WINNT\System32\dllcache (overwriting any existing copy), then into the folder it needs to go for your Windows version.

Windows XP:
Download the copy for your Windows version and unzip it first into the folder C:\WINDOWS\System32\dllcache (overwriting any existing copy), then into the folder it needs to go for your Windows version.

Windows Vista:
Download the copy for your Windows version and unzip it first into the folder C:\WINDOWS\System32\dllcache (overwriting any existing copy), then into the folder it needs to go for your Windows version.

Located in:
Windows 95/98/98SE/ME: C:\Windows
Windows NT4/2000: C:\Winnt\System32
Windows XP/Vista: C:\Windows\System32
Deleted by: Unknown CWS trojan
Purpose: Opening icons in the Control Panel, loading certain dll files.
Symptoms: Error message 'Cannot find file RUNDLL32.EXE', or 'Access to the specified device, path or file is denied', or empty black command windows titled 'rundll32.exe'.

Get the file:

• Windows 95: Download
• Windows 98/98SE: Download
• Windows ME: Download
• Windows NT4: Download
• Windows 2000: Download
• Windows XP: Download
• Windows Vista SP1: Download

Located in:
Windows 95/98/98SE/ME: C:\WINDOWS
Windows NT4/2000: C:\WINNT\System32
Windows XP/Vista: C:\WINDOWS\System32
Deleted by: CWS.Control
Purpose: Opening the Control Panel in certain cases.
Symptoms: Errors trying to open the Control Panel.

Get the file:

• Windows 95: Download
• Windows 98/98SE: Download
• Windows ME: Download
• Windows NT4: Download
• Windows 2000: Download
• Windows XP: Download
• Windows Vista SP1: Download

Located in:
All Windows versions: C:\Program Files\Windows Media Player
Deleted by: Possibly by any variant using LD.EXE like CWS.Aff.Tooncomics
Purpose: Main Windows Media Player executable, required to run it.
Symptoms: Nothing happens when trying to start Windows Media Player or an audio/video file.

Get the file:

• Windows Media Player 7: Download
• Windows Media Player 8: Download
• Windows Media Player 9: Download
• Windows Media Player 10: Download
• Windows Media Player 11: Download

Located in:
Windows 95: N/A
Windows 98/98SE/ME: C:\WINDOWS\System
Windows NT4/2000: N/A
Windows XP: C:\WINDOWS\PCHealth\HelpCtr\Binaries Windows Vista: C:\WINDOWS\System32
Deleted by: CWS.Msonfig.
Purpose: Main MS Configuration tool executable, required to run it.
Symptoms: Error messages 'Cannot find file MSCONFIG.EXE' or 'MSCONFIG.EXE' is not a valid Win32 application'.

Get the file:

• Windows ME: Download
• Windows XP: Download
• Windows XP SP1: Download
• Windows Vista SP1: Download

Located in:
Windows 95: C:\WINDOWS
Windows 95/98/98SE/ME: C:\WINDOWS
Windows NT4/2000: C:\WINNT and C:\WINNT\System32
Windows XP/Vista: C:\WINDOWS and C:\WINDOWS\System32
Deleted by: CWS.Googlems, and most browser hijackers that use the ADODB.Stream exploit.
Purpose: Notepad application executable, required to run it.
Symptoms: Error messages 'Cannot find file NOTEPAD.EXE' or 'NOTEPAD.EXE' is not a valid Win32 application'.

Get the file:

• Windows 95: Download
• Windows 98/98SE: Download
• Windows ME: Download
• Windows NT4: Download
• Windows 2000: Download
• Windows XP: Download
• Windows Vista SP1: Download

Located in:
Windows 95/98/98SE/ME: C:\Windows\System
Windows NT4/2000: C:\Winnt\System32
Windows XP/Vista: C:\Windows\System32
Deleted by: Iefeadsl browser hijacker strain.
Purpose: Part of 16-bit Windows shell, handles OLE functions, drag and drop functionality.
Symptoms: Error message 'File not found'.

Get the file:

• Windows 95: Download
• Windows 98/98SE: Download
• Windows NT4/2000/XP: Download
• Windows Vista SP1: Download

Located in:
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (depending on where Spybot S&D is installed)
Deleted by: Iefeadsl browser hijacker strain.
Purpose: Spybot S&D resident IE protection, bad download blocker (BHO).
Symptoms: Spybot S&D IE protection not working properly.

Get the file:

• Spybot S&D Helper 1.3: Download
• Spybot S&D Helper 1.4: Download
• Spybot S&D Helper 1.6.2: Download