;Issue this addresses: replaces various files that can become corrupt after CWS infects the system
;Date: Feb 19, 2004
;Created by: SA Sherwood
;NOTES: *** Please read the instructions for the OS you're working on BEFORE replacing files ***
;More info: http://www.spywareinfo.com/~merijn/winfiles.html

Updated: Dec 27, 2004 - Added more explanations and updates .txt format - SA Sherwood

--------------
How to Install
--------------

Windows 95/98/98SE:
Download the copy for your Windows version and unzip it into the folder where it belongs for your Windows version.

Windows ME:
Download the copy for your Windows version and unzip it first into the folder C:\WINDOWS\Options\cabs (overwriting any existing copy), then into the folder where it belongs for your Windows version.

Windows NT4/2000:
Download the copy for your Windows version and unzip it first into the folder C:\WINNT\System32\dllcache (overwriting any existing copy), then into the folder where it belongs for your Windows version.

Windows XP:
Download the copy for your Windows version and unzip it first into the folder C:\WINDOWS\System32\dllcache (overwriting any existing copy), then into the folder where it belongs for your Windows version.

-----------
control.exe
-----------

Located in:
  Windows 95/98/98SE/ME: C:\WINDOWS
  Windows NT4/2000: C:\WINNT\System32
  Windows XP: C:\WINDOWS\System32
Deleted by: CWS.Control
Purpose: Opening the Control Panel in certain cases.
Symptoms: Errors trying to open the Control Panel.

------------
rundll32.exe
------------

Located in:
  Windows 95/98/98SE/ME: C:\WINDOWS
  Windows NT4/2000: C:\WINNT\System32
  Windows XP: C:\WINDOWS\System32
Deleted by: Unknown, but confirmed to be deleted by the CWS trojan.
Purpose: Opening icons in the Control Panel, loading certain applets at system startup.
Symptoms: Error message 'Cannot find file RUNDLL32.EXE', or 'Access to the specified device, path or file is denied', or empty black command windows titled 'rundll32.exe'.

------------
wmplayer.exe
------------

Located in: C:\Program Files\Windows Media Player
Deleted by: Possibly by any variant using LD.EXE like CWS.Aff.Tooncomics, and by CWS.Therealsearch.
Purpose: Main Windows Media Player executable, required to run it.
Symptoms: Nothing happens when trying to start Windows Media Player or an audio/video file.

------------
msconfig.exe
------------

Located in:
  Windows 95: N/A
  Windows 98/98SE/ME: C:\WINDOWS\System
  Windows NT4/2000: N/A
  Windows XP: C:\WINDOWS\PCHealth\HelpCtr\Binaries
Deleted by: CWS.Msconfig.
Purpose: Main MS Configuration tool executable, required to run it.
Symptoms: Error messages 'Cannot find file MSCONFIG.EXE' or 'MSCONFIG.EXE is not a valid Win32 application'.

-----------
notepad.exe
-----------

Located in:
  Windows 95/98/98SE/ME: C:\WINDOWS
  Windows NT4/2000: C:\WINNT and C:\WINNT\System32
  Windows XP: C:\WINDOWS and C:\WINDOWS\System32
Deleted by: CWS.Googlems.
Purpose: Notepad application executable, required to run it.
Symptoms: Error messages 'Cannot find file NOTEPAD.EXE' or 'NOTEPAD.EXE is not a valid Win32 application'.

------------
SDHelper.dll
------------

Located in: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (depending on where Spybot S&D is installed)
Deleted by: Unidentified malware.
Purpose: Spybot S&D resident IE protection, bad download blocker (BHO).
Symptoms: Spybot S&D IE protection not working properly.

---------
Shell.dll
---------

Located in:
  Windows 95/98/98SE/ME: C:\Windows\System\shell.dll
  Windows NT4/2000: C:\Winnt\System32\shell.dll
  Windows XP: C:\Windows\System32\shell.dll
Deleted by: Iefeadsl browser hijacker.
Purpose: Part of 16-bit Windows shell, handles OLE functions, drag and drop functionality.
Symptoms: Error message 'File not found'.
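
Added example (not part of the original file): a Python sketch for checking a Windows XP or NT4/2000 system drive mounted on another machine for the files listed above, reporting each as missing, corrupt (no 'MZ' executable signature, which matches the 'not a valid Win32 application' symptom), or ok, and giving the unzip order from "How to Install". The function names and OS keys are assumptions made for this example; the 'MZ' test only catches gross corruption.

```python
import os

# Locations listed on this page, relative to the system drive (XP and NT4/2000 only).
LOCATIONS = {
    "xp": {
        "control.exe": ["WINDOWS/System32"],
        "rundll32.exe": ["WINDOWS/System32"],
        "msconfig.exe": ["WINDOWS/PCHealth/HelpCtr/Binaries"],
        "notepad.exe": ["WINDOWS", "WINDOWS/System32"],
        "shell.dll": ["WINDOWS/System32"],
    },
    "nt4_2000": {
        "control.exe": ["WINNT/System32"],
        "rundll32.exe": ["WINNT/System32"],
        "notepad.exe": ["WINNT", "WINNT/System32"],
        "shell.dll": ["WINNT/System32"],
    },
}
# Folder the page says to unzip into first, before the file's own folder.
STAGING = {"xp": "WINDOWS/System32/dllcache", "nt4_2000": "WINNT/System32/dllcache"}

def resolve(root, relpath):
    """Case-insensitive lookup, for a Windows volume mounted on another OS."""
    current = root
    for part in relpath.split("/"):
        if not os.path.isdir(current):
            return None
        match = [e for e in os.listdir(current) if e.lower() == part.lower()]
        if not match:
            return None
        current = os.path.join(current, match[0])
    return current

def check(root, os_key):
    """Return {relative path: 'ok' | 'missing' | 'corrupt'}; corrupt = no 'MZ' magic."""
    report = {}
    for name, folders in LOCATIONS[os_key].items():
        for folder in folders:
            rel = folder + "/" + name
            path = resolve(root, rel)
            if path is None or not os.path.isfile(path):
                report[rel] = "missing"
                continue
            with open(path, "rb") as fh:
                report[rel] = "ok" if fh.read(2) == b"MZ" else "corrupt"
    return report

def restore_order(os_key, name):
    """Folders to unzip a replacement into, staging folder first."""
    return [STAGING[os_key]] + LOCATIONS[os_key][name]
```

For a drive mounted at a hypothetical /mnt/xp, check("/mnt/xp", "xp") returns the status of every listed location.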