CWS (coolwwwsearch) REMOVAL! WOOHOO!
TwoMoon
December 29th, 2004, 11:45 AM
Here's a definite fix. It's a little in depth but it works. I've attempted to use Spybot, Adaware and CWShredder and none of those worked to remove CWS. This finally did the trick. Enjoy!
http://www.bleepingcomputer.com/forums/tutorial85.html
p.s. Print the tutorial FIRST! Download all necessary programs listed in the tutorial FIRST! Have patience and do NOT skip a step.
Good luck;)
greengoose1
December 30th, 2004, 09:38 AM
This is a good one to use and to learn by. Very detailed. Would help a beginner as it is easy to understand. The HijackThis download shows version 1.98. So when downloading make sure you have the latest version.
If anyone tries this as a result of a Cool Search infection I would appreciate hearing if the procedure eliminates the latest variant.
Thanks. :)
TwoMoon
December 30th, 2004, 10:35 AM
It worked for me yesterday (12-29-04). I'm assuming it was the latest variant. It was a pain in the butt...I can tell you that much!
greengoose1
December 30th, 2004, 11:41 AM
Would you happen to remember it or did you make a copy of a log that shows them by chance?
I had trouble a few months ago with getting rid of a couple of Cool Search entries when I got hit. Had to dig to find them as they were hidden. At the time it was just another irritant and I made no copies.
I think the people behind this one are making money as they are coming up with new "stuff" all the time. If there was a way to break that by denying them the capability to get into people's computers they would probably disappear.
And these forums are just the place to swap information as well as ask questions. :)
TwoMoon
December 30th, 2004, 02:49 PM
According to the instructions...this is what I cleaned with HijackThis. Also when I ran Adbuster...it found the following filenames: zyjgi, qjipa, lwsaj, ojhcx. I deleted ANY and ALL occurrences of these filenames on C:. Hope all of this helps!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com
O2 - BHO: (no name) - {A181ACFF-FFBD-E523-A66B-69B29278B02A} - C:\WINDOWS\system32\ntqy32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SpartaCom Client Pop-up] SPPopUp.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\COMMAN~1\COMMAN~1\cuagent.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [sdkha32.exe] C:\WINDOWS\system32\sdkha32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
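Added example (not part of the original thread or the linked tutorial): a short Python triage of HijackThis entries like those in the post above. It groups R0/R1 browser settings by the DLL their res:// URL loads from and lists BHOs registered as "(no name)"; both checks are heuristics assumed here to pick entries for manual review, and the function name triage is hypothetical.

```python
import re
from collections import defaultdict

# Line shapes taken from the log above:
#   R0/R1 - <registry key>,<value name> = <data>
#   O2 - BHO: <name> - {CLSID} - <dll path>
R_LINE = re.compile(r'^(?P<sec>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$')
O2_LINE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$')
# Heuristic (assumption): an IE page setting served out of a DLL resource.
RES_DLL = re.compile(r'^res://(?P<dll>.+?\.dll)/', re.IGNORECASE)

def triage(log_text):
    """Group browser settings by the DLL their res:// URL loads from, and
    list BHOs registered without a display name, for manual review."""
    res_hijacks = defaultdict(list)
    unnamed_bhos = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            res = RES_DLL.match(m["data"])
            if res:
                hive = m["key"].split("\\", 1)[0]
                res_hijacks[res["dll"].lower()].append(f'{hive}:{m["name"]}')
            continue
        m = O2_LINE.match(line)
        if m and m["name"] == "(no name)":
            unnamed_bhos.append((m["clsid"], m["path"]))
    return dict(res_hijacks), unnamed_bhos

# A subset of the entries from the log posted in the thread above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsaxa.dll/sp.html#37049
O2 - BHO: (no name) - {A181ACFF-FFBD-E523-A66B-69B29278B02A} - C:\WINDOWS\system32\ntqy32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""

if __name__ == "__main__":
    hijacks, bhos = triage(SAMPLE)
    for dll, settings in hijacks.items():
        print(f"{dll}: {len(settings)} setting(s): {', '.join(settings)}")
    for clsid, path in bhos:
        print(f"unnamed BHO {clsid} -> {path}")
```

Several settings in both HKCU and HKLM resolving to the same DLL means every one of them has to be reset, not just the visible home page.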
greengoose1
December 30th, 2004, 10:45 PM
Thanks very much and it does help. :)
thelordglen
January 2nd, 2005, 01:56 AM
Good stuff, this will come in handy.
fink
January 2nd, 2005, 08:28 PM
I've moved this to this spyware forum so it won't get buried.
virtualdr.com