Understanding the Instructions
Hi People
I have run Bazooka on my system to find the spyware that's bothering me on my home PC. It has found it and instructed me how to remove it, as per below:

CoolWebSearch.xpsystem

Overview: CoolWebSearch.xpsystem is a browser hijacker redirecting your Internet Explorer browser to search.thestex.com, t.rack.cc or awebfind.biz.
Classification: Adware
Files: SERVICES.EXE, y.exe, 1.00.07.dll
Log references: Log 53
Vendor: CoolWebSearch.com (whois)
Privacy policy: No privacy policy available.
Detection: Bazooka Adware and Spyware Scanner detects CoolWebSearch.xpsystem. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications.

Manual removal

Please follow the instructions below if you would like to remove CoolWebSearch.xpsystem manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If CoolWebSearch.xpsystem remains on your system after stepping through the removal instructions, please double-check by stepping through them again.

Start your computer in safe mode.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Browse to the key: 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
In the right pane, delete the value called 'xpsystem', if it exists.
Browse to the key: 'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
In the right pane, delete the value called 'xpsystem', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5321E378-FFAD-4999-8C62-03CA8155F0B3}', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5321E378-FFAD-4999-8C62-03CA8155F0B3}', if it exists.
Exit the registry editor.
Start Windows Explorer and delete:
%SystemDir%\SERVICES\SERVICES.EXE
%SystemDir%\SERVICES\Y.EXE
%SystemDir%\SERVICES\1.00.07.dll
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Start Microsoft Internet Explorer.
In Internet Explorer, click Tools -> Internet Options.
Click the Programs tab -> Reset Web Settings.

The bit I do not get is:

Start Windows Explorer and delete:
%SystemDir%\SERVICES\SERVICES.EXE
%SystemDir%\SERVICES\Y.EXE
%SystemDir%\SERVICES\1.00.07.dll
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Does this mean I need to delete the entire Windows/System folder? (I'm on 98 Version) If not, then what? I do not feel happy deleting such a large folder.
Thanks
YYZ |
YYZ - the 'C:\Windows\System (Windows 95/98/Me)' bit is to tell you where to look for the files '1.00.07.dll' and 'Y.EXE' - as it says 'Note: %SystemDir% is a variable. By default, this is......' i.e. operating system dependent. |
The easiest way to find a file is to use the search facility from the Start menu. If you do not have this, press the Windows key on your keyboard and F at the same time. This will bring up the search box. Type in the exact file name and do a search. You can also delete the file from the results. BE CAREFUL ONLY TO DELETE THE REQUIRED FILE ! ! ! ! !
Mike |
Thanks for the help guys/girls, I'll give it a go tonight.
YYZ |
Yes - the same search advice applies to the registry items, but firstly back up the registry. Secondly, ensure that it's taken you to the right registry location. Some of these DSO Exploit jobbies use similar (or the same) filenames as genuine files.
|
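A read-only check for the registry items listed in the removal instructions quoted in the first post, matching on the full key path as advised above; this is an added example, not part of the original thread or of Bazooka. It assumes the registry has been exported to text with regedit (REGEDIT4 format); the sample export, the sample data values and the function names are constructed for illustration.

```python
import re

CLSID = "{5321E378-FFAD-4999-8C62-03CA8155F0B3}"
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Registry locations named in the removal instructions quoted in the thread.
RUN_VALUES = [(HKLM + RUN, "xpsystem"), (HKCU + RUN, "xpsystem")]
KEYS = [HKLM + "\\SOFTWARE\\Classes\\CLSID\\" + CLSID,
        HKLM + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
               "\\Browser Helper Objects\\" + CLSID]

def parse_reg(text):
    """Parse export text into {lowercased key: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            # Named values look like "name"="data"; the default value (@=) is skipped.
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def find_leftovers(text):
    """Return listed items still present; a listed key counts if it or a subkey exists."""
    keys, found = parse_reg(text), []
    for key, name in RUN_VALUES:
        if name.lower() in keys.get(key.lower(), {}):
            found.append((key, name))
    for key in KEYS:
        if any(p == key.lower() or p.startswith(key.lower() + "\\") for p in keys):
            found.append((key, None))
    return found

# Constructed sample export for illustration (not taken from the thread).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"xpsystem"="C:\\WINDOWS\\SYSTEM\\SERVICES\\SERVICES.EXE"
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\SERVICES\\1.00.07.dll"
[HKEY_CURRENT_USER\Software\Example\Run]
"xpsystem"="same value name under a different key"
'''

if __name__ == "__main__":
    for key, name in find_leftovers(SAMPLE):
        print("still present:", key, "->", name or "(whole key)")
```

The same value name under an unlisted key is not reported, so only the exact locations from the instructions are flagged for deletion.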
Think I killed the b@stards this time?
Thanks for the help YYZ |