went through all steps by chaslang to get rid of only the best/hijack problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tickler08, Aug 6, 2004.

  1. tickler08

    tickler08 Private E-2

    I did all the steps and I have saved both the about buster and the hijack this logs.

    The problem is still there..

    what do you need from me so I am not just posting random logs?
     
  2. tickler08

    tickler08 Private E-2

    here is the about buster and hijack log after I returned from safe mode.

    upon further review, looks like the problem is back, but under a new name in the R1 and R0 files.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look to me like you did all the steps correctly. You should have two about:Buster logs (steps 13k and 16). You only have one. Did you have any problems at all along the way? Like finding or deleting any of the files? Editing the file with notepad and saving a blank file? Changing the file attribute to read only? Etc.

    But let's quickly try something. A new about:Buster (vers 2.11) just came out with some improvements added to cleaning up hidden registry keys. Download the new about:Buster and let's try the instructions that come with it:

    Run it, Hit start and then Ok. The program should start scanning. Then hit exit and reboot.
    Once rebooted run about:Buster once more to make sure everything is ok.

    I believe the new one automatically creates a log. I'm not sure if it will overwrite on the second run or if they give you an option to save the logs to a filename of choice. If possible, save both logs and post them back here when finished.

    See how it is running now by opening and closing a few Internet Explorer sessions.

    Edited: Since writing this, About:Buster changed from 2.10 to 2.11, so I updated the text above to reflect that.
     
    Last edited: Aug 7, 2004
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    About:Buster was JUST updated, per the author, there's a new variant :( You may want to re-download and try it again. Now back to Chaslang...

    "the sons of B*tches released a new version of the virus.. whole registry part just for them... "
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah, would love to get these guys' pictures up on the world's most wanted *ss*oles.

    These new versions of the hijacker are the reason I revived and modified my Generic Solution. The simple running of HSremove and/or About:Buster would not fix any of them. But my longer step by step (along with those two tools) has worked every time. Sometimes easier than others.

    Note: I had said About:Buster 2.10 in my previous message. I just edited it to 2.11 since it updated twice today.
     
  6. tickler08

    tickler08 Private E-2

    ok I'll try all that.

    I think I did the steps correctly. I do not have Network Security Service showing when I run services.msc. Also my notepad, which I have pasted the instructions to as I do not have a printer, continually closes by itself. Not sure if this is infected as well.

    I will try the new about buster.

    thanks
     
  7. tickler08

    tickler08 Private E-2

    here is the about buster log
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If notepad closes all by itself, it is a sign of some of the CWS variants. Info direct from Merijn:

    "Several variants of the CoolWebSearch trojan are overwriting Windows system files with copies of the trojan itself, reinstalling it whenever this infected file is called by Windows.

    CWShredder detects and removes these infected copies. You can download the files replaced by the trojan here, if the version for your Windows version is available. Note that these are all for US-English Windows versions."

    You should download and run CWshredder from: http://www.majorgeeks.com/download4086.html
    Start CWShredder, close all windows and hit fix ->. Let it run and fix objects. Then hit next and exit. Restart your computer now. When you come back continue below.

    You can download the correct notepad program for your OS (for any OS actually) from Merijn's website. http://www.spywareinfo.com/~merijn/winfiles.html That link will tell you where to put the file too (i.e., where your notepad.exe file runs from).

    You did not follow the directions for about:Buster (I'm going to call it AB from now on). You were supposed to run it, reboot, and run it again. That would have resulted in your giving me two logs each having two scans in it.

    By the way, did you notice all the bad things AB was finding? That is why this problem is so hard to fix. It keeps mutating and spreading every time you run Internet Explorer and when you boot your PC. Also, your notepad file was helping to spread the infection.

    After running CWShredder and getting a correct notepad.exe on your PC, I would run AB again and save the log. Then reboot and immediately run AB again and save the log. Now open an Internet Explorer session and then open another one. Now close the Internet Explorer sessions and run another AB scan and save a third log. If this log does not come up clean, reboot to safe mode and run AB again (a fourth log). Now reboot to normal mode and run AB again (a fifth log). All of this becomes necessary to try to find all the files and methods by which this hijacker keeps respawning itself.

    Now come back here and post all 5 AB logs (in 1 - 5 order) and a new HJT log. Get the latest HJT here: http://www.majorgeeks.com/download3155.html Today version 1.98.2 came out.
     
    Last edited: Aug 7, 2004
  9. tickler08

    tickler08 Private E-2

    I ran your "all else fails" steps again. I think I fixed it.

    web page is fine now, no more pop ups, hijack log is clean.. I am going to replace the notepad and I should be good to go.

    thanks for all your help and I will certainly be in touch if the arse pick comes back.

    Cheers!!
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let us know if it comes back.
    You should seriously consider running FireFox as Major has suggested. It can help you avoid problems like these.
     
