I just cleaned these and more from a machine today. Microsoft Antispyware
did most of the heavy lifting, but in the end, there was a coolwebsearch
piece underlying all the rest. For that, Trend Micro's online scanner ID'd
the main executable, and a boot to the recovery console to remove that was
the main trick. Safe mode didn't help. There was a piece (nail.exe)
referenced on the SHELL line in the registry, as well as a randomly named
third piece whose process name started with TODO: which was easily visible
in Microsoft Antispyware's system explorers, but regenerated each time it
was killed, with a new name.
