Reposted from merijn's site for info, as CWShredder doesn't fix this one yet.

If your browser has been hijacked to drxcount.biz, real-yellow-page.com or list2004.com: We are working on a fix for this one and drawing near to a solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it automatically. So far, the following manual fix should work:

First download FAR explorer from here: http://www.rarlab.com/far/Far1705.exe

Install it, then start FAR. Hit Alt-F1 and the drive list should come up; go to '0 process list'. Scroll to Iexplore.exe in the left panel, highlight it and hit F5. Now go to the right pane of FAR and double click 'iexplore.exe.txt'; it should open in Notepad.

Look for a file with this size and beginning to it. The filename will always be different:

61C00000 F000 c:\windows\system32\wingn.dll

This part indicates the bad file:

61C00000 F000

It will always start with that header. Write down the filename behind it.

Now download KillBox: http://download.broadbandmedic.com/

Unzip and run it. Paste the filename you wrote down into the white kill line, then hit the bottom green arrow button to move the file to the bottom of KillBox. Hit the 'remove on reboot' button and reboot. Once it reboots, make sure the file is gone.
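
An added example, not part of the original post or of CWShredder: a Python scan of the saved 'iexplore.exe.txt' module list for the 61C00000 F000 header, so the matching filename does not have to be picked out by eye. The one-line "base size path" layout is assumed from the single sample line in the post; find_suspect_modules and the sample listing are constructed for illustration.

```python
import re

# Header the post gives for the bad module: load base 61C00000, size F000.
BAD_BASE = 0x61C00000
BAD_SIZE = 0xF000

# Assumed line layout, taken from the one sample line in the post:
#   <hex base> <hex size> <full path>
MODULE_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{1,8})\s+([0-9A-Fa-f]{1,8})\s+(\S.*?)\s*$"
)


def find_suspect_modules(listing: str) -> list[str]:
    """Return the paths of modules whose base and size both match the header."""
    hits = []
    for line in listing.splitlines():
        m = MODULE_LINE.match(line)
        if not m:
            continue  # headings, blank lines, other parts of the dump
        base = int(m.group(1), 16)
        size = int(m.group(2), 16)
        # Compare as numbers so hex case and leading zeros do not matter,
        # and so a size such as 1F000 is not mistaken for F000.
        if base == BAD_BASE and size == BAD_SIZE:
            hits.append(m.group(3))
    return hits


# Constructed sample listing (not captured from a real machine).
SAMPLE = r"""
Module list (constructed sample)
00400000 19000 C:\Program Files\Internet Explorer\iexplore.exe
77F50000 A7000 C:\WINDOWS\System32\ntdll.dll
61c00000 f000 c:\windows\system32\wingn.dll
61C00000 1F000 C:\WINDOWS\System32\example.dll
"""

if __name__ == "__main__":
    # To check a real export, read the saved file instead of SAMPLE.
    for path in find_suspect_modules(SAMPLE):
        print(path)
```

The path it prints is the filename to paste into KillBox in the step above.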