HELP ME PLEASE!!!! THAT COOL WEB SEARCH

[mano]

okay i cant get rid of it i have used cw shredder and have used ad aware but it keeps coming back when i go on the net ARRRGH! Here is my hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 01:21:48, on 22/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ntwq32.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
C:\WINDOWS\system32\winzm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cdrif.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cdrif.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cdrif.dll/sp.html#96676
O2 - BHO: (no name) - {80E8CD34-35DC-961E-EADE-11A17381D170} - C:\WINDOWS\system32\atlck.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ntwq32.exe] C:\WINDOWS\system32\ntwq32.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\Q330994.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...ector/swdir.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab28578.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars...erxsigned40.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7896.2649074074
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

[fpantovich]

sometimes Spybot gets what others don't, give it a whirl...

http://www.download.com/Spybot-Searc...ml?tag=lst-4-1

[mano]

ive tried spy bot and no success

[John Prophet]

there is a new variant that shuts down cwshredder and adaware etc...but there is a tool to beat it....maybe try that ...http://www.spywareinfo.com/~merijn/downloads.html

the one that says "CWShredder or HijackThis closes immediately after opening? " (smartkiller removal tool)

[mano]

res://C:\WINDOWS\system32\cdrif.dll/sp.html#96676 i think the cdrif.dll is the problem but i am not sure can some1 check my hjack this log and tell me plz

[twistedbrntucker]

never mind saw it was answered.

[mano]

i deleted the res://C:\WINDOWS\system32\cdrif.dll files but the thing is they keep coming back!!!!! i dunno what to do now?

[mr.jiggyfly]

Here's what is on your to do list:

1. Ditch Internet Explorer. Use something else.
2. Understand and follow safe computing practices. Examples: not clicking "ok" on everything you see, and not downloading software that is spyware/trojan/virus prone.
3. Get a good firewall and antivirus program if you don't already have them installed. Also, be sure to keep them updated.

#2 and 3 are the basic things any computer user should know.

Anyways I just googled "cool web search" and hit the first link I saw. According to this you have to download and use a program from this link http://www.safer-networking.org/files/delcwssk.zip

and then get "cool web shredder'" from www.merijn.org. So use the first program followed by the second. The last thing to do is to reset your internet explorer settings.

If that doesn't work I don't know what to tell you, as I have never had these problems personally.

[Kuasimodem]

Also, don't forget to shut off system restore before running the removal programs. Many of these nasties hide backups of themselves in the restore files that reinstall themselves when you reboot

When you shut off system restore it deletes the restore files, thereby deleting the spyware/malware backups. After your system has been cleaned, then you can re enable system restore.

[zen]

Just dealt with this today. I found mkpo.dll as the offender in c:\windows\system32. Renamed it and moved it to a blank directory and all was well.