Another CoolWebSearch Variant That Won't Go Away, Could You Take A Look, Please?

Hello.
Have a machine here that appears to have a CoolWebSearch variant that won't go away with Ad-Aware and Spy-Bot.
I have run both of these programs and chosen to remove the CWS, but it reappears after a reboot.
I have also run the newest version of CWShredder and Stinger.
A full virus scan was also performed with Norton AV.
Here is the log from HijackThis right after running the above tools and rebooting, any input would be greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 11:57:16 PM, on 11/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cmd.exe
C:\Tools\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ukkkm.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ukkkm.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.linkfind.com/iebar/%s
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9882897A-3A03-7E2E-B9C0-766D1C6A7FA1} - C:\WINNT\addtj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAE40EEF-9504-439F-AA6B-BC894E24F570}: NameServer = 68.168.96.5,68.168.96.2
EdeneyeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SheharyaarSaahilCommented:
Hello Edeneye =)

You are infected with that res:// hijacker, plzz follow the complete instructions here to get rid of it >> http://www.pchell.com/support/onlythebest.shtml
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SheharyaarSaahilCommented:
And for u Log analysation, u can use this website now >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutoriol >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
SheharyaarSaahilCommented:
And Remember whenever u run the removal tools, run them in safemode and Disable ur system Restore before cleaning the system :)
And dont forget to delete ur Temp Internet Files and Histroy and running Disk Cleanup to delete the temp and junk files from ur system.... check if after doing all these, u still get the problem ??

Good Luck =)
0
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

Asta CuTechnical consultant & graphic designCommented:
It might he helpful to ask a Moderator to remove your IP address .... O17 - HKLM\System\CCS\Services\Tcpip\..\{DAE40EEF-9504-439F-AA6B-BC894E24F570}: NameServer = 68.168.96.5,68.168.96.2
http://www.experts-exchange.com/Community_Support/askQuestion.jsp
0
Asta CuTechnical consultant & graphic designCommented:
From this link..... you don't need more problems, IMHO; and this is a public forum.  If I'm out to lunch with my concern, tell me.

Asta
0
EdeneyeAuthor Commented:
It's not my ip, it's the DNS entries for my ISP.
0
SheharyaarSaahilCommented:
yeah, actually the O17 line shows the address of ur ISP always.... but this information is included in hijackthis, coz sometimes malwares's domains, e.g Lop.com, hijacks the domain and thus we can check from this line that if they are safe or not.
Hope u dont mind me bugging right in between 8-)
0
Asta CuTechnical consultant & graphic designCommented:
We're here as a TEAM, and teamwork works best.  ":0) Asta
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.