
I keep getting this About:Blank homepage which turns out to be some sort of search engine or something.. and then I get a lot of pop-ups saying adaware and you have a parasite in your computer and things like that... so I tried changing my homepage and it went back to About:Blank ... so I kept trying that.. and that didn't work.. I tried using Spybot Search & Destroy... that didn't work either... this is my HijackThis log:
Logfile of HijackThis v1.97.5
Scan saved at 8:56:13 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\msgked.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Pop Blocker\updatedl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Salih\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.socom2battles.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {0B9B83D5-AF96-46A3-9224-A96944F99FF4} - C:\WINDOWS\System32\fgkohba.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msfaol.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

and also.. a side note... when I try to go to other sites.. sometimes I get redirected to some site that is something like www.flashlightsearch.com then a lot of numbers and then the site I wanted .. i.e. www.flashlightsearch.com/202348/2083234&@)Q#&#*www.google.com/


We're in the same boat. This is a version of the CoolWebSearch virus. I'm hoping to get help for the same problem, so you might want to keep an eye on that thread as well as this one.


Ad-aware 6.0... I ran that...:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, June 22, 2004 8:58:35 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R298 20.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


6-22-2004 8:58:35 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-23-2004 12:24:25 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:24:32 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:24:37 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:24:37 AM
Last modified : 8/29/2002 2:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:24:37 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:24:37 AM
Last modified : 8/29/2002 2:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:24:43 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:24:43 AM
Last modified : 8/29/2002 2:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-23-2004 12:24:45 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:24:43 AM
Last modified : 8/29/2002 2:00:00 AM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:24:57 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:24:57 AM
Last modified : 8/29/2002 2:00:00 AM

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-23-2004 12:24:57 AM
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 11/13/2002 11:44:02 PM
Last accessed : 6/23/2004 12:24:58 AM
Last modified : 11/13/2002 11:44:02 PM

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-23-2004 12:25:11 AM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:26:56 AM
Last modified : 8/29/2002 2:00:00 AM

#:10 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:25:12 AM
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:25:12 AM
Last modified : 8/29/2002 2:00:00 AM

#:11 [hpconfig.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:25:14 AM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 3, 0, 1, 8
ProductVersion : 3, 0, 1, 8
Copyright : Hewlett-Packard Copyright (C) 1999-2002
CompanyName : Hewlett-Packard
FileDescription : HPConfig Module
InternalName : HPConfig
OriginalFilename : HPConfig.EXE
ProductName : HPConfig Module
Created on : 5/22/2003 11:24:52 PM
Last accessed : 6/23/2004 12:25:14 AM
Last modified : 8/15/2002 5:11:00 PM

#:12 [hpwirelessmgr.exe]
FilePath : C:\Program Files\HPQ\Notebook Utilities\
ThreadCreationTime : 6-23-2004 12:25:15 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1, 0, 0, 7
ProductVersion : 1, 0, 0, 7
Copyright : Hewlett-Packard Copyright 2002
CompanyName : Hewlett-Packard Co.
FileDescription : HPWirelessMgr Module
InternalName : HPWirelessMgr
OriginalFilename : HPWirelessMgr.EXE
ProductName : HPWirelessMgr Module
Created on : 5/22/2003 11:25:03 PM
Last accessed : 6/23/2004 12:25:15 AM
Last modified : 1/14/2003 9:12:14 PM

#:13 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 6-23-2004 12:25:17 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 11/15/2002 2:41:26 AM
Last accessed : 6/23/2004 12:25:17 AM
Last modified : 11/15/2002 2:41:26 AM

#:14 [carpserv.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-23-2004 12:25:32 AM
BasePriority : Normal
FileSize : 4 KB
FileVersion : 5.03.09.00
ProductVersion : 5.03.09.00
Copyright : Copyright
CompanyName : Conexant Systems
FileDescription : carpserv
InternalName : carpserv
OriginalFilename : carpserv.exe
ProductName : Conexant carpserv
Created on : 5/22/2003 9:58:23 PM
Last accessed : 6/23/2004 12:25:32 AM
Last modified : 4/15/2003 1:00:02 AM

#:15 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 6-23-2004 12:25:37 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.20.0130
ProductVersion : 8.20.0130
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 4/30/2004 8:57:08 PM
Last accessed : 6/23/2004 12:25:37 AM
Last modified : 4/20/2004 8:50:16 PM

#:16 [onetouch.exe]
FilePath : C:\Program Files\HPQ\One-Touch\
ThreadCreationTime : 6-23-2004 12:25:38 AM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 1.6.8.0
ProductVersion : 1.6.8.0
Copyright : Copyright
CompanyName : Dritek System Inc.
FileDescription : One-Touch
InternalName : OneTouch
OriginalFilename : OneTouch.exe
ProductName : Dritek System Inc. OneTouch 01.30.2003 ( VC60 )
Created on : 1/30/2003 10:53:10 PM
Last accessed : 6/23/2004 12:25:38 AM
Last modified : 1/30/2003 10:53:10 PM

#:17 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 6-23-2004 12:25:39 AM
BasePriority : Normal
FileSize : 108 KB
FileVersion : 7.4.2 13Mar03
ProductVersion : 7.4.2 13Mar03
Copyright : Copyright (C) Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
OriginalFilename : SynTPLpr.exe
ProductName : Progressive Touch
Created on : 5/22/2003 11:27:13 PM
Last accessed : 6/23/2004 12:25:39 AM
Last modified : 3/14/2003 12:56:46 PM

#:18 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 6-23-2004 12:25:39 AM
BasePriority : Normal
FileSize : 620 KB
FileVersion : 7.4.2 13Mar03
ProductVersion : 7.4.2 13Mar03
Copyright : Copyright (C) Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
OriginalFilename : SynTPEnh.exe
ProductName : Progressive Touch
Created on : 5/22/2003 11:27:13 PM
Last accessed : 6/23/2004 12:25:39 AM
Last modified : 3/14/2003 12:56:10 PM

#:19 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-23-2004 12:25:44 AM
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 2/12/2004 9:30:48 PM
Last accessed : 6/23/2004 12:25:44 AM
Last modified : 12/2/2003 9:11:04 PM

#:20 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 6-23-2004 12:25:45 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.5.10
ProductVersion : 5.3.5.10
Copyright : Copyright (c) 2001-2003, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 3/26/2003 6:15:24 PM
Last accessed : 6/23/2004 12:25:46 AM
Last modified : 3/26/2003 6:15:24 PM

#:21 [hpztsb05.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ThreadCreationTime : 6-23-2004 12:25:46 AM
BasePriority : Normal
FileSize : 184 KB
FileVersion : 2,121,0,0
ProductVersion : 2,121,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2002
CompanyName : HP
ProductName : HP DeskJet
Created on : 1/6/2004 1:49:29 AM
Last accessed : 6/23/2004 12:25:46 AM
Last modified : 3/28/2002 8:50:30 AM

#:22 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 6-23-2004 12:25:46 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.4
ProductVersion : QuickTime 6.4
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 1/28/2004 1:41:01 AM
Last accessed : 6/23/2004 12:25:47 AM
Last modified : 1/28/2004 1:41:01 AM

#:23 [mmtask.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 6-23-2004 12:25:47 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: (c) <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 4/30/2004 8:57:28 PM
Last accessed : 6/23/2004 12:25:47 AM
Last modified : 4/20/2004 8:50:16 PM

#:24 [aim.exe]
FilePath : C:\Program Files\AIM\
ThreadCreationTime : 6-23-2004 12:25:48 AM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 5.5.3572
ProductVersion : 5.5.3572
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
OriginalFilename : AIM.EXE
ProductName : AOL Instant Messenger
Created on : 2/10/2004 2:03:32 AM
Last accessed : 6/23/2004 12:45:02 AM
Last modified : 2/4/2004 8:29:24 PM

#:25 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ThreadCreationTime : 6-23-2004 12:25:50 AM
BasePriority : Normal
FileSize : 4572 KB
FileVersion : 6.1.0211
ProductVersion : Version 6.1
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : Messenger
Created on : 12/18/2003 4:02:22 AM
Last accessed : 6/23/2004 12:25:50 AM
Last modified : 3/4/2004 7:01:00 PM

#:26 [nclaunch.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-23-2004 12:25:51 AM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 2, 2, 0, 67
ProductVersion : 2, 2, 0, 67
Copyright : Copyright
CompanyName : Northcode Inc.
FileDescription : NCLaunch
InternalName : NCLaunch
OriginalFilename : NCLaunch.exe
ProductName : Northcode NCLaunch
Created on : 3/9/2004 12:02:41 AM
Last accessed : 6/23/2004 12:25:51 AM
Last modified : 3/9/2004 12:02:41 AM

#:27 [msgked.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-23-2004 12:25:51 AM
BasePriority : Normal
FileSize : 46 KB
Created on : 6/17/2004 3:03:12 PM
Last accessed : 6/23/2004 12:25:52 AM
Last modified : 8/23/2001

#:28 [airplus.exe]
FilePath : C:\Program Files\D-Link AirPlus\
ThreadCreationTime : 6-23-2004 12:25:54 AM
BasePriority : Normal
FileSize : 256 KB
FileVersion : 3, 0, 2, 0
ProductVersion : 3, 0, 2, 0
Copyright : Copyright (C) 2002
CompanyName : D-Link
FileDescription : WLAN Adapter Utility
InternalName : WLANMON
OriginalFilename : AIRPLUS.EXE
ProductName : D-Link AirPlus
Created on : 9/4/2003 2:32:51 AM
Last accessed : 6/23/2004 12:21:50 AM
Last modified : 3/5/2003 10:37:06 PM

#:29 [updatedl.exe]
FilePath : C:\Program Files\Pop Blocker\
ThreadCreationTime : 6-23-2004 12:27:18 AM
BasePriority : Normal
FileSize : 108 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Global Information Technology
InternalName : UpdatedL
OriginalFilename : UpdatedL.exe
ProductName : Updated Lite
Created on : 10/28/2002 12:29:06 AM
Last accessed : 6/23/2004 12:27:18 AM
Last modified : 10/28/2002 12:29:06 AM

#:30 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 6-23-2004 12:43:56 AM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:44:16 AM
Last modified : 8/29/2002 2:00:00 AM

#:31 [hijackthis.exe]
FilePath : C:\Documents and Settings\Salih\Desktop\hijackthis\
ThreadCreationTime : 6-23-2004 12:55:49 AM
BasePriority : Normal
FileSize : 156 KB
FileVersion : 1.97.0005
ProductVersion : 1.97.0005
CompanyName : Soeperman Enterprises Ltd.
FileDescription : HijackThis
InternalName : HijackThis
OriginalFilename : HijackThis.exe
ProductName : HijackThis
Created on : 11/10/2003 1:00:22 AM
Last accessed : 6/23/2004 12:55:49 AM
Last modified : 11/10/2003 1:00:22 AM

#:32 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-23-2004 12:56:14 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Microsoft
Created on : 8/29/2002 2:00:00 AM
Last accessed : 6/23/2004 12:56:14 AM
Last modified : 8/29/2002 2:00:00 AM

#:33 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 6-23-2004 12:56:31 AM
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 4/14/2003 11:30:14 PM
Last accessed : 6/23/2004 12:34:14 AM
Last modified : 4/14/2003 11:30:14 PM

#:34 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 6-23-2004 12:58:07 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/21/2004 3:06:39 AM
Last accessed : 6/23/2004 12:58:07 AM
Last modified : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

AdDestroyer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app management\arpcache\addestroyer


AdDestroyer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\addestroyer


AdDestroyer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : software\vb and vba program settings\addestroyer


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : AppID\C22A6AF2-C946-4EBF-861C-62252458827F


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : AppID\{026E4B83-1BF7-41CB-8233-4AF35341BC69}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{00A0A40C-F432-4C59-BA11-B25D142C7AB7}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{0982868C-47F0-4EFB-A664-C7B0B1015808}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{0BA1C6EB-D062-4E37-9DB5-B07743276324}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{25F7FA20-3FC3-11D7-B487-00D05990014C}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{94927A13-4AAA-476A-989D-392456427688}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{CC916B4B-BE44-4026-A19D-8C74BBD23361}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : dnsrep.dnsrepobj


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : dnsrep.dnsrepobj.1


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A679DB3C-6A3C-49D7-9D03-5D2F88715DB7}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A7370377-E217-4467-8448-9845270CD4A3}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\iPend


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A0A40C-F432-4C59-BA11-B25D142C7AB7}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0982868C-47F0-4EFB-A664-C7B0B1015808}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ba1c6eb-d062-4e37-9db5-b07743276324}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{25F7FA20-3FC3-11D7-B487-00D05990014C}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94927a13-4aaa-476a-989d-392456427688}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC916B4B-BE44-4026-A19D-8C74BBD23361}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{026E4B83-1BF7-41CB-8233-4AF35341BC69}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{C22A6AF2-C946-4EBF-861C-62252458827F}


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : urlcli.UrlCliObj


ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : urlcli.UrlCliObj.1


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{cea206e8-8057-4a04-ace9-ff0d69a92297}


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : dyfuca_bh.sinkobj


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : dyfuca_bh.sinkobj.1


DyFuCA Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}


Favoriteman Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{F1616B86-9288-489D-B71A-0CCF2F1A89DA}


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Handler\tpro


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : toolbar.ResProtocol


istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : ISTactivex.Installer


istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : istactivex.installer.2


istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\IST


Jeired Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{707e6f76-9ffb-4920-a976-ea101271bc25}


VirtualBouncer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\VB and VBA Program Settings\VBouncer


CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Favoriteman Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Counter


Favoriteman Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Server


Favoriteman Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Object


IBIS Toolbar Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : {339BB23F-A864-48C0-A59F-29EA915965EC}


Omi-Update Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : msmc


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value : Shell
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 53
Objects found so far: 53


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 53


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : salih@180solutions[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/21/2004 1:39:52 PM
Last accessed : 6/23/2004 12:26:53 AM
Last modified : 6/21/2004 1:40:04 PM

Tracking Cookie Object recognized!
Type : File
Data : salih@2o7[2].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/21/2004 9:56:18 PM
Last accessed : 6/23/2004 12:26:53 AM
Last modified : 6/21/2004 9:56:18 PM

Tracking Cookie Object recognized!
Type : File
Data : salih@bilbo.counted[2].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/21/2004 1:40:03 PM
Last accessed : 6/23/2004 12:29:42 AM
Last modified : 6/23/2004 12:29:42 AM

Tracking Cookie Object recognized!
Type : File
Data : salih@clickbank[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/21/2004 9:52:07 PM
Last accessed : 6/23/2004 12:26:54 AM
Last modified : 6/21/2004 9:52:07 PM

Tracking Cookie Object recognized!
Type : File
Data : salih@edge.ru4[2].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/22/2004 1:47:18 PM
Last accessed : 6/23/2004 12:26:54 AM
Last modified : 6/22/2004 1:47:18 PM

Tracking Cookie Object recognized!
Type : File
Data : salih@fastclick[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/21/2004 9:44:36 PM
Last accessed : 6/23/2004 12:35:36 AM
Last modified : 6/23/2004 12:35:36 AM

Tracking Cookie Object recognized!
Type : File
Data : salih@qksrv[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/21/2004 7:28:10 PM
Last accessed : 6/23/2004 12:26:56 AM
Last modified : 6/21/2004 7:28:10 PM

Tracking Cookie Object recognized!
Type : File
Data : salih@questionmarket[2].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/22/2004 5:16:16 PM
Last accessed : 6/23/2004 12:26:57 AM
Last modified : 6/22/2004 5:16:17 PM

Tracking Cookie Object recognized!
Type : File
Data : salih@revenue[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/22/2004 1:15:29 AM
Last accessed : 6/23/2004 12:26:57 AM
Last modified : 6/22/2004 1:15:29 AM

Tracking Cookie Object recognized!
Type : File
Data : salih@server.iad.liveperson[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/21/2004 9:02:41 PM
Last accessed : 6/23/2004 12:26:57 AM
Last modified : 6/21/2004 9:02:41 PM

Tracking Cookie Object recognized!
Type : File
Data : salih@tribalfusion[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/23/2004 12:39:06 AM
Last accessed : 6/23/2004 12:39:06 AM
Last modified : 6/23/2004 12:39:06 AM

Tracking Cookie Object recognized!
Type : File
Data : salih@z1.adserver[1].txt
Object : C:\Documents and Settings\Salih\Cookies\

Created on : 6/23/2004 12:44:27 AM
Last accessed : 6/23/2004 12:44:27 AM
Last modified : 6/23/2004 12:44:27 AM


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Favoriteman Object recognized!
Type : File
Data : im64.dll
Object : C:\WINDOWS\System32\
FileSize : 1 KB
Created on : 6/16/2004 2:16:33 AM
Last accessed : 6/23/2004 1:03:44 AM
Last modified : 6/21/2004 12:01:47 AM

SahAgent Object recognized!
Type : File
Data : lsp.dll
Object : C:\WINDOWS\System32\
FileSize : 52 KB
FileVersion : 1, 1, 1, 20
ProductVersion : 1, 1, 1, 20
Copyright : Copyright
CompanyName : ITForum
FileDescription : LSP
InternalName : LSP
OriginalFilename : LSP.DLL
ProductName : ITForum LSP
Created on : 6/16/2004 2:16:49 AM
Last accessed : 6/23/2004 1:03:59 AM
Last modified : 11/13/2003 9:35:00 AM

SahAgent Object recognized!
Type : File
Data : sahagent1019.exe
Object : C:\WINDOWS\System32\
FileSize : 53 KB
Created on : 6/16/2004 2:16:42 AM
Last accessed : 6/23/2004 1:04:29 AM
Last modified : 6/16/2004 2:16:42 AM

SahAgent Object recognized!
Type : File
Data : sahhtml.exe
Object : C:\WINDOWS\System32\
FileSize : 54 KB
FileVersion : 1, 1, 1, 5
ProductVersion : 1, 1, 1, 5
Copyright : Copyright
CompanyName : VGroup
FileDescription : Html
InternalName : Html
OriginalFilename : Html.exe
ProductName : VGroup Html
Created on : 6/16/2004 2:16:50 AM
Last accessed : 6/23/2004 1:04:29 AM
Last modified : 1/27/2004 9:35:24 AM


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

AdDestroyer Object recognized!
Type : Folder
Object : c:\program files\AdDestroyer


AdDestroyer Object recognized!
Type : File
Data : addestroyer.wav
Object : c:\program files\addestroyer\
FileSize : 1 KB
Created on : 6/18/2004 1:54:33 AM
Last accessed : 6/23/2004 1:04:50 AM
Last modified : 7/11/1997 9:37:00 AM

AdDestroyer Object recognized!
Type : File
Data : ~glh000a.tmp
Object : c:\program files\addestroyer\

Created on : 6/18/2004 1:54:33 AM
Last accessed : 6/23/2004 1:04:50 AM
Last modified : 6/18/2004 1:54:33 AM

AdDestroyer Object recognized!
Type : File
Data : popoops.dll
Object : c:\windows\system32\
FileSize : 24 KB
FileVersion : 2, 1, 0, 3
ProductVersion : 2, 1, 0, 3
CompanyName : Shahin Gasanov
FileDescription : PopOops
InternalName : PopOops
OriginalFilename : PopOops.dll
ProductName : PopOops
Created on : 6/18/2004 1:54:31 AM
Last accessed : 6/23/2004 1:04:22 AM
Last modified : 3/18/2003 9:00:00 AM

AdDestroyer Object recognized!
Type : File
Data : popoops2.dll
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.01.0001
ProductVersion : 1.01.0001
CompanyName : Shahin Gasanov
FileDescription : PopOops2
InternalName : PopOops2
OriginalFilename : PopOops2.dll
ProductName : PopOops2
Created on : 6/18/2004 1:54:30 AM
Last accessed : 6/23/2004 1:04:22 AM
Last modified : 7/30/2003 8:07:16 PM

AdDestroyer Object recognized!
Type : File
Data : swlad1.dll
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Globes
InternalName : SWLAD1
OriginalFilename : SWLAD1.dll
ProductName : PopOops2
Created on : 6/18/2004 1:54:32 AM
Last accessed : 6/23/2004 1:04:36 AM
Last modified : 8/25/2003 6:29:50 PM

AdDestroyer Object recognized!
Type : File
Data : swlad2.dll
Object : c:\windows\system32\
FileSize : 24 KB
Created on : 6/18/2004 1:54:32 AM
Last accessed : 6/23/2004 1:04:36 AM
Last modified : 8/25/2003 6:29:26 PM

ClientMan Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : AppID\dnsrep.DLL


DyFuCA Object recognized!
Type : File
Data : nem218.dll
Object : c:\windows\
FileSize : 33 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2002
FileDescription : DyFuCA_BH Module
InternalName : DyFuCA_BH
OriginalFilename : DyFuCA_BH.DLL
ProductName : DyFuCA_BH Module
Created on : 6/21/2004 12:18:08 PM
Last accessed : 6/23/2004 1:04:50 AM
Last modified : 6/21/2004 12:18:08 PM

Favoriteman Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}


Favoriteman Object recognized!
Type : File
Data : v.dat
Object : c:\windows\system32\
FileSize : 169 KB
Created on : 6/16/2004 2:16:50 AM
Last accessed : 6/23/2004 1:04:50 AM
Last modified : 6/16/2004 2:17:11 AM

Favoriteman Object recognized!
Type : File
Data : vg.dat
Object : c:\windows\system32\
FileSize : 2 KB
Created on : 6/16/2004 2:16:50 AM
Last accessed : 6/23/2004 1:04:50 AM
Last modified : 6/16/2004 2:17:12 AM

IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Toolbar


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Toolbar


IBIS Toolbar Object recognized!
Type : Folder
Object : c:\program files\Toolbar


IBIS Toolbar Object recognized!
Type : File
Data : cursors
Object : c:\program files\toolbar\

Created on : 6/17/2004 11:51:47 PM
Last accessed : 6/22/2004 8:11:27 PM
Last modified : 6/17/2004 11:51:47 PM

IBIS Toolbar Object recognized!
Type : File
Data : iexploreskins.exe
Object : c:\program files\toolbar\
FileSize : 6 KB
Created on : 6/17/2004 11:51:44 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 3/19/2004 8:21:54 AM

IBIS Toolbar Object recognized!
Type : File
Data : rw.wzg
Object : c:\program files\toolbar\
FileSize : 6 KB
Created on : 6/17/2004 11:52:13 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/21/2004 1:40:03 PM

IBIS Toolbar Object recognized!
Type : File
Data : skins
Object : c:\program files\toolbar\

Created on : 6/17/2004 11:51:47 PM
Last accessed : 6/22/2004 8:11:27 PM
Last modified : 6/17/2004 11:51:47 PM

IBIS Toolbar Object recognized!
Type : File
Data : temp
Object : c:\program files\toolbar\

Created on : 6/17/2004 11:52:09 PM
Last accessed : 6/22/2004 8:11:27 PM
Last modified : 6/17/2004 11:52:09 PM

IBIS Toolbar Object recognized!
Type : File
Data : toolbar.dll
Object : c:\program files\toolbar\
FileSize : 621 KB
Created on : 6/17/2004 11:51:46 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/8/2004 2:49:46 PM

IBIS Toolbar Object recognized!
Type : File
Data : xlmurin.wzg
Object : c:\program files\toolbar\

Created on : 6/17/2004 11:51:54 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/21/2004 1:51:32 PM

IBIS Toolbar Object recognized!
Type : File
Data : xzxsv.wzg
Object : c:\program files\toolbar\
FileSize : 22 KB
Created on : 6/17/2004 11:52:13 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/21/2004 1:40:03 PM

IBIS Toolbar Object recognized!
Type : File
Data : yildhvi.olt
Object : c:\program files\toolbar\
FileSize : 3 KB
Created on : 6/21/2004 7:32:12 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/21/2004 9:12:52 PM

IBIS Toolbar Object recognized!
Type : File
Data : frequently asked questions.url
Object : c:\documents and settings\all users\start menu\programs\web search tools\

Created on : 6/17/2004 11:51:47 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/17/2004 11:51:47 PM

IBIS Toolbar Object recognized!
Type : File
Data : home.url
Object : c:\documents and settings\all users\start menu\programs\web search tools\

Created on : 6/17/2004 11:51:47 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/17/2004 11:51:47 PM

IBIS Toolbar Object recognized!
Type : File
Data : privacy policy.url
Object : c:\documents and settings\all users\start menu\programs\web search tools\

Created on : 6/17/2004 11:51:47 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/17/2004 11:51:48 PM

IBIS Toolbar Object recognized!
Type : File
Data : terms of use.url
Object : c:\documents and settings\all users\start menu\programs\web search tools\

Created on : 6/17/2004 11:51:47 PM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 6/17/2004 11:51:47 PM

istbar Object recognized!
Type : Folder
Object : c:\documents and settings\salih\favorites\Adult Sites


istbar Object recognized!
Type : Folder
Object : c:\documents and settings\salih\favorites\Free Adult Content


istbar Object recognized!
Type : Folder
Object : c:\program files\ISTsvc


istbar Object recognized!
Type : File
Data : amateur
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:57 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:17:57 PM

istbar Object recognized!
Type : File
Data : anal
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:57 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:17:58 PM

istbar Object recognized!
Type : File
Data : asian
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:58 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : bisexual
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:03 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : black
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:58 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : cartoon
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:03 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : cumshots
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:58 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : fetish
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:58 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : gang bang
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:58 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:17:58 PM

istbar Object recognized!
Type : File
Data : gay
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:58 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:17:58 PM

istbar Object recognized!
Type : File
Data : hardcore
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:58 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:17:59 PM

istbar Object recognized!
Type : File
Data : interacial
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:59 PM
Last accessed : 6/22/2004 8:23:10 PM
Last modified : 6/21/2004 12:17:59 PM

istbar Object recognized!
Type : File
Data : latin
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:59 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:17:59 PM

istbar Object recognized!
Type : File
Data : lesbian
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:59 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:17:59 PM

istbar Object recognized!
Type : File
Data : mature
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:59 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:17:59 PM

istbar Object recognized!
Type : File
Data : peeing
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:03 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : reality
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:59 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:04 PM

istbar Object recognized!
Type : File
Data : teen
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:17:59 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:00 PM

istbar Object recognized!
Type : File
Data : teen hardcore
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:00 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:00 PM

istbar Object recognized!
Type : File
Data : tits
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:00 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : transexual
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:03 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : upskirt
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:03 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : video
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:00 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:00 PM

istbar Object recognized!
Type : File
Data : voyeur
Object : c:\documents and settings\salih\favorites\adult sites\

Created on : 6/21/2004 12:18:00 PM
Last accessed : 6/22/2004 8:23:09 PM
Last modified : 6/21/2004 12:18:00 PM

istbar Object recognized!
Type : File
Data : daily movies
Object : c:\documents and settings\salih\favorites\free adult content\

Created on : 6/21/2004 12:18:02 PM
Last accessed : 6/22/2004 8:23:07 PM
Last modified : 6/21/2004 12:18:03 PM

istbar Object recognized!
Type : File
Data : daily pictures
Object : c:\documents and settings\salih\favorites\free adult content\

Created on : 6/21/2004 12:18:00 PM
Last accessed : 6/22/2004 8:23:06 PM
Last modified : 6/21/2004 12:18:04 PM

istbar Object recognized!
Type : File
Data : free live chat
Object : c:\documents and settings\salih\favorites\free adult content\

Created on : 6/21/2004 12:18:03 PM
Last accessed : 6/22/2004 8:23:04 PM
Last modified : 6/21/2004 12:18:03 PM

Jeired Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\UrlSearchHooks
Value : {707E6F76-9FFB-4920-A976-EA101271BC25}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain


Omi-Update Object recognized!
Type : File
Data : cfg.dat
Object : c:\windows\system32\

Created on : 8/23/2001
Last accessed : 6/23/2004 12:25:58 AM
Last modified : 8/23/2001

Omi-Update Object recognized!
Type : File
Data : msmc.exe
Object : c:\windows\system32\
FileSize : 46 KB
Created on : 6/16/2004 2:16:03 AM
Last accessed : 6/23/2004 1:04:07 AM
Last modified : 6/16/2004 2:16:03 AM

SahAgent Object recognized!
Type : File
Data : sahuninstall.exe
Object : c:\windows\
FileSize : 29 KB
FileVersion : 2, 0, 0, 2
ProductVersion : 2, 0, 0, 2
Copyright : Copyright
FileDescription : SAHUninstall
InternalName : SAHUninstall
OriginalFilename : SAHUninstall.dll
ProductName : SAHUninstall
Created on : 6/16/2004 2:16:50 AM
Last accessed : 6/23/2004 1:04:51 AM
Last modified : 1/27/2004 9:34:48 AM

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 66
Objects found so far: 135


9:04:53 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:06:16:10
Objects scanned :45720
Objects identified :135
Objects ignored :0
New objects :135

after i deleted all the files... i changed my homepage... and then i waited a couple of minutes... and it went back to about:blank and i got my pop-ups please help asap

0

most of the programs can't catch all of this one. i'm going to give you a thread. in it is a specific set of instructions that may help some. try it and see if it works for you. my system is better, but i still find elements of this virus lingering and i am waiting for more help to destroy the remaining hidden files.

http://daniweb.com/techtalkforums/thread5531.html

there is a post from Iced on 6/18/04 at 5:17 pm that describes in detail what to try. good luck

0

i tried that site.. but cws shredder didn't pick anything up... and then when i went to the regedit and i did all that stuff it said.. nothing was in the binary thing... it was just 0's

0

I don't normally give direct help with HJT logs, but I am in this case because I've specifically run into this one, and it is a nasty one to remove. First off, I know these entries are bad:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.socom2battles.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


And some of these look random, which would make me a little suspicious:

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {0B9B83D5-AF96-46A3-9224-A96944F99FF4} - C:\WINDOWS\System32\fgkohba.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msfaol.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

Now, with this information, let me ask you: Do you use any P2P programs, like Kazaa or iMesh, or Limewire? These are some of the biggest sources of this stuff. Also, make sure you're running Windows Update on a regular basis, as these hijacks are often prevented by patches available through the Windows Update service.
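The by-eye triage in the post above, written out as an added example that is not part of the original thread: it parses HijackThis R0/R1, O2 and O4 lines and flags the patterns the helper points at. The rules are illustrative heuristics assumed here, not HijackThis's own logic, and the sample lines are copied from the logs posted in this thread.

```python
import ntpath
import re

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://socom2battles.com/
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {497521A5-D8AB-4666-AF04-A3400E5CF854} - C:\WINDOWS\System32\cpojfj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

# R0/R1: IE start/search settings, "<hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+\\[^,]+),(.+?)\s*=\s*(.*)$")
# O2: Browser Helper Object, "<name> - {CLSID} - <path to module>"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O4: autostart entry, "<hive>\..\Run*: [<entry name>] <command line>"
O4_LINE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage_line(line):
    """Return (severity, reason) for one log line, or None if no rule matches."""
    line = line.strip()

    m = R_LINE.match(line)
    if m:
        value_name, value = m.group(3).strip(), m.group(4).strip()
        # A search page served from a local file (here a Temp folder) is not
        # something a user configures by hand.
        if value.lower().startswith("file://"):
            return ("high", f"IE '{value_name}' points at a local file: {value}")
        # about:blank is a legitimate setting; it only matters when the user
        # did not choose it, so it is marked for review rather than as bad.
        if value_name == "Start Page" and value.lower() == "about:blank":
            return ("review", "Start Page is about:blank; confirm the user set it")
        return None

    m = O2_LINE.match(line)
    if m:
        name, clsid, path = m.groups()
        path = path.replace(" (file missing)", "")
        ext = ntpath.splitext(path)[1].lower()
        # A BHO is a COM DLL; a module registered under another extension
        # (.gif in this thread) is disguised.
        if ext != ".dll":
            return ("high", f"BHO {clsid} loads a non-DLL file: {path}")
        # Unnamed helper sitting directly in System32: check it by hand.
        if name == "(no name)" and in_system32(path):
            return ("review", f"unnamed BHO {clsid} in System32: {path}")
        return None

    m = O4_LINE.match(line)
    if m:
        entry_name, command = m.group(3), m.group(4)
        exe = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
        if exe and in_system32(exe.group(1)):
            stem = ntpath.splitext(ntpath.basename(exe.group(1)))[0].lower()
            # Entry name and executable name that do not agree, for a binary
            # in System32, is worth a second look ([msmc] -> msgked.exe).
            if stem != entry_name.lower():
                return ("review",
                        f"Run entry [{entry_name}] starts {exe.group(1)}")
        return None

    return None


def triage(log_text):
    """Return a list of (severity, line, reason) for every flagged line."""
    findings = []
    for raw in log_text.splitlines():
        result = triage_line(raw)
        if result:
            findings.append((result[0], raw.strip(), result[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}")
```
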

0

no i don't have any p2p programs... so do i have to fix all those programs listed above?

0

this is my hjt log after reboot:

Logfile of HijackThis v1.97.7
Scan saved at 5:43:33 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pop Blocker\updatedl.exe
C:\Documents and Settings\Salih\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {E0C7F1AD-42DF-48CD-A367-172333D5B364} - C:\WINDOWS\System32\fgkohba.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

0

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {E0C7F1AD-42DF-48CD-A367-172333D5B364} - C:\WINDOWS\System32\fgkohba.dll

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Close all windows except HijackThis and fix the lines above.

In the upper window of APM select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware to remove the txt and html protocol association.

Download & install Adaware from here & update it B4 scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot

Download & install Spybot S&D from here. Update it B4 scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

0

looks like it worked... ill tell u if it comes back...thanks a lot =)

0

it came back :( :( :( ... here is the hjt log:

Logfile of HijackThis v1.97.7
Scan saved at 9:29:19 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Pop Blocker\updatedl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Salih\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {497521A5-D8AB-4666-AF04-A3400E5CF854} - C:\WINDOWS\System32\cpojfj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

0

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in its database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

0

sorry i wasn't here for a bit... here is the hjt log:


Logfile of HijackThis v1.97.7
Scan saved at 4:59:17 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://socom2battles.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Salih\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll (file missing)
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

0

Hi, it's a nasty one; I'm still trying to figure out how they remove it. This is from another forum, same problem, and this is what they are telling the person to do. If you want, we can try their fix. It may take some time, as they are just starting the post.
Do the following, for starters.

Quote from other site:
..............................................................................................
You're not going to get rid of this one with CWShredder. You have a hijack which can be removed using CWShredder but will be reinstalled by a hidden file. So first we have to find the hidden file and remove it.

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.

Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Attach the windows.txt file here to your next post please.

0

this is what the windows.txt said when it came up for me.. just if u can't open it properly or something:

regf Pugf hbin ¨ÿÿÿnk, i8o[Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ø x ÿÿÿÿ 0 @ 0 x Windows ÿÿÿsk x x Ô €¸ È ¤ ! € ! ? ? Øÿÿÿvk @ fùAppInit_DLLsÖæG¸ÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ h l p m i d b . d l l N h ÿÿÿvk ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 ( ðÿÿÿ9 0 ë=tÀÿÿÿvk €' zGDIProcessHandleQuota"þÿÿÿvk € °ºSpooler2ðÿÿÿy e s
Ñ_å h 0 ` ¨ ÿÿÿvk € 5swapdiskÿÿÿvk . TransmissionRetryTimeoutÿÿÿh 0 ` ¨ È ÿÿÿvk €' R USERProcessHandleQuota2 ¸
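The windows.txt posted above is a raw registry hive (regf) file, which is why it looks garbled when opened as text. The Python below is an added example, not part of the thread or of any tool named in it: it reads the `AppInit_DLLs` string out of such a saved hive so the DLL that Windows is told to load can be named exactly. The sample hive is constructed inline (only the DLL path is taken from the dump above), and the function names are illustrative.

```python
import re
import struct

HBIN_BASE = 0x1000  # regf cell offsets are relative to the first hbin block

def read_value(hive: bytes, wanted: str):
    """Return the string data of a REG_SZ/REG_EXPAND_SZ value, or None if absent."""
    pos = hive.find(b"vk", HBIN_BASE)
    while pos != -1:
        if pos + 20 <= len(hive):
            # vk record: sig(2) name_len(2) data_size(4) data_off(4) type(4) flags(2) spare(2)
            name_len, size, off, vtype, flags = struct.unpack_from("<HIIIH", hive, pos + 2)
            raw = hive[pos + 20 : pos + 20 + name_len]
            name = raw.decode("latin-1" if flags & 1 else "utf-16-le", "replace")
            if name.lower() == wanted.lower() and vtype in (1, 2):
                if size & 0x80000000:  # data of 4 bytes or fewer sits in the offset field
                    data = struct.pack("<I", off)[: size & 0x7FFFFFFF]
                else:  # skip the 4-byte size header of the data cell
                    start = HBIN_BASE + off + 4
                    data = hive[start : start + size]
                return data.decode("utf-16-le", "replace").rstrip("\x00")
        pos = hive.find(b"vk", pos + 2)
    return None

def appinit_dlls(hive: bytes):
    """AppInit_DLLs is a space- or comma-separated list; return each entry."""
    value = read_value(hive, "AppInit_DLLs") or ""
    return [p for p in re.split(r"[ ,]+", value) if p]

def build_sample(dll_list: str) -> bytes:
    """Constructed stand-in for windows.txt: header padding, one data cell, one vk cell."""
    data = (dll_list + "\x00").encode("utf-16-le")
    data_cell = struct.pack("<i", -(4 + len(data))) + data
    name = b"AppInit_DLLs"
    vk = b"vk" + struct.pack("<HIIIHH", len(name), len(data), 0x20, 1, 1, 0) + name
    vk_cell = struct.pack("<i", -(4 + len(vk))) + vk
    return b"regf".ljust(HBIN_BASE, b"\x00") + b"hbin".ljust(0x20, b"\x00") + data_cell + vk_cell

SAMPLE = build_sample(r"C:\WINDOWS\System32\hlpmidb.dll")  # path as seen in the posted dump

if __name__ == "__main__":
    # On a real export: hive = open("windows.txt", "rb").read()
    for dll in appinit_dlls(SAMPLE):
        print("AppInit_DLLs entry:", dll)
```

On a clean Windows XP install this value is normally empty, so any entry it returns is worth checking against the files actually present in System32.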

0

ok that site is kinda confusing me... and when i looked for the thing in system32... i couldn't find it... and i searched it also... and if it's a hidden file.. is there a way to unhide all files in the computer/folder or an alternative way to get rid of it?

0

I've never used the program, never had the opportunity to have to use it. I just read about using it and I know it can get confusing!! That's why I posted the link to it being explained better than I could explain it. Sorry.

0

The Findnfix tool is only able to be used on authorized forums, so perhaps you can post to somewhere like TomCoyote, techguys, ComputerCops etc where it is authorised for use. It does fix the hijacker. To my knowledge nothing else does at the moment. (At least not permanently)

0

I got a tip from another reader and it is SOOOO Simple. I closed Ad/Subtract. That's it! I felt really stupid, but now I don't have this issue anymore.

Sibyl

0

what's ad/subtract? and i tried other forums... so far i have had no response...

0

Try this. It's been updated.

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & install Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.
