how to make it go away???!!!

I have done some cleaning with cwshredder, S&Dspybot, hijackthis...and everything seems to be ok...
but I've picked up this address:http://213.159.117.134/index.php

it is set up as my home address...
whenever I change it and reenter internet options it is there! i also tried to fix it with hijackthis...but nothing happens...it is still there

please help
here is the log:


Logfile of HijackThis v1.98.2
Scan saved at 00:49:31, on 2004.10.07
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchdef
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - E:\ZELJKA\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\jokes\destroy\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - E:\ZELJKA\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KaZaA Media Desktop] C:\Program Files\KaZaA\kazaa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [htntqqaph] C:\WINDOWS\SYSTEM\skwrml.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP1\WINAMPa.exe"
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Download with &DAP - E:\ZELJKA\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\ZELJKA\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\ZACA\ZELJKA\YAHOO\MESSENGER\YHEXBMES0411.DLL (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\ZACA\ZELJKA\YAHOO\MESSENGER\YHEXBMES0411.DLL (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\ZELJKA\DAP\DAP.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {3A46A070-5F27-11D8-B8D1-DCF157D20741} - http://www.saliu.com/Generator.CAB

Hi ivanapmf,

I see you have KaZaA Media Desktop installed. This can easily be the source of your problems. There are safer alternatives.

You might want to print these instructions for reference, as you will be off the internet while using HijackThis.

You have a coolwebsearch infection, among other things. Please download CWShredder written by Merijn Bellekom from Here Save it to a convenient location such as your Desktop

Press "Check for Update" and download any new updates available. The current version is 1.59.1

Close ALL browser windows or it may not work! Run CWShredder and select "Fix" (do not just Scan). It will automatically remove the infections.

Then....

Logoff your internet connection.Please press Ctrl-Alt-Delete and open Task Manager. End the following process by selecting it and pressing the End Process button and clicking Yes to the confirmation message:

SYSTIME.EXE it may be listed twice, so stop both processes.

Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchdef
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [htntqqaph] C:\WINDOWS\SYSTEM\skwrml.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe

Unless you have the Spybot Search & Destroy option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix this:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

These are resource hogs that can be removed also:

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Then....

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Delete the following files:

C:\WINDOWS\SYSTEM\skwrml.exe
C:\WINDOWS\SYSTEM\systime.exe

Reboot normally and post a fresh log.

Tom

Done.
I think that everything is clean now. Here is the new log so you can confirm that too. Thanks a lot.

Logfile of HijackThis v1.98.2
Scan saved at 12:14:34, on 2004.10.11
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP1\WINAMPA.EXE
C:\HJT\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - E:\ZELJKA\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\jokes\destroy\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - E:\ZELJKA\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP1\WINAMPa.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Download with &DAP - E:\ZELJKA\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\ZELJKA\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\ZACA\ZELJKA\YAHOO\MESSENGER\YHEXBMES0411.DLL (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\ZACA\ZELJKA\YAHOO\MESSENGER\YHEXBMES0411.DLL (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\ZELJKA\DAP\DAP.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {3A46A070-5F27-11D8-B8D1-DCF157D20741} - http://www.saliu.com/Generator.CAB

Great work!!! You are clean!

However, you are seriously behind on Windows Updates. You will not stay clean for long if you dont get these immeadiatly:

Please update Windows and Internet Explorer. Download each critical update one by one, rebooting when necessary.. Repeat this until you get the message "no critical updates available". http://v4.windowsupdate.microsoft.com/

Then....

These are tools that will help keep you from getting infected again:

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in InternetExplorer.

http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

http://www.wilderssecurity.net/spywareguard.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

All are very small free programs. Occasionally check for updates.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary.. Repeat this until you get the message "no critical updates available" http://v4.windowsupdate.microsoft.com/

Please take a minute to read: So how did I get infected in the first place?

http://computercops.biz/postlite7736-.html

Tom