HijackThis! Help (was: C:\\Windows\System32....?)

Post by Shroom Man 777 »

Which ones should I kill?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.kvpbcjxmikkdwzngg.uk/oea0p3o ... n4lEs.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bias blah grid film] C:\Documents and Settings\All Users\Application Data\Fast Phone Bias Blah\funkwipe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22

You've been here long enough to know that you should use descriptive title names - Phong
Last edited by Shroom Man 777 on 2004-08-08 01:28am, edited 1 time in total.
"DO YOU WORSHIP HOMOSEXUALS?" - Curtis Saxton
shroom is a lovely boy and i wont hear a bad word against him - LUSY-CHAN!
Shit! Man, I didn't think of that! It took Shroom to properly interpret the screams of dying people :D - PeZook
Shroom, I read out the stuff you write about us. You are an endless supply of morale down here. :p - an OWS street medic
Pink Sugar Heart Attack!

Post by Einhander Sn0m4n »

Could you post the whole log? Please don't remove the headers and make sure you have 1.98.0. L8a!

Post by Shroom Man 777 »

How the hell do I get this new version of HijackThis? Got link?

BTW, do you have MSN Messenger?

Post by Einhander Sn0m4n »

Shroom Man 777 wrote: How the hell do I get this new version of HijackThis? Got link?

BTW, do you have MSN Messenger?
http://209.133.47.12/~merijn/files/HijackThis.exe

sagittario81 @t hotmail d0t c0m

Post by Shroom Man 777 »

What do I kill?

Logfile of HijackThis v1.98.0
Scan saved at 12:22:46 PM, on 8/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Mr. John Li\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yzmdjlmwtdtnxgpfutrcrhvzc.co ... n4lEs.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Re: HijackThis help!

Post by Einhander Sn0m4n »

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.kvpbcjxmikkdwzngg.uk/oea0p3o ... n4lEs.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bias blah grid film] C:\Documents and Settings\All Users\Application Data\Fast Phone Bias Blah\funkwipe.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22

AND DO NOT USE IDIOT EXPLOITER!

Post by Shadowhawk »

These:
Shroom Man 777 wrote: What do I kill?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yzmdjlmwtdtnxgpfutrcrhvzc.co ... n4lEs.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
And if you didn't put these in yourself, and you're not using infocom.ph as your ISP, get rid of this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22
Shadowhawk
Eric from ASVS
"Sufficiently advanced technology is often indistinguishable from magic." -- Clarke's Third Law
"Then, from sea to shining sea, the God-King sang the praises of teflon, and with his face to the sunshine, he churned lots of butter." -- Body of a pharmacy spam email
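A small triage script for log lines like the ones quoted in this thread, added here as an example; it is not part of HijackThis and not something any of the posters wrote. It applies the reasoning the replies use by hand: an IE start/search page pointing at an unknown host (worse when the hostname looks random), a Run entry launched from a data directory or carrying a random-word name, a Run entry outside any directory a known vendor uses, and an O17 NameServer that is not one of the ISP's resolvers. The vendor allowlists, the "random-looking" thresholds and the sample log are assumptions; the sample mirrors the entries quoted above with the truncated URLs shortened. It narrows what to look at; the decision to tick an entry and hit Fix checked is still yours.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not HijackThis's own code. The vendor
allowlists, the "random-looking" thresholds and the sample log below are
assumptions chosen to mirror what the replies do by hand: hijacked IE
start/search pages point at throwaway hosts, suspect Run entries launch
from data directories or carry random-word names, and a NameServer that
is not your ISP's resolver has no business in the registry.
"""
import re
from urllib.parse import urlparse

# Hosts one would expect in R0/R1 start/search entries (assumption).
KNOWN_WEB_HOSTS = ("yahoo.com", "msn.com", "microsoft.com", "google.com")
# Path fragments of the software this particular log shows installed (assumption).
KNOWN_VENDOR_DIRS = ("symantec", "norton", "quicktime", "\\real\\", "\\windows\\", "yahoo")

R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.+)$")
O4_LINE = re.compile(r"^(O4) - (.+?): \[(.+?)\] (.+)$")
O17_LINE = re.compile(r"^(O17) - .+?: NameServer = (.+)$")
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def looks_random(label: str) -> bool:
    """Crude check on one DNS label: long and vowel-starved, or a long consonant run."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    if len(letters) < 12:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 6


def host_of(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def host_is_known(host: str) -> bool:
    return any(host == k or host.endswith("." + k) for k in KNOWN_WEB_HOSTS)


def triage(log_text: str, expected_dns=()) -> list:
    """Return (section, entry, reason) tuples for lines worth fixing or reviewing.

    expected_dns holds the resolver IPs the ISP really hands out; any other
    address in an O17 entry is reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            sec, key, value = m.groups()
            host = host_of(value) if value.lower().startswith("http") else ""
            if host and not host_is_known(host):
                reason = "start/search page points at an unknown host"
                if any(looks_random(lbl) for lbl in host.split(".")):
                    reason += " with a random-looking name"
                findings.append((sec, key, reason))
            continue
        m = O4_LINE.match(line)
        if m:
            sec, _hive, name, cmd = m.groups()
            path = cmd.lower()
            words = name.split()
            if "application data" in path or "\\temp\\" in path:
                findings.append((sec, name, "autorun launched from a data/temp directory"))
            elif len(words) >= 3 and all(w.islower() for w in words):
                findings.append((sec, name, "autorun with a random-word name"))
            elif not any(v in path for v in KNOWN_VENDOR_DIRS):
                findings.append((sec, name, "autorun outside any known vendor directory; review"))
            continue
        m = O17_LINE.match(line)
        if m:
            sec, servers = m.groups()
            unexpected = [ip for ip in servers.split() if ip not in expected_dns]
            if unexpected:
                findings.append((sec, " ".join(unexpected), "NameServer not among the ISP's resolvers"))
    return findings


# Constructed sample mirroring the entries quoted in the thread (truncated URLs shortened).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.kvpbcjxmikkdwzngg.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bias blah grid film] C:\Documents and Settings\All Users\Application Data\Fast Phone Bias Blah\funkwipe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22
"""

if __name__ == "__main__":
    # The resolver list is a placeholder; take the real one from ipconfig /all on a machine you trust.
    for section, entry, reason in triage(SAMPLE_LOG, expected_dns=("203.172.17.202",)):
        print(f"{section:4} {reason}: {entry}")
```

Paste a full log in place of SAMPLE_LOG (or read it from the file HijackThis saves) and put the ISP's resolvers in expected_dns; entries that come back as "review" are the ones to look up before ticking them.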

Post by Shroom Man 777 »

Alright, I've figured that a lot of this shit is coming from a file in Drive C. It's C:\WINDOWS\system32 and when I go into it, I can't see anything, it just tells me that the files are hidden and that "this folder contains files that keep your system working properly. you should not modify its contents".

Should I kill it?

What else should I kill? Frankly, I'm sick and tired of all of this shit with the pop-ups and whatever. I just want it to end. So should I kill this file?

Post by phongn »

C:\WINDOWS\SYSTEM32 is the directory in which the main system files are. If you somehow managed to delete it your system would be rendered unbootable.

Post by Shroom Man 777 »

...phew! You just stopped me from making a big boo-boo. Now can anyone tell me how I can like delete the files these adwares are in so I can permanently cleanse my system? Is that possible? I've just switched to Firefox, so that could prevent the adware from sneaking back in.

Post by phongn »

You know, the very first thread on the forum links to tools that can help.

Post by Shroom Man 777 »

They just keep on coming back. I've used HijackThis and it does diddly squat. I've used Ad-Aware and Spybot. Nothing works!

Post by Dalton »

Shroom Man 777 wrote: They just keep on coming back. I've used HijackThis and it does diddly squat. I've used Ad-Aware and Spybot. Nothing works!
Did you actually check the stuff to be removed and click "Fix Checked"?
To Absent Friends
Dalton | Admin Smash | Knight of the Order of SDN

"y = mx + bro" - Surlethe
"You try THAT shit again, kid, and I will mod you. I will
mod you so hard, you'll wish I were Dalton." - Lagmonster

May the way of the Hero lead to the Triforce.

Post by Shroom Man 777 »

Duh! Do you think I'm some kind of dumb orangutan with bad dental hygiene? :P

Post by phongn »

There are more tools on that page.