
HijackThis! Help (was: C:\Windows\System32....?)

Posted: 2004-08-01 03:55am
by Shroom Man 777
Which ones should I kill?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.kvpbcjxmikkdwzngg.uk/oea0p3o ... n4lEs.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bias blah grid film] C:\Documents and Settings\All Users\Application Data\Fast Phone Bias Blah\funkwipe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22

You've been here long enough to know that you should use descriptive title names - Phong

Posted: 2004-08-01 07:06pm
by Einhander Sn0m4n
Could you post the whole log? Please don't remove the headers and make sure you have 1.98.0. L8a!

Posted: 2004-08-03 08:20am
by Shroom Man 777
How the hell do I get this new version of HijackThis? Got link?

BTW, do you have MSN Messenger?

Posted: 2004-08-03 06:09pm
by Einhander Sn0m4n
Shroom Man 777 wrote: How the hell do I get this new version of HijackThis? Got link?

BTW, do you have MSN Messenger?
http://209.133.47.12/~merijn/files/HijackThis.exe

sagittario81 @t hotmail d0t c0m

Posted: 2004-08-08 12:23am
by Shroom Man 777
What do I kill?

Logfile of HijackThis v1.98.0
Scan saved at 12:22:46 PM, on 8/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Mr. John Li\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yzmdjlmwtdtnxgpfutrcrhvzc.co ... n4lEs.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Re: HijackThis help!

Posted: 2004-08-08 12:42am
by Einhander Sn0m4n
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.kvpbcjxmikkdwzngg.uk/oea0p3o ... n4lEs.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bias blah grid film] C:\Documents and Settings\All Users\Application Data\Fast Phone Bias Blah\funkwipe.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22

AND DO NOT USE IDIOT EXPLOITER!

Posted: 2004-08-08 01:16am
by Shadowhawk
These:
Shroom Man 777 wrote: What do I kill?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index ... #058;blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yzmdjlmwtdtnxgpfutrcrhvzc.co ... n4lEs.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
And if you didn't put these in yourself, and you're not using infocom.ph as your ISP, get rid of this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22
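As an added illustration of the check Shadowhawk describes (not code from the thread or from HijackThis itself), the small parser below splits HijackThis log lines by section code and reports any O17 NameServer address that is not in a caller-supplied set of expected resolvers; the sample lines are constructed in the v1.98 format seen above, and the expected set is an assumption the reader fills in with their own ISP's resolvers.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the HijackThis v1.98 line format used in this thread.
# The O17 resolver addresses are the ones from the posted log; the R0 URL is a placeholder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/index.php
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Window Bait] C:\PROGRA~1\DUMBCU~1\dartplatform.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B9977B-AD4E-498E-8FA2-B4EE4C91E36F}: NameServer = 203.172.17.202 203.172.25.22
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?\\Run): \[(?P<name>[^\]]+)\] (?P<command>.+)$")
O17_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Split a HijackThis log into entries keyed by section code (R0, O4, O17, ...)."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and the process listing carry no section code
        entry: Dict[str, object] = {"code": m["code"], "body": m["body"]}
        if m["code"] == "O4" and (o4 := O4_RE.match(m["body"])):
            entry["name"], entry["command"] = o4["name"], o4["command"]
        elif m["code"] == "O17" and (o17 := O17_RE.match(m["body"])):
            entry["servers"] = o17["servers"].split()  # several resolvers are space-separated
        entries.append(entry)
    return entries


def unexpected_nameservers(entries: List[Dict[str, object]], expected: Set[str]) -> List[str]:
    """Return O17 resolver addresses that are not in the set the user's ISP or own network
    actually hands out (the set is the caller's assumption; an empty result means no DNS change)."""
    found: List[str] = []
    for e in entries:
        if e["code"] == "O17":
            found.extend(ip for ip in e.get("servers", []) if ip not in expected)
    return found


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    # Placeholder allowlist: replace with the resolvers your ISP really assigns.
    print(unexpected_nameservers(parsed, {"192.0.2.53"}))
```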

Posted: 2004-08-08 01:30am
by Shroom Man 777
Alright, I've figured that a lot of this shit is coming from a file in Drive C. It's C:\WINDOWS\system32 and when I go into it, I can't see anything, it just tells me that the files are hidden and that "this folder contains files that keep your system working properly. you should not modify its contents".

Should I kill it?

What else should I kill? Frankly, I'm sick and tired of all of this shit with the pop-ups and whatever. I just want it to end. So should I kill this file?

Posted: 2004-08-08 01:32am
by phongn
C:\WINDOWS\SYSTEM32 is the directory in which the main system files are. If you somehow managed to delete it your system would be rendered unbootable.

Posted: 2004-08-08 01:38am
by Shroom Man 777
...phew! You just stopped me from making a big boo-boo. Now can anyone tell me how I can like delete the files these adwares are in so I can permanently cleanse my system? Is that possible? I've just switched to Firefox, so that could prevent the adware from sneaking back in.

Posted: 2004-08-08 01:59am
by phongn
You know, the very first thread on the forum links to tools that can help.

Posted: 2004-08-08 02:18am
by Shroom Man 777
They just keep on coming back. I've used HijackThis and it does diddly squat. I've used Ad-ware and Spybot. Nothing works!

Posted: 2004-08-08 02:25am
by Dalton
Shroom Man 777 wrote: They just keep on coming back. I've used HijackThis and it does diddly squat. I've used Ad-ware and Spybot. Nothing works!
Did you actually check the stuff to be removed and click "Fix Checked"?

Posted: 2004-08-08 04:39am
by Shroom Man 777
Duh! Do you think I'm some kind of dumb orangutan with bad dental hygiene? :P

Posted: 2004-08-08 11:47am
by phongn
There are more tools on that page.