Ultimate Predator - HijackThis Log 01

[Ultimate Predator]

Ignoring ebay toolbar and the ebay startup, is my PC clean? Also, is HijackThis v1.99.1 the latest?

Refer to new one.

[Tarun]

Generated by Tarun's HijackThis Converter v0.44 Beta.

Default-color items are optional, red are known to be malicious.

Changed registry value

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.europe.yahoo.com/config/login.../mail.yahoo.com

Created registry value

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net

Changed registry value

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

Created registry value

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access

Enumeration of existing IE's BHO's

O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll

Enumeration of existing IE's toolbars

O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

Extra IE context menu items

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

Extra "Tools" menu items and buttons

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll

O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll

Changing of IERESET.INF

O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net

Downloaded Program Files item

O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase2213.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

Enumeration of existing protocols and filters

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

[Ultimate Predator]

Could you please explain roughly what is wrong with the above? All the others I have left out I understand and want to keep.

[Tarun]

Could you please explain roughly what is wrong with the above? All the others I have left out I understand and want to keep.

Default-color items are optional, red are known to be malicious.

They're extras and not needed really.

[Ultimate Predator]

I think I'll keep them. Unless they are particually degarading my PC peformance, then I'll stick.

[Tarun]

Changed registry value

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

The above should read "about:blank", not that path.

Created registry value

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access

ISP adds on that to make it like they gave you IE, remove it. Not malicious but adds too much test to the IE titlebar.

Extra "Tools" menu items and buttons

Exactly what it says it is. Your IE gets cluttered with stuff that's pointless.

Changing of IERESET.INF

O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net

Resets your IE to what your ISP wants (usually the homepage and titlebar), but can often be malicious.

Enumeration of existing protocols and filters

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Why keep something that isn't there?

[Ultimate Predator]

O.K, here's my new one:

Refer to new one.

I kept "Changed registry value

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.europe.yahoo.com/config/login...o.com" as that is the homepage I set it to, or is it trying to screw around with somehting else?

And I kept everything to do with ebay, my ebay toolbar and startup are things I need and use.

Is HijackThis - v1.99.1 the most up to date product?

[Tarun]

Yeah, 1.99.1 has been the latest for over a year now.

If you set it to that page then it's safe.

[Ultimate Predator]

Excellent, thanks for the help.