Hijack Log

[Zilva Zanga]

Can anyone tell me if anything on this HijackThis report is suspicious?

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://rl.webtracer.cc/-/?bayzm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies,
Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\vetredir.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vetredir.dll
O12 - Plugin for .bcf: C:\Program Files\Internet
Explorer\Plugins\NPBelv32.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

 

[Dave Budd]

Can anyone tell me if anything on this HijackThis report is suspicious?

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://rl.webtracer.cc/-/?bayzm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies,
Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\vetredir.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vetredir.dll
O12 - Plugin for .bcf: C:\Program Files\Internet
Explorer\Plugins\NPBelv32.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

I dunno much about HijackThis, but I don't like the look of the
1st R0 line or the O10 lines. And what's that plug-in in the
O12 line?
I'd have the microsoft antispyware tool reset all the IE
settings, and maybe run LSPfix to sort out WinSock, on general
principles.
There are other forums where the HijackThis experts live, but I
dunno the addresses/names

 

[David H. Lipman]

From: "Zilva Zanga" <[email protected]>

| Can anyone tell me if anything on this HijackThis report is suspicious?
|
| R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =


Wrong News Groups for posting HJT logs.

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Trend Sysclean Method 1
---------------------------------------
Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt528.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
Download the utility SYSCLEAN_FE in "Procedure 1" at the following URL, SYSCLEAN_FE
automates the download and execution process of the Trend Sysclean Package.
http://www.ik-cs.com/got-a-virus.htm

2) Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP,Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* Please report back your results *

 

[Johnie]

Can anyone tell me if anything on this HijackThis report is suspicious?

Send your Hijack This report to the following webste :-

http://www.hijackthis.de/

and it will pick out any suspicious things running.