Re: Someone look at this HijackThis log, please?

From: Bart Bailey (
Date: 12/10/03

Date: Wed, 10 Dec 2003 10:28:01 -0800

In Message-ID:<> posted on Wed, 10 Dec 2003 14:14:08 GMT, Allen wrote:

>Thank you very much for the help. (Likewise to the other respondees.) I
>took your advice and ran the "big four" you mentioned (latest
>versions). Then I downloaded the latest version of HijackThis, and here
>is the new log file it produced (further comments on remaining
>problems seen below would be much appreciated):
>Logfile of HijackThis v1.97.7

good thing getting the latest version

>Scan saved at 14:08:21, on 10/12/03

and a recent scan which is far more relevant

>Platform: Windows 98 SE (Win9x 4.10.2222A)

probably better than XP or Longbow

>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

this already has proven itself to be a source of trouble, and will
likely continue to be, recommend:
Of course you'll need a browser to replace it.
My preference is Opera v6.06, last good version prior to the
incorporation of DOM, another active vulnerability:
while on this subject, I'd recommend NOT browsing with any active
executable authorizations enabled in your browser; these include the
document object modeling as well as any other JavaScript or ActiveX
object permissions granted.
Another good, safe, and lightweight browser is OB1 (OffByOne):
There are quite a lot of advocates for the Mozilla variants in this
group, and I'm sure they will weigh in with their favorites.

>Running processes:

Leave all these alone, other than your antivirus, they are all part of
your system's necessary files.
*note - I'd set AVG to "On Demand" instead of "On Access"


I'd dump this unless you want RealMedia poking around in your realaudio
history so they can profile your tastes.


These two don't do as much for your browsing experience as clog your
system. Here are some comments on their removal:


Loads on startup and hogs resources. If your USB works OK without it,
you don't need it at all. See what these folk say about it:


Don't mess with this unless you have printer problems.


DirectX graphics program, OK to leave it.


Just more clutter from Peachseed, read and decide if you "need" it:


Interesting to note that many systems would probably function faster
without the weight of all these accelerators.


Getting rid of IE will get rid of this.


Good news reader (my favorite)
what's it doing way over there on the E drive?
When you dump IE/OE,
Forte Agent will make an excellent replacement, save this one!

>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
>N1 - Netscape 4: user_pref("browser.startup.homepage",
>""); (C:\Program

Setting Netscape to start with a blank page means you don't have to wait
on their site to load every time you open an HTML file.

>N3 - Netscape 7: user_pref("browser.startup.homepage",
>""); (C:\WINDOWS\Application
>N3 - Netscape 7: user_pref("",
>""); (C:\WINDOWS\Application
>O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
>O4 - HKLM\..\Run: [SpyStopper] D:\WINUTILS\SPYSTOPPER\spystopper.exe
>O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
>O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\ANTIVI~1\AVG\avgcc32.exe
>O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\NETSEC~1\SYGATE~1\SMC.EXE
>O4 - HKLM\..\Run: [MCUpdateExe]

I'd not have anything checking for updates automatically, especially not
McAfee, you could end up with the gross system instabilities that McAfee
is historically known for, without even knowing what happened.

>O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
>O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>O4 - HKLM\..\RunServices: [Avgserv9.exe]
>O4 - Startup: 12quick.lnk = F:\Smallprogs\12ghostsQ\12quick.exe
>O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
>O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
>Object) -
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
>Control) -
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
>O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI
>Registry Information Class) -
>O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
>scanner) -
>O19 - User stylesheet: (file missing)

I'd select all the O16's to be "fixed" with HJT, if it were me.
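The O4 (autorun) and O16 (Downloaded Program Files, i.e. installed ActiveX controls) sections are the parts of a HijackThis log that most reward a careful read, and the advice in this thread boils down to: leave the Windows 98 built-ins alone, look twice at anything launched from outside the system drive or with no recorded command line, and review every O16 control. As an added example, not part of this thread and not HijackThis's own code, here is a small Python parser for v1.9x log lines that applies exactly those checks. The sample log is constructed from the lines quoted above (the two O16 lines that wrapped in the post are rejoined, and the O16 URL column is empty because the post did not carry it); the allowlist of Windows 98 built-in autorun names is a constructed, illustrative list, not an authoritative one.

```python
"""Minimal parser for HijackThis v1.9x log lines, with a review pass over the
O4 (autorun) and O16 (Downloaded Program Files / ActiveX) sections.

Added example for this thread; not HijackThis code and not any poster's code.
WIN98_BUILTIN below is a constructed allowlist for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, assembled from the O4/O16/O19 lines quoted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 14:08:21, on 10/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
O4 - HKLM\..\Run: [SpyStopper] D:\WINUTILS\SPYSTOPPER\spystopper.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\ANTIVI~1\AVG\avgcc32.exe
O4 - HKLM\..\Run: [MCUpdateExe]
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe]
O4 - Startup: 12quick.lnk = F:\Smallprogs\12ghostsQ\12quick.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O19 - User stylesheet: (file missing)
"""

# O4 registry autoruns:  O4 - HKLM\..\Run: [ValueName] command line
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O4 Startup-folder shortcuts:  O4 - Startup: name.lnk = target
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# O16 ActiveX controls:  O16 - DPF: {CLSID} (description) - URL
O16 = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) -\s*(?P<url>.*)$")
# Any other "Xn - ..." line, kept generically so nothing is silently dropped.
GENERIC = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class Entry:
    section: str        # "O4", "O16", "O19", ...
    name: str           # registry value name, .lnk name, or CLSID
    detail: str         # command line (O4) or description (O16)
    location: str = ""  # "HKLM\..\Run", "Startup", or the O16 URL


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry records; header lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O4_REG.match(line)):
            entries.append(Entry("O4", m["name"], m["cmd"].strip(),
                                 f"{m['hive']}\\..\\{m['key']}"))
        elif (m := O4_STARTUP.match(line)):
            entries.append(Entry("O4", m["name"], m["cmd"].strip(), "Startup"))
        elif (m := O16.match(line)):
            entries.append(Entry("O16", m["clsid"].upper(), m["desc"], m["url"].strip()))
        elif (m := GENERIC.match(line)):
            entries.append(Entry(m.group(1), "", m.group(2)))
    return entries


# Constructed allowlist: value names that ship with Windows 98 SE (illustrative).
WIN98_BUILTIN = frozenset({"ScanRegistry", "SystemTray", "TaskMonitor",
                           "LoadPowerProfile", "SchedulingAgent", "mdac_runonce"})


def review_autoruns(entries: List[Entry], allowlist=WIN98_BUILTIN) -> Dict[str, str]:
    """Return {name: reason} for O4 entries worth a second look; built-ins are skipped."""
    findings: Dict[str, str] = {}
    for e in entries:
        if e.section != "O4" or e.name in allowlist:
            continue
        if not e.detail:
            findings[e.name] = "no command line recorded; verify what this value launches"
        elif not e.detail.upper().startswith("C:\\"):
            findings[e.name] = f"starts from {e.detail[:2]}, outside the system drive"
        else:
            findings[e.name] = "third-party autorun; decide whether it is wanted"
    return findings


def dpf_controls(entries: List[Entry]) -> List[Tuple[str, str]]:
    """List every installed ActiveX control as (CLSID, description) for review."""
    return [(e.name, e.detail) for e in entries if e.section == "O16"]


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for name, why in review_autoruns(ents).items():
        print(f"O4  {name}: {why}")
    for clsid, desc in dpf_controls(ents):
        print(f"O16 {{{clsid}}} {desc}")
```

Run as-is it prints the six O4 entries that are not Windows built-ins (with the reason each was flagged) and both O16 controls. The allowlist is the part a practitioner would maintain locally; the drive-letter check deliberately mirrors the "what's it doing way over there on the E drive?" instinct in the thread rather than trying to judge whether a given third-party program is good or bad.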