Re: Someone look at this HijackThis log, please?

From: Bart Bailey (me2_at_privacy.net)
Date: 12/10/03


Date: Wed, 10 Dec 2003 10:28:01 -0800

In Message-ID:<3fd728e2.6609127@news.cis.dfn.de> posted on Wed, 10 Dec
2003 14:14:08 GMT, Allen wrote:

>
>Thank you very much for the help. (Likewise to the other respondees.) I
>took your advice and ran the "big four" you mentioned (latest
>versions). Then I downloaded the latest version of HijackThis, and here
>is the new log file it produced (further comments on remaining
>problems seen below would be much appreciated):
>
>Logfile of HijackThis v1.97.7

Good thing getting the latest version.

>Scan saved at 14:08:21, on 10/12/03

And a recent scan, which is far more relevant.

>Platform: Windows 98 SE (Win9x 4.10.2222A)

Probably better than XP or Longbow.

>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

This has already proven itself to be a source of trouble, and will
likely continue to be; I recommend: http://www.litepc.com/ieradicator.html
Of course you'll need a browser to replace it.
My preference is Opera v6.06, the last good version prior to the
incorporation of DOM, another active vulnerability:
ftp://ftp.opera.com/pub/opera/win/606/en/
While on this subject, I'd recommend NOT browsing with any active
executable authorizations enabled in your browser; these include the
document object model as well as any other JavaScript or ActiveX
object permissions granted.
Another good, safe, and lightweight browser is OB1 (OffByOne):
http://www.offbyone.com/ob1_overview.htm
There are quite a lot of advocates for the Mozilla variants in this
group, and I'm sure they will weigh in with their favorites.
>
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\SYSTEM\MSTASK.EXE
>C:\PROGRAM FILES\ANTIVIRUS\AVG\AVGSERV9.EXE
>C:\WINDOWS\EXPLORER.EXE
>C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>C:\WINDOWS\TASKMON.EXE
>C:\WINDOWS\RUNDLL32.EXE

Leave all these alone; other than your antivirus, they are all part of
your system's necessary files.
*Note: I'd set AVG to "On Demand" instead of "On Access".

>C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

I'd dump this unless you want RealMedia poking around in your RealAudio
history so they can profile your tastes.

>C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\WINNET.EXE
>C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\COMWIZ.EXE

These two don't do as much for your browsing experience as clog your
system. Here are some comments on their removal:
http://www.hardwareanalysis.com/content/topic/10019/

>C:\WINDOWS\SYSTEM\WMIEXE.EXE

Loads on startup and hogs resources. If your USB works OK without it,
you don't need it at all. See what these folks say about it:
http://www.usbman.com/oldforum/forum9/messages/2584.html

>C:\WINDOWS\SYSTEM\SPOOL32.EXE

Don't mess with this unless you have printer problems.

>C:\WINDOWS\SYSTEM\DDHELP.EXE

DirectX graphics program, OK to leave it.

>F:\SMALLPROGS\12GHOSTSQ\12QUICK.EXE

Just more clutter from Peachseed, read and decide if you "need" it:
http://tinyurl.com/ymlj

>D:\WINUTILS\DLACCELERATOR\DAP.EXE

Interesting to note that many systems would probably function faster
without the weight of all these accelerators.

>C:\WINDOWS\SYSTEM\PSTORES.EXE

Getting rid of IE will get rid of this.

>E:\CABLE\AGENT\AGENT.EXE

Good news reader (my favorite).
What's it doing way over there on the E drive?
When you dump IE/OE,
Forte Agent will make an excellent replacement; save this one!

>C:\WINDOWS\NOTEPAD.EXE
>C:\WINDOWS\TEMP\HIJACKTHIS.EXE
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
>about:blank
>N1 - Netscape 4: user_pref("browser.startup.homepage",
>"http://home.netscape.com/"); (C:\Program
>Files\Netscape\Users\default\prefs.js)

Setting Netscape to start with a blank page means you don't have to wait
on their site to load every time you open an HTML file.

>N3 - Netscape 7: user_pref("browser.startup.homepage",
>"http://home.netscape.com/"); (C:\WINDOWS\Application
>Data\Mozilla\Profiles\default\btqke1mp.slt\prefs.js)
>N3 - Netscape 7: user_pref("browser.search.defaultengine",
>"http://www.google.com/"); (C:\WINDOWS\Application
>Data\Mozilla\Profiles\default\btqke1mp.slt\prefs.js)
>O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
>powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\Run: [SpyStopper] D:\WINUTILS\SPYSTOPPER\spystopper.exe
>O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
>O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\ANTIVI~1\AVG\avgcc32.exe
>/STARTUP
>O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\NETSEC~1\SYGATE~1\SMC.EXE
>-startgui
>O4 - HKLM\..\Run: [MCUpdateExe]
>C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE

I'd not have anything checking for updates automatically, especially not
McAfee; you could end up with the gross system instabilities that McAfee
is historically known for, without even knowing what happened.

>O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
>O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
>powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>O4 - HKLM\..\RunServices: [Avgserv9.exe]
>C:\PROGRA~1\ANTIVI~1\AVG\Avgserv9.exe
>O4 - HKCU\..\Run: [TClockEx] D:\WINUTILS\TCLOCKEX\TCLOCKEX.EXE
>O4 - Startup: 12quick.lnk = F:\Smallprogs\12ghostsQ\12quick.exe
>O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
>present
>O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
>present
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
>Object) -
>http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
>Control) -
>http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
>http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37826.2640972222
>O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI
>Registry Information Class) -
>http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
>O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
>scanner) -
>http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
>O19 - User stylesheet: (file missing)
>
I'd select all the O16's to be "fixed" with HJT, if it were me.

-- 
Bart
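As an added example (not part of Bart's or Allen's posts), a small Python parser for the HijackThis v1.97 log format quoted above: it separates the running-process list from the lettered entries, pulls the autostart name and command out of each O4 line, the CLSID and download host out of each O16 (DPF) line, and lists running processes outside the assumed system location for a second look. The sample lines are copied from the quoted log with the e-mail line wrapping undone; treating `C:\WINDOWS\` as the known system location is an assumption of this example, not something the post states.

```python
import re
from urllib.parse import urlparse
# Sample lines copied from the HijackThis v1.97.7 log quoted above (e-mail wrapping undone).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\WINNET.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: 12quick.lnk = F:\Smallprogs\12ghostsQ\12quick.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37826.2640972222
"""
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_REG_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")

def parse_hjt(text):
    """Return (section, fields) pairs: 'process' for the running-process list, else the HJT code."""
    entries, in_procs = [], False
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line == "Running processes:":
            in_procs = True
            continue
        if m := ENTRY_RE.match(line):  # the first lettered entry ends the process list
            in_procs = False
            sec, body, fields = m["sec"], m["body"], {"raw": line}
            if sec == "O4":  # autostart: registry Run/RunServices keys or the Startup folder
                r = O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)
                fields.update(r.groupdict() if r else {"cmd": body})
            elif sec == "O16" and (r := O16_RE.match(body)):  # ActiveX control IE downloaded
                fields.update(r.groupdict(), host=urlparse(r["url"]).hostname)
            entries.append((sec, fields))
        elif in_procs:
            entries.append(("process", {"path": line}))
    return entries

def autostart_commands(entries):
    """O4 lines: (name, command) for everything launched at boot or logon."""
    return [(f.get("name"), f["cmd"]) for sec, f in entries if sec == "O4"]

def dpf_controls(entries):
    """O16 lines: (clsid, description, host) for ActiveX controls IE has downloaded."""
    return [(f["clsid"], f["desc"], f["host"]) for sec, f in entries if sec == "O16"]

def unusual_processes(entries):
    """Running processes outside C:\\WINDOWS\\ (assumed system location), worth a second look."""
    return [f["path"] for sec, f in entries if sec == "process" and not f["path"].upper().startswith("C:\\WINDOWS\\")]
```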

