Result of my Hijackthis scan

Discussion in 'Computer Security' started by sponge, Dec 27, 2003.

  1. sponge

    sponge Guest

    On Sat, 27 Dec 2003 16:10:24 GMT, "todhunter5" <> wrote:

    >What entries should I delete and or fix and or ignore?
    >
    >Logfile of HijackThis v1.97.7
    >Scan saved at 11:05:08 AM, on 12/27/2003
    >Platform: Windows XP SP1 (WinNT 5.01.2600)
    >MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >
    >Running processes:
    >C:\WINDOWS\System32\inetsrv\inetinfo.exe


    Probably unneeded

    >C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe


    I'd get rid of this. I'm not sure of MusicMatch's integrity but I've
    seen it on a lot of Dells. I know it's their version of WMP, loosely
    speaking.

    >C:\WINDOWS\System32\dllhost.exe


    Toss-up. Can be a serious security risk (especially if you have not
    FULLY patched XP), but is needed for some things. It depends on how you
    use your system; probably unneeded if you're a home user.

    >C:\WINDOWS\System32\msdtc.exe
    >C:\Program Files\Outlook Express\MSIMN.EXE
    >C:\Program Files\Internet Explorer\IEXPLORE.EXE


    Your biggest single security risk is Internet Explorer (and Outlook).
    Any other modern browser is not only more secure, but has better
    cookie control and built-in pop-up stopping, so you can do away with
    your pop-up killer.

    >C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    >C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe


    Get rid of anything having to do with Realwhatever.

    >C:\Program Files\Microsoft Money\System\urlmap.exe


    Very spyware-ish:
    http://www.liutilities.com/products/wintaskspro/processlibrary/urlmap/

    >Settings,ProxyServer = http=127.0.0.1:6711


    Is this required for your pop-up killer?

    >C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll


    Looks like RealNetworks/ProgressiveNetworks is getting into the
    "toolbar" craze. Again, do not allow anything "real" to run in the
    background; it will work just fine if these are removed.

    >C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe


    Probably not needed to use your HP product.

    >O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    >Files\Real\Update_OB\realsched.exe" -osboot


    See above.

    >O4 - HKCU\..\Run: [Popup & Privacy Defender for IE] "C:\Program Files\Popup & Privacy Defender for IE\pdie.exe" Minimize


    You won't need this (at least the pop-up blocking option) if you use
    Mozilla, Opera, Firebird, etc.

    >O4 - Global Startup: file.exe.vir


    Probably a virus. The fact that it's in your startup menu means it's
    running. I know that some Magistrate series of virii often append the
    .vir extension.

    >http://www.spankingchat.com/Java/cs4ms086.cab
    >O16 - DPF: ChatSpace Java Client 2.1.0.95 -
    >http://www.spankingchat.com/Java/cs4ms095.cab


    Um, I checked out that link and it's pretty sick stuff. While I don't
    give a hoot what you do online or pass judgment on what consensual
    adults do, I'm wondering why Java applets are being downloaded and run
    from a porn-ish site. That's not good.

    >O16 - DPF: DigiChat Applet -
    >http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    >O16 - DPF: DigiChat Applet -
    >http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    >O16 - DPF: Yahoo! Chat -
    >http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    >O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
    >https://support.dell.com/systemprofiler/SysPro.CAB
    >O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) -
    >http://www.drivershq.com/DD_v4.CAB



    >O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    >O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
    >O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    >O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab


    Very likely ISP-bundled spyware.

    >O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
    >http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    >O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
    >O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    >O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
    >Installation Engine) -
    >http://office.microsoft.com/officeupdate/content/opuc.cab
    >O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    >http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    >O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    >O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050047EA0E7} (RdxIE Class) -
    >http://207.188.7.150/26f03b14ca49ac6a6023/netzip/RdxIE601.cab
    >O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    >O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://12.223.201.5/tsweb/msrdp.cab
    >O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
    >http://ftp.us.dell.com/fixes/PROFILER.CAB
    >O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    >http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37651.7162037037
    >O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    >O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://www.cityofnoblesville.org/codebase/cabs/whip.cab


    I'd get rid of this. Whip! is not necessary, and this (yours?) town's
    website apparently offers city maps in PDF format.

    >O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    >O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    >O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
    >http://download.abacast.com/download/files/abasetup141.cab


    Just so you know, you are aware that you're running Abacast?

    >O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
    >http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab


    The Yahoo toolbar isn't much better than that of any spyware or
    parasite vendor. I'd definitely get rid of it, even if you are
    planning on using another browser.

    >O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data
    >Class) - http://www29.compaq.com/falco/SysQuery.cab


    I'm wondering why Compaq software is running on a Dell. Probably not
    needed.

    I would get rid of all the O16 entries and their associated software.
    Most of it isn't bad, but it suggests that you are a bit fast and
    loose with installation of stuff and a lot of it is fairly obscure
    stuff, so I question the value of it. This is just my opinion tho.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com
     
    sponge, Dec 27, 2003
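A small parser for the log format discussed in this thread, added here as an example (it is not part of the post or of HijackThis itself): it splits the R1/O4/O16 entry lines and flags the three things the reply calls out, a proxy setting pointing at 127.0.0.1, a startup item carrying a .vir extension, and O16 ActiveX/Java downloads, with those served from a bare IP host singled out for review first. The sample lines are constructed from entries quoted above; the R1 key path is the standard HijackThis form for that setting.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on entries
# quoted in the thread (R1 proxy setting, O4 autostarts, O16 downloads).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: file.exe.vir
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050047EA0E7} (RdxIE Class) - http://207.188.7.150/26f03b14ca49ac6a6023/netzip/RdxIE601.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://12.223.201.5/tsweb/msrdp.cab
"""

def parse_entries(log_text):
    """Yield (section, body) for each entry line such as "O16 - DPF: ..."; header lines are skipped."""
    for line in log_text.splitlines():
        m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)

def host_is_ip(url):
    """True when the download host is a bare IP address rather than a DNS name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def review(log_text):
    """Return (section, note) findings mirroring the reply's three concerns."""
    findings = []
    for sec, body in parse_entries(log_text):
        if sec == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            findings.append((sec, "proxy points at 127.0.0.1: confirm a known local filter owns that port"))
        elif sec == "O4":
            target = body.split(": ", 1)[-1]  # drop the "HKLM\..\Run" / "Global Startup" prefix
            if re.search(r"\.vir$", target, re.IGNORECASE):
                findings.append((sec, f"autostart item with .vir extension: {target}"))
        elif sec == "O16":
            desc, _, url = body.rpartition(" - ")  # "DPF: {CLSID} (Name)" and the download URL
            host = urlparse(url).hostname
            note = "downloaded ActiveX/Java component; remove unless still needed"
            if host_is_ip(url):
                note = "ActiveX download served from a bare IP host; review before anything else"
            findings.append((sec, f"{desc.removeprefix('DPF: ')} [{host}]: {note}"))
    return findings
```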