
Is it generally safe to have HJT "fix" O16 - DPF and "(file missing)" items?

Discussion in 'Malware and Virus Removal Archive' started by mailman, 2006/08/18.

  1. mailman (Geek Member, Thread Starter), 2006/08/18
    Hello, security gurus. :)

    Assuming one's system is free of malware and is running smoothly, is it generally safe to have HJT "fix" Download Program Files (O16 - DPF) items and "(file missing)" items?

    For example, these are items I am considering having HJT "fix":

    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093270777734
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155357443671

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    (This one is apparently a result of me uninstalling Spy Sweeper awhile back.)

    This is the forum thread on Bleeping Computer that led me to tentatively conclude it is generally safe to remove these items.

    I don't understand, though, why the "fixed" HJT items described in that thread actually made the person's computer run better. I didn't recognize any malware traces anyway.


    Also, in regards to the O16 - DPF items and (file missing) items, if it is safe to remove them via HJT, what alternate methods are there to do so? I'm guessing registry key deletions would be one option, but that isn't a desirable one for me at present (at least not manual registry edits). I'm thinking in terms of a simple, generally safe method.

    I deleted my Temporary Internet Files via IE (including offline content) and that didn't do the trick for the O16 - DPF items. They still show up in HJT.
     
    Last edited: 2006/08/18
  2. PeteC (SuperGeek, Staff), 2006/08/18
    My thoughts are ....

    If your system is running smoothly, leave the O16 entries you noted alone - to my mind they are 'needed'.

    From a previous discussion with TonyT on 'file missing' and 'no file' there is apparently a subtle distinction...

    'file missing' refers to a file which may be generated by a program action but had not been generated when HJT was run, while there is still a reference to it in the registry; it should not be fixed - if you do fix it, it will return on the next scan, or after a reboot and scan.

    and

    'no file' means just that and the entry can be fixed.
     


  4. Geri (Inactive Alumni), 2006/08/19
    Hi
    This is what is taught at the schooling I am doing...

    About (file missing) and what it means: it doesn't always mean the file is really missing!!

    You will see (file missing) in some of the lines in different sections. You can only rely on that to be true in the sections for BHOs and Toolbars (O2s & O3s).

    When you see (file missing) in other sections, it may really NOT be missing. You will see it in the O9s and the O23s especially. The only time you should fix the (file missing) in those sections is IF AND ONLY IF you see a *bad* file there. Be aware that "fixing" doesn't remove the malware either. It's important to have them manually delete the file as well (plus any other recommended removal methods).

    Except for the O2 & O3 sections, good items listed with (file missing) should be left alone. Most often they ARE there, but HJT doesn't see the file.

    Geri
     
  5. mailman (Geek Member, Thread Starter), 2006/08/19
    Hi, Pete and Geri.

    Thanks for responding. I appreciate it. I'll leave those entries alone. I'll try to resist tinkering and live by the "If it ain't broke, don't fix it." motto. :)

    I admit I had already removed an entry that exactly matched an entry in the BC thread I referenced:
    O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - (which was blank to the right of the string).
    I shouldn't have removed it without consulting :eek: but, so far, my machine hasn't faltered.

    I think this particular entry is related to Java because I seem to recall the palindrome order of the sets of letters and "CAFEEFAC" which, in my mind, ties to "coffee" which ties to Sun's Java logo. :) However, I searched for that string at CastleCops' CLSID database and came up empty. :confused:

    Later:

    I searched my registry and found the {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} string as the key value in
    HKCR\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\TreatAs

    I Googled {08B0E5C0-4FCB-11CF-AAA5-00401C608501} and the first Google result was CastleCops' CLSID database entry for Sun Java Console.

    It's good to know my memory still seems to work. :)

    I don't use Java often so I can't be certain I didn't mudge something. Time will tell, I guess.

    Thanks again for your informative responses. I learned some more. :)

    Did I overkill with the emoticons in this message? ;)
     
    Last edited: 2006/08/19
  6. TeMerc (Inactive Alumni), 2006/08/19
    I'll chime in and say you can delete all the O16s if you like; they are ActiveX and will be installed the next time you visit the site that requires ActiveX to install.

    Many HJT analysts use SpywareBlaster to check for rogue ActiveX using the CLSID.

    Open SB, select the 'Internet Explorer' tab then set your pointer into the database listing, right-click, select 'Find' and enter the CLSID. It will either show up or display 'not found'.
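    The two checks the replies describe, Geri's rule that "(file missing)" is only trustworthy in the O2/O3 sections and the SpywareBlaster-style CLSID lookup in TeMerc's post, can be combined into a small triage script. This is an added example, not code from the thread or from HijackThis or SpywareBlaster. The O2, O3 and O23 sample lines, their CLSIDs and paths, and the URL on the second O16 line are constructed; the O16 and O20 lines and the Win32.Adverts.TrojanDownloader CLSID come from the thread. The "known bad" list stands in for a real database lookup, so "not found" is treated as "possibly good", not "clean".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample HJT log. The O16 and O20 lines are the ones posted in the
# thread; the O2, O3, O23 lines and the URL on the second O16 line are made up
# for illustration and use placeholder CLSIDs/paths.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {ABCDEF12-3456-7890-ABCD-EF1234567890} - C:\WINDOWS\system32\example.dll (file missing)
O3 - Toolbar: Example Bar - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\bar.dll (file missing)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://example.invalid/bad.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Program Files\Example\svc.exe (file missing)
"""

# Shape of an HJT line: "<section> - <kind>: <rest>"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_MISSING = "(file missing)"

# Per Geri's post: HJT's "(file missing)" is only reliable for BHOs and toolbars.
RELIABLE_FILE_MISSING_SECTIONS = {"O2", "O3"}

# Stand-in for the SpywareBlaster database lookup. The single entry is the CLSID
# mailman cites from Ad-Aware; a real check would consult the live database.
KNOWN_BAD_CLSIDS = {
    "{DECEAAA2-370A-49BB-9362-68C3A58DDC62}": "Win32.Adverts.TrojanDownloader (per Ad-Aware, quoted in the thread)",
}


@dataclass
class Entry:
    section: str
    kind: str
    body: str
    clsid: Optional[str]
    file_missing: bool


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT log line; returns None for lines that are not HJT entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, body = m.groups()
    c = CLSID_RE.search(body)
    return Entry(section, kind, body, c.group(0).upper() if c else None, FILE_MISSING in body)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entry: Entry) -> Tuple[str, str]:
    """Return ("fix" | "leave", reason) following the rules given in the thread."""
    if entry.file_missing:
        if entry.section in RELIABLE_FILE_MISSING_SECTIONS:
            return "fix", "(file missing) is reliable in O2/O3; the BHO/toolbar file is really gone"
        return "leave", "(file missing) outside O2/O3 may be wrong; verify the file on disk before touching it"
    if entry.section == "O16":
        if entry.clsid in KNOWN_BAD_CLSIDS:
            return "fix", "CLSID found in the bad list: " + KNOWN_BAD_CLSIDS[entry.clsid]
        return "leave", "CLSID not found: possibly good, and the control reinstalls on next visit anyway"
    return "leave", "no rule from the thread applies; leave for manual review"


def triage_log(text: str) -> List[Tuple[str, Optional[str], str, str]]:
    """Triage every entry: (section, clsid, verdict, reason)."""
    return [(e.section, e.clsid, *triage(e)) for e in parse_log(text)]


if __name__ == "__main__":
    for section, clsid, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{section:4} {verdict:5} {clsid or '-':40} {reason}")
```

    The O20 WRNotifier line from the first post lands in "leave": the section is outside O2/O3, so the script treats HJT's "(file missing)" as unverified, which matches PeteC's and Geri's advice to leave it alone. The "not found" outcome on an O16 line is deliberately not labelled clean, because, as mailman notes later in the thread, some malware CLSIDs are absent from SpywareBlaster's list.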
     
  7. mailman (Geek Member, Thread Starter), 2006/08/19
    Thanks, Tom!

    Whew! Glad to know I'm OK with removing the O16 item that I did remove. I'll still leave the other ones alone however since I'll likely need them again.

    Thanks for the ActiveX info. I wasn't aware that O16s are ActiveX.

    Thanks for the tip! I'll use SB as another tool when I study/investigate HJT logs.

    If I understand you correctly, one should interpret those SpywareBlaster CLSID searches as follows:
    • "Not found" means "possibly good" although apparently some malware-related O16 CLSIDs are not in SB's list
      ({DECEAAA2-370A-49BB-9362-68C3A58DDC62} = Win32.Adverts.TrojanDownloader apparently according to Ad-Aware, for example)
    • "Found" means "definitely bad". :)

    EDIT: I assume those SpywareBlaster searches are effective for only O16 entries (and not for O9 entries, for example, since O9s are not ActiveX).

    Correct?
     
    Last edited: 2006/08/19
  8. TeMerc (Inactive Alumni), 2006/08/19
    Yes.....yes...........and yes. :)
     
  9. noahdfear (Inactive), 2006/08/19
    Those ActiveX controls can (and should IMO) be viewed via Internet Options>Settings button in Temporary Internet Files section>View Objects button. Look at the status. While HijackThis shows only whether the DPF file is present, here you will see if it's installed, corrupted, damaged, etc. (in most cases), and can be dealt with accordingly.
     
