Dancing URL SearchHook!

 
fimoulia (Corporal; Joined: Apr 14, 2004; Posts: 50; Location: Belgium)
Posted: Thu May 27, 2004 7:27 pm    Post subject: Dancing URL SearchHook!

Hello to all! Here is my story.

Once I had: R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file) in HijThis scan. Was told to fix it. Fixed it - doesn't go.
Shortly I took the value of this key out from HKCUser\Software\Microsoft\Internet Explorer\URL SearchHooks with the help of Registrar Lite. OK. Then I ran HijThis and it says: R3 - Default URL SearchHook is missing.
Have to fix it. I do. And this value is back right there where it was. I repeat the procedure and the procedure repeats itself...

This value {CFBFAE00-17A6-11D0-99CB-00C04FD64497} is in the CLSID list in HKCR and is indicated as Microsoft URL Search Hook. Its InProcServer32 shows the default location as System32\Shdocvw.dll

Is this thing legitimate? Can someone pour cold water on my head?

Mariner (Site Moderator, Premium Member; Joined: Aug 25, 2003; Posts: 1904)
Posted: Fri May 28, 2004 9:27 am

Hi fimoulia,

Tell you what, throw up a HJT log and let's get your system cleaned right out/up. I know you have been taking steps to secure your system but, if there is already bad stuff on it, it must be removed first for security applications to be effective.

You appear to have a bad and persistent 'Hook' buried in there, let's get rid of it.

OK, Standard instructions coming up, please follow carefully.


Please read these messages
Virus=Read This: http://www.computercops.biz/postt8864.html
HiJack= Read This: http://www.computercops.biz/postt911.html

Then
Download: HiJack This!

Create and Unzip to a folder (not your Desktop or the Temp folder), double-click HijackThis.exe, and press "Scan".
Unzip the download (using a piece of software like: Winzip)


When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log in a text file, and post it in the CCSP "Spyware - Hijack Related" forum:

http://computercops.biz/forum67.html


Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


*Please, be patient. An expert will examine your log and this does take time. Please, no 'Bumps' and no 'Dupes'. Thank you.*

fimoulia
Posted: Sat May 29, 2004 9:13 pm

Hi Mariner,

Thank you for replying on my post. Nice to be with you again. I realize now that my topic probably is not that relevant to this forum. My excuses! In regard to my HJT log I can assure you that it's abs. clean for now. I just had here my thread http://www.computercops.biz/postt43068.html
under excellent satchick's treatment and I posted my recent log. It's now exactly the same except R3 of course.
I googled this value {CFBFAE00-17A6-11D0-99CB-00C04FD64497} and more than 5000 entries came up about HJT scan reads this value as (no name) ... (no file). Many recommendations to remove it (for keeping it from coming back) from the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks like this one which I followed. http://www.computercops.biz/postt42340.html
Though my case is without any underscore after the value.
After that the new log shows as I said: R3 - Default URL SearchHook is missing.
So this value is back in its place and recently doesn't show up in the new logs. But is this value a default value or a bad thing?
Seems to me I saw this value when I checked it some time ago in Tony Klein's CLSID list as a Parasite left from some baddie but not certain about that. Now it's not there.
If this thing is lawful and doesn't show up in HJT logs then I can sleep quietly but if not then we better put it in fire. Is there a way to verify the legitimacy of it?
I greatly appreciate your assistance.
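
Added example (not part of the thread and not HijackThis's own code): one way to triage the R3 lines discussed above from a saved log, separating the default hook CLSID named in the thread from a value name that only resembles it (the trailing-underscore form) and from other hooks. The function names, verdict labels and sample log lines are assumptions constructed for this example.

```python
import re

# CLSID the thread identifies as "Microsoft URL Search Hook"
# (its InProcServer32 points at System32\Shdocvw.dll).
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Line shape quoted in the thread: R3 - URLSearchHook: <name> - <value name> - <file>
R3_RE = re.compile(
    r"^R3 - URLSearchHook:\s*(?P<name>.*?)\s+-\s+(?P<value>\{\S*)\s+-\s+(?P<file>.*)$")

def classify_r3(line):
    """Return (verdict, value_name) for one HijackThis log line."""
    line = line.strip()
    if line == "R3 - Default URL SearchHook is missing":
        return ("default-missing", None)
    if not line.startswith("R3 - "):
        return ("not-r3", None)
    m = R3_RE.match(line)
    if m is None:
        return ("unparsed", line)
    value = m.group("value")
    guid = GUID_RE.match(value)
    if guid is None:
        return ("malformed", value)
    is_default = guid.group(0).upper() == DEFAULT_HOOK
    if value[guid.end():]:
        # Characters after the closing brace make this a different registry
        # value name from the default, even when the GUID part matches.
        return ("lookalike" if is_default else "malformed", value)
    return ("default" if is_default else "third-party", value)

def review(log_text):
    """Classify every R3 line in a saved log; other sections are skipped."""
    results = [classify_r3(l) for l in log_text.splitlines()]
    return [r for r in results if r[0] != "not-r3"]

# Constructed sample log, modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - Default URL SearchHook is missing
R3 - URLSearchHook: Example Bar - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\bar.dll
"""

if __name__ == "__main__":
    for verdict, value in review(SAMPLE_LOG):
        print(f"{verdict:16} {value}")
```

A "third-party" or "lookalike" verdict only says the value name is not the default one; whether the hook itself is wanted still needs the registry lookup described in the first post (the CLSID entry and its InProcServer32 path).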

Mariner
Posted: Sat May 29, 2004 9:44 pm

Hi fimoulia,

Yes, to be absolutely certain, post another log. If there is nothing to worry about, it will not take long to work through. You've come this far and it would be a pity to have to leave one unknown item remaining, especially as it may come back to haunt you later.

No matter how good your defences might be they are of little use if they are helping keep a bad guy within your system.

If the CLSID is an unknown quantity, then it should be looked at as it may be a new one and its discovery will be of help to others. So, go ahead and post a new log.

fimoulia
Posted: Sat May 29, 2004 10:48 pm

Mariner,

OK. I'll post the log right now in HijackThis forum. Under the subject hmm... 'Chasing the CLSID'. Will you move this thread over there? I don't know how it works. Anyway, the log will be there.
Thanks A LOT!

Mariner
Posted: Sat May 29, 2004 11:11 pm

No, I'll leave this thread where it is and your log will be treated separately.

Give it several days to gain some attention, please.

fimoulia
Posted: Mon May 31, 2004 12:21 pm

Hello Mariner, :)

I've received confirmation from Yellowhammer that my HJT log is clean.
http://www.computercops.biz/postt45888.html

Many thanks for the assistance!


Last edited by fimoulia on Tue Jun 01, 2004 7:10 pm, edited 2 times in total

Mariner
Posted: Mon May 31, 2004 1:54 pm

Hi fimoulia,

You're very welcome; glad we were able to help. :)

Now, go check that your security apps are good and updated. Check out our Download section for programs to help keep you safe. Good luck and safe surfing. Been a pleasure helping you. :D

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.

Once in a ti ti while we get it right........ ;)

If you are happy with the help you received here, perhaps you would consider making a donation to help us keep helping you. It would be much appreciated. Thank you.

All times are GMT - 5 Hours