fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Tue Jun 01, 2004 2:33 pm Post subject: Dancing URL SearchHook!
Hello to all of you! Here is my story.
Once I had: R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file) in a HijackThis scan. Was told to fix it. Fixed - it doesn't go.
Shortly after, I took the value of this key out of HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks with the help of Registrar Lite. OK. Then I ran HijackThis and it says: R3 - Default URL SearchHook is missing.
Have to fix it. I do. And this value is back right there where it was. I repeat the procedure and the procedure repeats itself...
This value {CFBFAE00-17A6-11D0-99CB-00C04FD64497} is in the CLSID list in HKCR and is indicated as Microsoft URL Search Hook. Its InProcServer32 shows its location as System32\Shdocvw.dll.
...I Googled this value {CFBFAE00-17A6-11D0-99CB-00C04FD64497} and more than 5000 entries (all about the trouble) came up about HJT scans reading this value as (no name) ... (no file). I also noticed that quite often those troubled logs include infections with the ad/spyware called 'TV Media', which I also had. Many recommendations are to remove this value (to keep it from coming back) from HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, like this one which I followed: http://www.computercops.biz/postt42340.html
Though my case is without any underscore after the value.
After that the new log showed again: R3 - Default URL SearchHook is missing.
Fixed. So this value is back in its place and recently doesn't show up in the new logs. But is this value a default value or a bad thing?
If this thing is lawful and doesn't show up in HJT logs then I can sleep quietly, but if not then we had better put it in the fire. Is there a way to verify the legitimacy of it?
I've received confirmation from Yellowhammer that my HJT log is clean.
http://www.computercops.biz/postt45888.html
What now?
As 5000+ entries with troubles came up after Googling this key value, I think something is cooking here and not very kosher. It would be interesting to have the opinion of others - mere mortals and experts - on this issue.
Many thanks for your assistance and participation!
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 810
Location: Canada
Posted: Tue Jun 01, 2004 4:50 pm Post subject:
Hi fimoulia,
That CLSID is lawful. It should be like a rash all over your registry. In the quote box is where I found it on my XP system.
Quote:
[HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
[HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[HKEY_CURRENT_USER\Software\Resplendence Sp\Registrar Lite\Settings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
[HKEY_USERS\S-1-5-21-1871367453-176522532-3434827439-1004\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
If you have this in your HJT log:
R3 - Default URL SearchHook is missing.
Then you're probably missing this in your registry:
Quote:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
Check that out and please let me know what you find.
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Tue Jun 01, 2004 7:07 pm Post subject:
Hi satchick,
Thank you for coming back to me. Nice to be with you again and to hear that probably we don't have to put anything in the fire and peace will prevail.
I've checked all 8 entries you showed me in my registry and should tell you they all look like yours except the following two:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
and
[HKEY_USERS\S-1-5-21-1871367453-176522532-3434827439-1004\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
They don't have this "="" at the end.
In both cases the Type is REG_SZ and in place of the Data there is nothing - just empty space.
Quote:
If you have this in your HJT log:
R3 - Default URL SearchHook is missing.
Then you're probably missing this in your registry:
I had this in my log:
R3 - Default URL SearchHook is missing.
But then I fixed it in HJT. What I'm telling you now about what I have is after this fix.
satchick, what do you think about that?
Highly appreciate your help!
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 810
Location: Canada
Posted: Tue Jun 01, 2004 8:35 pm Post subject:
Sorry fimoulia, I didn't recognise your login name until just now. We had fun last time. I see your post total is a lot higher. You've been busy!
To the problem at hand: You should repair your settings to look like mine. Somewhere along the line, either with HJT or the malware itself, the hooks settings have been damaged.
Copy and paste the following into Notepad and save it as "hooks.reg". Then just double-click to merge it into your registry:
Quote:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[HKEY_USERS\S-1-5-21-1871367453-176522532-3434827439-1004\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
To be on the cautious side, I would first export those keys in your registry before importing the above. Just run REGEDIT, browse to each key and then use the File/Export function.
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Tue Jun 01, 2004 9:33 pm Post subject:
Hey satchick,
Hopefully with your generous help things will get into their right place. And I'm glad I dug up the problem. Seems that many people have it and I hope this thread will be of use to others. Only one thing...hmm.
To be perfectly honest with you, my HKEY_USERS number differs from yours. Mine is:
HKEY_USERS\S-1-5-21-1801674531-602162358-682003330-1004
Do I have to retype the number in Notepad? Maybe a silly question but I don't have much experience in this.
I already owe you one Godzillion and two beers!
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 810
Location: Canada
Posted: Tue Jun 01, 2004 9:50 pm Post subject:
Yes, keep your numbers. Not surprised they vary. I don't have another XP system here or I'd double check for you. Just back up your keys before making the change (just in case!)
Not sure what a Godzillion is, but I'll take all the beer I can get!
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Wed Jun 02, 2004 6:02 pm Post subject:
Hi satchick,
Sorry for the break. Went out to town for family business. (No beer)
By now I have accomplished all the moves according to your instructions. And it's like this. I first exported these two existing keys into Notepad. They look like this in Notepad:
Quote:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
and
[HKEY_USERS\S-1-5-21-1801674531-602162358-682003330-1004\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
Look - in Notepad they received this sign "="" at their ends, which they didn't have in the registry.
Then I imported the new keys you gave me from 'hooks.reg' with the key number adjusted to mine. I had a popup confirming that they were moved. Now I looked in the registry and those two keys after this manipulation are exactly the same as they were in the right pane before the manipulation. After the value there is nothing. Not this sign "="" and not any sub-value, neither before nor now. I guess this sign "="" only exists in Notepad. Can you have a look in your registry at those two keys to see if they have something in the right pane after the value {CFBFAE00-17A6-11D0-99CB-00C04FD64497}?
Then I ran HJT and there was nothing abnormal.
Cheers...
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 810
Location: Canada
Posted: Wed Jun 02, 2004 6:24 pm Post subject:
Sorry fimoulia, I just re-read our thread here and I can see now that I misunderstood one of your earlier posts. Those CLSIDs should have a null value (=""). I thought when I first read your posts that those CLSIDs were missing in those reg locations, and what you are actually saying is that they weren't missing, but were there with a null value.
This is the crucial info from your post that I somehow missed:
Quote:
They don't have this "="" at the end.
In both cases the Type is REG_SZ and in place of the Data there is nothing - just empty space.
So they were correct all this time! I must have had too much beer!
You can dunk the next one over my head.
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Wed Jun 02, 2004 7:56 pm Post subject:
satchick, ua-ua-ua-ua...aaaaaa...
If they were correct all the time, then why was this value getting that disoriented? 5000 entries in Google. You may look yourself. Showing like (no name) ... (no file) and coming back like that after being deleted (many recommendations like that), and then with fixing in HJT: R3 - Default URL SearchHook is missing... seems like it regenerates itself into the right shape. Well, too twisting...I'm losing the line myself...need some more beer.
I just thought that I was missing some Data or sub-value for this value in the right pane. Anyway, looks like there was no trouble. And I don't have to know too much. I can sleep quietly now but before I go I need some more ...
Quote:
I must have had too much beer!
It's never too much...
Quote:
You can dunk the next one over my head.
No, I'd better do it over my own... Cheers...
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 810
Location: Canada
Posted: Wed Jun 02, 2004 8:39 pm Post subject:
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file) is a pretty common kind of 'damage' left over by hijackers (hence the 5000+ hits on Google). Usually just removing all the entries in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks key and putting in the right one (with the null value) will clear them from your HJT log and fix the problem. In fact, I've never seen this not work before, but then I haven't been working in an anti-malware forum for very long either.
I love this weird stuff though! Glad your system is OK, and have a beer on me!
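An added example, not from the thread or from either poster: a small Python check that parses a .reg export in the same "Windows Registry Editor Version 5.00" format quoted above and reports whether the URLSearchHooks key is in the state satchick describes (only the Microsoft CLSID, with a null value and no trailing underscore). The two sample exports are constructed; the all-zero GUID stands in for an unknown hook.

```python
import re

# Microsoft URL Search Hook CLSID as quoted in the thread (served by shdocvw.dll).
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
HOOKS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # only the "name"="data" form used here

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: raw_data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def audit_search_hooks(reg_text):
    """Findings for URLSearchHooks; expected state: only the Microsoft CLSID with a null value."""
    values = parse_reg(reg_text).get(HOOKS_KEY, {})  # a missing key behaves as an empty one
    findings = []
    if DEFAULT_HOOK not in {n.upper() for n in values}:
        findings.append("Default URL SearchHook is missing")  # what HJT reports as R3
    for name, data in values.items():
        n = name.upper()
        if n == DEFAULT_HOOK:
            if data != '""':
                findings.append("default hook carries non-null data: " + data)
        elif n.rstrip("_") == DEFAULT_HOOK:
            findings.append("damaged default hook entry (trailing underscore): " + name)
        else:
            findings.append("unexpected search hook, check its CLSID: " + name)
    return findings

# Constructed samples: a clean export and a damaged one (all-zero GUID is a placeholder).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"""
DAMAGED_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}_"=""
"{00000000-0000-0000-0000-000000000000}"=""
"""
```

Running `audit_search_hooks` on a file exported from REGEDIT, as satchick suggests doing before any change, gives an empty list for the clean state and one finding per problem otherwise.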
fimoulia
Corporal
Joined: Apr 14, 2004
Posts: 50
Location: Belgium
Posted: Wed Jun 02, 2004 9:55 pm Post subject:
satchick,
Looks like the case is closed. It's a pity. It was nice to be with you again! And we had some more fun. Next time I'll try to come with a tougher topic, to stay longer with you.
Anyway, I'd like to express my highest appreciation of your assistance and dedication to helping others! You are worth your weight in gold!
Now let's party. Champagne pour tout le monde!
PS. I'd rather stop drinking my money away and go donate.
satchick
1st Responder
Joined: Apr 29, 2004
Posts: 810
Location: Canada
Posted: Thu Jun 03, 2004 8:11 am Post subject:
That would be great and you're most welcome. It has been a joy to share ideas with you again.
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 2225
Location: UK
Posted: Fri Jun 04, 2004 8:27 am Post subject:
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
To reduce the chances of future Spyware/Hijacking problems, please follow the suggestions here: http://www.computercops.biz/postt7736.html
_________________
I'm Spartacus!