Websearch keeps re-installing

Hey All

Having a problem w/Websearch. PestPatrol keeps finding the following:

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{8952a998-1e7e-4716-b23d-3dbe03910972}

It will stay gone until I run Spyware Dr-then it's back. I've gone to the PP website and seached for all the files indicated and come up empty. What's the deal w/this thing? Any help w/b appreciated - thanks

 

Kill bit might help you..


http://64.233.179.104/search?q=cach...910972}&hl=en&start=2&ie=UTF-8&client=googlet

and if you want someone to take a look at it then..

First do these steps

Guidelines for Posting in This Forum, READ THIS FIRST PLEASE


http://forum.gladiator-antivirus.com/index.php?showtopic=10517

Then post your hijackthis log in a new topic at this fourm


HELP! Think you are Infected?

http://forum.gladiator-antivirus.com/index.php?showforum=170


To use that forum you must first register at our Board.

Note: do not post your log here at wilders please..

 

Thanks Primrose, I'll check it out

 

How to remove Websearch
http://www.pchell.com/support/ibiswebsearch.shtml

 

Since that registry location is where valid ActiveX killbits are stored....and given the fact that is the CLSID of a Huntbar variant....given the fact that programs such as Spywareblaster has it listed in it's database....I'll wager it's a False Positive reporting by Pest Patrol of a valid entry placed there by Spyware Dr.

Edit:
Related thread in the Spywareblaster Forum concerning this entry and the False Positive by Pest Patrol

This thread---> IE protection for "Huntbar Variant" turns itself off

 

I also am having SB's protection for "Huntbar Variant" deactivated. I have noticed it being turned off after I do a scan with Pest Patrol and delete the detected item (what Pest Patrol calls "Websearch ToolBar" which has the same location and registry key as SB's "Huntbar Variant"). Consecutive Pest Patrol scans come up empty but after I reactivate SpywareBlasters Protection it will suddenly reappear again in the following Pest Patrol scan.

It is the only ActiveX CLSID showing un-protected in SpywareBlaster 3.3.
(It also shows up in an online scan from Pest Patrol http://home.ca.com/dr/v2/ec_main.en...lient=ComputerAssociates&sid=35715&CID=190325 )

I have looked for other items associated with HuntBar/WebSearch mentioned on the Pest Patrol Website http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933 and have found none. There are no other abnormalities, files or folders I have been able to find nor any Toolbars on my browser. The only red flag I have gotten has been Pest Patrols detection.

My Question is this: Is there anyway to determine if the Registry entry that is being detected is in fact the ActiveX Blocker CLSID that SpyWareBlaster installs in the Registry? Perhaps by reading it's Compatibility Flag which is 00000400 (1024). I only ask because I noted that same flag on Spywareguards block list http://64.233.179.104/search?q=cach...910972}&hl=en&start=2&ie=UTF-8&client=googlet . I'd appreciate anyone's advice (do you think it is a false positive and to disregard it or should I be concerned?) who might have understanding of ActiveX Blockers and registry entries and this issue. Thanks!

 

Having the same thing happen with pestpatrol I believe as others do that this is a false postive only happens after I run spywareblaster and enable all. Pestpatrol just needs to update its spyware files to exclude the spywareblaster registry component.

 

Im a registered user of PestPatrol and it happened to me too. but I find it awfull fishy because it first happened as above but then right away PestPatrol came out with another update and I thought oh they found the false positive if it was
declaired a false positive, but its still happening. Does anyone know why PestPatrol is removing spywareblasters active x Killbits?

 

An export of that key will look like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8952A998-1E7E-4716-B23D-3DBE03910972}]
"Compatibility Flags"=dword:00000400 (or 1024 as Captnhook pointed out)

if protection is enabled.

If any software detects the presence of the registry key alone as if the spyware (or other "unwanted"ware) was installed, it is not looking deep enough.

A mistake that has been made before and will probably be repeated in the near future.

Regards,

Pieter

 

Thx for all the great info