AdwareAway scan

Discussion in 'other anti-malware software' started by abanerji, Aug 3, 2006.

Thread Status:
Not open for further replies.
  1. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    After the Global Scan, AdwareAway found 1 object, viz., "IE UrlSearchHook(HKLM) : Default UrlSearchHook Missing=".

    What does this mean, and how do I remove this?

    My PC runs with XP-SP2, and I believe it is fully patched by MS updates.

    Thanks,
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Have you had an AboutBlank/SearchAssistant infection? Did you D/L AdwareAway to help with that?

    I'm assuming you are using the trial version and you must pay to delete what is found.

    Bring up Regedit and navigate to:-

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks

    Do you have this Key, and if so what Names and Data appear in the respective columns in the right hand pane?

    Malware does create/set values on this key, but I'm wondering at this stage whether AdwareAway has made a genuine finding.

    It may be that you have a CLSID = , with nothing following it, in which case you could delete that value.

    P.S. I don't recommend you make changes to your Registry just yet!
     
  3. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thanks for your post.

    The reason why I used AdwareAway trial version is that it was a step in several new protective measures I have initiated in the last few days, apart from basic AV and Broadband modem firewall which has been there.

    a) AVG Free v 7.1.394 being used throughout. Updates are daily. Complete scan is weekly.
    b) CCleaner utility used weekly.
    c) Windows / IE / Office / MediaPlayer / SunJava / Adobe : Security patches and Service Packs regularly checked, downloaded, and installed.
    d) Recent online scans : Trendmicro, Kaspersky, A-squared, spywareinfoforum.com/xscan.php
    e) ewido anti-spyware 4.0.0.172 trial version installed recently. Updates are daily. Complete scan result : nothing found.
    f) DiamondCS ProcessGuard Free v 3.405 also installed recently.
    g) Other steps : AdwareAway and Ad-awareSe installed and scanned. SpywareBlaster installed. Trendmicro CWShredder ran. Sysinternals' RootkitRevealer ran and no discrepancies found.
    CWShredder pointed to CWS.Msconfig; googled on same, and read about some false positives.

    I have no knowledge about Registry. However, as instructed by you, tried to navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks, and found no UrlSearchHooks under IE there.
    Searched for UrlsearchHooks, and pasting below :-

    Key Name:
    HKEY_USERS\S-1-5-21-1220945662-117609710-1801674531-500\Software\Microsoft\Internet Explorer\URLSearchHooks
    Class Name: <NO CLASS>
    Last Write Time: 29-Dec-05 - 12:37 PM
    Value 0
    Name: {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    Type: REG_SZ
    Data:

    Key Name:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
    Class Name: <NO CLASS>
    Last Write Time: 04-Aug-06 - 3:08 AM
    Value 0
    Name: View
    Type: REG_BINARY
    Data:
    00000000 2c 00 00 00 00 00 00 00 - 01 00 00 00 ff ff ff ff ,...........ÿÿÿÿ
    00000010 ff ff ff ff ff ff ff ff - ff ff ff ff 06 00 00 00 ÿÿÿÿÿÿÿÿÿÿÿÿ....
    00000020 05 00 00 00 06 03 00 00 - 17 02 00 00 d8 00 00 00 ............Ø...
    00000030 fb 00 00 00 78 00 00 00 - 20 01 00 00 01 00 00 00 û...x... .......
    Value 1
    Name: FindFlags
    Type: REG_DWORD
    Data: 0xe
    Value 2
    Name: LastKey
    Type: REG_SZ
    Data: My Computer\HKEY_USERS\S-1-5-21-1220945662-117609710-1801674531-500\Software\Microsoft\Internet Explorer\URLSearchHooks

    Key Name:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
    Class Name: <NO CLASS>
    Last Write Time: 30-Dec-05 - 11:12 AM



    Should I post my HJT log?
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You found HKEY_USERS\S-1-5-21-1220945662-117609710-1801674531-500\Software\Microsoft\Internet Explorer\URLSearchHooks

    and that has this CLSID on it:- {CFBFAE00-17A6-11D0-99CB-00C04FD64497}

    that should refer to the Microsoft Internet Explorer Browser UI Library IEFRAME.DLL, which is OK - so no infection problem there.

    It's strange AdwareAway referred to the HKLM Key, but there is no reason you should have a UrlSearchHooks sub key there.

    From what you've posted, I can't see anything wrong, however, if you have HijackThis you can run it and look for the following entry:-

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    if you find you have that on your system you can get HJT to fix that particular line. If you do that though, please ensure you create a separate folder for HJT, and do not leave it in a temporary location - in that way it will create a backup that you can easily put back should you need to.

    Please do not post a HJT log here because it is against Forum policy, but it's not necessary in any case. But if you find you have another R3 entry, instead of the above, you could post that - actually you shouldn't have any R3 entries at all.

    After you've done that (assuming you have such a line) run AdwareAway and see if it still finds anything. At the moment though I'm inclined to think the problem might be with AdwareAway rather than your machine.
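
An added example, not part of any post in this thread: the manual check discussed above, automated over a regedit text export. It lists every value on a `URLSearchHooks` key and compares it with the CLSID the thread identifies as Internet Explorer's default hook. The function names `parse_export` and `triage_hooks` are hypothetical, the export layout is assumed to match the paste above, and the sample (SID and second CLSID) is constructed.

```python
import re

# CLSID the thread identifies as Internet Explorer's own search hook.
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample in the layout of a regedit text export (values are made up).
SAMPLE = r"""Key Name:
HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-500\Software\Microsoft\Internet Explorer\URLSearchHooks
Class Name: <NO CLASS>
Value 0
Name: {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
Type: REG_SZ
Data:
Value 1
Name: {11111111-2222-3333-4444-555555555555}
Key Name:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\
Regedit
Class Name: <NO CLASS>
Name: LastKey
Data: My Computer\HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-500\Software\Microsoft\Internet Explorer\URLSearchHooks
"""

def parse_export(text):
    """Return {key_path: [value_name, ...]} from a regedit text export."""
    keys, path, in_name = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            path, in_name = line[len("Key Name:"):].strip(), True
        elif line.startswith("Class Name:"):
            in_name = False
        elif in_name:
            path += line  # key path wrapped onto a continuation line
        elif line.startswith("Name:") and path:
            keys.setdefault(path, []).append(line[len("Name:"):].strip())
    return keys

def triage_hooks(text):
    """Classify each value on a key whose path ends in URLSearchHooks."""
    out = []
    for path, names in parse_export(text).items():
        if path.lower().endswith("\\urlsearchhooks"):
            for n in names:
                verdict = ("default" if n.upper() == DEFAULT_HOOK
                           else "review" if CLSID_RE.match(n) else "malformed")
                out.append((path, n, verdict))
    return out
```

Only key paths are matched, so the `LastKey` data line that merely mentions `URLSearchHooks` is not reported as a hook. A `review` verdict means the CLSID still has to be resolved to its DLL before judging it.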
     
  5. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thank you for the diagnosis. It's a big relief to an average user like me.

    You are right ... I ran HJT, and there's no R3 entry.
    I am also thinking AdwareAway generated a false positive, and in all subsequent global scans it keeps showing that one line ... scary in these times for a person who knows only a bit about computers.

    So, I have submitted my AdwareAway logfile to their Support; let's see what they say.

    Thank you again, and God Bless.
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    That's OK abanerji, but do let us know the outcome if you hear from AdwareAway Support.

    It would be interesting to read their explanation in case someone else has the same problem.
     
  7. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37