ASE Findings

Discussion in 'adware, spyware & hijack cleaning' started by mattyl, Mar 13, 2004.

Thread Status:
Not open for further replies.
  1. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    I have run both Ad-Aware and Spybot and have had my hijack log cleaned. However, I read about ASE and decided to see if it would find anything. It found two CoolWebSearch and two ClearSearch entries in my registry. Are these safe to remove, or are they coming up because of Ad-Aware and Spybot? Plus, I have the free version, so I was wondering if I could just delete the whole entry in my registry - I was able to find them all in the registry, so I could delete them if they are safe to delete. Thanks very much in advance.

    Matt
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Do you use IE-SpyAd? If you do, see here.

    Regards,
    Kent
     
  3. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    I do use IE-SpyAd. However, after reading the enclosed link it seems as though the files in my registry are not part of IE-SpyAd (they do not have the (4) next to them). The files found by ASE are located in the local and class CLSID folder. I'm not very experienced with the registry, so I am not sure if these are harmful. The name of the entry found is "default", the type is "REG_SZ", and the data is "Microsoft URL Search Hook". One of the CoolWebSearch entries is located in:

    HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

    and the other in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}.

    The ClearSearch entries are located in the same locations with the same registry key ({CFBFAE00-17A6-11D0-99CB-00C04FD64497}). Thanks for any further advice.

    Matt
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi mattyl,

    I would think this should show up in an HJT log and be removable from there. I cannot find any specific references to {CFBFAE00-17A6-11D0-99CB-00C04FD64497} except that it has shown up in HJT logs with no name and no file and been successfully removed.

    You might want to try a new HJT log.....

    Regards,
    Kent
     
  5. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    I ran another hijackthis scan. I can't seem to find any reference to the file but I've included it here:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:18:10 PM, on 3/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\ibmsmbus.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\OLAP Services\Bin\msmdsrv.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Panasonic\SD-JukeboxV3\sdjbmgr.exe
    C:\WINDOWS\System32\sdpasvc.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Aluria Software\Spyware Scanner\ASEscanner.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\T40 USER\Desktop\New Folder (3)\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll__SpybotSDDisabled (file missing)
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37839.4208564815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: Domain = union.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: Domain = union.edu
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: Domain = union.edu
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14

    Thanks for taking a look.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mattyl,

    Could you click Start > Run > regedit > OK
    That will open the Registry Editor.
    Navigate to this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

    Select it and click File > Export.
    Open the saved file in notepad and post the content please.

    Regards,

    Pieter
     
  7. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Hi Pieter,

    Thanks for taking a look. Here is the content from the file -

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
    @="Microsoft Url Search Hook"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
    64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Exactly as it should be.

    I exported mine for comparison:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
    @="Microsoft Url-zoeken Hook"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
    64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    Apart from the difference due to this being a Dutch version, they are the same.

    That CLSID is the official Microsoft SearchHook and should only be fixed if it is listed like this:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    Where the "_" is used to hide CWS.

    Regards,

    Pieter
     
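The comparison Pieter makes above can be done mechanically. The following is an added example (Python, not code from this thread, from ASE or from HijackThis): it parses a .reg export like the one mattyl posted, decodes the hex(2) REG_EXPAND_SZ data back into the path it encodes, checks that InProcServer32 points at %SystemRoot%\System32\shdocvw.dll (the in-process server both exports in the thread show for this CLSID), and classifies HijackThis R3 lines so that the `_{CLSID}` name with "(no file)" Pieter describes is flagged while a well-formed CLSID that resolves to a file is not. SAMPLE_REG is the export from the thread retyped as a .reg file; TAMPERED_REG and its file name are a constructed placeholder, not something seen on mattyl's machine.

```python
import re

# Constructed sample: the HKLM export mattyl posted above, laid out the way
# regedit writes a "Windows Registry Editor Version 5.00" file (REG_EXPAND_SZ
# is stored as hex(2), a comma-separated UTF-16LE byte dump, wrapped with
# trailing backslashes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
@="Microsoft Url Search Hook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
"""

# Constructed counter-example with a placeholder path: same key, but the
# InProcServer32 default value redirected away from the shell DLL. The file
# name is invented for this example only.
TAMPERED_REG = SAMPLE_REG.split("@=hex(2)")[0] + r'@="C:\\placeholder\\not-shdocvw.dll"' + "\n"

URL_SEARCH_HOOK_CLSID = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
CLSID_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + URL_SEARCH_HOOK_CLSID
# The in-process server both exports in the thread show for this CLSID.
EXPECTED_SERVER = "%SystemRoot%\\System32\\shdocvw.dll"


def decode_reg_value(raw):
    """Decode one .reg value literal (the text after the '=')."""
    if raw.startswith('"'):                       # REG_SZ: quoted, \\ and \" escaped
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)", raw)
    if m:
        kind = int(m.group(1), 16) if m.group(1) else 3   # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2, 7):                     # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: value}} for a .reg export.
    Registry paths are case-insensitive, so keys are lowercased for lookup."""
    # A trailing backslash means the hex byte list continues on the next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        name, _, raw = line.partition("=")       # value names containing '=' are not handled
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_reg_value(raw)
    return keys


def check_search_hook_export(text):
    """Return (is_genuine, server_path) for an exported URL Search Hook key.
    The localized display name (compare the Dutch export) is ignored on
    purpose; only the InProcServer32 path decides."""
    keys = parse_reg_export(text)
    server = keys.get((CLSID_KEY + "\\InProcServer32").lower(), {}).get("(Default)")
    genuine = isinstance(server, str) and server.lower() == EXPECTED_SERVER.lower()
    return genuine, server


R3_LINE = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\S+) - (?P<file>.*)$")
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def classify_r3(line):
    """Classify a HijackThis R3 line: 'ok', 'suspicious', or None (not an R3 line).
    A value name that is not a well-formed CLSID (the "_{...}" form described
    above) or a CLSID listed with "(no file)" is the pattern to fix."""
    m = R3_LINE.match(line.strip())
    if not m:
        return None
    if not GUID.match(m.group("clsid")) or m.group("file").strip() == "(no file)":
        return "suspicious"
    return "ok"


if __name__ == "__main__":
    print(check_search_hook_export(SAMPLE_REG))
    print(check_search_hook_export(TAMPERED_REG))
    print(classify_r3("R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)"))
```

The check deliberately compares the server DLL path rather than the default value's display name, because that name is localized (the English and Dutch exports above differ only there) while a hijacked registration would change where InProcServer32 points.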
  9. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    AH! So ASE is showing false findings! Maybe they just want me to buy their product. Thank you very much for clearing that up Pieter. :D

    Mattyl
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    In their case I would sooner suspect an honest mistake. ;)
    I'll notify them.

    Regards,

    Pieter
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mattyl,

    Should be taken care of after the next update:
    http://www.spywareeliminator.com/forum/index.php?showtopic=1045&st=0&#entry3117

    Regards,

    Pieter
     
  12. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Glad to know! Thanks for looking into that and notifying them Pieter.

    mattyl
     