ASE Findings

I have ran both ad-aware and spybot and have had my hijack log cleaned. However, I read about ASE and decided to see if it would find anything. It found two CoolWebSearch and two ClearSearch entries in my registry. Are these safe to remove or are coming up because of adaware and spybot? Plus, I have the free version so was wondering if I just delete the whole entry in my registy - I was able to find them all in the registy so could delete them if safe to delete. Thanks very much in advance.

Matt

 

Do you use IE-SpyAd? If you do, see here.

Regards,
Kent

 

I do use IE-SpyAd. However, after reading the enclosed link it seems as though the files in my registry are not part of IE-SpyAd (they do not have the (4) next to them). The files found by ASE are located in the local and class CLSID folder. I'm not very experienced with the registy so am not sure if these are harmful. The name of the entry found is "default", type is "REG_SZ", and data is "Microsoft URL Search Hook". One of the coolwebsearch entries is located in:

HKEY_CLASSES_ROOT|CLSID|{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

and the other in:

HKEY_LOCAL_MACHINE|SOFTWARE|Classes|CLSID|{CFBFAE00-17A6-11D0-99CB-00C04FD64497}.

The ClearSearch is located in the same locations with the same registry key ({CFBFAE00-17A6-11D0-99CB-00C04FD64497}). Thanks for any further advise.

Matt

 

Hi mattyl,

I would think this should show up in a HJT log and be able to be removed from there. I cannot find any specific references to {CFBFAE00-17A6-11D0-99CB-00C04FD64497} except it has showed up in HJT logs with no name and no file and successfully removed.

You might want to try a new HJT log.....

Regards,
Kent

 

I ran another hijackthis scan. I can't seem to find any reference to the file but I've included it here:

Logfile of HijackThis v1.97.7
Scan saved at 4:18:10 PM, on 3/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Panasonic\SD-JukeboxV3\sdjbmgr.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Aluria Software\Spyware Scanner\ASEscanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\T40 USER\Desktop\New Folder (3)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37839.4208564815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: Domain = union.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: Domain = union.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14
O17 - HKLM\System\CS3\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: Domain = union.edu
O17 - HKLM\System\CS3\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14

Thanks for taking a look.

 

Hi mattyl,

Could you click Start > Run > regedit > OK
That will open the Registry Editor.
Navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

Select it and cllick File Export.
Open the saved file in notepad and post the content please.

Regards,

Pieter

 

Hi Pieter,

Thanks for taking a look. Here is the content from the file -

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
@="Microsoft Url Search Hook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

 

Exactly as it should be.

I exported mine for comparison:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
@="Microsoft Url-zoeken Hook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

Apart form the difference due to this being a Dutch version, they are the same.

That CLSID is the official Microsoft SearhHook and should only be fixed if it is listed like this:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Where the "_" is used to hide CWS.

Regards,

Pieter

 

AH! So ASE is showing a false findings! Maybe they just want me to buy there product. Thank you very much for clearing that up Pieter.

Mattyl

 

In their case I would sooner suspect an honest mistake.
I'll notify them.

Regards,

Pieter

 

Hi mattyl,

Should be taken care off after the next update:
http://www.spywareeliminator.com/forum/index.php?showtopic=1045&st=0&#entry3117

Regards,

Pieter

 

Glad to know! Thanks for looking into that and notifying them Pieter.

mattyl