CastleCops, Internet Crime Fighters
Dancing URL SearchHook!

fimoulia

Lieutenant


Joined: Apr 14, 2004
Posts: 167


PostPosted: Thu May 27, 2004 11:27 pm    Post subject: Dancing URL SearchHook!

Hello to all! Here is my story.

Once I had: R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file) in a HijackThis scan. Was told to fix it. Fixed it - it doesn't go.
Shortly after, I took the value of this key out of HKCU\Software\Microsoft\Internet Explorer\URL SearchHooks with the help of Registrar Lite. OK. Then I ran HijackThis and it says: R3 - Default URL SearchHook is missing.
Have to fix it. I do. And this value is back right there where it was. I repeat the procedure and the procedure repeats itself...

This value {CFBFAE00-17A6-11D0-99CB-00C04FD64497} is in the CLSID list in HKCR and is described as Microsoft URL Search Hook. Its InProcServer32 shows the default location as System32\Shdocvw.dll

Is this thing legitimate? Can someone pour cold water on my head?

!Mariner

Colonel
Premium Member

Joined: Aug 25, 2003
Posts: 1914


PostPosted: Fri May 28, 2004 1:27 pm    Post subject:

Hi fimoulia,

Tell you what, throw up a HJT log and let's get your system cleaned right out/up. I know you have been taking steps to secure your system but, if there is already bad stuff on it, it must be removed first for security applications to be effective.

You appear to have a bad and persistent 'Hook' buried in there, let's get rid of it.

OK, Standard instructions coming up, please follow carefully.


Please read these messages
Virus=Read This: CastleCops Link/postt8864.html
HiJack= Read This: CastleCops Link/t911-Before_You_Post_Read_Follow_These_Rules_and_Guidelines.html

Then
Download: HiJack This!

Create and Unzip to a folder not your Desktop or the Temp folder, doubleclick HijackThis.exe, and press "Scan".
Unzip the download (using a piece of software like: Winzip)


When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log in a text file, and post it in the CCSP "Spyware - Hijack Related" forum:

CastleCops Link/f67-Trend_Micro_HijackThis_Logs.html


Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


*Please, be patient. An expert will examine your log and this does take time. Please, no 'Bumps' and no 'Dupes'. Thank you.*

fimoulia

Lieutenant


Joined: Apr 14, 2004
Posts: 167


PostPosted: Sun May 30, 2004 1:13 am    Post subject:

Hi Mariner,

Thank you for replying to my post. Nice to be with you again. I realize now that my topic probably is not that relevant to this forum. My excuses! In regard to my HJT log I can assure you that it's abs. clean for now. I just had my thread here CastleCops Link/t43068-CWShredder_Enigma_Help_Take_2_35dayswithnoanyresponse.html
under excellent satchick's treatment and I posted my recent log. It's now exactly the same except R3 of course.
I googled this value {CFBFAE00-17A6-11D0-99CB-00C04FD64497} and more than 5000 entries came up about HJT scans reading this value as (no name) ... (no file). Many recommendations to remove it (to keep it from coming back) from HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, like this one which I followed. CastleCops Link/t42340-Hijack_Log_Question.html
Though my case is without any underscore after the value.
After that the new log shows, as I said: R3 - Default URL SearchHook is missing.
So this value is back in its place and recently doesn't show up in the new logs. But is this value a default value or a bad thing?
Seems to me I saw this value when I checked it some time ago in Tony Klein's CLSID list as a Parasite left from some baddie, but I'm not certain about that. Now it's not there.
If this thing is lawful and doesn't show up in HJT logs then I can sleep quietly, but if not then we had better put it in the fire. Is there a way to verify the legitimacy of it?
I greatly appreciate your assistance.

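The question of whether a URLSearchHooks CLSID is "lawful" can be checked directly rather than by eye. The script below is an added example, not from the thread or from HijackThis: it lists every value under the current user's URLSearchHooks key, looks each CLSID up under HKCR\CLSID, reads the InprocServer32 path and checks that the DLL actually exists. The registry locations are the ones named in the thread; the rule that a bare filename in InprocServer32 is resolved against System32 is an assumption made here for the check.

```powershell
# Added example (not part of the original thread): triage Internet Explorer
# URL Search Hooks for the current user. Assumptions: Windows PowerShell on a
# machine with IE's registry layout; hook value names are CLSIDs; each registered
# CLSID records its DLL under HKCR\CLSID\{clsid}\InprocServer32.

$hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'

if (-not (Test-Path $hookKey)) {
    # This is the state HijackThis reports as "R3 - Default URL SearchHook is missing".
    Write-Output 'No URLSearchHooks key exists for this user.'
    return
}

$item = Get-Item -Path $hookKey
foreach ($valueName in $item.GetValueNames()) {
    # A value name that is not a registered CLSID (for example one with a stray
    # character such as a trailing underscore appended) is what HijackThis shows
    # as "(no name) - ... - (no file)".
    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$valueName"
    $serverKey = "$clsidKey\InprocServer32"

    $result = [ordered]@{
        Hook      = $valueName
        ClassName = $null
        DllPath   = $null
        DllExists = $false
        Verdict   = 'CLSID not registered under HKCR'
    }

    if (Test-Path $clsidKey) {
        $result.ClassName = (Get-ItemProperty -Path $clsidKey).'(default)'
        $result.Verdict   = 'registered but has no InprocServer32'

        if (Test-Path $serverKey) {
            $raw  = (Get-ItemProperty -Path $serverKey).'(default)'
            $path = [Environment]::ExpandEnvironmentVariables($raw)
            # Assumption: a bare filename (no directory) is loaded from System32.
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot "System32\$path"
            }
            $result.DllPath   = $path
            $result.DllExists = Test-Path -LiteralPath $path
            $result.Verdict   = if ($result.DllExists) {
                'resolves to an existing DLL'
            } else {
                'InprocServer32 points at a missing file'
            }
        }
    }

    [pscustomobject]$result
}
```

Run it from a normal user session; it only reads the registry and the file system. A hook whose verdict is "resolves to an existing DLL" and whose path is the system Shdocvw.dll matches what the thread describes for the default Microsoft hook. Anything that is unregistered, or whose DLL is missing or sits outside System32, is worth posting in a log for review rather than fixing blindly.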
!Mariner

Colonel
Premium Member

Joined: Aug 25, 2003
Posts: 1914


PostPosted: Sun May 30, 2004 1:44 am    Post subject:

Hi fimoulia,

Yes, to be absolutely certain, post another log. If there is nothing to worry about, it will not take long to work through. You've come this far and it would be a pity to have to leave one unknown item remaining, especially as it may come back to haunt you later.

No matter how good your defences might be they are of little use if they are helping keep a bad guy within your system.

If the CLSID is an unknown quantity, then it should be looked at, as it may be a new one and its discovery will be of help to others. So, go ahead and post a new log.

fimoulia

Lieutenant


Joined: Apr 14, 2004
Posts: 167


PostPosted: Sun May 30, 2004 2:48 am    Post subject:

Mariner,

OK. I'll post the log right now in HijackThis forum. Under the subject hmm... 'Chasing the CLSID'. Will you move this thread over there? I don't know how it works. Anyway, the log will be there.
Thanks A LOT!

!Mariner

Colonel
Premium Member

Joined: Aug 25, 2003
Posts: 1914


PostPosted: Sun May 30, 2004 3:11 am    Post subject:

No, I'll leave this thread where it is and your log will be treated separately.

Give it several days to gain some attention, please.

fimoulia

Lieutenant


Joined: Apr 14, 2004
Posts: 167


PostPosted: Mon May 31, 2004 4:21 pm    Post subject:

Hello Mariner,

I've received confirmation from Yellowhammer that my HJT log is clean.
CastleCops Link/t45888-Chasing_the_CLSID_Need_Experts_opinion_about_my_HJT_log.html

Many thanks for the assistance!



Last edited by fimoulia on Tue Jun 01, 2004 11:10 pm, edited 2 times in total
!Mariner

Colonel
Premium Member

Joined: Aug 25, 2003
Posts: 1914


PostPosted: Mon May 31, 2004 5:54 pm    Post subject:

Hi fimoulia,

You're very welcome; glad we were able to help.

Now, go check that your security apps are good and updated. Check out our Download section for programs to help keep you safe. Good luck and safe surfing. Been a pleasure helping you.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.

Once in a while we get it right........

If you are happy with the help you received here, perhaps you would consider making a donation to help us keep helping you. It would be much appreciated. Thank you.
