Errors at Startup: ActiveSync and URL Search Hook


Rod

I have a Win XP machine with two users defined and MS
AntiSpyware Beta 1 installed. When the admin user starts
I get no errors reported. However when the other user
starts two items are reported. I'd like to be able to
clean them both up, but can't track them down. Any help
greatly appreciated.

1. AntiSpyware reports that "A startup value (H/PC
Connection Agent:"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE")
has been granted permission to be added to your startup registry
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Microsoft AntiSpyware has determined this program
to be free of known spyware"

2. AntiSpyware requires a response to allow or block (in
this case allowed) "The user xxxx, has decided to allow
the Internet Explorer URL Search Hook () to be added to
Internet Explorer."
 
wcescomm.exe file information
The process Connection Manager or ActiveSync Connection
Manager belongs to the software Microsoft ActiveSync or
Microsoft Windows CE Services by Microsoft Corporation
(www.microsoft.com).
Description: wcescomm.exe is located in a subfolder
of "C:\Program Files" - e.g. C:\Program Files\Microsoft
ActiveSync\. Known file sizes on Windows XP are 376912
bytes (22% of all occurrences), 413775 bytes, 401491 bytes,
401496 bytes, 405583 bytes, 401493 bytes, 442451 bytes,
1196032 bytes, 417871 bytes.
wcescomm.exe is not a Windows system file. The process
listens for or sends data on open ports to LAN or
Internet. The process starts when Windows starts (see
Registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run).
The program is not visible. Therefore the
technical security rating is 6% dangerous, however also
read the user reviews.

There are different files with the same name:


"H/PC Connection Agent" can run at start up. Active sync
for use with Windows CE based palm PC
"WCESCOMM" is not required to run at start up. Active sync
for use with Windows CE based palm PC
Important: Some malware can camouflage itself as
wcescomm.exe, particularly if it is located in the
c:\windows or c:\windows\system32 folder. Thus check the
wcescomm.exe process on your PC to see whether it is a pest. We
recommend Security Task Manager for verifying your
computer's security.


ShellExecute Hook: These modules are loaded every time you
launch a program (using Windows Explorer or by calling the
ShellExecute(Ex) function). The modules are notified of
the program you launch and can perform any additional task
before the program is actually launched.

Location
ShellExecute Hooks are located in the registry under the
following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Shell Delay Load Objects are located in the registry under
the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

URL Search Hooks are located in the registry under the
following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

App Init DLLs are located in the registry under the
following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs

Download Manager is located in the registry under one of
the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer, DownloadUI
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer, DownloadUI

Notification Packages are located in the registry under
the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

The Disable Action
The disable action moves the module's registry entry from
its original registry key to a temporary location.

You may need to reboot for the action to take effect.

The Delete Action
The delete action (depending on the selected options):

Deletes the module registry entry, deletes the module
CLSID (if any) from the key: HKEY_CLASSES_ROOT\CLSID;
Deletes the module file;
Unregisters the module.

You may need to reboot for the action to take effect.

Properties

Name: Short description of the module.
CLSID: Class identifier (globally unique identifier - GUID)
associated with the module.
Publisher: The developer (a company or a person) of the
module.
Program ID: Programmatic identifier - human-readable
identifier of the module OLE class (if any).
Description: The description of the module retrieved from
its file resources.
Type: The type of the module: ShellExecute Hook, Shell Delay
Load Object, URL Search Hook, App Init DLL, Notification
Package or Download Manager.
File: The full path to the module file.
File Version: File version information. The information is
retrieved from the file resources. Also includes product
version information if it differs from the file version.
File Size: File size in bytes.
File CRC32: Cyclic Redundancy Checksum (Check) of the file.
File MD5: Message Digest 5 of the file.
File Creation Date: The date the file was created.
Location: The location (registry or a folder) of the item.
Safe: Indicates whether the item is in a safe or in a blocked
list. Yes - item is in a safe list. No - item is in a
blocked list. N/A - item is in neither a safe nor a
blocked list.
Status: Indicates whether the item is enabled or disabled.
System: Indicates whether the item is a system item, i.e.
originally shipped with Windows.
WARNING: Browser Sentinel does not always correctly
differentiate third-party items and system items, use this
property with care!
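
An added example, not part of either post: a read-only PowerShell listing of the autostart keys named above, which resolves each hook CLSID to the DLL registered for it (so an entry with an empty name can still be traced to a file) and notes a wcescomm.exe entry that sits outside Program Files. It assumes PowerShell 2.0 or later is installed and that it is run as the user who sees the prompts; the function name Resolve-ClsidModule and the report layout are illustrative.

```powershell
# Added example (not from the thread): read-only listing of autostart keys named above.
# Run as the affected user, because HKCU is per-user.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-ClsidModule([string]$Clsid) {
    # The DLL behind a COM class is the default value of its InprocServer32 key.
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $k) { return [string](Get-Item -LiteralPath $k).GetValue('') }
    return '<CLSID not registered>'
}

$report = foreach ($path in $keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # Hook keys hold the CLSID as the value name or as the data, depending on the key.
        $clsid = @($name, $data) | Where-Object { $_ -match $clsidPattern } | Select-Object -First 1
        $module = if ($clsid) { Resolve-ClsidModule $clsid } else { $data }
        $note = ''
        if ($module -match 'wcescomm\.exe' -and $module -notmatch '\\Program Files') {
            $note = 'wcescomm.exe outside Program Files'
        }
        New-Object PSObject -Property @{ Key = $path; Name = $name; Module = $module; Note = $note }
    }
}

# AppInit_DLLs is a single value under the Windows key, not a list of values.
$appInit = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs

$report | Format-List Key, Name, Module, Note
"AppInit_DLLs = '$appInit'"
```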
 