HiJackthis

  • Thread starter: Chuck Davis
Chuck said:
One of our computer club members reports that HijackThis
reports two "Nasty" entries that he claims were placed on the
system as a result of running MS AntiSpyware.

The two entries read:
R1-HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://bfc.myway.com/search/de_srchlft.html

and
R1-HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
= http://bfc.myway.com/search/de_srchlft.html

Any comments?

Those are nasty entries, but I don't see such registry entries on my
system (which has MS Anti-Spyware installed). On my system those
registry values are:
R1-HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.google.com/ie
and
R1-HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
doesn't exist.

While it's possible that those entries appeared on your friend's machine
shortly after installing MS Anti-Spyware, I doubt that they were placed
there as a result of running MS Anti-Spyware. Did your friend install
any other software near the same time or visit any questionable web
sites about that time?
 
Have you also run a scan in Safe Mode using Full System Scan? It's strange
the amount of crud the internet tries to install on your computer.
AntiSpyware caught this new one I have never seen before: NCase.
 
MS Anti-Spyware didn't catch it! HijackThis caught it! The
Club member that I referred to believes that MS
Anti-Spyware placed it on his machine!
 

The process I used was to initially have a "clean system"
as shown by Hijackthis.

Then install MS AntiSpyware and perform a scan.

Then run Hijackthis and the two "myway" nasties showed up.

No intervening events occurred. These steps were run
sequentially.

Any ideas how they got into the system???
 
I don't have answers for you, but you've certainly got my attention. MSAS
agents have, a number of times, caught myway trying to hijack my search
browser. Each time I've disallowed it and that works for a few days, then it
tries again. I'm interested in what you find out in this thread.
 

These URL's are definitely not present in Microsoft Antispyware as
distributed by Microsoft.

HijackThis doesn't clean, and it doesn't make any statements about clean or
not clean--it just scans and optionally creates a log. Who asserted that
the log was clean? Can you post that log?
 
Bill,
Here is my guess on what is happening. It might be an issue Microsoft may
want to look at. In the Advanced Tools is the option for Browser Hijack
Restore. As you know, whatever is in the right hand column is what the
software believes to be the default that the user wants. My guess is that
if this user looks in that area he will find the My Way entries listed as
the default to restore to. So, after removal and reboot, the Anti-Spyware
is doing its job and restoring them. The question is, how do those
defaults get set initially? I have not paid much attention to this and have
not run any tests, but if they somehow get set to a "bad url" then it will
be difficult to stop it until someone goes in manually and changes it.

--


Spider
http://web.tampabay.rr.com/spider1
http://spider1.blogspot.com/
 
I think you may be onto it. My machine is a new Dell. The first time I
remember getting the message, I checked my search bar, and it was a Dell
search, "powered by Myway". I changed my default, in advanced tools, to
Google, but it still came back (or at least tried to) several times, maybe a
half dozen.
 
I thought about posting that, but didn't want to muddy the issues. The
defaults in that list are those for the base OS install--which sometimes
includes for example, OEM preferences--but not those URL's for sure.

Issues surrounding that feature have been pretty common in this beta--Lots
of complaints about Microsoft Antispyware resetting the home page to MSN.

In my experience, there's a wizard that presents that table of URL's to the
user either as part of the configuration process on first run, or some time
later--perhaps while doing a remove. It does seem to be a little
asynchronous to the rest of the process, and many users find the whole
feature confusing, including me!
 
I'm not sure what to do with that info, but my current values are exactly as
you said for Default_Page_URL, but was slightly different for
Default_Search_URL, i.e. http://home.microsoft.com/search/search.asp . I
believe I set those in advanced tools in response to an attempted hijack by
Myway, which was flagged by MSAS.

Bob Dietz said:
I think it is this part of the registry
*****************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

*****************************************************************

 
Hold on--I can check on a new dell, and see whether that is present. This
is an explanation I considered posting, but I wasn't clear on whether the
link was really an imposter or a genuine Dell link.

Hmm - can't tell. I see www.dell.com as the default for some URL's, but the
search stuff is all MSN.

This stuff is confusing--if you want specific search or home pages, you need
to put your preferences in there. And if you want to change them, you have
to make the change in Microsoft Antispyware too, or it'll accuse you of
hijacking your own machine!

I believe the initial defaults are those as set by the OEM or the OS,
depending on whether the OS is retail or OEM. In the case of a new Dell,
they'd be the defaults as set by Dell, unless the user makes their current
preferences known by explicitly changing them when a wizard brings up a
dialog to do so. I've seen that dialog on every machine I've worked with so
far, I believe, but I'm fuzzy about the timing of it--it isn't a part of the
initial options settings.

You don't want it to just accept the settings as it finds them, in case the
machine is already hijacked. It has to pick some set of "objective"
defaults, so they pick the initial settings which are in there
somewhere--and are either OEM or Retail Microsoft.

So this really hinges on whether that URL is "real" or not--I couldn't tell
by looking at it, and I haven't noticed it myself --I customarily change
that stuff immediately on a new install, so it might not stick in my memory.
 
I can't check anything quite that new. I've got a couple of systems that
are a few months old, but nothing that new that I can reach at the moment.

Can anybody reading this with a new Dell confirm that search page as
Original Equipment?
 
The system that started this string was a new Dell.

MyWay is installed by Dell. Check the Dell site for an explanation.
I just did work on a new Dell system and can affirm this. If you attempt
to uninstall it from Add/Remove Programs it will still leave an entry in
A/R. AFAIK, it is NOT a known spyware issue or site.
Chuck, what appears to be occurring on the system is that MSAS is
REVEALING the presence of MyWay, not installing it. Hijack This is
incapable of showing it until you run MSAS. As to why, wait for the next
version of HT, coming soon ... ;)

Steve Wechsler (akaMowGreen)
MS - MVP
Windows Server - Software Distribution
Windows - Security
 
Open Internet Options.
Home page address: http://www.site_of_your_choice.com
(Mine is set to http://www.google.com)
If you click on "Use Default" the registry value at
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"
gets copied into the edit box.
Click OK or Apply and your home page will be changed to the /default/.

I don't think there is a UI for
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"
but the concept is the same.
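As an added illustration (not code from the thread, from HijackThis or from MSAS), the comparison that Spider guesses Browser Hijack Restore performs, reproduced offline from a HijackThis log and a .reg export of the Main key: each hive's current Search Bar / Start Page value is checked against the host of the matching Default_* value Bob describes. The sample lines are constructed from the values quoted in this thread; the Start Page line and the mapping of value names to Default_* values are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the two R1 lines quoted in this thread plus one Start Page
# line added for illustration (assumption, not from the thread).
HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
"""

# Constructed sample: the Default_* values from the .reg export posted in the thread.
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"""

HJT_RE = re.compile(r"^R[01] - (HKCU|HKLM)\\(.+?),(.+?) = (.+)$")
REG_RE = re.compile(r'^"(Default_\w+)"="(.*)"$')

# Assumed mapping: which Default_* value governs each IE value name HijackThis reports.
DEFAULT_FOR = {"Search Bar": "Default_Search_URL",
               "Search Page": "Default_Search_URL",
               "Start Page": "Default_Page_URL"}

def parse_hjt(log):
    """Return [(hive, value_name, url)] for every R0/R1 line in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = HJT_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3), m.group(4).strip()))
    return entries

def parse_reg_defaults(text):
    """Return {"Default_Page_URL": url, ...} from a .reg export of the Main key."""
    return {m.group(1): m.group(2) for m in map(REG_RE.match, text.splitlines()) if m}

def host(url):
    return (urlparse(url).hostname or "").lower()

def find_hijacks(log, reg_text):
    """Report entries whose host differs from the host of the matching Default_* URL."""
    defaults = parse_reg_defaults(reg_text)
    findings = []
    for hive, name, url in parse_hjt(log):
        default_url = defaults.get(DEFAULT_FOR.get(name, ""))
        if default_url and host(url) != host(default_url):
            findings.append((hive, name, host(url), host(default_url)))
    return findings
```

The Google Start Page is reported alongside the two myway entries, which is the situation Bill describes: until the Default_* values are changed to the user's own preference, the user's own settings look like a hijack.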
 
Thanks. I'm hoping this feature (the browser hijack detection and
correction features) will get smarter during this beta. It's been the cause
of a pretty large number of confusions--primarily folks complaining that
their home page got reset to MSN.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
