SPYBOT RESULT-PLEASE COMMENT


Hi All,
I have found this result listed on my Spybot result page. I looked in my Hijack This log; I didn't see anything resembling this. My other scans, Adware6, Pestpatrol, Spyweeper, etc., produce a clean sweep.
The Spybot results read:
POSSIBLE EXTENSION HIJACK
Default command file handler
HKEY_CLASSES_ROOT\cmdfile\shell\open\command\!="%1"%*
(Please note that the * at the end of the % substitutes for an x)

Please comment.

Also, in the Internet Options box, in the Advanced tab, I have the BROWSING
"enable third-party browser extension (requires restart)" unchecked. Would that have something to do with this entry?
 
Bettyboop -

Google shows this which makes the Spybot Search and Destroy scan seem quite
possibly accurate in having detected something.

cmdfile\shell\open\command\!="%1"%*
http://snipurl.com/7lmj

Further investigations show these:
http://www.sophos.com/virusinfo/analyses/w32appixe.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_APPIX.B&VSect=T
http://vil.nai.com/vil/content/v_99785.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=Pe_Appix.B

I would suggest the following: If Spybot shows this as an item displayed in
RED, it is doubtless a parasite of some sort. You can verify it by doing a
few online scans for Virus and Trojans first (some on-line virus scanners
can detect some Trojans as well.).

I would do that before removing the item via Spybot Search and Destroy. Also
FYI: although you have many good programs to detect such parasites, you
should realize that some things are scanner specific. In other words, not
all apps can detect all things. Lastly, you made no mention of any Antivirus
applications that you may have. Do you use an AV program? I hope you do.

OK, here are some on-line AV and Trojan scanners:
Quick and basic scans (hardly definitive, but a start)
Doxdesk parasite scan
http://doxdesk.com/parasite/
Jim Eshelman's WSC on-line quick scan
http://www.aumha.org/a/noads.htm
More In-Depth on-line scanners for parasites and Trojans:
GFI free on-line Trojan scanner
http://www.windowsecurity.com/trojanscan/
Sygate Technologies Trojanscan
http://scan.sygatetech.com/pretrojanscan.html
PestPatrol on-line scan
http://www.pestscan.com/home.asp
SpywareChecker on-line scan
http://www.spywareguide.com/txt_onlinescan.html
On-Line Virus scanners:

RAV Antivirus Online Virus Scan
http://www.ravantivirus.com/scan/
Command on Demand
http://www.authentium.com/solutions/cod/index.cfm
Freedom on-line virus check
http://www.freedom.net/viruscenter/onlineviruscheck.html
TrendMicro Housecall (also detects some Trojans)
http://housecall.trendmicro.com/
BitDefender Scan Online
http://www.bitdefender.com/scan/licence.php

Kaspersky Online Virus Scanner
http://www.kaspersky.com/remoteviruschk.html
The above scanner works differently from most; it is a server based
scanner, and will only scan individual files, or directories which are
limited to 1 MB in total size. It will not do a full system scan.

Hauri LiveCall Online virus scanning
http://www.globalhauri.com/html/products/livecall.html
The above is also server based if I remember correctly

Panda on-line virus scan
http://www.pandasoftware.com/activescan/activescan.asp
I've only used this one once or twice, and don't particularly care for it.

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp
Don't remember if I ever used this one. Not a big McAfee fan.

I've had trouble running Symantec's scanner though:

Symantec Security Check (page offers security and/or virus scan)
http://snipurl.com/7gz1


HTH -
--

LuckyStrike
(e-mail address removed)

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
http://home.satx.rr.com/badour/html/post.html
--------------------------------------------------------------------


 
Hi again BB -

I also forgot to mention (it's late... so excuse me for omitting this). No,
it is unlikely that the "enable third-party browser extension" (unchecked)
has anything to do with this.

Also, should you elect to remove (clean) the item via S-SD (Spybot search
and destroy...for future reference) you can always recover it by using the
recovery button on the main S-SD GUI interface.

HTH -
--

LuckyStrike
(e-mail address removed)
--------------------------------------------------------------------
 
LuckyStrike,
Thank you so much for your response/time/advice/help.
I tried to post a reply immediately, but for some reason I was having a problem posting.
I followed all of your suggestions, visited every site as suggested, and ran all of the scans you suggested; unfortunately, they all found nothing. Spybot keeps picking it up.
I ran my Pestpatrol scan, which gave me a clean scan; however, in the "Startup" menu log, this is the only thing that I see that might be related:

Registry - HKEY_CLASSES_ROOT\htafile\shell\open\command[MSHTA.EXE"%1"%*]
Registry - HKEY_LOCAL_MACHINE\software\classes\htafile\shell\open\command\[MSHTA.EXE"%1"%*]
(note: * substitutes for x)
Is this related in any way?
Thanks in advance
 
Check your system for "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow all Removal steps.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect

 
Hi bettyboop -

No, the two items shown by PestPatrol have no relation to the
HKEY_CLASSES_ROOT\cmdfile\shell\open\command\!="%1"%* Registry entry. Leave
them be.

Open Regedit>navigate to the above mentioned key>Highlight (select
it)>export that key (for safe measure)>then delete it from the Registry.
Remove the entire *command* key, not just the value. That will remove the
constantly returning detection that S-SD presents with each scan.

Run S-SD again. I am certain that this pesky Possible Extension Hijack will
no longer be detected and displayed.

For a more complete "armament" against future "Pestware" <g>, do the
following:

Disable ActiveX via IE Options. Do the same for Active Scripting as well. At
least set those two to Prompt, if you don't want to disable them. In the
Security tab>Internet>custom settings. Yes, you will get annoying reminders
about page may not display properly, and Scripts are usually safe do you
want to, etc. etc.

My settings for ActiveX are:
Prompt
Disable
Disable
Prompt
Prompt

Then more info here:
How to surf the Internet more safely with Internet Explorer
http://www.windows-help.net/features/surf-safe-pf.html
http://www.infinisource.com/techfiles/surf-safe.html
http://www.bluekestrel.com/int_explor_setup.htm

Internet Explorer Security Zones by Scott Schnoll
http://www.nwnetworks.com/iezones.htm?
MICROSOFT SECURITY FAQ
http://securityadmin.info/noframes/faqget.asp

Then (although I know you already have some of these applications, this is a
copy and paste from my canned reply, so please forgive any duplications or
items you already have.) :
Check for Spyware - How-to's
First, install the respective programs and then update them immediately,
so that they have the current versions, and definitions. Read the Help
Files and Tutorials.
Run them one at a time. With Ad-Aware you may have it
generally clean whatever it finds. The same applies for CWShredder.
Spybot S&D requires special attention (listed below), as does HijackThis
(Only more so. Details listed below) The programs are listed in order of
their general strength, safety, and purpose. It is perhaps best to install
and run these in this order of appearance. All are freeware programs,
but if you are pleased with the results and quality of the utilities,
donations to the respective Authors are cheerfully accepted.

*Most important* - Before you try to remove spyware using any of the
following programs, realize that the process of cleaning and removing
certain spyware and malware may possibly interrupt and kill your internet
connection.
Therefore, you should obtain a copy of LSPFIX, which will then make it
possible for you to re-establish your internet connection should it be
terminated.

Download LSPFIX from either of the following sites:

http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (For Win2k or XP)

Another thing to consider doing is to run a program (only run one program
at a time) a few times consecutively. The reason for this is that the first
pass may kill certain Spyware programs, but may not be able to terminate
and kill all files and programs which may be running at the time.
That is why a second pass may be necessary to be thoroughly effective.

Also, under the most stubborn cases, running the programs in Safe-Mode
will allow for the best cleaning conditions, as there will be a minimum of
interference from processes running in the background.

Ad-Aware
http://www.lavasoftusa.com/support/download/
Ad-Aware Tutorial (might help if you look through this)
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48

CWShredder (cleans all Cool Web Search malware)
http://www.majorgeeks.com/download4086.html
CWShredder Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

Coolwebsearch Smartkiller
http://www.safer-networking.org/files/delcwssk.zip

The above item is sometimes necessary if CWShredder detects a SmartSearch2
variant on your PC.

Spybot S&D
http://www.safer-networking.org/index.php?page=download
Spybot Tutorial (Must Read)
http://www.safer-networking.org/index.php?page=tutorial
Other tutorials for Spybot S&D (Also must read)
http://www.bleepingcomputer.com/forums/index.php?showtutorial=43
http://tomcoyote.com/SPYBOT/index1.php
http://tomcoyote.com/SPYBOT/index2.php

The item below, SWB, is designed to *prevent* installation of malware and the
like by comparing known CLSID's of these "bad guys" with what is in its
definitions. By enabling a *Kill Bit* it prevents known malignant ActiveX
from being installed or run on your machine. It doesn't remove anything,
nor will it fix anything that is already in your PC. Rather, it will prevent
installation or re-installation of the item once it has been removed
either manually, or by the use of another program which will perform
the duty of removing the spyware.

SpywareBlaster (prevents installation of spyware, Trojans, etc.)
http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=49

SpywareGuard (companion program to SWB, above)
http://www.javacoolsoftware.com/spywareguard.html
SpywareGuard Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=50

If you use Spybot S & D, be sure to clean *ONLY* the items displayed in
*RED*. DO NOT clean any items displayed in Black or Green at this time.

Lastly there is HijackThis. HijackThis is a very powerful, last resort
type of program which is generally best used in conjunction with help from
those who deal with the findings of the log created by the HijackThis scan.
It does nothing in the scan itself; it merely says what is in and running on
your PC. The items must be check-marked to be "cleaned". You must
know *exactly* what you are checking-off before you proceed.
If you don't, you can quite possibly disable many useful and vital functions
of your PC. Remember; read the Tutorials, and seek help at SpywareInfo
Forums, Net-Integration, or TomCoyote forums for safety's sake.

HijackThis
http://www.spywareinfo.com/~merijn/downloads.html
If the preceding site is down, you may get HijackThis from Major Geeks
(amongst other sites as well)
Hijack This (from Major Geeks)
http://www.majorgeeks.com/download3155.html

HijackThis Tutorials **(MUST READ)**
http://www.spywareinfo.com/~merijn/htlogtutorial.html
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
http://hjt.wizardsofwebsites.com/

Where to seek help with your HijackThis scan log
SpywareInfo Forums
http://forums.spywareinfo.com/
other help forums for HijackThis:
Net-Integration
http://forums.net-integration.net/index.php?c=19
TomCoyote
http://forums.tomcoyote.com/index.php?showforum=27

HTH - ;-)
--

LuckyStrike
(e-mail address removed)

--------------------------------------------------------------------
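
Added example, not written by any poster in this thread: a Python check that reads a regedit export (such as the one taken before changing the key, as suggested above) and compares the default shell\open\command value of the program-file classes with the Windows default "%1" %*. The sample export, the placeholder path in it and the function names are constructed for illustration.

```python
import re

# Windows default for program-file classes: run the file itself ("%1") and
# pass its arguments through (%*).
DEFAULT_HANDLER = '"%1" %*'
PROGRAM_CLASSES = ("exefile", "comfile", "batfile", "cmdfile", "piffile")

KEY_LINE = re.compile(r"^\[(.+)\]$")
HANDLER_KEY = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Classes)"
    r"\\(" + "|".join(PROGRAM_CLASSES) + r")\\shell\\open\\command$",
    re.IGNORECASE,
)

# Constructed sample of a regedit export (not taken from the thread).
# A real export is usually UTF-16: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\placeholder\\other.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"
'''


def parse_default_values(reg_text):
    """Map each key in a .reg export to its (Default) string value, or None."""
    defaults = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            defaults[current] = None
        elif (current and len(line) >= 4
              and line.startswith('@="') and line.endswith('"')):
            # .reg strings escape backslash and double quote with a backslash.
            defaults[current] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return defaults


def audit_export(reg_text):
    """Return (class, key, value, status) for each program-class open handler."""
    findings = []
    for key, value in parse_default_values(reg_text).items():
        m = HANDLER_KEY.match(key)
        if not m:
            continue  # e.g. htafile: its handler is not the bare "%1" %* form
        if value is None:
            status = "no-string-default"  # key present, no REG_SZ default value
        elif value.strip() == DEFAULT_HANDLER:
            status = "default"
        else:
            status = "modified"  # something other than the file itself is run
        findings.append((m.group(1).lower(), key, value, status))
    return findings


if __name__ == "__main__":
    for cls, key, value, status in audit_export(SAMPLE_EXPORT):
        print(f"{status:18} {key} -> {value!r}")
```

A "default" result for cmdfile means the value is the stock handler; "modified" or "no-string-default" is what deserves a closer look before anything is cleaned or deleted.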

 
LuckyStrike
PA Bear

Thank you again for all of your response, your TIME, and help.
I apologize for the delay in my response. I have been having a lot of trouble trying to reply to your response. (For the life of me, I just can't figure out why?)

I visited Net-Integrations, the Official Site of Spybot S&D, there, I found several people with the same problem, thus, question. Spybot people are aware of the problem, "a bug", however, judging from the level of concern from fellow computer users, Spybot has not fixed the problem, which was purported to be addressed with this current update. Obviously, that has not happened. The "Official" solution is to "ignore it" by simply placing it in the "ignore list" until the "bug" is fixed.
I have decided to take the "Official" advice at this time because I am just too burnt out to deal with the registry at this time, however, I will use the advice given by PA Bear to address the registry.
Thanks again for everything.
I hope this post and the advice given by you and PA Bear will help someone with the same Spybot problem.
--
bettyboop


 
OK then Bettyboop, you are welcome, and welcomed to do as you see fit. ;-)

To access and find your post using the MS web page reader which you
presently use, click the *search box* and enter your search (name or
subject).

Otherwise, you might find it beneficial to use Outlook Express as your
newsreader. I do, and it is miles above the web page reader in every way;
It's free, and will enable you to read, post, reply, and search so much
faster and easier. Here's how to do that:

WSC OE setup (quick method)
http://www.aumha.org/win5/support.php
http://aumha.org/nntp.php

These below are some bits of info on what one does if setup is to be
accomplished by a manual process. All are basically the same instructions,
but I've included them all for your benefit to see that regardless of which
set-up you have, the instructions are the same.
http://support.microsoft.com/default.aspx?scid=kb;en-us;182167
http://users.westelcom.com/rogersr/setupoe.htm
http://www.michaelstevenstech.com/outlookexpressnewreader.htm
http://www.my-binaries.com/newsreaders-OutlookExpress-instructions.asp

Newsgroup Setup Instructions
http://www.microsoft.com/windows/smartdisplay/using/newsgroups/setup.mspx

About using OE as a newsreader
http://www.iup.edu/helpdesk/service/pc/software/outlookexp/usenet/newsfaq.shtm

http://www.microsoft.com/mom/community/setup.asp (forget that this says
Windows Server System; it's the same exact setup process for use on regular
PC setups)

Windows Me Newsgroups Setup Instructions
http://www.microsoft.com/windowsme/support/newsgroups/newssetup.asp
Windows XP setup for OE newsreader
http://www.microsoft.com/windowsxp/expertzone/newsgroupsetup.mspx

There you have it. I hope this will help in some way.
--

LuckyStrike
(e-mail address removed)

------------------------------------------------------------------
bettyboop said:
LuckyStrike
PA Bear

Thank you again for all of your response, your TIME, and help.
I apologize for the delay in my response. I have been having a lot of
trouble trying to reply to your response. (For the life of me, I just can't
figure out why?)
I visited Net-Integrations, the Official Site of Spybot S&D, there, I
found several people with the same problem, thus, question. Spybot people
are aware of the problem, "a bug", however, judging from the level of
concern from fellow computer users, Spybot has not fixed the problem, which
was purported to be addressed with this current update. Obviously, that
has not happened. The "Official" solution is to "ignore it" by simply
placing it in the "ignore list" until the "bug" is fixed.
I have decided to take the "Official" advice at this time because I am
just to burnt out to deal with the registry at this time, however, I will
use the advice given by PA Bear to address the registry.
Thanks again for everything.
I hope this post and the advice given by you and PA Bear with help someone
with the same Spybot problem.
--
bettyboop


LuckyStrike said:
Hi bettyboop -

No, the two items shown by PestPatrol have no relation to the
HKEY_CLASSES_ROOT\cmdfile\shell\open\command\!="%1"%* Registry entry. Leave
them be.

Open Regedit>navigate to the above mentioned key>Highlight (select
it)>export that key (for safe measure)>then delete it from the Registry.
Remove the entire *command* key, not just the value. That will remove the
constantly returning detection that S-SD presents with each scan.

Run S-SD again. I am certain that this pesky Possible Extension Hijack will
no longer be detected and displayed.

For a more complete "armament" against future "Pestware" <g>, do the
following:

Disable ActiveX via IE Options. Do the same for Active Scripting as well. At
least set those two to Prompt, if you don't want to disable them. In the
Security tab>Internet>custom settings. Yes, you will get annoying reminders
about page may not display properly, and Scripts are usually safe do you
want to, etc. etc.

My settings for ActiveX are:
Prompt
Disable
Disable
Prompt
Prompt

Then more info here:
How to surf the Internet more safely with Internet Explorer
http://www.windows-help.net/features/surf-safe-pf.html
http://www.infinisource.com/techfiles/surf-safe.html
http://www.bluekestrel.com/int_explor_setup.htm

Internet Explorer Security Zones by Scott Schnoll
http://www.nwnetworks.com/iezones.htm?
MICROSOFT SECURITY FAQ
http://securityadmin.info/noframes/faqget.asp

Then (although I know you already have some of these applications, this is a
copy and paste from my canned reply, so please forgive any duplications or
items you already have.) :
Check for Spyware - How - to's
First, install the respective programs and then update them immediately,
so that they have the current versions, and definitions. Read the Help
Files and Tutorials.
Run them one at a time. With Ad-Aware you may have it
generally clean whatever it finds. The same applies for CWShredder.
Spybot S&D requires special attention (listed below), as does HijackThis
(Only more so. Details listed below) The programs are listed in order of
their general strength, safety, and purpose. It is perhaps best to install
and run these in this order of appearance. All are freeware programs,
but if you are pleased with the results and quality of the utilities,
donations to the respective Authors are cheerfully accepted.

*Most important* - Before you try to remove spyware using any of the
following programs, realize that the process of cleaning and removing
certain spyware and malware may possibly interrupt and kill your internet
connection.
Therefore, you should obtain a copy of LSPFIX, which will then make it
possible for you to re-establish your internet connection should it be
terminated.

Download LSPFIX from either of the following sites:

http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (For Win2k or XP)
Another thing to consider doing is to run a program (only run one program
at a time) a few times consecutively. The reason for this is that the first
pass may kill certain Spyware programs, but may not be able to terminate
and kill all files and programs which may be running at the time.
That is why a second pass may be necessary to be thoroughly effective.

Also, under the most stubborn cases, running the programs in Safe-Mode
will allow for the best cleaning conditions, as there will be a minimum of
interference from processes running in the background.

Ad-Aware
http://www.lavasoftusa.com/support/download/
Ad-Aware Tutorial (might help if you look through this)
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48

CWShredder (cleans all Cool Web Search malware)
http://www.majorgeeks.com/download4086.html
CWShredder Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

Coolwebsearch Smartkiller
http://www.safer-networking.org/files/delcwssk.zip

The above item is sometimes necessary if CWShredder detects a SmartSearch2
variant on your PC.

Spybot S&D
http://www.safer-networking.org/index.php?page=download
Spybot Tutorial (Must Read)
http://www.safer-networking.org/index.php?page=tutorial
Other tutorials for Spybot S&D (Also must read)
http://www.bleepingcomputer.com/forums/index.php?showtutorial=43
http://tomcoyote.com/SPYBOT/index1.php
http://tomcoyote.com/SPYBOT/index2.php

The item below, SWB, is designed to *prevent* installation of malware and
the like by comparing known CLSID's of these "bad guys" with what is in its
definitions. By enabling a *Kill Bit* it prevents known malignant ActiveX
from being installed or run on your machine. It doesn't remove anything,
nor will it fix anything that is already in your PC. Rather, it will prevent
installation or re-installation of the item once it has been removed
either manually, or by the use of another program which will perform
the duty of removing the spyware.

SpywareBlaster (prevents installation of spyware, Trojans, etc.)
http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=49

SpywareGuard (companion program to SWB, above)
http://www.javacoolsoftware.com/spywareguard.html
SpywareGuard Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=50

If you use Spybot S & D, be sure to clean *ONLY* the items displayed in
*RED*. DO NOT clean any items displayed in Black or Green at this time.

Lastly there is HijackThis. HijackThis is a very powerful, last resort
type of program which is generally best used in conjunction with help from
those who deal with the findings of the log created by the HijackThis scan.
It does nothing in the scan itself; it merely says what is in and running on
your PC. The items must be checked-marked to be "cleaned". You must
know *exactly* what you are checking-off before you proceed.
If you don't, you can quite possibly disable many useful and vital functions
of your PC. Remember; read the Tutorials, and seek help at SpywareInfo
Forums, Net-Integration, or TomCoyote forums for safety's sake.

HijackThis
http://www.spywareinfo.com/~merijn/downloads.html
If the preceding site is down, you may get HijackThis from Major Geeks
(amongst other sites as well)
Hijack This (from Major Geeks)
http://www.majorgeeks.com/download3155.html

HijackThis Tutorials **(MUST READ)**
http://www.spywareinfo.com/~merijn/htlogtutorial.html
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
http://hjt.wizardsofwebsites.com/

Where to seek help with your HijackThis scan log
SpywareInfo Forums
http://forums.spywareinfo.com/
other help forums for HijackThis:
Net-Integration
http://forums.net-integration.net/index.php?c=19
TomCoyote
http://forums.tomcoyote.com/index.php?showforum=27

HTH - ;-)
--

LuckyStrike
(e-mail address removed)

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
http://home.satx.rr.com/badour/html/post.html
--------------------------------------------------------------------

in message
LuckyStrike,
Thank you so much for your response/time/advice/help.
I tried to post a reply immediately, but for some reason I was having a
problem posting.
I followed all of your suggestions, visited every site as suggested, ran
all of the scans you suggested, unfortunately, they all found
nothing. Spybot keeps picking it up.
I ran my Pestpatrol scan which gave me a clean scan, however, in the
"Startup" menu log, this is the only thing that I see that might be related;
Registry - HKEY_CLASSES_ROOT\htafile\shell\open\command[MSHTA.EXE"%1"%*]
Registry - HKEY_LOCAL_MACHINE\software\classes\htafile\shell\open\command\[MSHTA.EXE"%1"%*]
(note: * substitutes for x)
Is this related in any way?
Thanks in advance
--
bettyboop


:

Hi again BB -

I also forgot to mention (it's late... so excuse me for omitting this).
No, it is unlikely that the "enable third-party browser extension" (unchecked)
has anything to do with this.

Also, should you elect to remove (clean) the item via S-SD (Spybot search
and destroy...for future reference) you can always recover it by using the
recovery button on the main S-SD GUI interface.

HTH -
looked in my Hijack This log, I didn't see anything resembling this. My other scans,
Adware6, Pestpatrol, Spysweeper, etc., produce a clean sweep.
The Spybot results read:
POSSIBLE EXTENSION HIJACK
Default command file handler
HKEY_CLASSESS_ROOT\cmdfile\shell\open\command\!="%1"%*
(Please note that the*at the end of the % substitutes for an x)

Please comment.

Also, in the Internet Options box, in the Advanced tab, I have the BROWSING
"enable third-party browser extension (requires restart)" unchecked,
would that have something to do with this entry?
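
A read-only way to check the handler discussed in this thread, as an added example that is not part of any poster's message: it reads the `shell\open\command` default value for `cmdfile` and compares it with the stock string. Assumptions: the stock value is `"%1" %*`; the other classes in the list and the function names `Get-DefaultValue` and `Test-OpenCommand` are illustrative choices made here.

```powershell
# Added example (read-only): audit shell\open\command for executable file classes.
# Assumption: the stock (Default) value for these classes is "%1" %*
$Expected = '"%1" %*'
$Classes  = 'cmdfile', 'batfile', 'exefile', 'comfile'   # list beyond cmdfile is an assumption

function Get-DefaultValue {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $key = Get-Item -LiteralPath $KeyPath
    # '' names the key's (Default) value; keep %VARS% unexpanded so the raw string is compared
    return $key.GetValue('', $null, 'DoNotExpandEnvironmentNames')
}

function Test-OpenCommand {
    param([string]$Class)
    $sub     = "$Class\shell\open\command"
    # HKEY_CLASSES_ROOT is a merged view; a per-user entry takes precedence over HKLM
    $merged  = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$sub"
    $perUser = Get-DefaultValue "Registry::HKEY_CURRENT_USER\Software\Classes\$sub"

    if ($null -eq $merged) {
        $status = 'Missing'            # key or (Default) value absent
    }
    elseif ($merged -ceq $Expected) {
        $status = 'Stock'
    }
    elseif (($merged -replace '\s', '') -ceq ($Expected -replace '\s', '')) {
        $status = 'WhitespaceOnly'     # same tokens, spacing differs
    }
    else {
        $status = 'Modified'           # something else runs before or instead of %1
    }

    [pscustomobject]@{
        Class           = $Class
        Status          = $status
        Value           = $merged
        PerUserOverride = ($null -ne $perUser)
    }
}

$Classes | ForEach-Object { Test-OpenCommand $_ } | Format-Table -AutoSize
```

A `Modified` status or a per-user override on one of these classes is the condition worth a closer look; `Stock` on `cmdfile` is consistent with the scanner false positive described in the thread.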