R1, R2, R3 not showing in hijackthis? in Security

R1, R2, R3 not showing in hijackthis? in Security http://www.dslreports.com/forum/r10807481 en Wed, 09 Dec 2009 11:55:46 EDT Wed, 09 Dec 2009 11:55:46 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10825527 CalamityJane :

said by John2g :
R0,R1,R2,R3 Sections

This section covers the Internet Explorer Start Page, Home Page, and Url Search Hooks.

R0 is for Internet Explorers starting page and search assistant.

R1 is for Internet Explorers Search functions and other characteristics.

R2 is not used currently.

R3 is for a Url Search Hook. An Url Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as » or »ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook listed in the R3 section to try to find the location you entered.

Some Registry Keys: HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant

Example Listing R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.google.com/

A common question is what does it mean when the word Obfuscated is next to one of these entries. When something is obfuscated that means that it is being made difficult to perceive or understand. In Spyware terms that means the Spyware or Hijacker is hiding an entry it made by converting the values into some other form that it understands easily, but humans would have trouble recognizing, such as adding entries into the registry in Hexadecimal. This is just another method of hiding its presence and making it difficult to be removed.

If you do not recognize the web site that either R0 and R1 are pointing to, and you want to change it, then you can have HijackThis safely fix these, as they will not be detrimental to your Internet Explorer install. If you would like to see what sites they are, you can go to the site, and if it's a lot of popups and links, you can almost always delete it. It is important to note that if an RO/R1 points to a file, and you fix the entry with HijackThis, Hijackthis will not delete that particular file and you will have to do it manually.

There are certain R3 entries that end with a underscore ( _ ) . An example of what one would look like is:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

Notice the CLSID, the numbers between the { }, have a _ at the end of it and they may sometimes difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID , CFBFAE00-17A6-11D0-99CB-00C04FD64497, as it is the valid default one.

Unless you recognize the software being used as the UrlSearchHook, you should generally Google it and after doing some research, allow HijackThis to fix it

John2g

didn't write this...Bleeping Computer did.

The full article is here and many of you will find it useful and extremely well written in layman's terms, however, if you are going to quote it you should respect their copyright ;)

Welcome to the BleepingComputer.com Tutorial Center

HijackThis Tutorial
How to use HijackThis to remove Browser Hijackers & Spyware
»www.bleepingcomputer.com/forums/···orial=42

quote:
Created: 03/25/2004

This article is published and created for »www.bleepingcomputer.com, otherwise known as Bleeping Computer, and is covered by all copyright laws. All articles on this website are copyright � 2004 by Bleeping Computer, LLC. All right reserved. Use of these articles is limited to viewing and printing for personal use only. If you would like to use this material or portions of this material for other purposes you must receive explicit permission from Bleeping Computer before reprinting or redistributing this article in any medium.

Knowing the true author and how much work went into that tutorial, credit should be given where credit is due.

Bleeping Computers has done an excellent job with all their tutorials and they are frequently updated to stay current
»www.bleepingcomputer.com/forums/···utorials
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/]]> http://www.dslreports.com/forum/remark,10825527 Tue, 20 Jul 2004 08:21:09 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10824707 DSLfanpal : OK, This is my hijackthis log. Please advice. Will the Rx not showing up if I set my homepage to blank?

Logfile of HijackThis v1.98.0
Scan saved at 2:44:21 PM, on 20/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Babylon\Babylon.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Download\HijackThis.exe

O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPAL~1\FpLaunch.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Acronis�True�Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - »pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security.symantec.com/sscv6/Shar···absa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10FF0C2A-0D9B-4F6E-85D1-45FFFC93D055}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{10FF0C2A-0D9B-4F6E-85D1-45FFFC93D055}: NameServer = 202.188.0.133 202.188.1.5
O20 - AppInit_DLLs: apitrap.dll]]> http://www.dslreports.com/forum/remark,10824707 Tue, 20 Jul 2004 02:47:10 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10816585 Name Game : Now if you think you actually do have some of those and your hijack log should be displaying them..do me a favor and post the hijack log in your next post and let us take a look at it.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/remark,10816585 Mon, 19 Jul 2004 10:53:25 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10816583 John2g :

said by Name Game :

i under stood your question..and i think John2g did also. :)

I did.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,10816583 Mon, 19 Jul 2004 10:53:15 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10816556 Name Game :

said by DSLfanpal :
No, You misunderstood my question. I know what is R0 to R3. My question is why my scan result has no R1, R2 & R3 but the log starts from O1 onwards. A normal scan will consist log that starts from R1 or R0 onwards but mine is that R0 to R3 is missing from the log.

Hope your understand my question.

Please advice and thanks in advance.

i under stood your question..and i think John2g did also. :) Fact is I also do not have any R1, R2 & R3 or R0 in my log either..that is not odd..

I do have the O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

but I could also take that one out if I did not want the Mplayer in my browser.

I have no need for any of these...

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be

Do you ? ;)

Here are the rest of those two letter codes for General Info if anyone else reads this thread.

***************************

Two Letter Codes

After the running processes, the list of entries found by Hijack This begins. Each entry starts with a 2-letter code to say what it is. According to Hijack This' Info, heres what each code means:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols
O19 - User stylesheet hijack

--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,10816556 Mon, 19 Jul 2004 10:48:44 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10816221 Bubba : Did you by chance use the....Add check to ignorelist....function of HJT and forget ?

Also....as you may be aware....you hope NOT to have any R3 entries.]]> http://www.dslreports.com/forum/remark,10816221 Mon, 19 Jul 2004 09:58:15 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10815060 DSLfanpal : No, You misunderstood my question. I know what is R0 to R3. My question is why my scan result has no R1, R2 & R3 but the log starts from O1 onwards. A normal scan will consist log that starts from R1 or R0 onwards but mine is that R0 to R3 is missing from the log.

Hope your understand my question.

Please advice and thanks in advance.]]> http://www.dslreports.com/forum/remark,10815060 Mon, 19 Jul 2004 03:46:39 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10807582 seqrets : Excellent explanation John! ]]> http://www.dslreports.com/forum/remark,10807582 Sun, 18 Jul 2004 06:12:13 EDT Re: R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10807543 John2g : R0,R1,R2,R3 Sections

This section covers the Internet Explorer Start Page, Home Page, and Url Search Hooks.

R0 is for Internet Explorers starting page and search assistant.

R1 is for Internet Explorers Search functions and other characteristics.

R2 is not used currently.

R3 is for a Url Search Hook. An Url Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as » or »ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook listed in the R3 section to try to find the location you entered.

Some Registry Keys: HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant

Example Listing R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.google.com/

A common question is what does it mean when the word Obfuscated is next to one of these entries. When something is obfuscated that means that it is being made difficult to perceive or understand. In Spyware terms that means the Spyware or Hijacker is hiding an entry it made by converting the values into some other form that it understands easily, but humans would have trouble recognizing, such as adding entries into the registry in Hexadecimal. This is just another method of hiding its presence and making it difficult to be removed.

If you do not recognize the web site that either R0 and R1 are pointing to, and you want to change it, then you can have HijackThis safely fix these, as they will not be detrimental to your Internet Explorer install. If you would like to see what sites they are, you can go to the site, and if it's a lot of popups and links, you can almost always delete it. It is important to note that if an RO/R1 points to a file, and you fix the entry with HijackThis, Hijackthis will not delete that particular file and you will have to do it manually.

There are certain R3 entries that end with a underscore ( _ ) . An example of what one would look like is:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

Notice the CLSID, the numbers between the { }, have a _ at the end of it and they may sometimes difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID , CFBFAE00-17A6-11D0-99CB-00C04FD64497, as it is the valid default one.

Unless you recognize the software being used as the UrlSearchHook, you should generally Google it and after doing some research, allow HijackThis to fix it
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,10807543 Sun, 18 Jul 2004 05:42:42 EDT R1, R2, R3 not showing in hijackthis? http://www.dslreports.com/forum/remark,10807481 DSLfanpal : I run Hijackthis 1.98 and the scan result only shows O1 onwards but not R1, R2, R3.

Running MyIE2, WinXP

Please advice and thanks in advance.]]> http://www.dslreports.com/forum/remark,10807481 Sun, 18 Jul 2004 05:11:39 EDT