
how-to block ads
DSLfanpal
join:2002-08-15 Good Country

R1, R2, R3 not showing in hijackthis?
I run HijackThis 1.98 and the scan result only shows O1 onwards but not R1, R2, R3.
Running MyIE2, WinXP
Please advise, and thanks in advance.

John2g  Qui Tacet Consentit  Premium  join:2001-08-10 England
R0,R1,R2,R3 Sections
This section covers the Internet Explorer Start Page, Home Page, and URL Search Hooks.
R0 is for Internet Explorer's starting page and search assistant.
R1 is for Internet Explorer's Search functions and other characteristics.
R2 is not used currently.
R3 is for a URL Search Hook. A URL Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the URLSearchHook listed in the R3 section to try to find the location you entered.
Some Registry Keys:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Example Listing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
A common question is what it means when the word Obfuscated is next to one of these entries. When something is obfuscated, that means that it is being made difficult to perceive or understand. In Spyware terms that means the Spyware or Hijacker is hiding an entry it made by converting the values into some other form that it understands easily, but humans would have trouble recognizing, such as adding entries into the registry in Hexadecimal. This is just another method of hiding its presence and making it difficult to be removed.
If you do not recognize the web site that either R0 or R1 is pointing to, and you want to change it, then you can have HijackThis safely fix these, as they will not be detrimental to your Internet Explorer install. If you would like to see what sites they are, you can go to the site, and if it's a lot of popups and links, you can almost always delete it. It is important to note that if an R0/R1 points to a file, and you fix the entry with HijackThis, HijackThis will not delete that particular file and you will have to do it manually.
There are certain R3 entries that end with an underscore ( _ ). An example of what one would look like is:
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
Notice the CLSID, the numbers between the { }, has a _ at the end of it, and these may sometimes be difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID CFBFAE00-17A6-11D0-99CB-00C04FD64497, as it is the valid default one.
Unless you recognize the software being used as the URLSearchHook, you should generally Google it and, after doing some research, allow HijackThis to fix it.
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.

seqrets  Premium  join:2001-05-03 Nederland, TX
Excellent explanation John!

DSLfanpal
join:2002-08-15 Good Country
reply to DSLfanpal
No, you misunderstood my question. I know what R0 to R3 are. My question is why my scan result has no R1, R2 & R3 but the log starts from O1 onwards. A normal scan will consist of a log that starts from R1 or R0 onwards, but in mine R0 to R3 are missing from the log.
Hope you understand my question.
Please advise, and thanks in advance.

Bubba  GIT-R-DONE  Premium,MVM  join:2002-08-19 Around, Us
reply to DSLfanpal
Did you by chance use the....Add check to ignorelist....function of HJT and forget?
Also....as you may be aware....you hope NOT to have any R3 entries.

Name Game  Premium  join:2002-07-07 North Myrtle Beach, SC
reply to DSLfanpal
said by DSLfanpal :
No, you misunderstood my question. I know what R0 to R3 are. My question is why my scan result has no R1, R2 & R3 but the log starts from O1 onwards. A normal scan will consist of a log that starts from R1 or R0 onwards, but in mine R0 to R3 are missing from the log.
Hope you understand my question.
Please advise, and thanks in advance.
I understood your question..and I think John2g did also. Fact is I also do not have any R1, R2 & R3 or R0 in my log either..that is not odd..
I do have the O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
but I could also take that one out if I did not want the Mplayer in my browser.
I have no need for any of these...
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
Do you?
Here are the rest of those two letter codes for General Info if anyone else reads this thread.
***************************
Two Letter Codes
After the running processes, the list of entries found by Hijack This begins. Each entry starts with a 2-letter code to say what it is. According to Hijack This' Info, here's what each code means:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols
O19 - User stylesheet hijack
-- Gladiator Security Forum www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/

John2g  Qui Tacet Consentit  Premium  join:2001-08-10 England
said by Name Game :
I understood your question..and I think John2g did also.
I did.
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.

Name Game  Premium  join:2002-07-07 North Myrtle Beach, SC
1 edit | reply to DSLfanpal
Now if you think you actually do have some of those and your hijack log should be displaying them..do me a favor and post the hijack log in your next post and let us take a look at it.
-- Gladiator Security Forum www.gladiator-antivirus.com/ Missing Kids www.missingkids.com/

DSLfanpal
join:2002-08-15 Good Country
reply to DSLfanpal
OK, this is my HijackThis log. Please advise. Will the Rx not show up if I set my homepage to blank?
Logfile of HijackThis v1.98.0
Scan saved at 2:44:21 PM, on 20/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Babylon\Babylon.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Download\HijackThis.exe

O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPAL~1\FpLaunch.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - security.symantec.com/sscv6/Shar···absa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10FF0C2A-0D9B-4F6E-85D1-45FFFC93D055}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{10FF0C2A-0D9B-4F6E-85D1-45FFFC93D055}: NameServer = 202.188.0.133 202.188.1.5
O20 - AppInit_DLLs: apitrap.dll

CalamityJane  Premium,VIP,MVM  join:2002-08-27 Eustis, FL
reply to John2g
said by John2g :
R0,R1,R2,R3 Sections
John2g didn't write this...Bleeping Computer did.
The full article is here and many of you will find it useful and extremely well written in layman's terms; however, if you are going to quote it you should respect their copyright.
Welcome to the BleepingComputer.com Tutorial Center
HijackThis Tutorial: How to use HijackThis to remove Browser Hijackers & Spyware www.bleepingcomputer.com/forums/···orial=42
quote: Created: 03/25/2004
This article is published and created for www.bleepingcomputer.com, otherwise known as Bleeping Computer, and is covered by all copyright laws. All articles on this website are copyright © 2004 by Bleeping Computer, LLC. All right reserved. Use of these articles is limited to viewing and printing for personal use only. If you would like to use this material or portions of this material for other purposes you must receive explicit permission from Bleeping Computer before reprinting or redistributing this article in any medium.
Knowing the true author and how much work went into that tutorial, credit should be given where credit is due.
Bleeping Computer has done an excellent job with all their tutorials and they are frequently updated to stay current www.bleepingcomputer.com/forums/···utorials
-- It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) www.a-sap.org/
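The R-section explanation and the two-letter code list quoted earlier in this thread describe the layout of a HijackThis log: one entry per line, each prefixed with a code such as R0 or O4. As an added example (not part of this thread, and not code from HijackThis or Bleeping Computer), the Python below parses a log into its codes, reports which R sections are absent (which, as the thread concludes, is normal when nothing has been changed), classifies R3 URLSearchHook entries by CLSID, and counts entries that point at "(no file)". The function names, the hypothetical classification labels, and the sample log are assumptions of the example; the sample mixes lines from the log posted above with three constructed R3 lines so that every branch runs.

```python
import re
from collections import defaultdict

# One HijackThis entry per line: a letter-plus-number code, " - ", then the detail.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# A {CLSID}, with the optional trailing underscore the tutorial says HijackThis may not fix.
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}(_?)")

# The URLSearchHook CLSID the quoted tutorial describes as the valid default.
DEFAULT_SEARCH_HOOK = "CFBFAE00-17A6-11D0-99CB-00C04FD64497"
R_CODES = ("R0", "R1", "R2", "R3")


def parse_log(text):
    """Group the log into {code: [detail, ...]} in file order; header and process lines are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)


def missing_r_sections(entries):
    """R codes that do not occur in the log at all (HijackThis lists only changed values)."""
    return [code for code in R_CODES if code not in entries]


def review_search_hooks(entries):
    """Classify every R3 URLSearchHook entry by its CLSID (labels are this example's own)."""
    findings = []
    for detail in entries.get("R3", []):
        m = CLSID_RE.search(detail)
        if m is None:
            findings.append(("unparsed", detail))
            continue
        clsid, underscore = m.group(1).upper(), m.group(2)
        if underscore:
            # Trailing "_" variant: the tutorial says to delete it by hand under
            # HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks.
            findings.append(("manual-removal", clsid))
        elif clsid == DEFAULT_SEARCH_HOOK:
            findings.append(("default", clsid))
        else:
            findings.append(("research-first", clsid))
    return findings


def orphaned_entries(entries):
    """Entries whose target reads '(no file)': a registration left behind by a removed component."""
    return [(code, d) for code, details in entries.items() for d in details if "(no file)" in d]


def summarize(text):
    """One-shot report over a whole log."""
    entries = parse_log(text)
    return {
        "codes": sorted(entries),
        "missing_r": missing_r_sections(entries),
        "search_hooks": review_search_hooks(entries),
        "orphans": len(orphaned_entries(entries)),
    }


# Constructed sample: lines taken from the log posted in this thread, plus a made-up R0 line
# and three made-up R3 lines (underscore variant, default CLSID, unknown CLSID).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0 Scan saved at 2:44:21 PM, on 20/7/2004
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {11111111-2222-3333-4444-555555555555} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{10FF0C2A-0D9B-4F6E-85D1-45FFFC93D055}: NameServer = 202.188.0.133 202.188.1.5
O20 - AppInit_DLLs: apitrap.dll
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the poster's real log, the parser reports R0 through R3 all missing and no R3 hooks at all, which is the "nothing changed" case the replies describe; the "(no file)" count is where a reviewer would start looking for leftover toolbar and button registrations.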