R1, R2, R3 not showing in hijackthis?
John2g
Qui Tacet Consentit
join:2001-08-10
England

reply to DSLfanpal
Re: R1, R2, R3 not showing in hijackthis?

R0,R1,R2,R3 Sections

This section covers the Internet Explorer Start Page, Home Page, and Url Search Hooks.

R0 is for Internet Explorer's starting page and search assistant.

R1 is for Internet Explorer's Search functions and other characteristics.

R2 is not used currently.

R3 is for a URL Search Hook. A URL Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook listed in the R3 section to try to find the location you entered.

Some Registry Keys:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant

Example Listing R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

A common question is what it means when the word Obfuscated appears next to one of these entries. When something is obfuscated, it is being made difficult to perceive or understand. In Spyware terms, that means the Spyware or Hijacker is hiding an entry it made by converting the values into some other form that it understands easily but humans would have trouble recognizing, such as adding entries into the registry in Hexadecimal. This is just another method of hiding its presence and making it difficult to remove.

If you do not recognize the web site that either R0 or R1 is pointing to, and you want to change it, then you can have HijackThis safely fix these, as they will not be detrimental to your Internet Explorer install. If you would like to see what sites they are, you can go to the site, and if it's a lot of popups and links, you can almost always delete it. It is important to note that if an R0/R1 points to a file, and you fix the entry with HijackThis, HijackThis will not delete that particular file and you will have to do it manually.

There are certain R3 entries that end with an underscore (_). An example of what one would look like is:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

Notice that the CLSID, the numbers between the { }, has a _ at the end of it; these can sometimes be difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID CFBFAE00-17A6-11D0-99CB-00C04FD64497 alone, as it is the valid default one.

Unless you recognize the software being used as the UrlSearchHook, you should generally Google it and, after doing some research, allow HijackThis to fix it.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.
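As an added example (my own code, not from the post above, from HijackThis or from BleepingComputer), here is a small Python triage script that parses R0/R1/R3 log lines in the format shown in the post and applies its rules: recognized home/search page host -> keep, anything else -> fix, a value that is a local file -> fix but remind you to delete the file, the default URLSearchHook CLSID -> keep, a CLSID with a trailing underscore -> delete the value by hand under HKCU\...\URLSearchHooks, any other hook -> research first. The log lines in SAMPLE_LOG are constructed, the " (obfuscated)" suffix format and the allowlist of hosts are assumptions, and the two winreg helpers (audit_live_hooks, remove_hook) only work on Windows.

```python
"""Triage HijackThis R0/R1/R3 log lines with the rules laid out in the post above.

Added example, not code from the original post, from HijackThis or from
BleepingComputer. SAMPLE_LOG is constructed; the " (obfuscated)" suffix format
and the allowlist of hosts are assumptions; the default CLSID is the one the post names.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_HOOK_CLSID = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
HOOKS_SUBKEY = r"Software\Microsoft\Internet Explorer\URLSearchHooks"  # lives under HKCU

# R0/R1:  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R01_RE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?),(?P<val>.+?) = (?P<data>.*)$")
# R3:     R3 - URLSearchHook: (no name) - {CLSID}_ - (no file)
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}_?) - (?P<file>.*)$")
OBFUSCATED_RE = re.compile(r"\s*\(obfuscated\)\s*$", re.IGNORECASE)  # assumed HJT marker format

SAMPLE_LOG = [  # constructed log lines, not from a real machine
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/q? (obfuscated)",
    "R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    "R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)",
    r"R3 - URLSearchHook: Example Toolbar - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\toolbar.dll",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\hijacked.htm",
    r"O4 - HKLM\..\Run: [ignored] not an R entry, skipped by the parser",
]


@dataclass
class Finding:
    line: str
    verdict: str  # keep | fix | manual | research
    reason: str


def triage_r01(m: re.Match, allowed_hosts: set) -> Finding:
    """Start/Search page values: recognized host -> keep, anything else -> fix."""
    data, obfuscated = OBFUSCATED_RE.sub("", m["data"]), bool(OBFUSCATED_RE.search(m["data"]))
    if re.match(r"^[A-Za-z]:\\|^\\\\", data):
        # HijackThis resets the registry value but leaves the file on disk.
        return Finding(m.string, "fix", f"{m['val']} points to local file {data}; delete that file by hand after fixing")
    if data.lower() == "about:blank":
        return Finding(m.string, "keep", f"{m['val']} is about:blank")
    host = urlsplit(data if "://" in data else "http://" + data).hostname or data
    if obfuscated:
        return Finding(m.string, "fix", f"{m['val']} is stored obfuscated and points at {host}")
    if host in allowed_hosts:
        return Finding(m.string, "keep", f"{m['val']} -> {host} is a recognized site")
    return Finding(m.string, "fix", f"{m['val']} -> {host} is not a recognized site")


def triage_hook(clsid: str, file: str = "", line: str = "") -> Finding:
    """URLSearchHook CLSIDs: default -> keep; trailing '_' -> delete by hand; else research."""
    if clsid == DEFAULT_HOOK_CLSID:
        return Finding(line, "keep", "default Microsoft URLSearchHook, leave it in place")
    if clsid.endswith("_"):
        return Finding(line, "manual", f"CLSID ends in '_'; delete value {clsid} under HKCU\\{HOOKS_SUBKEY} yourself")
    detail = "no DLL on disk" if file.strip() == "(no file)" else (f"implemented by {file}" if file else "DLL not resolved")
    return Finding(line, "research", f"non-default hook {clsid} ({detail}); look it up, then let HijackThis fix it")


def triage_log(lines, allowed_hosts: set) -> list:
    """Parse R0/R1/R3 lines and ignore every other HijackThis section."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := R01_RE.match(line):
            findings.append(triage_r01(m, allowed_hosts))
        elif m := R3_RE.match(line):
            findings.append(triage_hook(m["clsid"], m["file"], line))
    return findings


def audit_live_hooks() -> list:
    """Windows only (assumes winreg): triage every CLSID value under HKCU\\...\\URLSearchHooks."""
    import winreg
    findings, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HOOKS_SUBKEY) as key:
        while True:
            try:
                name, _data, _kind = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return findings
            findings.append(triage_hook(name, line=f"HKCU\\{HOOKS_SUBKEY}\\{name}"))
            i += 1


def remove_hook(clsid: str) -> None:
    """The manual fix from the post: delete one hook value, refusing to touch the default CLSID."""
    if clsid == DEFAULT_HOOK_CLSID:
        raise ValueError("refusing to delete the default URLSearchHook")
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HOOKS_SUBKEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, clsid)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, {"www.google.com"}):
        print(f"[{f.verdict:8}] {f.reason}")
```

Run it as-is to see the six verdicts for the constructed log; on a Windows box, audit_live_hooks() applies the same rules to the real URLSearchHooks key, and remove_hook("{...}_") performs the manual deletion the post describes while refusing the default CLSID.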


seqrets
join:2001-05-03
Nederland, TX
Excellent explanation John!


CalamityJane
join:2002-08-27
Eustis, FL

reply to John2g
said by John2g:
R0,R1,R2,R3 Sections

This section covers the Internet Explorer Start Page, Home Page, and Url Search Hooks.

R0 is for Internet Explorer's starting page and search assistant.

R1 is for Internet Explorer's Search functions and other characteristics.

R2 is not used currently.

R3 is for a URL Search Hook. A URL Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook listed in the R3 section to try to find the location you entered.

Some Registry Keys:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant

Example Listing R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

A common question is what it means when the word Obfuscated appears next to one of these entries. When something is obfuscated, it is being made difficult to perceive or understand. In Spyware terms, that means the Spyware or Hijacker is hiding an entry it made by converting the values into some other form that it understands easily but humans would have trouble recognizing, such as adding entries into the registry in Hexadecimal. This is just another method of hiding its presence and making it difficult to remove.

If you do not recognize the web site that either R0 or R1 is pointing to, and you want to change it, then you can have HijackThis safely fix these, as they will not be detrimental to your Internet Explorer install. If you would like to see what sites they are, you can go to the site, and if it's a lot of popups and links, you can almost always delete it. It is important to note that if an R0/R1 points to a file, and you fix the entry with HijackThis, HijackThis will not delete that particular file and you will have to do it manually.

There are certain R3 entries that end with an underscore (_). An example of what one would look like is:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

Notice that the CLSID, the numbers between the { }, has a _ at the end of it; these can sometimes be difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID CFBFAE00-17A6-11D0-99CB-00C04FD64497 alone, as it is the valid default one.

Unless you recognize the software being used as the UrlSearchHook, you should generally Google it and, after doing some research, allow HijackThis to fix it.

John2g didn't write this... Bleeping Computer did.

The full article is here, and many of you will find it useful and extremely well written in layman's terms; however, if you are going to quote it you should respect their copyright.


Welcome to the BleepingComputer.com Tutorial Center

HijackThis Tutorial
How to use HijackThis to remove Browser Hijackers & Spyware

www.bleepingcomputer.com/forums/···orial=42

quote:
Created: 03/25/2004

This article is published and created for www.bleepingcomputer.com, otherwise known as Bleeping Computer, and is covered by all copyright laws. All articles on this website are copyright © 2004 by Bleeping Computer, LLC. All rights reserved. Use of these articles is limited to viewing and printing for personal use only. If you would like to use this material or portions of this material for other purposes you must receive explicit permission from Bleeping Computer before reprinting or redistributing this article in any medium.
Knowing the true author and how much work went into that tutorial, credit should be given where credit is due.

Bleeping Computer has done an excellent job with all their tutorials, and they are frequently updated to stay current.
www.bleepingcomputer.com/forums/···utorials
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) www.a-sap.org/
© 1999-2009 dslreports.com.