Attempted Registry Change

Frank C

New member
Hi:
Is there a way to determine the source of an attempted registry change?
I blocked this attempt because I was not doing any program changes or updates at the time that it occurred.

2/17/2006 9:00:11 AM Denied value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!

My browsers are I.E. and Firefox.

Thanks
Frank C
 
You cannot tell specifically what "the source of an attempted registry change" is, but from the message you can derive what the change is.

According to this message a toolbar (GUID "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}") was being removed (new data: "") and the change was denied:
  • 2/17/2006 9:00:11 AM Denied value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
According to Castlecops that is a legitimate Toolbar:
 
Hello Frank C.
Could we see a log please.
  • Open SpyBot, check for and get any updates available.
  • Close all browsers, check for problems and fix everything found in red
  • Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
  • Uncheck[ ] do not report disabled or known legitimate Items.
  • uncheck[ ] Include a list of services in report.
  • Uncheck[ ] Include uninstall list in report.
  • Now select (near the top) view report.
  • Press export; in the "save in" box choose a place such as your My Documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.
 
As Instructed

Hi Tashi:
Updated detection rules and English help
Scan - No immediate threats were found.
Log as specified exceeded limits
SpybotSD.Report.txt:
Your file of 122.7 KB bytes exceeds the forum's limit of 39.1 KB for this filetype.
Can I cut it down? How?
Frank
 
Frank C:

Did you?
tashi said:
  • uncheck[ ] Include a list of services in report.
  • Uncheck[ ] Include uninstall list in report.
This greatly reduces the size of the report.

If the report is still too large, copy and paste it to a new post (or multiple posts if required).
 
Bottom Line

Hi:
Yes, my Windows XP is at SP2.
All security hot fixes through February are current.
Bottom line: Is Deep dive malware?
Thanks Frank
 
Two quick observations I made after reading these threads

1.
I noticed after installing SpyBot S&D ver 1.4 and TeaTimer that if I went into my Windows Explorer ("window key" + E on this Win2000 pc) and then hit F3 to search for a file, I would get the warning message about a User-specific browser toolbar value being added. If I denied the change, this would happen each time I would redo a similar search. If I allowed the change, the error message would not appear again until I tried changing the physical size of the search window. If I allowed THAT change, the warning messages would pretty much disappear unless I later tried changing the Explorer Bar view (View, Explorer Bar, then change to History and then back to Folders).
The key value in question is as follows:
{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
And when I did the window-size change, it was:
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

I'm just bringing this to your attention after reading this post in case it might shed more light on this issue. (Maybe Frank C was doing a windows file search or something in the midst of his web browsing?) Do you think SpyBot needs any "tweaking" before the next release to ignore this particular registry item? (Yet if it stays as it is, that's fine, too -- I just have to remember to "allow" my own initiated local file searches so warnings don't keep popping up. But having more warnings as opposed to too few warnings is better. :) )

Also, before the next SpyBot release:
2. Do you know how you can hit the "window key" (to the left of the Alt key that is to the left of the spacebar) on your keyboard to bring up the Start button list and then hit the "P" key to display the installed programs and then hit the first letter of the application you want to start? Even though "Spybot - Search & Destroy" is listed, I can't "get" to it with the "S" key -- I have to use the mouse or the up or down arrow keys. Weird, huh? (This is the case in Win2k and WinXP -- WinNT seems unaffected.) Please advise if this can be remedied in the next release. I believe the ampersand (&) in the name of a folder or shortcut in the (All Users) Programs folder somehow directs Win2k and WinXP to use the very next character following the ampersand as the keyboard key to be searched on, and since there is a space after the ampersand in this case (and the spacebar doesn't work in selecting an item), typing "S" doesn't go to that program. Quick fix: Change the folder name the program creates for itself as it sets itself up to use the word "and" instead of the "&" character!

Otherwise, it's a GREAT program! Nice work!

Thanks, and have a great day! :bigthumb:
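Added example (not part of any post in this thread and not Spybot's own code): a small parser for the TeaTimer message format quoted above. It groups prompts by category and value so that a value which keeps being denied and re-prompted, as described in the last post, stands out. The "Allowed" wording, the US-style date format and all sample lines after the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape taken from the "Denied value" message quoted in this thread.
# Assumptions: allowed changes are logged as "Allowed", dates are m/d/yyyy.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Denied|Allowed) value "(?P<value>[^"]*)" '
    r'\(new data: "(?P<data>.*)"\) (?P<action>\w+) in (?P<category>.+?)!?$'
)

# Constructed sample: the first line is the one quoted in the thread; the rest
# are made up around the two GUIDs reported in the last post.
SAMPLE_LOG = '''\
2/17/2006 9:00:11 AM Denied value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
2/20/2006 10:15:02 AM Denied value "{EFA24E64-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
2/20/2006 10:16:40 AM Denied value "{efa24e64-b078-11d0-89e4-00c04fc9e26e}" (new data: "") added in User-specific browser toolbar!
2/20/2006 10:18:05 AM Allowed value "{EFA24E64-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
2/20/2006 10:21:33 AM Allowed value "{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}" (new data: "") added in User-specific browser toolbar!
this line is not a TeaTimer entry
'''

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["value"] = rec["value"].upper()  # GUID text is case-insensitive
    return rec

def summarize(log_text):
    """Count Denied/Allowed per (category, value); also count unparsed lines."""
    summary = defaultdict(lambda: {"Denied": 0, "Allowed": 0})
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        summary[(rec["category"], rec["value"])][rec["decision"]] += 1
    return dict(summary), skipped

def repeated_denials(summary, threshold=2):
    """Values denied at least `threshold` times, i.e. prompts that keep recurring."""
    return sorted(v for (_, v), s in summary.items() if s["Denied"] >= threshold)
```

Grouping on the full GUID string keeps the ...62 value from the first post and the ...64 value from the last post as separate entries; they differ by one digit.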
 