Problems with Active x

Ok that doesn't seem like it is related to spyware but here is my problem. I have a friends computer they were complaining they couldn't log into hotmail and some other sites.. I got a hold of this thing and it was riddled with spyware and virus's Norton antivirus was installed but broken. I installed and ran ad aware and spybot, then installed and ran avg free and have the machine somewhat cleaned up. there are still some rogue services and pop ups. I have tried many online scanners and I cant update the computer because I need to have active x running on IE. Here's the kicker, I have set and reset the settings in internet options several times. I also tried using the trend micro scan with firefox. Something on this darn thing is keeping active x from running and keeping me from making progress any suggestions?

 

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Alright, I don't have alot of detail on the tools... Howerver I was able to download and run all of the tools mentioned in the tutorial. I was unable to run any of the scans bc of the Active X problem. Most of the tools did not find anything... CC cleaner found quite a few invalid shortcuts. nothing real major though. the ad aware ad on did find a variant and I rebooted and re scanned and came up clean after that. Here is the log from Hijack this. I didn't note previously that this computer is still on service pack 1 I will be going back to the windows site to fight for a download while I wait for your reply.
Many thanks for the help.

 

Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report and a fresh HJT log.

 

ok here they are....

 

ok so I still can't get into her hotmail account because of the active x problem


Also I am getting an error, this is only in normal mode. Runtime Error
Microsoft visual C++ Runtime library
C:\program files\simtpage\forquery.exe
this application has requested the runtime to terminate it in an unusual way
Please contact the applications support team

that folder does not exist in the program files directory. also if I search for forquery I get a file with an IE icon that I can not delete.

 

OK, Ewido cleaned a lot off your system; however, you still have an unknown trojan on your system.

Download
- Pocket Killbox

Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


Now come back here and post all three logs as attachments and a fresh HJT log, you will need to do 2 posts to attach all 4 logs.

 

kill box downloaded

I can not run the Panda online scan bc of the direct x problem.

qoologic and Rk results attached here
btw when I ran qoologic i received the following error message, I just kept clicking ok and eventually got thru and recieved a log report.

 

Apologies, in haste I forgot the error message

C:\Windows\System32\cmd.exe
C:\Windows\System32\autoexec.nt The system file is not suitable for running ms-dos and microsoft windows applications Choose close to terminate the application.

Attatched is the hijack log

 

You posted the qoologic zip file not the qoologic log from the scan.

- download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

- Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it after booting in safe mode below.

From Add or Remove Programs in the Control Panel uninstall the following:

Next Scan with Hijackthis and fix the following:

Run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

- Run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disapear)

- When abiremover finishes DO NOT reboot into normal mode, continue with the below steps.

Open ExplorerXP navigate to and DELETE the following:

Now run CCleaner (installed while running the READ ME FIRST) and delete all the files in the C:\Windows\Prefetch folder.

Now reboot in normal mode and post a new HJT log.

 

I have a fix for that, will post it latter after we make sure everything else is working correctly.

 

Whew! alrighty I am back after the weekend...

I will post the correct qoologic file....

everything went fine, however I was unable to remove CasClient it was not in the AdRemove programs list.

Also after running abiremover, the files you wanted me to delete were also gone... there was a khkgcdd.ini file, I opened it up said something about majorgeeks downloads so I left it alone.


side note on the update thingy. I set windows udate to run daily which it has not. as when I was in add remove programs I notice the remove files for xpsp2. if you check the system info it says sp1. do you think some one could have hosed up the sp2 install. I was thinking of removing them and trying updates again.

 

You will want to delete Khkgcddd.ini and any other file with that name on your system.

If you didn't out this in the Internet Explorer Trusted Zone, remove it:

Have HJT fix the following:

Reboot into Safe Mode

{ADDED} Using Windows Explorer delete this Directory C:\Program Files\Cas.

Using Search in the Start Menu, search your HHD for Khkgcddd.* delete every file found.

Now run CCleaner and delete all the files in the C:\Windows\Prefetch folder.

Now reboot in normal mode and post a new HJT log.

 

no more khgcddd files... I checked on that net nucleus it is not in "trusted sites" there is actually nothing in Trusted sites. I had emptied it when I was first trying to figure out why I couldn't run any active x components. I did double check to make sure, I noticed it came back up in the hijackthis log.

 

Have HJT fix the following:

That should do it.

Post a new HJT log.

In Add or Remove Programs uninstall XPSP2. Run windows update and bring your system Up2Date.

 

k here is the updated hjt log. I will uninstall xps2 2 now figure that will take a while and i"m not so sure I will actually be able to do the updates. but hey, ya never know

 

OK, your log is clean. Are you still having issues with ActiveX?

This is the fix for autoexec.nt

Error message when you install or start an MS-DOS or 16-bit Windows-based program
​

Please print out these instructions so that you can operate with All Browser Windows CLOSED.
​

If you try to start or install an MS-DOS-based or a 16-bit Windows-based program on your Windows XP-based computer, you may receive an error message that is similar to one of the following:

16-bit MS-DOS Subsystem
path to the program that you are trying to start or install
C:\Winnt\System32\config.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

16-bit MS-DOS Subsystem
path to the program that you are trying to start or install
config.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

16-bit MS-DOS Subsystem
path to the program that you are trying to start or install
C:\Windows\System32\Autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

Although you may be prompted to quit the program or ignore the error message, either selection makes the program quit.

This issue may occur if one or more of the following files are missing or damaged:

• Config.nt
• Autoexec.nt
• Command.com

To resolve this issue:

1. Insert the CD into the CD drive or DVD drive.

2. Click Start, and then click Run.

3. In the Open box, type cmd, and then click OK.

4. At the command prompt, type the following commands, pressing ENTER after each command:

expand CD-ROM Drive Letter:\i386\config.nt_ c:\windows\system32\config.nt
expand CD-ROM Drive Letter:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt
expand CD-ROM Drive Letter:\i386\command.co_ c:\windows\system32\command.com
exit
​

5. Start or install the program. If the issue is resolved, do not complete the remaining steps. If the issue is not resolved, go to the next step.

6. Note: The Command.com file is not edited or created in the following process. Because of this, you may have to expand it from your Windows XP CD-ROM.

Start Notepad.

7. In Notepad, type the following entries:

dos=high, umb
device=%SYSTEMROOT%\system32\himem.sys
files=40
​

8. On the File menu, click Save As.

9. In the File Name box, type Config.nt, and then click Save. Close the Config.nt file.

10. On the File menu, click New.

11. In the new blank document, type the following entries:

@echo off
lh %SYSTEMROOT%\system32\mscdexnt.exe
lh %SYSTEMROOT%\system32\redir
lh %SYSTEMROOT%\system32\dosx
SET BLASTER=A220 I5 D1 P330 T3
​

12. On the File menu, click Save As.

13. In the File Name box, type Autoexec.nt, and then click Save. Close the Autoexec.nt file.

14. Start Windows Explorer. Locate the Config.nt file, right-click the Config.nt file, and then click Copy.

15. Right-click the %SYSTEMROOT%\System32 folder, and then click Paste.

16. Locate the Autoexec.nt file, right-click the Autoexec.nt file, and then click Copy.

17. Right-click the %SYSTEMROOT%\System32 folder, and then click Paste.

18. Locate the Command.com file, right-click the expanded Command.com file, and then click Copy.

19. Right-click the %SYSTEMROOT%\System32 folder, and then click Paste. Restart your computer.

If the issue continues to occur, copy the Autoexec.nt and Config.nt files from the Repair folder in Windows to the System folder. To do so, follow these steps:

1. Click Start, click Run, type c:\windows\repair, and then click OK.

2. Right-click autoexec.nt, and then click Copy.

3. Click Start, click Run, type c:\windows\system32, and then click OK.

4. Right-click anywhere in that folder, and then click Paste.

5. Right-click the Autoexect.nt file that you just copied, and then click Properties.

6. Click to select Read-Only, and then click OK.

7. Repeat steps 1 through 6 to copy the Config.nt file.

NOTE: You must ENABLE Read-Only Permissions or the files will be removed after you restart Windows.

 

Yes, I was thinking maybe there is a registry setting sticking it somewhere. I just opened the registry and there are some entries for softare that is questionable. like cas
HKEY_CURRENT_USER\Software\CAS
HKEY_LOCAL_MACHINE\SOFTWARE\AffiliateCreator\EBA61BB6-AA73-4F9D-946B-C722BEE0F153

obviously I don't want to go around randomyly obliterating reg settings, is there a web page somewhere i can use for reference.....

 

ok yeah so there are also entries for media gateway....

I think I found what I was looking for but I am way to afraid to touch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

Has hundreds of entries that all seem to have the same values is this normal?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-5eb9-11d5-9d45-009027c14662}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-8633-1405-0B53-2C8830E9FAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-CDDC-0704-0B53-2C8830E9FAEC}

Etc.....

LSS I am still stuck, I can not update the computer bc I can not run active x.

 

I would say those are safe to delete. export the keys before you delete them, that way you can merge them back into the registry if needed.

 

ActiveX Controls are not working

​

Please print out these instructions so that you can operate with All Browser Windows CLOSED.
​

Solution #1
·[font=&quot] [/font]Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly.
·[font=&quot] [/font]An ActiveX control on this page is not safe. Your current security settings prohibit running unsafe controls on this page. As a result, this page may not display as intended.

The problem can be resolved using the procedure listed below.

1. Select ‘Internet Options’ from ‘Tools’ menu.
2. Select ‘Security’ tab.
3. Select the "Add" button.
4. Select the "Default Level" button or select the "Custom Level" button to enable the items listed below.

·[font=&quot] [/font]Run ActiveX controls and plug-ins = Enable
·[font=&quot] [/font]Script ActiveX controls marked safe for scripting = Enable
·[font=&quot] [/font]File download = Enable
·[font=&quot] [/font]Active scripting = Enable
·[font=&quot] [/font]User Authentication | Logon = Automatic login with current username and password

“Download unsigned ActiveX controls”, select Prompt. Click OK.

Solution #2
To change Internet Explorer Security and Personal settings

1.Open Internet Explorer.
2.Click Tools > Internet Options.
3.On the Security tab, in the box at the top of the dialog box, click the Internet icon.
4.Under Security level for this zone, move the slider to Low. If you see a Warning dialog box, click Yes
5.Repeat steps 4-6 for the icons Local Intranet, Trusted sites, and Restricted sites.
6.On the Privacy tab, under Settings, move the slider to Accept All Cookies.
7.Click Apply and OK.

REBOOT

To restore the default settings for Internet Explorer Security and Personal settings

1.Open Internet Explorer.
2.Click Tools > Internet Options.
3.On the Security tab, in the box at the top of the dialog box, click the Internet icon.
4.Under Security level for this zone, click Default Level.
5.Repeat steps 4 and 5 for the icons Local Intranet, Trusted sites, and Restricted sites.
6.On the Privacy tab, under Settings, click Default.
7.Click Apply and OK.

Solution #3

1) Click Start, and then click Run
2) In the Open box, type cmd, and then click OK.
3) At the command prompt, type the following commands, pressing ENTER after each line:

Note: Click OK if you are prompted to do this.

regsvr32 /u softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll
regsvr32 /u slbcsp.dll
regsvr32 /u cryptdlg.dll
regsvr32 /u softpub.dll

4) Restart your computer!
5) Click Start, and then click Run
6) In the Open box, type cmd, and then click OK.
7) At the command prompt, type the following commands, pressing ENTER after each line:

Note: Click OK if you are prompted to do this.

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
regsvr32 softpub.dll

8) Exit, Reboot and see if problem remains.

Solution #4
Click Start, Run and type REGEDIT

Navigate to:

HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ Zones \ 0

In the right-pane, double-click the value 1200 and set it's value to 0

1200 corresponds to Run ActiveX controls and plug-ins setting

Repeat the same in this registry key:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ Zones \ 0

In the right-pane, double-click the value 1200 and set its value to 0

Close Registry Editor and restart Windows. The restrictions message should no longer be displayed. Note that some third-party security programs enable this restriction as a measure to protect the system from attacks.

 

I've done them all and Active X still isn't working. for the most part all of my settings were already set to what the directions said they were. I am suspect of as you mentioned a 3rd party software, would that create a seperate reg entry? Like norton.... or some other hoo ha firewall type deal. Again there was something on here but it was one of the first things I uninstalled when cleaning. Ps. also uninstalled norton and Avg after I cleaned off the virus'

 

Yes Norton can block the running of ActiveX controls. What version of Norton did you have installed?

Also you may want to post in the Software Forum and Reference this thread. You'll get expert help there. This is more a software issue now, your system appears to be malware free.

Make sure you install a Firewall and Antivirus

How to Protect yourself from malware!

 

ok cool I appreciate all of your help. Yes it is norton antivirus 2003. When I got this thing you couldn't launch norton so I unistalled it. I belive it is when i first tried to re-install norton is when I noticed active x wasn't running.

Many thanks as I wouldn't be at this point without you, wish me luck

 

I'll keep an eye on the other thread.