Advice for suspicious activeX?

Hi

Yes please do the R&RMF and attach the logs.

 

No it is not really a problem. Yes you will see many people removing it just due to the name and the fact that it is referred to as downloader. It is from http://www.otxresearch.com/ which is a marketing research company. You can simply fix any 016 lines in HJT logs anyway since it does not cause any problems if you do. The active x controls will just get downloaded again if the the site gets used again. Obviously you would not want to remove active x files for things that you use since you would have to waste time downloading them again.

According to your logs, My Way Search Assistant is not installed anymore.

You don't appear to have any active malware; however, you do need to delete the below files:

C:\Documents and Settings\Tova\Local Settings\Temp\0fa7iuoh.exe
C:\Documents and Settings\Tova\Local Settings\Temp\61vq6p2u.exe
C:\Documents and Settings\Tova\Local Settings\Temp\8pv9puzu.exe
C:\Documents and Settings\Tova\Local Settings\Temp\AUInst.log
C:\Documents and Settings\Tova\Local Settings\Temp\IMT59.xml
C:\Documents and Settings\Tova\Local Settings\Temp\IMT5A.xml
C:\Documents and Settings\Tova\Local Settings\Temp\IMT5B.xml
C:\Documents and Settings\Tova\Local Settings\Temp\IMT60.xml
C:\Documents and Settings\Tova\Local Settings\Temp\IMT61.xml
C:\Documents and Settings\Tova\Local Settings\Temp\IMT62.xml
C:\Documents and Settings\Tova\Local Settings\Temp\ju26klgo.exe
C:\Documents and Settings\Tova\Local Settings\Temp\l001yeps.exe
C:\Documents and Settings\Tova\Local Settings\Temp\lcdqmjrn.exe
C:\Documents and Settings\Tova\Local Settings\Temp\mjfhbwqr.exe
C:\Documents and Settings\Tova\Local Settings\Temp\pcf28.tmp
C:\Documents and Settings\Tova\Local Settings\Temp\pycj5pyx.exe
C:\Documents and Settings\Tova\Local Settings\Temp\REGSCRIPT.REG
C:\Documents and Settings\Tova\Local Settings\Temp\_tf2C.tmp


Let me know if you have problems deleting any of these.

 

Don't worry about them. They are likely for something you run. The main worries were the randomly named EXE files.



If you are not having any other malware problems, it is time to do our final steps:

2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. If we had you run Avenger, you can delete all files related to Avenger now.
4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
5. If you are running Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
6. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

It may be a issue due to renaming ComboFix.exe to cf.exe but we need to do this because some new malware blocks combofix.exe from being run. Just delete the cf folder.

 

You're welcome. Surf safely!