xp update frustrations..please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by mjmeyer05, Oct 12, 2005.

  1. mjmeyer05

    mjmeyer05 Private E-2

    I've been cleaning up a PC for a friend, and I ran into a problem that's got me a little frustrated. I can't get the ActiveX security settings to allow me to view web pages properly. It doesn't matter what they are set at. So I thought that updating Windows XP to SP2 would help, but I need the ActiveX component to download Windows Update. Is there a way to fix the ActiveX component first so that I can update everything else?
     
  2. Turcoloco

    Turcoloco MajorGeek

    What happened exactly? Also, the ActiveX problem could be one thing and the problem of not accessing Windows Update could be another.

    For the Windows Update issue if you are getting any error message (on your system or in the browser) let us know.

    For now you could try deleting everything in:
    \Documents and Settings\username\Local Settings\Temporary Internet Files folder.
    Afterwards, browse to: \WINDOWS\Downloaded Program Files folder and delete the WUWebControl Class ActiveX component and any other that might appear related.
    Then try updating Windows again to see if it helped.

    If that doesn't help, please give more detailed info on the problem including all error messages (if any).

    ~TL :cool:
     
  3. mjmeyer05

    mjmeyer05 Private E-2

    OK, I tried looking for WUWebControl Class; it's not there. Here's the whole story on this computer: it was/is severely infected with adware and spyware, and I'm trying to remove it all and get it back in good shape. I installed anti-virus and did an update and a full scan; that program alone has already removed something like 200 items that are potentially infected or dangerous. I'm still getting a lot of pop-ups and adware, so through a Google search I found this site and the tutorial on removing spyware and adware. I started following the steps and got all the tools downloaded. I went to do the online scans and I get the message "your security settings prohibit running activex controls on this page". So I adjusted the ActiveX settings in Internet Tools and I still get the same error. Then I thought if I did a Windows Update and installed XP's SP2, I should get the updates to ActiveX that I need, but I need to have the ActiveX problem resolved in order to do a Windows Update. That's pretty much where I'm at right now. Any advice would be greatly appreciated.
     
  4. mjmeyer05

    mjmeyer05 Private E-2

    I was getting anxious so I skipped the online scanning tools and dove right in with other tools I downloaded (CCleaner, Ad-Aware, Spybot, MS AntiSpyware, and HijackThis). It went pretty well, and I think the system is clean as far as I can tell. If someone could look at my HijackThis log and double-check me I'd appreciate that too!

    Logfile of HijackThis v1.99.1
    Scan saved at 9:44:03 PM, on 10/12/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe
    C:\Program Files\Defender Pro LLC\Defender Pro Firewall\KAVPF.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\spywaretools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.shopnav.com/sidesearch.cgi?uid=88891625&id=5.20013
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ocadmny5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ocadmny5.slt\prefs.js)
    O1 - Hosts: ns the mappings of ip addresses to host names. each
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Owner\LOCALS~1\Temp\27.exe\27.exe"
    O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
    O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
    O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe
    O4 - Global Startup: Defender Pro Firewall.lnk = ?
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

    Now to tackle that pesky ActiveX problem and get Windows updated. :D
     
  5. Turcoloco

    Turcoloco MajorGeek

    Hello again MJ,

    You can forget about your ActiveX and Windows Update problem because you have some real bad malware on your system!

    Without going into the minor entries that need fixing, I will simply point out the real baddies I could identify:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php << Elite bar Trojan!
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.shopnav.com/sidese...1625&id=5.20013

    O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Owner\LOCALS~1\Temp\27.exe\27.exe"
    O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe <<< a really bad and pesky MALWARE! (The special .dll file it uses is commonly known to make the etb folder under C:\Windows invisible, even in Safe Mode and at the command prompt! Using the Windows XP Recovery Console to delete it would be the most solid method if that is indeed the case.)
    O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe <<< another TROJAN!


    ~ These are other suspicious entries that should be fixed:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O1 - Hosts: ns the mappings of ip addresses to host names. each << do you have any idea about this entry?

    You should never try to install Windows updates or service packs when the system is currently infected! Furthermore, stop the Windows Update and System Restore services for now.

    You will need additional cleanup and registry startup control utilities. I recommend the following free ones and what you could use them for:

    System Utilities:
    The freeware StartupControlPanel allows you to disable, delete and even undelete, programs configured to startup along with Windows.
    The freeware CCleaner helps remove old, junk and temp files / folders that clutter your system.
    The freeware ToolbarCop is helpful in analyzing Browser Helper Objects, ActiveX, IE plug-ins. With this tool, you could disable and/or delete unneeded or malicious ones.

    For the rest you could use HijackThis, but the pokapoka is the real baddie that you need to get rid of using the Recovery Console to delete the C:\Windows\etb folder!

    Ok, since I am not an approved Spyware specialist on this site, I will notify those who should be able to move your thread and help you further on this, ok?

    Good Luck,

    ~TL :cool:
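The post above triages the HijackThis log by eye: Run entries launched from a Temp folder, a "System service" name pointing outside System32, and IE search settings redirected to an unknown host. The following is an added example (not part of this thread and not HijackThis's own code) that applies those same checks mechanically to log lines in the v1.99 format. The sample lines are constructed for the example and modelled on the entries quoted in the thread; the set of "trusted" search hosts and the heuristics themselves are assumptions for illustration, so the output is a list of entries worth a closer look, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 log format, modelled on the kinds of
# entries discussed in this thread. These lines are illustrative, not a real scan.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Owner\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R3 - Default URLSearchHook is missing
"""

# O4 = registry Run entry: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<value>.*)$")
# R0/R1 = Internet Explorer start page / search settings: "R1 - <key>,<setting> = <url>"
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<setting>[^=]+)= (?P<url>\S+)$")

# Hosts considered normal for IE search/start-page settings (an assumption for this example).
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")


def command_path(value):
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def host_is_trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SEARCH_HOSTS)


def triage_line(line):
    """Return the reasons a single log line deserves a closer look (empty if none)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        path = command_path(m.group("value"))
        low = path.lower()
        if "\\temp\\" in low:
            reasons.append("startup entry runs from a temporary directory")
        if re.search(r"\.exe\\", low):
            reasons.append("a folder in the path is named like an executable")
        if m.group("name").lower().startswith("system service") and "\\system32\\" not in low:
            reasons.append("generic 'System service' name but binary is outside System32")
        return reasons
    m = R_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname
        if not host_is_trusted(host):
            reasons.append("IE %s points at unrecognised host %s" % (m.group("setting").strip(), host))
        return reasons
    if line.startswith("R3 - ") and line.endswith("is missing"):
        reasons.append("default URLSearchHook entry is missing")
    return reasons


def triage_log(text):
    """Run triage_line over a whole log; return (line, reasons) pairs for flagged lines only."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Note what the heuristics do not catch: the `[sf] C:\Program Files\sf\sf.exe` entry passes every rule here, and it was only identified in the thread from knowledge of that particular family. A script like this is a first pass to surface the obvious oddities in a long log; the remaining entries still need a human who knows the system's software.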
     
  6. mjmeyer05

    mjmeyer05 Private E-2

    Thanks for all the helpful info. I'm finding that those pokapokas are indeed a pain to get rid of. I went looking for the etb folder, and couldn't find it; now I know... it's invisible. I'll look at the Recovery Console and see what I can do with it. I did run CCleaner a number of times; I wonder why it didn't pick up the 27.exe program? Oh well, believe it or not, what's left on there to clean up is 100 times better than when I started. He ran this computer for well over a year on a DSL line with absolutely no antivirus or firewall protection of any kind. :rolleyes: Thanks again, I feel like I'm on the home stretch with this thing.
     
  7. Turcoloco

    Turcoloco MajorGeek

    Sounds good,

    I informed someone I know about this thread to move your thread and help you further with it, since he is the real expert.
    But as far as the etb folder goes, that must be deleted, and using the Recovery Console is your best bet!

    Remember, things get screwy upon starting the PC, meaning you must first cripple the baddies by eliminating their startup. It could be a registry value under a startup-related key, within the normally unused Win.ini or even System.ini files; it could be entered as a service in the Services Control Panel; it could be a registered .dll file that gets called upon logging on to XP!
    Once things are corrected in the above locations, deleting the malware related files would be much easier.

    So please do delete all the entries I mentioned (do this in Safe Mode for more effective results). Do not forget to stop the System Restore Service until things get straightened out, and delete the previous Restore points using Cleanup Manager: Start > Run > cleanmgr > OK (after selecting the drive) > More Options - tab > under System Restore > Cleanup...

    Good Luck,
    ~TL :cool:
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have moved this thread to the Spyware Forum.

    Note I have had pretty good success removing the EliteToolbar problem (aka pokapoka) using the below procedure. As of yet I have not needed the Recovery Console. But you must follow the procedure in safe mode.

    Try running EliteToolbar Remover again in safe mode but this time make sure your cable that connects you to the internet is physically unplugged.

    If necessary (which can be the case with some malware), run EliteToolbar Remover a couple times. It may even be helpful to get a firewall installed first ( see: step 3 in How to Protect yourself from malware! )

    Then reboot to normal to follow the below procedures.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

     
    Last edited: Oct 14, 2005
