Invalid ActiveX/COM Registry Entries

Status
Not open for further replies.

wlknaack

Norton System Works uncovered nine (9) invalid entries in the ActiveX/COM sections of my Windows Registry.

The nine affected keys:

AWFile\Defaultcom, COLFile\Defaultcom, ELMFile\Defaultcom, FFAFile\Defaultcom, FFLFile\Defaultcom, FFTFile\Defaultcom, FFXFile\Defaultcom, DPCFile\Defaultcom and STFFile\Defaultcom.

The nine keys all refer to a missing icon:

C:\Program Files\Support.com\backup\mi\misc.exe,6

I cannot find "misc.exe,6" either in the "mi" folder, or anywhere on the computer. Can anyone help me get this file?

Also, it is the first time I have ever seen the extension ".exe,6" or anything similar. Has anyone seen this extension?
 
There should not be ANY directory support.com.
That would be part of a virus/trojan/other nasty.
The exe,6 points to the 6th icon within that exe-file.

That file misc.exe in your reference is with 99.9% certainty NOT the official MS file.

Not trusting Norton (ever), I would suggest going to this post here first, and following the instructions EXACTLY, especially about UPDATING and HJT-location.
How to remove Begin2Search/Coolwebsearch and Other Nasties
Then see How to post your Hijackthis log-files.
 
Reply to realblackstuff

First, thanks for responding to my post.

I had Adware Personal SE, Spybot Search & Destroy and HijackThis installed and operating on my computer, along with WinPatrol and SpywareBlaster. In addition I have Norton 2005 Internet Security, and ZoneAlarm Firewall. All I had to download and install, in accordance with your instructions was CWShredder.

A note aside: Since I only needed to install CWShredder, I did not disable Windows' System Restore. I can, of course, always uninstall, disable System Restore, and then reinstall all the spyware programs if it is necessary. Question: Why disable System Restore before downloading and installing?

I went through the "show all files and folders, including hidden and system" procedure, and rebooted in "safe mode." I ran the programs in the following order: CWShredder, Adware (including VX2 Plug-In), then Spybot. The computer came up clean. The only thing found was an Alexa in the Registry by Adware, which I quarantined.

I rebooted, ran the programs again in the same order, then ran Norton Antivirus, and finally HijackThis and saved the scan log. All programs came up clean; not one item was found. I have included the HijackThis Scan Log in this reply.

I again ran the utility program in Norton System Works, and the only problems in the computer were the same nine invalid keys which were the reason for my post.

With regard to the directory: support.com. It would appear to be a valid directory though, perhaps, not part of Microsoft Windows. The directory contains, to give you one example, the support function for my broadband ISP, including maintenance and diagnostic software programs for the broadband connection.

I had previously (2/28/05) run a HijackThis Scan Log and reviewed it based upon the information in your "How To Remove" post, and it looked clean. Will you please review the current HijackThis Scan Log and let me know what you think?

Again, thanks for all your help in this matter. I have no idea what to do next.
 
These are words to live by! As RBS says, never trust Norton! Seen more computers with problems using Norton than anything else.
 
Addendum to Reply to realblackstuff

I made a mistake when following your instructions: After I ran the spyware programs in safe mode, I did a normal reboot and ran HijackThis, when I should have rebooted back into safe mode. I did it over, correctly this time, and the HijackThis Scan Log is attached for your review.

In my review of the Scan Log, I have four (4) 016-DPF entries, three (3) of which are Symantec's. As I, like so many others, am experiencing problems with Symantec's products, I am reluctant to change anything connected to Symantec. Do you still suggest I delete all the 016-DPF entries?

I value your input.
 
In Safe mode, run HJT on its own and let it 'fix':
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab

The above O16 - DPF: are all ActiveX referrals.
They will be re-loaded if you really need them, so you can 'fix' them without a second thought.

Reboot and see how it goes.

Disabling System Restore will delete all your restore points up till then. These points may already have been 'contaminated' with the virus/trojan that you are trying to delete.
 
Reply #2 to realblackstuff

Ran HijackThis in safe mode. Removed all nine (9) items you suggested. Rebooted and ran Systemworks' Utility WinDoctor and, unfortunately, the invalid ActiveX keys are still there. I guess we will have to look elsewhere for a solution.

As a note aside, while I was running HijackThis, the following error message appeared:

Unexpected Error Occurred
Error #52 (Bad file name of number) in SubGetLongPath (?.exe)

The error appeared at the entry "04-global Startup: Microsoft Works Calendar Reminders.Ink = ?." When I clicked OK, the process continued, and all nine entries were removed. I sent an email to merijn@spywareinfo.com with the relevant details as requested in the error message.

I have attached the "final Hijackthis scan log" for your review. Thanks for all your effort on this problem.
 
Don't give up hope yet. If RBS cannot fix your problem, there is no one I know that is better! Did you disable System Restore?

There is one other program you can try; it is called A-Squared. If this is a virus or nasty, it will take care of it.

Get it here. Update it, then run it.
 
Those ActiveX errors are not within the scope of HJT, nor any of the other spyware removers.

Surf to the support-site of your ISP and ask them for the misc.exe program.
Or delete those entries manually from your registry.
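
Added example (not part of any post in this thread, and not from Norton or HijackThis): a read-only PowerShell audit that lists file-type keys whose icon reference points at a file that no longer exists, which is the condition WinDoctor reported for `misc.exe,6`, so the entries can be reviewed before anyone deletes them by hand. It assumes the subkey named in the first post is the standard `DefaultIcon` subkey under `HKEY_CLASSES_ROOT`; the function names are hypothetical.

```powershell
# Added example. Read-only: lists entries, changes nothing.
# Assumption: the icon reference lives in <ProgID>\DefaultIcon under HKEY_CLASSES_ROOT.

function Split-IconReference {
    param([string]$Value)
    # Format is "file,N". N is a zero-based icon index, or a resource ID when negative.
    $expanded = [Environment]::ExpandEnvironmentVariables($Value).Trim()
    if ($expanded -match '^"?(?<path>[^"]+?)"?\s*(?:,\s*(?<index>-?\d+))?$') {
        [pscustomobject]@{ Path = $Matches['path'].Trim(); Index = $Matches['index'] }
    }
}

function Get-BrokenDefaultIcon {
    $root = [Microsoft.Win32.Registry]::ClassesRoot
    foreach ($name in $root.GetSubKeyNames()) {
        try {
            $key = $root.OpenSubKey("$name\DefaultIcon")
            if (-not $key) { continue }
            try { $raw = [string]$key.GetValue('') } finally { $key.Close() }
            $ref = Split-IconReference $raw
            # Skip empty values, "%1" (the file is its own icon) and relative names,
            # which Windows resolves through its search path rather than a fixed folder.
            if (-not $ref -or -not [IO.Path]::IsPathRooted($ref.Path)) { continue }
            if (-not (Test-Path -LiteralPath $ref.Path -PathType Leaf)) {
                [pscustomobject]@{
                    ProgId   = $name
                    IconFile = $ref.Path
                    Index    = $ref.Index
                }
            }
        } catch {
            # Unreadable key or malformed value: report it rather than guess.
            Write-Warning "Skipped ${name}: $($_.Exception.Message)"
        }
    }
}

# Group by file so several keys left behind by one application show up together.
Get-BrokenDefaultIcon | Group-Object IconFile | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'ProgIds'; e = { $_.Group.ProgId -join ', ' } } |
    Format-List
```

Where the referenced file does exist, `Get-AuthenticodeSignature -FilePath <path>` shows whether it carries a valid publisher signature, which bears on the question raised earlier in the thread of whether an unfamiliar `misc.exe` is legitimate.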
 
Reply to tbrunt3 & realblackstuff

TO: tbrunt3:

I didn't disable System Restore the first time, but I went back and disabled System Restore, went into safe mode, ran all the spyware programs RBS recommended, rebooted back into safe mode and ran HTS.

TO: realblackstuff:

The ISP is only one of many folders under support.com, and I do not believe the misc.exe or the misc.exe,6 applies to the ISP diagnostic software.

The primary option provided by Norton System Works to correct the invalid entries was to provide the path C:\Program Files\.........\misc.exe in place of the missing path C:\Program Files\..........misc.exe,6, but the key would not accept it. There was a secondary solution which was to replace the path with C:\WINDOWS\Installer\{811b049-6000-11d3-8cfe-0050048383c9}\misc.exe (File version not applicable.). I tried that, and System Works no longer shows any ActiveX/COM invalid entries.

It looks like the problem is solved, but if this solution causes other problems, or if the ActiveX/COM invalid entries reappear, I still have the option to delete them, which was always the third option.

Thanks for all your help.

As a note aside, and something I failed to mention previously: When I was in safe mode, running all the spyware programs, I decided to run Norton Antivirus. I could not get the Norton Antivirus to run in safe mode; all I kept getting was that the program ran into problems and had to shut down (you know, one of those notify/don't notify Microsoft screens). Does this surprise you?
 
I had the same problem as WLKNAACK. I removed Comcast's application called Desktop Doctor and the errors went away.

Sammm
 