MS ActiveX ? unknown to MS ?

  • Thread starter Thread starter Lynx
  • Start date Start date
L

Lynx

Hi Guys,

I was exploring System Explorers and noticed 3 new ActiveX programs appeared
in the list. It was easy to find because for a long time I did have only 4
entries there (MS Office 2003, 2 Sun Javas and Shockwave Flash).

They are marked as "unknown ActiveX":

{17492023-C23A-453E-A040-C7C580BBF700}

{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}

I tried to block them. They will resurrect after restart. The same after
deleting with SpyBot.

I don't want to annoy anybody so I put some info and the extract from reg.
extract just for {..700} at the end.

Are those GWFSPidGen.DLL & LegitCheckControl.DLL part of the "Genuine
Advantage.." stuff?

If so what is "unknown" about it from Microsoft's point of view?

If those are nasties it would be nice to know how get rid if them?

Thanks in advance



1)

[HKEY_CURRENT_USER\Software\GIANTCompany\AntiSpyware\SpyNet]

"{17492023-C23A-453E-A040-C7C580BBF700}"="sent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{17492023-C23A-453E-A040-C7C580BBF700}\Contains\Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{17492023-C23A-453E-A040-C7C580BBF700}\InstalledVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL]

".Owner"="{17492023-C23A-453E-A040-C7C580BBF700}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL]

"{17492023-C23A-453E-A040-C7C580BBF700}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL]

"{17492023-C23A-453E-A040-C7C580BBF700}"=""

2) File Analyzer sais:

Microsoft PidGen

GWFSPidGen.DLL

Description: PidGen

Original file name: PidGen.dll

Publisher: Microsoft

Path: C:\WINDOWS\system32\GWFSPidGen.DLL

Version: 1.5.0.42

Size: 23304 bytes

MD5: 76cfe0b49089af874d3d135efc38bf3a
 
The first one is related to Windows Genuine Advantage
Validation Tool, the second is related to
MessengerStatsClient Class at messenger.zone.msn.com, and
the third is the entry for Java Plug-in 1.4.2_03.

I found these by Googling the entries.

Alan
-----Original Message-----
Hi Guys,

I was exploring System Explorers and noticed 3 new ActiveX programs appeared
in the list. It was easy to find because for a long time I did have only 4
entries there (MS Office 2003, 2 Sun Javas and Shockwave Flash).

They are marked as "unknown ActiveX":

{17492023-C23A-453E-A040-C7C580BBF700}

{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}

I tried to block them. They will resurrect after restart. The same after
deleting with SpyBot.

I don't want to annoy anybody so I put some info and the extract from reg.
extract just for {..700} at the end.

Are those GWFSPidGen.DLL & LegitCheckControl.DLL part of the "Genuine
Advantage.." stuff?

If so what is "unknown" about it from Microsoft's point of view?

If those are nasties it would be nice to know how get rid if them?

Thanks in advance



1)

[HKEY_CURRENT_USER\Software\GIANTCompany\AntiSpyware\SpyNe
t]

"{17492023-C23A-453E-A040-C7C580BBF700}"="sent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{17492023-C23A-453E-A040-C7C580BBF700}
Click to expand...
\Contains\Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{17492023-C23A-453E-A040-C7C580BBF700}
Click to expand...
\DownloadInformation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{17492023-C23A-453E-A040-C7C580BBF700} \InstalledVersion]
Click to expand...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
ion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL]
".Owner"="{17492023-C23A-453E-A040-C7C580BBF700}"
Click to expand...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
ion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL]
"{17492023-C23A-453E-A040-C7C580BBF700}"=""
Click to expand...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
ion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL]

"{17492023-C23A-453E-A040-C7C580BBF700}"=""

2) File Analyzer sais:

Microsoft PidGen

GWFSPidGen.DLL

Description: PidGen

Original file name: PidGen.dll

Publisher: Microsoft

Path: C:\WINDOWS\system32\GWFSPidGen.DLL

Version: 1.5.0.42

Size: 23304 bytes

MD5: 76cfe0b49089af874d3d135efc38bf3a












.
Click to expand...
 
Thanks Alan.
Interesting enough Recent upgrade from Java was from 1.5.0_03 to 1.5.0_04
though
1.4?? No trace of it here. Hmm
and "I did not have sex..." No I'd rather put it like: "I Genuinely did not
take Advantage..."
Anyway how to remove em?
Regards
 
Lynx said:
Interesting enough Recent upgrade from Java was from 1.5.0_03 to
1.5.0_04 though
1.4?? No trace of it here. Hmm
Anyway how to remove em?
Click to expand...

You probably do not want to remove them, as they are harmless.

If for some reason you wish to remove them, first check control panel
"Add/Remove Programs" to see if they are listed there, with a button for
removal.

Otherwise, in MSIE, you can pull down the Tools menu, and select "Manage
Add-ons".
 
Thanks Robin,
... as they are harmless.
Click to expand...
It's encouraging
Can't see them in mentioned places.
Found 2 java 1.5_04 entries in "being used" Add-ons" but no 1.4
If for some reason you wish to remove
Click to expand...
No reason - the main reason:) was that "MS_unknown" MS GWFSPidGen.
User block it. It becomes grey in the list and it should stay grey even
white unless user unblock it
The fact that it reappeared without any notification made me blue even
dark-blue. That's all
Cheers
 
I think if anything is known to be free of spyware, it's
allowed even if you blocked it in the past. That way,
somethings that should not have been blocked by the user,
and might be important, are allowed.

The Java issue might also have been a typo on the part of
the site's designer. IT might also have been used in
both 1.5 and 1.4 as well.

Alan
 
Actually, the Jave 1.4 issue is my own DUMB mistake. The
site that I looked at had almost the same entry for Java
Plug-in 1.4.2_03, only a few numbers were different in
the beginning of the string listed on the site. Since
there is only a few numbers that are different in the
beginning of the string, then this is likely an entry for
Java Plug-in 1.5.x_x.

Alan
 
Back
Top