View Full Version : MSIE ActiveX issue
shooter
05-28-2004, 11:06 AM
This is a continuation and slight change in scope from a thread I had already started under the mistaken assumption that this was a "profiles" issue.
http://www.pcguide.com/vb/showthread.php?threadid=29948
That said, I felt that the previous thread title/subject was not representative of the problem, so here goes:
I've got my cousin's WinXP laptop for the remainder of this month and the first part of the next. He came by a few weeks ago to visit and mentioned a "problem" with his laptop (turned out to be more like ten, but I digress....). His complaint? Running slow/weird. :-)
Anyway, he has been unable to access WinUpdate for I don't know how long, so I tried to figure out why. He had msblast, so I removed that completely, but still no dice. I installed and ran Ad Aware and it only found a few objects, mostly "innocuous" items such as a few cookies and Alexa (which, while many will say it's technically not spy/parasiteware, just makes me mad). I still need to dl and run SpyBot.
I updated his virus defs and ran a full sys scan (for whatever that's worth these days). It found one item. I can't even remember what it was, but it was low threat/damage. That's not to say there weren't 100 things it didn't/couldn't/wouldn't find, but I just posted that part to head any "are your virus defs up to date?" suggestions off at the pass. This was NAV Corporate Edition ver.8.x - again, for whatever that's worth these days.
The specific problem is this: when accessing WinUpdate (or the resident WinXP Help, both of which use ActiveX controls), I receive the following error msg:
"Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly."
I've searched for this a lot, and all the "help" seems to be of this nature: http://www.wintrouble.net/discus/messages/63/5303.html?1083597864
The sh*t of it is, no one seems to tell you what to do if this fails. I originally thought that one possible scenario was that it was something corrupted/incorrect with the settings *in that profile* - so I created a brand new (yes, w/ admin privs) profile and that didn't help.
Another thought I had was that it was something wrong with the install of IE, so I uninstalled it (which WinXP does *NOT* appreciate, mind you!) and reinstalled it from a clean .exe - still nothing. Same error msg.
BTW, the type of WinUpdates I'm wanting to do are of the "auto/manual" variety - i.e. I go to WinUpdate site, click "Scan for updates" which automatically determines (thanks to aforementioned ActiveX controls) which updates apply, I then "manually" decide which updates to apply. If I have to, I will sign on for "true" auto updates until the sys is up to speed, but at this point, I'd still like to try other options.
Any help would be greatly appreciated. Sorry for the novel.
The End.
Afterword: Could something that infected this PC have flipped the kill bit and is preventing ActiveX controls from running via the reg? I know there's a KB on that somewhere, I just haven't been able to find it now that I need it.
deddard
05-28-2004, 11:34 AM
Is there a firewall on the system?
Anything like Zone Alarm will prevent ActiveX unless given permission.
Check to see if the built in Windoze firewall is enabled as well.
In IE, you can go to the tools>options>security, and check to see whether ActiveX is enabled in there as well.
John0904
05-28-2004, 12:46 PM
Delete files in the ..\Program Files\WindowsUpdate\V4
In the Control Panel click Internet Options > Security and make sure all the zones are at Default.
Delete all Internet temp files. Internet Options > General > Delete Files.
Might want to check to see if a program is blocking ActiveX. Could be a software firewall, anti-virus or a 3rd party security program. Close all those programs for the time being till you are able to update.
I think there was one other step, but can't think of it at the moment.
But the suggestions given might get you started.
Sylvander
05-28-2004, 12:52 PM
"Afterword: Could something that infected this PC have flipped the kill bit and is preventing ActiveX controls from running via the reg?"
You are VERY close I think, except it isn't a "kill bit".
Some infection has probably done what "IE Spyad" does.
It puts these two sites in the list of "restricted sites".
Possibly at:
1. "HKCU\Software\Microsoft\Windows\Current Version\Internet Settings\Zonemap\Domains".
Once they are listed there, they are subject to the restrictions placed on them by settings specified at:
2. "IE->Tools->Internet Options-->Security->Restricted Sites->Custom Level"
a) If these sites' keys are removed from the list at location 1, then the restrictions don't apply to them.
b) If the maximum restrictions at location 2 were all set to "Prompt", then you would be able to answer "yes" when asked if you want to allow the "ActiveX" controls to run.
The infection may [try to] prevent you fixing this, but it's worth a look.
The sites may be listed somewhere other than 1, so it may be worth searching the registry for a key with a name that includes some part of the web page address [domain] that is fairly unique.
shooter
05-28-2004, 04:26 PM
Originally posted by deddard
Is there a firewall on the system?
anything like zone alarm will prevent activeX unless given permission.
Check to see if the built in Windoze firewall is enabled as well.
In IE, you can go to the tools>options>security, and check to see whether ActiveX is enabled in there as well.
No firewall on sys.
Doh! on the Internet Connexn Firewall thing - I can't believe I forgot about that stupid POS. I'll have to check that out when I get home.
And, yes, I've already set all my ActiveX settings to the lowest poss setting just in order to get this to work (of course, I'm never connected to the Inet unless I'm testing a fix for this issue). I've also put any and all variants of the WinUpdate site into my Trusted Sites and set the Trusted Zone to low sec, the Inet Zone to medium sec, and there are no sites in the Restricted Zone.
I'm going to kick myself if that ICF suggestion does the trick..... twice.
shooter
05-28-2004, 04:41 PM
Originally posted by Sylvander
"Afterword: Could something that infected this PC have flipped the kill bit and is preventing ActiveX controls from running via the reg?"
You are VERY close I think, except it isn't a "kill bit".
Some infection has probably done what "IE Spyad" does.
The rest of my Afterword was: "I know there's a KB on that somewhere, I just haven't been able to find it now that I need it."
Well, I still can't find the KB that I was actually referring to, but I did find this one that is markedly similar in most respects via Google:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q240797&ID=KB;EN-US;Q240797
I know I've got the original printed out and rotting in my archives somewhere.....
Still, after reading your response, I reread the kill bit info in the KB article I *did* find, and two things stuck out:
1) M$ recommended not *unkilling* a "dead" ActiveX Control
2) When the kill bit is set, IE never calls for the control in question.
Hmmn...
Originally posted by Sylvander
It puts these two sites in the list of "restricted sites".
Possibly at:
1. "HKCU\Software\Microsoft\Windows\Current Version\Internet Settings\Zonemap\Domains".
Once they are listed there, they are subject to the restrictions placed on them by settings specified at:
2. "IE->Tools->Internet Options-->Security->Restricted Sites->Custom Level"
a) If these sites' keys are removed from the list at location 1, then the restrictions don't apply to them.
b) If the maximum restrictions at location 2 were all set to "Prompt", then you would be able to answer "yes" when asked if you want to allow the "ActiveX" controls to run.
The infection may [try to] prevent you fixing this, but it's worth a look.
The sites may be listed somewhere other than 1, so it may be worth searching the registry for a key with a name that includes some part of the web page address [domain] that is fairly unique.
I will have to check out your suggestions, as well as finding info on IE Spyad.
Thank you.
Sylvander
05-28-2004, 07:18 PM
"Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly."
This is exactly what is displayed when I visit any of the sites listed in the "Restricted Zone" by IE Spyad, with the security restriction level set to "Disable" [which they are in certain cases].
The only difference here is that the sites are clearly listed in the IE Spyad reg file, the locations are specified, and can be easily removed from that list if desired.
Your problem is that your sites are probably listed somewhere in the registry, but may be difficult to find.
shooter
06-07-2004, 04:29 AM
First of all, I didn't have ICF enabled. Thank goodness. I would have kicked myself over and over if that had been the case.
I don't have IE Spyad installed, but I installed Spyware S&D yesterday, which has added a whole bunch of URLs to my Restricted Sites. There are no MS or WinUpdate sites listed in IE's Restricted Zone (accessed via Internet Options), but to be thorough I went to that reg subkey you listed two posts back (HKCU\Software\Microsoft\Windows\Current Version\Internet Settings\Zonemap\Domains).
I did find the main two variants from my Trusted Zone listed, but they had different data values listed for them (2) than did the sites I knew were in my Restricted Zone (4). So is this the subkey where *all* "Zone" entries are stored, but the data value determines whether they are Trusted, Restricted, etc?
BTW, is this the part where I post the HJT log file and pray?
Thanks.
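The zone numbers shooter is asking about are the standard ZoneMap values (0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites), and the real key name is CurrentVersion with no space. The following PowerShell audit is an added example, not from this thread: it lists every domain-to-zone mapping in both hives, flags Microsoft/Windows Update hosts that have been pushed into the Restricted zone, and lists CLSIDs whose kill bit (Compatibility Flags 0x400, the mechanism behind the KB article shooter found) is set. It assumes it is run on the affected machine; the suspect-domain patterns are constructed.

```powershell
# Added example, not from the thread: audit IE zone assignments and ActiveX kill bits.
# Assumptions: run on the affected Windows host; the suspect-domain patterns are constructed.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$SuspectPatterns = @('*microsoft.com', '*windowsupdate.com')

function Get-IEZoneMap {
    # Lists every domain -> zone mapping under ZoneMap\Domains for one hive (HKCU or HKLM).
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $key = $_
        # A host is stored as nested keys, e.g. Domains\microsoft.com\windowsupdate;
        # reverse the path components to rebuild windowsupdate.microsoft.com.
        $parts = ($key.Name -split '\\Domains\\', 2)[1] -split '\\'
        [array]::Reverse($parts)
        $domain = $parts -join '.'
        # Each value is named by scheme (http, https, *) and holds the zone number.
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Hive = $Hive; Domain = $domain; Scheme = $scheme
                Zone = $zone; ZoneName = $ZoneNames[$zone]
            }
        }
    }
}

function Get-KillBitControls {
    # CLSIDs whose kill bit (Compatibility Flags 0x400) is set; IE never loads these controls.
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base | Where-Object {
        ([int]$_.GetValue('Compatibility Flags', 0) -band 0x400) -ne 0
    } | ForEach-Object { $_.PSChildName }
}

$mappings = @('HKCU', 'HKLM') | ForEach-Object { Get-IEZoneMap -Hive $_ }
$mappings | Sort-Object Hive, Domain | Format-Table -AutoSize

# Flag update-related hosts that an infection may have pushed into the Restricted zone (4).
$bad = $mappings | Where-Object {
    $d = $_.Domain
    $_.Zone -eq 4 -and (($SuspectPatterns | Where-Object { $d -like $_ }) -ne $null)
}
if ($bad) { Write-Warning 'Update-related hosts mapped to the Restricted zone:'; $bad | Format-Table -AutoSize }
else { Write-Host 'No Microsoft/Windows Update host is mapped to the Restricted zone.' }

Write-Host 'Controls with the kill bit set:'
Get-KillBitControls
```

Entries with Zone 4 for a Windows Update host are the registry-level version of the "sites in the Restricted Zone" Sylvander describes; removing that domain key (or setting it back to 2) restores the control prompt.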
classicsoftware
06-07-2004, 08:03 AM
By all means download HJT to a permanent folder, and after scanning, post your log here.
shooter
06-07-2004, 02:20 PM
OK, here it is:
Logfile of HijackThis v1.97.7
Scan saved at 3:05:45 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05. exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: MoneySide (HKLM)
O15 - Trusted Zone: http://eraider.ttu.edu
O15 - Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5088C28E-2630-4CDD-B048-5CA7C5059CE7}: NameServer = [IP withheld],[IP withheld]
The two processes that have me the most concerned are the two in Sys32: smss.exe and lsass.exe. I'm also somewhat concerned about that last BHO (the one that says "no file"). Should I be? Thanks for any insight that might be forthcoming.
classicsoftware
06-07-2004, 04:48 PM
The two processes that have me the most concerned are the two in Sys32: smss.exe and lsass.exe. I'm also somewhat concerned about that last BHO (the one that says "no file"). Should I be? Thanks for any insight that might be forthcoming.
Read about smss.exe (http://www.liutilities.com/products/wintaskspro/processlibrary/smss/)
and
Read about lsass.exe here (http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/)
I would remove the following:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe
Based on the log, I assume you are using dialup to connect to the internet and the 017 settings are from your ISP.
Otherwise your log looks pretty clean to me. Let's see what Steve & budfred have to say.
shooter
06-07-2004, 06:08 PM
I'm about to head home from work, so I'll read about those processes when I get to the house. The 017 entry *is* from my ISP, though I'm actually connected via DSL modem, through a Linksys router - and I perhaps should have noted that the "[IP withheld]" was my own editing, not how it initially appeared in the log. The full IP actually appeared in the log, which I didn't want to broadcast by posting. :) I think I'll go back and try to edit it with red ink to make that more clear.
Thanks!
shooter
06-07-2004, 06:15 PM
Thanks for the info on smss.exe and lsass.exe. So I guess they weren't culprits of any kind. I second your thought, though, in that it looks like a fairly clean log. With the major exception, of course, of that one BHO with (no name) and (no file).
shooter
06-09-2004, 05:59 AM
OK, I think I may be on the right track here, can someone weigh in?
Found this on MajorGeeks:
--------------
Were you going back to Windows Update when this happened?
If so, to re-install, go in XP (I'm assuming you have XP) here and delete the "Update Class" file, then go back to WU and when a security notice pops up say yes/ok and it will re-install the WU ActiveX control for WU:
C:\WINDOWS\Downloaded Program Files
--------------
So, I thought I'd at least have me a look. C:\WINNT\Downloaded Program Files. Hmmn. No file named "Update Class." But what *was* in there? Two instances of "Java Runtime Environment 1.3.0_01" - and they both had a Status of "Damaged."
So, should I remove JRE (from Add/Remove Programs, and poss. from the Downloaded Programs Files folder), reboot, then reinstall JRE, or am I barking up the wrong tree with this? Also, since the info from MajorGeeks tends to suggest that the "Update Class" file *is* the ActiveX control for Windows Update, what does that say about this laptop if it *isn't* there?
Could *that* be the root cause of this problem? I honestly don't know if my cousin has *ever* run Windows Update - in fact, I'd bet he hasn't. Which might mean that this particular ActiveX control has *never* worked....