MS ActiveX ? unknown to MS ?

Lynx

Hi Guys,

I was exploring System Explorers and noticed 3 new ActiveX programs appeared
in the list. It was easy to find because for a long time I did have only 4
entries there (MS Office 2003, 2 Sun Javas and Shockwave Flash).

They are marked as "unknown ActiveX":

{17492023-C23A-453E-A040-C7C580BBF700}

{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}

I tried to block them. They will resurrect after restart. The same after
deleting with SpyBot.

I don't want to annoy anybody so I put some info and the extract from reg.
extract just for {..700} at the end.

Are those GWFSPidGen.DLL & LegitCheckControl.DLL part of the "Genuine
Advantage.." stuff?

If so what is "unknown" about it from Microsoft's point of view?

If those are nasties it would be nice to know how to get rid of them?

Thanks in advance



1)

[HKEY_CURRENT_USER\Software\GIANTCompany\AntiSpyware\SpyNet]

"{17492023-C23A-453E-A040-C7C580BBF700}"="sent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\Contains\Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\InstalledVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL]

".Owner"="{17492023-C23A-453E-A040-C7C580BBF700}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL]

"{17492023-C23A-453E-A040-C7C580BBF700}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL]

"{17492023-C23A-453E-A040-C7C580BBF700}"=""

2) File Analyzer says:

Microsoft PidGen

GWFSPidGen.DLL

Description: PidGen

Original file name: PidGen.dll

Publisher: Microsoft

Path: C:\WINDOWS\system32\GWFSPidGen.DLL

Version: 1.5.0.42

Size: 23304 bytes

MD5: 76cfe0b49089af874d3d135efc38bf3a
 
Alan

The first one is related to Windows Genuine Advantage
Validation Tool, the second is related to
MessengerStatsClient Class at messenger.zone.msn.com, and
the third is the entry for Java Plug-in 1.4.2_03.

I found these by Googling the entries.

Alan
 
Lynx

Thanks Alan.
Interestingly enough, the recent upgrade of Java was from 1.5.0_03 to 1.5.0_04, though.
1.4?? No trace of it here. Hmm
and "I did not have sex..." No I'd rather put it like: "I Genuinely did not
take Advantage..."
Anyway how to remove em?
Regards
 
Robin Walker [MVP]

Lynx said:
Interesting enough Recent upgrade from Java was from 1.5.0_03 to
1.5.0_04 though
1.4?? No trace of it here. Hmm
Anyway how to remove em?

You probably do not want to remove them, as they are harmless.

If for some reason you wish to remove them, first check control panel
"Add/Remove Programs" to see if they are listed there, with a button for
removal.

Otherwise, in MSIE, you can pull down the Tools menu, and select "Manage
Add-ons".
 
Lynx

Thanks Robin,
... as they are harmless.
It's encouraging
Can't see them in mentioned places.
Found 2 java 1.5_04 entries in "being used" Add-ons" but no 1.4
If for some reason you wish to remove
No reason - the main reason:) was that "MS_unknown" MS GWFSPidGen.
User block it. It becomes grey in the list and it should stay grey even
white unless user unblock it
The fact that it reappeared without any notification made me blue even
dark-blue. That's all
Cheers
 
Alan

I think if anything is known to be free of spyware, it's
allowed even if you blocked it in the past. That way,
some things that should not have been blocked by the user,
and might be important, are allowed.

The Java issue might also have been a typo on the part of
the site's designer. It might also have been used in
both 1.5 and 1.4 as well.

Alan
 
Guest

Actually, the Java 1.4 issue is my own DUMB mistake. The
site that I looked at had almost the same entry for Java
Plug-in 1.4.2_03, only a few numbers were different in
the beginning of the string listed on the site. Since
there are only a few numbers that are different in the
beginning of the string, then this is likely an entry for
Java Plug-in 1.5.x_x.

Alan
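
An added example, not part of any post in this thread: a read-only PowerShell check that resolves the three CLSIDs listed above to the DLLs recorded under the Distribution Units and ModuleUsage keys shown in the registry extract, and reports each DLL's Authenticode signature. It assumes the download source is stored in the CODEBASE value under DownloadInformation and that PowerShell 3.0 or later is available.

```powershell
# Added example: map "unknown ActiveX" CLSIDs to the DLLs that registered them,
# then check each DLL's Authenticode signature. Read-only; changes nothing.
$clsids = @(
    '{17492023-C23A-453E-A040-C7C580BBF700}',
    '{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}',
    '{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}'
)

$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$duPath   = 'SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$usageKey = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage')

foreach ($clsid in $clsids) {
    # Download source, if the control was installed as a distribution unit.
    # Assumption: the URL is held in the CODEBASE value.
    $codebase = $null
    $dl = $hklm.OpenSubKey("$duPath\$clsid\DownloadInformation")
    if ($dl) { $codebase = $dl.GetValue('CODEBASE'); $dl.Close() }

    # ModuleUsage subkey names are file paths written with forward slashes,
    # so enumerate them with the .NET API rather than the registry provider.
    $modules = @()
    if ($usageKey) {
        foreach ($name in $usageKey.GetSubKeyNames()) {
            $k = $usageKey.OpenSubKey($name)
            if (-not $k) { continue }
            if ($k.GetValueNames() -contains $clsid -or $k.GetValue('.Owner') -eq $clsid) {
                $modules += $name.Replace('/', '\')
            }
            $k.Close()
        }
    }

    if (-not $modules) {
        # CLSID is listed but no module claims it in ModuleUsage.
        [pscustomobject]@{ Clsid = $clsid; Codebase = $codebase; Module = $null
                           SignatureStatus = $null; Signer = $null }
        continue
    }
    foreach ($m in $modules) {
        $sig = if (Test-Path -LiteralPath $m) { Get-AuthenticodeSignature -LiteralPath $m }
        [pscustomobject]@{
            Clsid = $clsid; Codebase = $codebase; Module = $m
            SignatureStatus = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }
}
```

A `Valid` status with a Microsoft signer is stronger evidence than the "Publisher: Microsoft" string a file analyzer reads from the version resource, which any file can carry.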
 
