September 5th, 2004 15:00

PestControl Problem

After receiving on July 29/04 "An Important Letter from Michael Dell", I took Dell's suggestion to download the Dell-supported "PestPatrol" by Sunbelt Software for a free try-out on my Dell Precision 620 running under the Dell-provided Windows 2000 (notwithstanding that my Norton Internet Security 2004 programmes also look after Spy- and Adware).

It reported 13 issues (outlined below in detail) and I had the PestControl software delete these. It deleted all but one (due to insufficient rights).

I then received an immediate problem message from my Norton 2004 Internet Security programme. Rebooting the computer, Norton didn’t run and showed "tampered", so it appears some of the entries PestControl deleted were related to and needed by Norton.

Trying to find out which one of the deletions was legit, I used Pest Control to "un-delete" one deletion at a time but it proceeded to un-delete all at once. Afterwards Norton ran again.

I un-installed PestControl in view of the problem with Norton but found

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PPControl.exe

in the registry, notwithstanding that the uninstall log reported deletion of this entry.

So I re-installed a recent image of my "C" partition and updated again Norton and Windows to be current.

Dell states it supports Norton and Sunbelt and that it has tested PestControl. Dell also confirms on its web site that Norton Antivirus (NAV) 2004 has anti spyware protection.

Questions:

...So what did I do wrong and why did PestControl break (i.e. tamper with) Norton, despite testing of the product by Dell (did they test with Norton 2004 running and did they check into potential "false positives")?

...Do I indeed have Adware/Spyware on my system notwithstanding NAV is on my system and reports it to be clean? Or, are these all "false positives" given my below-outlined detailed investigations, which drew blanks, except perhaps for the file ssa3d30.ocx unless it is a legit file used by other applications?

PestControl reported the following (all registry entries under HKEY_Local_Machine\software):

Location                                                                                                  Pest                      Action                    Note

\classes\clsid\{065e6fd8-1bf9-11d2-bae8-00104b9e0792}                                                     BonziBuddy                Deleted                   1
\classes\clsid\{065e6fdc-1bf9-11d2-bae8-00104b9e0792}                                                     BonziBuddy                Deleted                   1
\classes\clsid\{065e6fe6-1bf9-11d2-bae8-00104b9e0792}                                                     BonziBuddy                Deleted                   1
\classes\clsid\{065e6fe3-1bf9-11d2-bae8-00104b9e0792}                                                     BonziBuddy                Deleted                   1
\classes\clsid\{065e6fdf-1bf9-11d2-bae8-00104b9e0792}                                                     BonziBuddy                Deleted                   1
\classes\clsid\{065e6fe9-1bf9-11d2-bae8-00104b9e0792}                                                     BonziBuddy                Deleted                   1
C:\WINNT\system32\ssa3d30.ocx                                                                             InternetAlert             Deleted                   1
\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/msvcrt.dll|.owner                         SAHAgent                  Deleted                   2
\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/mfc42.dll|.owner                          SAHAgent                  Deleted                   2
\microsoft\code store database\distribution units\{11111111-1111-1111-1111-111111111111}                  VX2                       Deleted                   3
\siteicons                                                                                                UKVideo2Dialer            Deleted                   4
C:\Program Files\dialers                                                                                  Unknown Dialer Directory  Deleted                   4
\microsoft\windows\currentversion\installer\products\c8d617f6f8933d11581e000540386890\webpublfiles|usage  Lop.com                   Not del.; insuff. Rights  5


Notes

1) Reg. entries refer to SSFrame, Panel, Ribbon, Check, Option and Command Control and all have reference to the ssa3d30.ocx file, which in turn refers to Active X Control Version 3.0.0.34 dated Nov 10/98 and seems to have been installed Dec.22/2000 at 16:10:21. The File is created by Sheridan Software Systems Inc. and refers to Active Threed Plus. I have never heard of the company nor of Active Threed Plus. I did install on Dec 22/00 (started setting up computer on Dec 19/00 which included updates to Norton Internet Security for the 2000 version), Windows Commander 4.51 but at 14:03 hrs which has since been renamed to Total Commander under various new versions. Set up my e-mail around 21 hrs. Also installed from C/D various Soundblaster software and updated drivers from their Website but all in the 22 hrs timeframe. Thus I had obviously been on the web and may have been on the web at 16:10 hrs but did not record in my records any downloads nor other data. So I don't know where this file comes from or what application installed this file. Until today I have never heard of BonziBuddy nor have I ever installed it. It's not in the add/remove Appl. under Control Panel.

2) Both entries show "unknown owner" and referenced files seem to be original MS files relating to MS Visual C++ with the MFC file an updated version of June 19/03 installed July 14/03 (installed 4 Windows Updates that day including SP4) and the other from Dec 7/99 and the original Dell installation. - don't know reason for register entry. Can't find any info on SAHAgent and don't know what it is.

3) has in the referenced key a branch download Inf and in it a line Codebar = file C:\winnt\system32\calc.exe which is an original MS O/S file based on install date. A search for VX2 on the system and in the registry had no hits. So I don't know where the reference to VX2 comes from. Searching the Web for it, this certainly seems to be a nasty spyware, however I don't recall having ever visited any of the "bad" sites. A search for 9 .dll's and 1 .cch files I found documented in a removal article did not show up any such files. The above register key was not listed on that site discussing the spyware. So how is that register key related to VX2?

4) assume those two are related. Register entry has a reference under siteicons to Client ID {34504E78-FB20-1104-90AE-00508BA2510B}. I cannot find that reference in any files on the system nor elsewhere in the Registry. Don't know what the UKVideo2 Dialer is and can't find any UKVideo2 references in Files or registry. I obviously have various Video related software, including Ulead DVDFactory2 which has a file UKMgr.dll. I'm not aware of having installed any "dialers" (wouldn't). Also am connected to Internet via Cable, so a dialer would be of no use. The directory was created on Feb 14/01 and is empty.

5) Searching the web for Lop found references to Live Online Portal. However no reference to the above registry entry, nor can I find any files listed as being used by LOP. Additionally, my browser's start page has never been changed nor have I noted any of LOP's other symptoms. I have no idea how this "protected" entry got on my system. Is it indeed related to Lop? ---- ref. for usage is 0x29980001 (697827329) which doesn't tell me anything.

Message Edited by Spamfighter on 09-05-2004 11:55 AM
