
View Full Version : getPlusUninstall_ocx



goslings
2007-06-16, 09:53
Spybot picked this up, and info reports nothing (as is the case with most)
old data: getPlusUninstall_ocx
old data: rundll32.exe advpack.dll LaunchNFSection
I've blocked for now, but what is it?
Googled it and no hits
regards

md usa spybot fan
2007-06-17, 18:56
Please look in the Resident for the denied registry change entry and post it to this thread:
Go into Spybot > Mode > Advanced Mode > Tools > Resident > page (scroll) to the bottom of the listing and highlight a portion of the log that shows the denied entry, then right click and select Copy. Paste (Ctrl+V) the log entries to another post in this thread.
Thanks.

MartY3
2007-10-12, 00:57
I got the exact same thing today, so I blocked it, and here is the pasted entry from the log.

11/10/2007 22:54:48 Denied (based on user decision) value "getPlusUninstall_ocx" (new data: "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall") added in System Startup global entry!

Hope someone could shed some light on this, and if it's something I need to worry about.

Thank you

marty

TerryChilds
2007-10-16, 02:42
I get the same message when I reboot, but I don't have the files in the directory where it says it is. The location is C:\Windows\inf\GETPUSo.inf not found

md usa spybot fan
2007-10-16, 15:51
MartY3:

A lot of this is speculation since I don't know what you were doing at the time you received the registry change and I have never personally run across that particular registry entry.

"getPlus" is a download manager (http://www.getplus.com/get.html) and it appears that it may be used in Adobe Acrobat Reader 8.1 updates (http://firefox.phpmagazine.net/2007/06/adobe_acrobat_81_got_firefox_i.html).

I found the registry entry in question in several HijackThis reports in the [HKLM\..\RunOnce] registry key:

O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall

The RunOnce registry key is just that: startup entries placed in the RunOnce registry key are run when the system is restarted and then the registry entry is deleted.

Since the entry is placed in the RunOnce key it appears to be a cleanup routine. If this is the case, TeaTimer would see and report the change twice (providing it was allowed both times), once when the entry was added to the registry and once when it was deleted after you restarted the system and the job ran.

If in fact I am correct, by denying the registry change when it is being added to the registry you would prevent the cleanup job from running. If you deny the registry change when the entry is being deleted, the job will attempt to run each time the system is restarted.

It looks like your denial was when the entry was being added, so I assume the job never ran. Although it is hard to tell from a partial listing of TeaTimer's dialog message, it appears that goslings' (http://forums.spybot.info/member.php?u=23050) denial may have been when the entry was being deleted, so the job would have tried to run again on the next system restart.
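
Added example, not part of any post in this thread: a small triage helper that parses a Resident log line, splits the rundll32 LaunchINFSection command into its INF path and section, and maps the Allow/Deny decision to the outcome described in the post above. The "added" line is the one MartY3 pasted; the "Allowed", "old data" and "deleted" wordings and the second sample line are assumptions constructed for illustration.

```python
import re

# Log line as posted in this thread ("Denied ... added" wording is from the page).
PAGE_LINE = (r'11/10/2007 22:54:48 Denied (based on user decision) value '
             r'"getPlusUninstall_ocx" (new data: "rundll32.exe advpack.dll,'
             r'LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall") '
             r'added in System Startup global entry!')
# Constructed line: the "old data ... deleted" wording is an assumption.
CONSTRUCTED_DELETE = PAGE_LINE.replace("new data", "old data").replace(
    ") added in", ") deleted in")

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<decision>Allowed|Denied)\b.*?value "(?P<name>[^"]+)" '
    r'\((?:new|old) data: "(?P<data>[^"]*)"\) (?P<action>added|deleted)\b')
CMD_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+advpack\.dll\s*,\s*LaunchINFSection\s+(?P<args>.+)$',
    re.IGNORECASE)

# Outcomes follow the RunOnce reasoning in the post above.
OUTCOME = {
    ("added", "Denied"): "not-registered: the cleanup job never runs",
    ("added", "Allowed"): "registered: runs at next restart, then a delete event follows",
    ("deleted", "Allowed"): "removed: the job ran and RunOnce is clean",
    ("deleted", "Denied"): "kept: the job is attempted again at every restart",
}

def parse_launchinf(data):
    """Split 'rundll32 advpack.dll,LaunchINFSection <inf>,<section>,...'."""
    m = CMD_RE.match(data.strip())
    if not m:
        return None  # some other startup command; review it by hand
    parts = [p.strip() for p in m.group("args").split(",")]
    return {"inf": parts[0], "section": parts[1] if len(parts) > 1 else ""}

def triage(line):
    """Return value name, parsed command and expected outcome for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"value": m.group("name"),
            "command": parse_launchinf(m.group("data")),
            "outcome": OUTCOME[(m.group("action"), m.group("decision"))]}

if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_DELETE):
        print(triage(sample))
```

Checking whether the parsed INF path still exists on disk separates a pending cleanup from a stale entry like the "not found" case reported earlier in the thread.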

TerryChilds
2007-10-17, 04:39
I ran a program called fixwareout and I no longer get the error message

Sunshine Ray
2008-01-12, 16:23
The tea timer (whatever that is) did go off before, which is a new one to me, I have others going off since Spybot and Kaspersky I using it or I blocks a lot especially to registry I am very concerned about, already had 1 computer ruined from that.

OK, I am getting same messages so I let my Kaspersky allow the registry change. I just had some Microsoft downloads, custom, last night, if they are using this other problem, I bookmarked it, but look at the page I think they would say so, why would they use another product to download their software updates http://www.getplus.com/get.html , they are large enough to do and then some without your knowledge often, it says replacing the dlll32 (something-already allowed it so the box gone).

First post here, I took off Spybot before, prior version some years ago, as it wasn't working with IE very well. Much better this go around, my Kaspersky is beyond me, I don't what is trying to get changed or why a lot of the time when it blocks it and says yea or nay.
Thanks. BTW I disabled and acutely chronically ill and often can't type, so please excuse the typos, or reading through sometimes what is quite a mess, sometimes I have to type in caps.
Sunshine

puffidredz
2008-02-02, 17:08
The error ironically comes from Adaware 2007. I uninstalled Adaware and it went away. I reinstalled Adaware and it's back and it doesn't go away. Apparently it wants you to buy Adaware 2007 Plus as I've heard from some people they bought it and only then it went away. I suppose it could be spyware causing it to glitch and produce the error. Go fig.

HSeldon
2008-02-29, 15:25
"teatimer" is short for "the Resident TeaTimer." I quote from the S&D FAQ:

What is the Resident TeaTimer?
The Resident TeaTimer is a tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options, how to deal with this process in the future. You can set TeaTimer to:

be informed, when the process tries to start again
automatically kill the process
or generally allow the process to run
There is also an option to delete the file associated with this process.

In addition, TeaTimer detects when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either Allow or Deny the change.

The TeaTimer is always running in the background.

//////////////

I had the same ...ocx message appear, as md_usa_spybotfan mentioned, after upgrading to Adobe Reader version 8.1.2 last night.

md usa spybot fan
2008-02-29, 16:05
HSeldon:

Thanks for confirming that I wasn't totally barking up the wrong tree.

If the TeaTimer dialog that you received was when the startup entry was being added and if in fact it was being added as a RunOnce startup entry as I theorized, then you should receive another TeaTimer dialog/notification when the entry is deleted after you restart your system.

Thanks for the feedback.

Regards,
md usa spybot fan

hope for the future
2008-07-01, 16:04
I just did a windows reinstall, and I got this message when I rebooted after installing Adobe Reader. This also confirms the relation of the message to Adobe. The fact that it's associated with Adobe and Adaware is a good sign, eh?