Hey! HJT Log :)


31 replies to this topic

#1 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 17 March 2006 - 07:42 PM

Hey Andy,

I'm posting 2 HJT logs. My router was turned off for a few days, and I just want to be sure that I didn't catch anything during that time. ;) I fixed some things on the first log, and then made a new log.

Here is the 1st Log!
Logfile of HijackThis v1.99.1
Scan saved at 1:27:41 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142050658658
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140500544249
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

2nd Scan:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:20 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142050658658
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140500544249
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Thanks Andy! :P
K

#2 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 18 March 2006 - 12:22 AM

Hi K

You have a Virus Infection :blink:

Only joking, it's fine :P , the only thing I can see that you might want to consider is uninstalling Windows Messenger, as you have MSN Messenger installed and both of them starting with Windows.

If you wanted to remove Windows Messenger anytime use Doug Knox's script, as it also makes a slight tweak to the registry to prevent Outlook taking a long time to open after Windows Messenger is removed.

You can get the script and the instructions here, but it's very simple

http://www.dougknox....nger_remove.htm

Chat to you later

Andy

#3 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 18 March 2006 - 12:39 AM

AndyManchesta, on Mar 17 2006, 06:22 PM, said: (post #2 above, quoted in full)
You scared me!!! :o :lol:

A few quick questions. I am using Windows Live Beta Messenger right now, so I'm not sure which one is directly linked to it.

Also, I use Thunderbird so I don't care about Outlook.

I'm having problems with my services settings changing every time that I reboot. Can I do something to change that? I'm the administrator so I don't understand why ALL of my settings are changed on every reboot. This has been a fairly recent thing, so I thought maybe something (besides me) was controlling my computer.




Thanks! ;)

#4 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 18 March 2006 - 12:49 AM

Yes that was probably a bad joke :unsure:

Windows Messenger is really poor and not needed now you have MSN Messenger. It could also mean that if you set yourself to offline with MSN all your contacts can still see you're online, as you're signed into Windows Messenger. It's up to you if you want to remove it, as you could just remove its startup entry by opening Windows Messenger and choosing options or preferences and unchecking the start with Windows option; I cannot remember exactly which option it is as I removed that from my own PC when I installed MSN Messenger. It will not affect Windows Live Beta Messenger in any way. You can see it's connected to MSN as they are the O18 (file missing) entries; they are not missing though, it's just a small bug in HijackThis which happens on some of the entries, so it can be ignored.

Even though you do not use Outlook, the script from Doug Knox is very easy to use and very quick so it's probably the best option. I could easily post the command to uninstall the messenger using the Run box, but with his VB file making the slight tweak to the registry it's a better option.

Can you explain more about your services settings as I'm not sure exactly what you mean :) There's certainly no indication of backdoor trojans in the log to allow someone access, but if you are worried that it may be infected run a scan with Panda.

If needed Run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

If you can let me know what services are changing I will try to help with that.

Andy

#5 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 18 March 2006 - 01:34 AM

Thanks Andy. It was a good joke because it worked! (for a second at least) :D

When I go to services.msc I have Messenger disabled so I don't know why it won't go away. I will use your tweak in a few minutes.

What I mean by services: Run > services.msc
* When I set my services to be disabled/manual/automatic, the settings are changed on reboot, and on every reboot it is different services that are changed. Why would this be happening?

A few minutes ago I got this error - C:\System Volume Information is not accessible. Access is denied. I'll do the Panda scan a little later. It takes very long. This morning I ran all of my scanners in safe mode with my ethernet cable unplugged. Should I run Panda in safe mode with networking?

What does all of this mean?
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-02-20 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-10 Includes\Cookies.sbi
2006-03-10 Includes\Dialer.sbi
2006-03-10 Includes\Hijackers.sbi
2006-03-10 Includes\Keyloggers.sbi
2006-03-10 Includes\Malware.sbi
2006-03-10 Includes\PUPS.sbi
2006-03-10 Includes\Revision.sbi
2006-03-10 Includes\Security.sbi
2006-03-10 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-03-10 Includes\Trojans.sbi

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\install.exe
Filename: install.exe
Data:

Category: Startup file does not exist
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsmqIntCert
Filename: regsvr32 /s mqrt.dll
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe
Filename: setup.exe
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\table30.exe
Filename: table30.exe
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\winnt32.exe
Filename: winnt32.exe
Data:




--- Spybot - Search & Destroy version: 1.4 (build: 20050523) --- (same version and file list as above)

Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AudioHQ)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"

(Branding)
What is this Branding thing? It's not in my control panel. Bug in spybot?
CCleaner (remove only) (CCleaner)
uninstall cmd: "C:\Program Files\CCleaner\uninst.exe"




Spybot says that regsvr32 /s mqrt.dll - Startup file does not exist. (Sorry for the long post.)

#6 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 18 March 2006 - 05:44 PM

Sorry Andy, but I wasn't able to follow your instructions. I did run the Panda Scan, and all came up clean, but I could only see half of the page/screen (it was like it was cut in half). So I couldn't save the report because I didn't see the option to do so.

I suppose that I'm not infected, which is good, but it's weird that my services are adjusting themselves.

Yesterday...my remote registry was set to automatic, and started. That scared the crap out of me. <_<

#7 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 18 March 2006 - 08:14 PM

Hi K

Sorry for the delay, I've been very busy today and will be for another couple of hours, but will try to get a reply to you when I get back home a bit later :) Have you been running any tweaking tools that would change services or disable them (or change anything connected to Windows)? Or registry cleaners that will remove invalid entries? A lot of these reg cleaners can do more damage than good because there are so many different areas of the registry that can reference a file. I personally do not use any reg cleaner (not even CCleaner's) as leftover entries are not a problem, and if the cleaners make a mistake that can create a problem that wasn't there originally.

The Spybot system scan is similar to a reg cleaner and looks for invalid entries or paths. All the applications in your scan look valid; however, it's showing the key isn't pointing at the application - it has probably been replaced by the correct key. You could probably delete them without any problems, but I wouldn't bother as they are not doing any harm apart from using a tiny amount of space. If in doubt, best to leave them alone. System Volume Information isn't accessible and you will get access denied messages when attempting to open the folder; this is one reason AV scanners say you need to turn System Restore off before scanning, but it's not required as you can easily flush the restore points and start a fresh one.

regsvr32 /s mqrt.dll means it's registering the mqrt.dll file silently. As long as the mqrt.dll file exists that's fine to leave; if Spybot is looking for a file named 'regsvr32 /s mqrt.dll' then it will not find it, so that could be what's happening.

I've only had a quick look at them but will check them again when I get back later and check out the services issues you are having.

Andy
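
The log in post #1 and the regsvr32 question answered just above are both about reading HijackThis entries mechanically. The script below is an added example for this thread, not HijackThis code and not anything the posters ran: it splits a HJT 1.99.x log into the process list and the "<code> - <text>" findings, decodes the O4 ..\Run autostarts, and splits each command line into executable and arguments the way Windows does for an unquoted command (grow the path one token at a time until it ends in an executable extension; a token starting with / or - is never part of the path). That is exactly why "regsvr32 /s mqrt.dll" is regsvr32 plus two arguments and not a missing file named "regsvr32 /s mqrt.dll". It also flags unquoted autostart paths containing spaces, which CreateProcess resolves ambiguously. The sample log is a constructed excerpt modelled on the first log above; the token-splitting rule is a simplification of CreateProcess behaviour rather than a full emulation, and only the line shapes visible in this thread are handled.

```python
"""Split a HijackThis 1.99.x log and inspect its O4 autostarts.

Added example for this thread, not HijackThis or the poster's code.
Handles only the line shapes seen in the logs above; SAMPLE_LOG is a
constructed excerpt modelled on the first log so the script runs offline.
"""
import re

# Any HJT finding: "O4 - HKLM\..\Run: [Name] cmd", "R0 - ...", "O23 - Service: ..."
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# The ..\Run flavour of O4 (the "O4 - Startup: x.lnk = ..." flavour is skipped)
O4_RUN_RE = re.compile(r"^(?P<hive>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Extensions that end the executable token when a command line is unquoted
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:27:41 PM, on 3/17/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
"""


def parse_hjt(text):
    """Return {"processes": [...], "entries": [(code, rest), ...]}."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def split_command(cmd):
    """Split a command line into (executable, args, was_quoted).

    Unquoted: grow the candidate path one token at a time until it ends in
    an executable extension; a token starting with / or - is an argument.
    So "regsvr32 /s mqrt.dll" is regsvr32 with two arguments, and a checker
    that treats the whole string as a filename will call it "missing".
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                     # unterminated quote: take the rest
            return cmd[1:], [], True
        return cmd[1:end], cmd[end + 1:].split(), True
    tokens = cmd.split()
    n = 1
    while n < len(tokens):
        if " ".join(tokens[:n]).lower().endswith(EXEC_EXT):
            break
        if tokens[n][0] in "/-":
            break
        n += 1
    return " ".join(tokens[:n]), tokens[n:], False


def autostarts(parsed):
    """Decode O4 ..\\Run entries; flag unquoted paths that contain spaces.

    Unquoted "C:\\Program Files\\..." is ambiguous to CreateProcess (it tries
    C:\\Program.exe first), so autostart and service paths should be quoted.
    """
    out = []
    for code, rest in parsed["entries"]:
        if code != "O4":
            continue
        m = O4_RUN_RE.match(rest)
        if not m:
            continue                      # Startup-folder form, not handled here
        exe, args, quoted = split_command(m.group("cmd"))
        out.append({"hive": m.group("hive"), "name": m.group("name"),
                    "exe": exe, "args": args,
                    "unquoted_spaces": (not quoted) and (" " in exe)})
    return out


def file_missing(parsed):
    """Entries HJT tagged "(file missing)". Confirm on disk before reading
    the tag as tampering: the thread notes the O18 ones are a HJT quirk."""
    return [(c, r) for c, r in parsed["entries"] if r.endswith("(file missing)")]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in autostarts(parsed):
        flag = "  <- unquoted path with spaces" if e["unquoted_spaces"] else ""
        print(f'{e["name"]:12} {e["exe"]} {e["args"]}{flag}')
    for code, rest in file_missing(parsed):
        print(f"{code}: {rest}")
```

Run it against a full saved log by replacing SAMPLE_LOG with the file contents; the "(file missing)" list and the unquoted-path flags are the two things worth checking by hand before deleting anything.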

#8 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 18 March 2006 - 08:22 PM

AndyManchesta, on Mar 18 2006, 02:14 PM, said: (first paragraph of post #7 above, about tweaking tools and registry cleaners)
I have been playing with TuneUp Utilities this week, but my problems started before that. I do use reg cleaners, but I only allow them to remove entries that are associated with uninstalled programs so I don't think that the issue lies there. I've been using reg cleaners for a while and have never had any problems.

AndyManchesta, on Mar 18 2006, 02:14 PM, said: (remainder of post #7 above, about the Spybot scan results and regsvr32)
Thanks Andy. No rush. ;)

#9 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 19 March 2006 - 12:15 AM

Andy I tried to send you a PM, but CCleaner's site isn't working properly right now.

Are you wanting me to post my services and their settings? I wasn't clear about that. Would that be useful even though they keep changing themselves? <_<

MP said that it's the computer gremlins. I need a gremlin fog/killer. :lol:

#10 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 19 March 2006 - 12:27 AM

Hi K

I didn't mean for you to post all the services, and I'm not sure what's making ones that are set to disabled re-enable themselves when you reboot. Maybe worth checking your Event Viewer to see if any of the Information events show Windows Defender blocking any changes. If there are, try shutting down Defender just to test it, make the changes you want (click Apply then OK) and reboot to see if they are changed. Spybot's TeaTimer feature could also block changes, or other registry monitoring programs, so let us know if you have any enabled.

With the Spybot System Internals scan I'd leave them as they are not causing any issues. I'm not familiar with TuneUp, is this the site http://www.tune-up.com/ (Maybe I've just been living in a cave and it's really well known :) )

#11 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 19 March 2006 - 12:44 AM

AndyManchesta, on Mar 18 2006, 06:27 PM, said: (post #10 above, quoted in full)
I will check Event Viewer again. I have only skimmed through it recently. I may have even cleaned it...we'll see.

Windows Defender, good idea. I have TeaTimer turned off. I think that it was Andavari who said that too many real-time protection thingies will conflict with one another.

TuneUp is soooo much fun. I probably won't pay for it though. I'm not convinced that it's worth the price. Yes it's very popular and that is the correct link. ;)

I'll be back a little later with more info. Thanks again. :D

#12 Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 19 March 2006 - 01:11 AM

AndyManchesta, on Mar 17 2006, 07:22 PM, said: (post #2 above, suggesting Windows Messenger be removed with Doug Knox's script)
I wouldn't advise doing that, because if you rip out Windows Messenger you break the Remote Assistance functionality.

AndyManchesta, on Mar 17 2006, 07:49 PM, said: (post #4 above, on Windows Messenger showing you as online to your contacts)
You also cannot sign into the same account with two different Windows/MSN Messengers. So if she goes invisible on one Messenger, no one would see her unless she had two accounts and either were not set to invisible. ;)

#13 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 19 March 2006 - 01:23 AM

Hey Tarun

I wouldn't describe it as ripping out Messenger, it's just uninstalling it :) If people did want someone else to control their computer remotely via Messenger sometime then yes, as Tarun says, keep it installed. However it will always be on the Windows Update site after it is removed if that option is ever needed.

EDIT: I've just tried running MSN and Windows Messenger together and Tarun is correct, it's not possible to have them both enabled at the same time. When it happened to me I must have had MSN Messenger set to not log in on reboot for Windows Messenger to be able to run and show I was online to my contacts (it was over a year ago so I cannot remember). Thanks for pointing that out.

Don't remove Windows Messenger for that reason, but do still consider removing it or disabling it because it's poor and not much use starting with Windows if the MSN version is installed :)

#14 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 19 March 2006 - 04:46 AM

I'm kinda posting more than necessary probably, but I don't know what some of it means. So ignore the unnecessary, okay? :)

#15 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 19 March 2006 - 04:58 AM

What does it mean when it says: The service has successfully been sent a start control?

Maybe I should repair my permissions?

#16 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 19 March 2006 - 05:30 AM

Well, well, well.

Defender is the gremlin. I'm getting rid of it now. :P

Thanks!
K

#17 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 19 March 2006 - 05:37 AM

Hey K

I'm just posting on another forum but will check your events soon and see if I can help explain any. You could maybe disable Windows Defender, make the changes, then enable it, rather than uninstall it. It is a beta test though, so that's a reason I wanted you to temporarily disable it, to see if it was interfering with making the service reg changes.

I don't have it on my PCs but I'm sure it would provide decent protection for when it's needed.

#18 krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 19 March 2006 - 05:58 AM

AndyManchesta, on Mar 18 2006, 11:37 PM, said: (post #17 above, quoted in full)
I'm thinking about it. I could just disable it when I want to, and it's funny that you said that because I just posted that in another forum. :D

I am also still considering uninstalling it all together. I am probably secure enough without it, but I would need to reinstall it anytime that I post a HJT log anywhere. Most forums require that WD be used as part of the scanning before posting a log.

Third option that I just thought of. Keep it disabled until I need it. Once a month I run about 10 scanners in safe mode with my ethernet wire unplugged. I could just use it at those times.

Between my router, eTrust & TeaTimer realtime protection I will probably be fine. I really like TeaTimer a lot too. If you install software that wants to install itself in your startup menu you can accept or reject that action. Same thing with the registry.

#19 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 19 March 2006 - 06:13 AM

Hi K

I took the lazy option and used Event Id to check them out :) It's a very useful site if you need to check events anytime, but you have to pay to access some areas (I haven't though and still find it useful). I didn't get info on them all through that site, but here are the ones I did find:

Quote

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1004
Date: 3/18/2006
Time: 4:05:20 PM
User: krit86lr
Computer: krit86lr
Description:
Detection of product '{B835B495-9BE4-4C9F-929B-1DFEE3D189B3}', feature 'MsgrFeat', component '{33EF8657-5705-47D4-B01F-E96A27C1D8BD}' failed. The resource 'HKEY_CLASSES_ROOT\Typelib\{53CED51D-432B-45B2-A3E0-0CE2C24235D4}\' does not exist.

http://www.eventid.net/display.asp?eventid...staller&phase=1


Quote

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 3/18/2006
Time: 4:05:20 PM
User: krit86lr
Computer: krit86lr
Description:
Detection of product '{B835B495-9BE4-4C9F-929B-1DFEE3D189B3}', feature 'MsgrFeat' failed during request for component '{C6638736-7004-4E1D-A5BC-30110004EFC5}'

http://www.eventid.net/display.asp?eventid...staller&phase=1

Quote

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11728
Date: 3/18/2006
Time: 4:05:43 PM
User: krit86lr
Computer: krit86lr
Description:
Product: Messenger Beta -- Configuration completed successfully
Data:
0000: 7b 42 38 33 35 42 34 39 {B835B49
0008: 35 2d 39 42 45 34 2d 34 5-9BE4-4
0010: 43 39 46 2d 39 32 39 42 C9F-929B
0018: 2d 31 44 46 45 45 33 44 -1DFEE3D
0020: 31 38 39 42 33 7d 189B3}

http://www.eventid.net/display.asp?eventid...staller&phase=1

Quote

Event Type: Information
Event Source: ESENT
Event Category: Logging/Recovery
Event ID: 300
Date: 3/18/2006
Time: 4:05:55 PM
User: N/A
Computer: krit86lr
Description:
msnmsgr (792) \\.\C:\Documents and Settings\Phish\Local Settings\Application Data\Microsoft\Messenger\krit86lr@hotmail.com\SharingMetadata\Working\database_FE98_6B2C_986A_E29F\dfsr.db: The database engine is initiating recovery steps.

http://www.eventid.net/display.asp?eventid...%20ISAM&phase=1

Have you named a folder 'Phish'? :blink:

Quote

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 3/18/2006
Time: 4:05:53 PM
User: NT AUTHORITY\SYSTEM
Computer: krit86lr
Description:
The Messenger Sharing USN Journal Reader service service was successfully sent a start control.

http://www.eventid.net/display.asp?eventid...Manager&phase=1

Quote

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7011
Date: 3/18/2006
Time: 11:45:27 AM
User: N/A
Computer: krit86lr
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the RemoteRegistry service.

http://www.eventid.net/display.asp?eventid...Manager&phase=1

Quote

Event Type: Information
Event Source: BROWSER
Event Category: None
Event ID: 8033
Date: 3/18/2006
Time: 11:32:34 AM
User: N/A
Computer: krit86lr
Description:
The browser has forced an election on network \Device\NetBT_Tcpip_{4XX96XX5-1XX6-4XXC-A6XX-DDXX7FXXCXXE} because a master browser was stopped.

http://www.eventid.net/display.asp?eventid...BROWSER&phase=1

Quote

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 3/17/2006
Time: 11:34:52 PM
User: N/A
Computer: krit86lr
Description:
File replacement was attempted on the protected system file c:\program files\outlook express\msimn.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.

http://www.eventid.n...d=64002&source=

Quote

Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6009
Date: 3/17/2006
Time: 11:32:27 PM
User: N/A
Computer: KRISTIN
Description:
Microsoft ® Windows ® 5.01. 2600 Service Pack 2 Uniprocessor Free.

http://www.eventid.net/display.asp?eventid...ventLog&phase=1
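
As an added example (not code from this thread or from Event Id), here is a small Python triage of entries pasted in Event Viewer's copy/paste layout like the ones above: it parses each entry and flags the (source, id) pairs worth a second look, pulling out the touched file for the Windows File Protection 64002 entry. The WATCH rules are hypothetical, and the sample is constructed from two of the entries quoted above.

```python
import re
# Constructed sample: two entries quoted in this thread, in Event Viewer's copy/paste layout.
SAMPLE = """\
Event Type: Information
Event Source: Windows File Protection
Event ID: 64002
Description:
File replacement was attempted on the protected system file c:\\program files\\outlook express\\msimn.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7011
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the RemoteRegistry service.
"""
FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# Hypothetical triage rules: (source, id) pairs worth a second look, and what to check.
WATCH = {("Windows File Protection", 64002): "protected file overwritten and reverted: find what wrote it",
         ("Service Control Manager", 7011): "service timeout: check whether it recurs for the same service"}

def parse_events(text):
    """Pasted Event Viewer text -> list of dicts; Description runs to the next 'Event Type:'."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":            # each entry starts with this field
            cur, in_desc = {"Description": []}, False
            events.append(cur)
        if line.strip() == "Description:":
            in_desc = True
        elif in_desc and line.strip():
            cur["Description"].append(line.strip())
        elif m and not in_desc:
            cur[m.group(1)] = m.group(2).strip()
    for e in events:
        e["Description"] = " ".join(e["Description"])
        e["Event ID"] = int(e["Event ID"])
    return events

def triage(events):
    """Keep only WATCH-listed events; for WFP 64002 also pull out the file that was touched."""
    hits = []
    for e in events:
        key = (e.get("Event Source"), e.get("Event ID"))
        if key in WATCH:
            hit = {"id": e["Event ID"], "source": e["Event Source"], "why": WATCH[key]}
            m = re.search(r"protected system file (.+?)\. This file", e["Description"])
            if m:
                hit["file"] = m.group(1)
            hits.append(hit)
    return hits
```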


#20 OFFLINE   krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 19 March 2006 - 06:50 AM

Did you read them? Are they okay? ;) (I'm the one being lazy. I could have looked that up for you if you had asked. I have the Event ID link bookmarked.) :P

I just finished changing all of my settings. WD will just be disabled until I need it for something. :D

Yes, I have a folder named Phish and it's also my username. They are one of the greatest bands ever! :D