Full Version: Hey! HJT Log :)
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
krit86lr
Hey Andy,

I'm posting 2 HJT logs. My router was turned off for a few days, and I just want to be sure that I didn't catch anything during that time. I fixed some things on the first log, and then made a new log.

Here is the 1st Log!
Logfile of HijackThis v1.99.1
Scan saved at 1:27:41 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142050658658
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140500544249
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

2nd Scan:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:20 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142050658658
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140500544249
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Thanks Andy!
K

AndyManchesta
Hi K

You have a virus infection!

Only joking, it's fine. The only thing I can see that you might want to consider is uninstalling Windows Messenger, as you have MSN Messenger installed and they both start with Windows.

If you want to remove Windows Messenger at any time, use Doug Knox's script, as it also makes a slight tweak to the registry to prevent Outlook taking a long time to open after Windows Messenger is removed.

You can get the script and the instructions here; it's very simple:

http://www.dougknox.com/xp/tips/xp_messenger_remove.htm

Chat to you later

Andy
krit86lr
QUOTE(AndyManchesta @ Mar 17 2006, 06:22 PM) [snapback]33112[/snapback]

Hi K

You have a virus infection!

Only joking, it's fine. The only thing I can see that you might want to consider is uninstalling Windows Messenger, as you have MSN Messenger installed and they both start with Windows.

If you want to remove Windows Messenger at any time, use Doug Knox's script, as it also makes a slight tweak to the registry to prevent Outlook taking a long time to open after Windows Messenger is removed.

You can get the script and the instructions here; it's very simple:

http://www.dougknox.com/xp/tips/xp_messenger_remove.htm

Chat to you later

Andy

You scared me!!!

A few quick questions. I am using Windows Live Beta Messenger right now, so I'm not sure which one is directly linked to it.

Also, I use Thunderbird so I don't care about Outlook.

I'm having problems with my services settings changing every time I reboot. Can I do something to change that? I'm the administrator, so I don't understand why ALL of my settings are changed on every reboot. This has been a fairly recent thing, so I thought maybe something (besides me) was controlling my computer.

Thanks!
AndyManchesta
Yes, that was probably a bad joke.

Windows Messenger is really poor and not needed now you have MSN Messenger. It could also mean that if you set yourself to offline with MSN, all your contacts can still see you're online, as you're signed into Windows Messenger. It's up to you if you want to remove it, as you could just remove its start-up entry by opening Windows Messenger, choosing Options or Preferences and unchecking the "start with Windows" option; I cannot remember exactly which option it is, as I removed that from my own PC when I installed MSN Messenger. It will not affect Windows Live Beta Messenger in any way. You can see it's connected to MSN, as they are the O18 (file missing) entries; they are not missing though, it's just a small bug in HijackThis which happens on some of the entries, so it can be ignored.

Even though you do not use Outlook, the script from Doug Knox is very easy to use and very quick, so it's probably the best option. I could easily post the command to uninstall the messenger using the Run box, but with his VB file making the slight tweak to the registry it's a better option.

Can you explain more about your services settings, as I'm not sure exactly what you mean. There's certainly no indication of backdoor trojans in the log to allow someone access, but if you are worried that it may be infected, run a scan with Panda.

If needed, run Panda ActiveScan from Here.

Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

If you can let me know what services are changing, I will try to help with that.

Andy
krit86lr
Thanks Andy. It was a good joke because it worked! (for a second at least)

When I go to services.msc I have Messenger disabled so I don't know why it won't go away. I will use your tweak in a few minutes.

What I mean by services: Run > services.msc
* When I set my services to be disabled/manual/automatic, the settings are changed on reboot, and on every reboot it is different services that are changed. Why would this be happening?

A few minutes ago I got this error: C:\System Volume Information is not accessible. Access is denied. I'll do the Panda scan a little later; it takes very long. This morning I ran all of my scanners in safe mode with my ethernet cable unplugged. Should I run Panda in safe mode with networking?

What does all of this mean?
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-02-20 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-10 Includes\Cookies.sbi
2006-03-10 Includes\Dialer.sbi
2006-03-10 Includes\Hijackers.sbi
2006-03-10 Includes\Keyloggers.sbi
2006-03-10 Includes\Malware.sbi
2006-03-10 Includes\PUPS.sbi
2006-03-10 Includes\Revision.sbi
2006-03-10 Includes\Security.sbi
2006-03-10 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-03-10 Includes\Trojans.sbi

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\install.exe
Filename: install.exe
Data:

Category: Startup file does not exist
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsmqIntCert
Filename: regsvr32 /s mqrt.dll
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe
Filename: setup.exe
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\table30.exe
Filename: table30.exe
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\winnt32.exe
Filename: winnt32.exe
Data:
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-02-20 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-10 Includes\Cookies.sbi
2006-03-10 Includes\Dialer.sbi
2006-03-10 Includes\Hijackers.sbi
2006-03-10 Includes\Keyloggers.sbi
2006-03-10 Includes\Malware.sbi
2006-03-10 Includes\PUPS.sbi
2006-03-10 Includes\Revision.sbi
2006-03-10 Includes\Security.sbi
2006-03-10 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-03-10 Includes\Trojans.sbi

Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AudioHQ)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"

(Branding)
What is this Branding thing? It's not in my Control Panel. Bug in Spybot?
CCleaner (remove only) (CCleaner)
uninstall cmd: "C:\Program Files\CCleaner\uninst.exe"
Spybot says that regsvr32 /s mqrt.dll - Startup file does not exist. (Sorry for the long post.)
krit86lr
Sorry Andy, but I wasn't able to follow your instructions. I did run the Panda scan, and all came up clean, but I could only see half of the page/screen (it was like it was cut in half). So I couldn't save the report, because I didn't see the option to do so.

I suppose that I'm not infected, which is good, but it's weird that my services are adjusting themselves.

Yesterday... my Remote Registry was set to automatic, and started. That scared the crap out of me.
AndyManchesta
Hi K

Sorry for the delay, I've been very busy today and will be for another couple of hours, but will try to get a reply to you when I get back home a bit later. Have you been running any tweaking tools that would change services or disable them (or change anything connected to Windows)? Or registry cleaners that will remove invalid entries? A lot of these reg cleaners can do more damage than good, because there are so many different areas of the registry that can reference a file. I personally do not use any reg cleaner (not even CCleaner's), as leftover entries are not a problem, and if the cleaners make a mistake that can create a problem that wasn't there originally.

The Spybot system scan is similar to a reg cleaner and looks for invalid entries or paths. All the applications in your scan look valid; however, it's showing the key isn't pointing at the application. It has probably been replaced by the correct key. You could probably delete them without any problems, but I wouldn't bother, as they are not doing any harm apart from using a tiny amount of space. If in doubt, best to leave them alone. System Volume Information isn't accessible and you will get access denied messages when attempting to open the folder; this is one reason AV scanners say you need to turn System Restore off before scanning, but it's not required, as you can easily flush the restore points and start a fresh one.

regsvr32 /s mqrt.dll means it's registering the mqrt.dll file silently. As long as the mqrt.dll file exists, that's fine to leave. If Spybot is looking for a file named 'regsvr32 /s mqrt.dll' then it will not find it, so that could be what's happening.

I've only had a quick look at them, but will check them again when I get back later and check out the services issues you are having.

Andy
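As an added example (not code from this thread, HijackThis or Spybot), a small Python triage script for the HJT entry types discussed above. It extracts the file an O4/O18/O23 entry actually loads, so a command-line value such as regsvr32 /s mqrt.dll is checked by its DLL rather than by the literal string Spybot tested, and it separates the quoted 8.3 short-path "(file missing)" O18 entries from genuinely orphaned ones. The sample lines are copied from the logs posted in this thread; the verdict labels are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: entries copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
"""


@dataclass
class HjtEntry:
    section: str        # O4, O18 or O23
    label: str          # Run value name, .lnk name, protocol name or service name
    command: str        # the raw command line / path HijackThis printed
    file_missing: bool  # HijackThis appended "(file missing)"


_O4 = re.compile(r"^O4 - (?:HK\w+\\\.\.\\Run|Startup): (?:\[(?P<name>[^\]]+)\] |(?P<lnk>[^=]+) = )(?P<cmd>.*)$")
_O18 = re.compile(r"^O18 - Protocol: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - .+? - (?P<cmd>.*)$")
_MISSING = " (file missing)"
# A quoted path, or an unquoted drive path (spaces allowed) up to a known executable extension.
_PATH = re.compile(r'"(?P<q>[^"]+)"|(?P<u>[A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|bat|cmd))(?=\s|$)', re.I)


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one O4/O18/O23 line; any other section returns None."""
    line = line.rstrip()
    missing = line.endswith(_MISSING)
    if missing:
        line = line[: -len(_MISSING)]
    for section, rx in (("O4", _O4), ("O18", _O18), ("O23", _O23)):
        m = rx.match(line)
        if m:
            groups = m.groupdict()
            label = groups.get("name") or groups.get("lnk") or ""
            return HjtEntry(section, label.strip(), groups["cmd"].strip(), missing)
    return None


def target_of(command: str) -> str:
    """Return the file an entry really loads, not the literal Run value.

    Spybot flagged 'regsvr32 /s mqrt.dll' as 'Startup file does not exist'
    because it tested the whole string as a path; the file to check is the
    DLL passed to regsvr32.
    """
    tokens = command.split()
    if tokens:
        host = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
        if host in ("regsvr32", "regsvr32.exe"):
            for tok in tokens[1:]:
                if not tok.startswith("/"):      # first non-switch argument is the DLL
                    return tok.strip('"')
    m = _PATH.search(command)
    if m:
        return m.group("q") or m.group("u")
    return command


def triage(log_text: str) -> List[Dict[str, str]]:
    """Classify each startup/protocol/service entry for manual review."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_hjt_line(raw)
        if entry is None:
            continue
        target = target_of(entry.command)
        if entry.file_missing and "~" in target:
            # Quoted 8.3 short path reported missing: the case Andy describes for the
            # O18 MSN entries. Confirm on disk before treating it as orphaned.
            verdict = "file-missing-8.3"
        elif entry.file_missing:
            verdict = "file-missing"        # orphaned entry: nothing loads, review/remove
        elif target.lower() != entry.command.strip('"').lower():
            verdict = "command-line"        # host or arguments present: check the target file
        else:
            verdict = "path"                # plain path: verify the file and its publisher
        findings.append({"section": entry.section, "label": entry.label,
                         "target": target, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['verdict']:<17} {f['label']:<20} {f['target']}")
```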
krit86lr
QUOTE(AndyManchesta @ Mar 18 2006, 02:14 PM) [snapback]33200[/snapback]

Hi K

Sorry for the delay, I've been very busy today and will be for another couple of hours, but will try to get a reply to you when I get back home a bit later. Have you been running any tweaking tools that would change services or disable them (or change anything connected to Windows)? Or registry cleaners that will remove invalid entries? A lot of these reg cleaners can do more damage than good, because there are so many different areas of the registry that can reference a file. I personally do not use any reg cleaner (not even CCleaner's), as leftover entries are not a problem, and if the cleaners make a mistake that can create a problem that wasn't there originally.

I have been playing with TuneUp Utilities this week, but my problems started before that. I do use reg cleaners, but I only allow them to remove entries that are associated with uninstalled programs so I don't think that the issue lies there. I've been using reg cleaners for a while and have never had any problems.
QUOTE(AndyManchesta @ Mar 18 2006, 02:14 PM) [snapback]33200[/snapback]

The Spybot system scan is similar to a reg cleaner and looks for invalid entries or paths. All the applications in your scan look valid; however, it's showing the key isn't pointing at the application. It has probably been replaced by the correct key. You could probably delete them without any problems, but I wouldn't bother, as they are not doing any harm apart from using a tiny amount of space. If in doubt, best to leave them alone. System Volume Information isn't accessible and you will get access denied messages when attempting to open the folder; this is one reason AV scanners say you need to turn System Restore off before scanning, but it's not required, as you can easily flush the restore points and start a fresh one.

regsvr32 /s mqrt.dll means it's registering the mqrt.dll file silently. As long as the mqrt.dll file exists, that's fine to leave. If Spybot is looking for a file named 'regsvr32 /s mqrt.dll' then it will not find it, so that could be what's happening.

I've only had a quick look at them, but will check them again when I get back later and check out the services issues you are having.

Andy

Thanks Andy. No rush.
krit86lr
Andy I tried to send you a PM, but CCleaner's site isn't working properly right now.

Are you wanting me to post my services and their settings? I wasn't clear about that. Would that be useful even though they keep changing themselves?

MP said that it's the computer gremlins. I need a gremlin fog/killer.
AndyManchesta
Hi K

I didn't mean for you to post all the services, and I'm not sure what's making ones that are set to disabled re-enable themselves when you reboot. Maybe worth checking your Event Viewer to see if any of the Information events show Windows Defender blocking any changes. If there are, try shutting down Defender just to test it, make the changes you want (click Apply then OK) and reboot to see if they are changed. Spybot's TeaTimer feature could also block changes, or other registry monitoring programs, so let us know if you have any enabled.

With the Spybot System Internals scan I'd leave them, as they are not causing any issues. I'm not familiar with TuneUp; is this the site http://www.tune-up.com/ ? (Maybe I've just been living in a cave and it's really well known.)
krit86lr
QUOTE(AndyManchesta @ Mar 18 2006, 06:27 PM) [snapback]33222[/snapback]

Hi K

I didn't mean for you to post all the services, and I'm not sure what's making ones that are set to disabled re-enable themselves when you reboot. Maybe worth checking your Event Viewer to see if any of the Information events show Windows Defender blocking any changes. If there are, try shutting down Defender just to test it, make the changes you want (click Apply then OK) and reboot to see if they are changed. Spybot's TeaTimer feature could also block changes, or other registry monitoring programs, so let us know if you have any enabled.

With the Spybot System Internals scan I'd leave them, as they are not causing any issues. I'm not familiar with TuneUp; is this the site http://www.tune-up.com/ ? (Maybe I've just been living in a cave and it's really well known.)

I will check Event Viewer again. I have only skimmed through it recently. I may have even cleaned it... we'll see.

Windows Defender, good idea. I have TeaTimer turned off. I think that it was Andavari who said that too many real-time protection thingies will conflict with one another.

TuneUp is soooo much fun. I probably won't pay for it though. I'm not convinced that it's worth the price. Yes, it's very popular and that is the correct link.

I'll be back a little later with more info. Thanks again.
Tarun
QUOTE(AndyManchesta @ Mar 17 2006, 07:22 PM) [snapback]33112[/snapback]

Hi K

You have a virus infection!

Only joking, it's fine. The only thing I can see that you might want to consider is uninstalling Windows Messenger, as you have MSN Messenger installed and they both start with Windows.

If you want to remove Windows Messenger at any time, use Doug Knox's script, as it also makes a slight tweak to the registry to prevent Outlook taking a long time to open after Windows Messenger is removed.

You can get the script and the instructions here; it's very simple:

http://www.dougknox.com/xp/tips/xp_messenger_remove.htm

Chat to you later

Andy

I wouldn't advise doing that, because if you rip out Windows Messenger you break the Remote Assistance functionality.

QUOTE(AndyManchesta @ Mar 17 2006, 07:49 PM) [snapback]33116[/snapback]
Windows Messenger is really poor and not needed now you have MSN Messenger. It could also mean that if you set yourself to offline with MSN, all your contacts can still see you're online, as you're signed into Windows Messenger. It's up to you if you want to remove it, as you could just remove its start-up entry by opening Windows Messenger, choosing Options or Preferences and unchecking the "start with Windows" option; I cannot remember exactly which option it is, as I removed that from my own PC when I installed MSN Messenger. It will not affect Windows Live Beta Messenger in any way. You can see it's connected to MSN, as they are the O18 (file missing) entries; they are not missing though, it's just a small bug in HijackThis which happens on some of the entries, so it can be ignored.

Andy

You also cannot sign into the same account with two different Windows/MSN Messengers. So if she goes invisible on one Messenger, no one would see her unless she had two accounts and either were not set to invisible.
AndyManchesta
Hey Tarun

I wouldn't describe it as ripping out Messenger, it's just uninstalling it. If people did want someone else to control their computer remotely via Messenger some time, then yes, as Tarun says, keep it installed. However, it will always be on the Windows Updates site after it is removed if that option is ever needed.

EDIT: I've just tried running MSN and Windows Messenger together and Tarun is correct; it's not possible to have them both enabled at the same time. When it happened to me I must have had MSN Messenger set to not log in on reboot for Windows Messenger to be able to run and show I was online to my contacts (it was over a year ago, so I cannot remember). Thanks for pointing that out.

Don't remove Windows Messenger for that reason, but do still consider removing it or disabling it, because it's poor and not much use starting with Windows if the MSN version is installed.
krit86lr
I'm kinda posting more than necessary probably, but I don't know what some of it means. So ignore the unnecessary, okay?
krit86lr
What does it mean when it says: The service has successfully been sent a start control?

Maybe I should repair my permissions?
krit86lr
Well, well, well.

Defender is the gremlin. I'm getting rid of it now.

Thanks!
K
AndyManchesta
Hey K

I'm just posting on another forum, but will check your events soon and see if I can help explain any. You can maybe disable Windows Defender and make the changes, then enable it, rather than uninstall it. It is a beta test though, so that's a reason I wanted you to temporarily disable it: to see if it was interfering with making the service registry changes.

I don't have it on my PCs, but I'm sure it would provide decent protection for when it's needed.
krit86lr
QUOTE(AndyManchesta @ Mar 18 2006, 11:37 PM) [snapback]33280[/snapback]

Hey K

I'm just posting on another forum, but will check your events soon and see if I can help explain any. You can maybe disable Windows Defender and make the changes, then enable it, rather than uninstall it. It is a beta test though, so that's a reason I wanted you to temporarily disable it: to see if it was interfering with making the service registry changes.

I don't have it on my PCs, but I'm sure it would provide decent protection for when it's needed.

I'm thinking about it. I could just disable it when I want to, and it's funny that you said that because I just posted that in another forum.

I am also still considering uninstalling it altogether. I am probably secure enough without it, but I would need to reinstall it any time that I post a HJT log anywhere. Most forums require that WD be used as part of the scanning before posting a log.

Third option that I just thought of: keep it disabled until I need it. Once a month I run about 10 scanners in safe mode with my ethernet wire unplugged. I could just use it at those times.

Between my router, eTrust and TeaTimer real-time protection I will probably be fine. I really like TeaTimer a lot too. If you install software that wants to install itself in your startup menu, you can accept or reject that action. Same thing with the registry.
AndyManchesta
Hi K

I took the lazy option and used Event ID to check them out. It's a very useful site if you need to check events any time, but you have to pay to access some areas (I haven't though, and still find it useful). I didn't get info on them all through that site, but here are the ones I did find:

QUOTE
Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1004
Date: 3/18/2006
Time: 4:05:20 PM
User: krit86lr
Computer: krit86lr
Description:
Detection of product '{B835B495-9BE4-4C9F-929B-1DFEE3D189B3}', feature 'MsgrFeat', component '{33EF8657-5705-47D4-B01F-E96A27C1D8BD}' failed. The resource 'HKEY_CLASSES_ROOT\Typelib\{53CED51D-432B-45B2-A3E0-0CE2C24235D4}\' does not exist.

http://www.eventid.net/display.asp?eventid...staller&phase=1
QUOTE
Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 3/18/2006
Time: 4:05:20 PM
User: krit86lr
Computer: krit86lr
Description:
Detection of product '{B835B495-9BE4-4C9F-929B-1DFEE3D189B3}', feature 'MsgrFeat' failed during request for component '{C6638736-7004-4E1D-A5BC-30110004EFC5}'

http://www.eventid.net/display.asp?eventid...staller&phase=1


QUOTE
Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11728
Date: 3/18/2006
Time: 4:05:43 PM
User: krit86lr
Computer: krit86lr
Description:
Product: Messenger Beta -- Configuration completed successfully
Data:
0000: 7b 42 38 33 35 42 34 39 {B835B49
0008: 35 2d 39 42 45 34 2d 34 5-9BE4-4
0010: 43 39 46 2d 39 32 39 42 C9F-929B
0018: 2d 31 44 46 45 45 33 44 -1DFEE3D
0020: 31 38 39 42 33 7d 189B3}

http://www.eventid.net/display.asp?eventid...staller&phase=1


QUOTE
Event Type: Information
Event Source: ESENT
Event Category: Logging/Recovery
Event ID: 300
Date: 3/18/2006
Time: 4:05:55 PM
User: N/A
Computer: krit86lr
Description:
msnmsgr (792) \\.\C:\Documents and Settings\Phish\Local Settings\Application Data\Microsoft\Messenger\krit86lr@hotmail.com\SharingMetadata\Working\database_FE98_6B2C_986A_E29F\dfsr.db: The database engine is initiating recovery steps.

http://www.eventid.net/display.asp?eventid...%20ISAM&phase=1


Have you named a folder 'Phish'?

QUOTE
Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 3/18/2006
Time: 4:05:53 PM
User: NT AUTHORITY\SYSTEM
Computer: krit86lr
Description:
The Messenger Sharing USN Journal Reader service service was successfully sent a start control.

http://www.eventid.net/display.asp?eventid...Manager&phase=1


QUOTE
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7011
Date: 3/18/2006
Time: 11:45:27 AM
User: N/A
Computer: krit86lr
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the RemoteRegistry service.

http://www.eventid.net/display.asp?eventid...Manager&phase=1


QUOTE
Event Type: Information
Event Source: BROWSER
Event Category: None
Event ID: 8033
Date: 3/18/2006
Time: 11:32:34 AM
User: N/A
Computer: krit86lr
Description:
The browser has forced an election on network \Device\NetBT_Tcpip_{4XX96XX5-1XX6-4XXC-A6XX-DDXX7FXXCXXE} because a master browser was stopped.

http://www.eventid.net/display.asp?eventid...BROWSER&phase=1


QUOTE
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 3/17/2006
Time: 11:34:52 PM
User: N/A
Computer: krit86lr
Description:
File replacement was attempted on the protected system file c:\program files\outlook express\msimn.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.

http://www.eventid.net/display.asp?eventid=64002&source=


QUOTE
Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6009
Date: 3/17/2006
Time: 11:32:27 PM
User: N/A
Computer: KRISTIN
Description:
Microsoft ® Windows ® 5.01. 2600 Service Pack 2 Uniprocessor Free.

http://www.eventid.net/display.asp?eventid...ventLog&phase=1
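A small triage helper for entries pasted in this Event Viewer format, as an added example that is not part of the thread: it parses the copied text, flags anything above Information level plus Windows File Protection 64002 restores (something tried to overwrite a protected file), and builds a lookup link in the form the eventid.net links above take (the exact URL form and the sample entries are assumptions modelled on this thread).

```python
import re
from urllib.parse import urlencode

# Constructed sample in the format Event Viewer produces when an entry is
# copied to the clipboard (two entries modelled on the ones in this thread).
SAMPLE = """Event Type: Error
Event Source: Service Control Manager
Event ID: 7011
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the RemoteRegistry service.

Event Type: Information
Event Source: Windows File Protection
Event ID: 64002
Description:
File replacement was attempted on the protected system file c:\\program files\\outlook express\\msimn.exe. This file was restored to the original version.
"""

def parse_events(text):
    """Split pasted text into one dict per entry; 'Description' keeps the free text."""
    events = []
    for block in re.split(r"\n(?=Event Type:)", text.strip()):
        head, _, desc = block.partition("Description:")
        ev = {"Description": desc.strip()}
        for line in head.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                ev[key.strip()] = val.strip()
        events.append(ev)
    return events

# (source, id) pairs worth a second look even at Information level:
# WFP 64002 means something tried to overwrite a protected file and it was restored.
REVIEW_IDS = {("Windows File Protection", "64002")}

def triage(events):
    """Return (entry, reason) pairs for entries that deserve a closer look."""
    flagged = []
    for ev in events:
        if ev.get("Event Type") in ("Error", "Warning"):
            flagged.append((ev, "non-informational event"))
        elif (ev.get("Event Source"), ev.get("Event ID")) in REVIEW_IDS:
            flagged.append((ev, "protected system file was replaced and restored"))
    return flagged

def eventid_url(ev):
    """Lookup link in the form of the eventid.net links above (exact form assumed)."""
    q = {"eventid": ev["Event ID"], "source": ev["Event Source"], "phase": "1"}
    return "http://www.eventid.net/display.asp?" + urlencode(q)
```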
krit86lr
Did you read them? Are they okay? (I'm the one being lazy. I could have looked that up for you if you had asked. I have the Event ID link bookmarked.)

I just finished changing all of my settings. WD will just be disabled until I need it for something.

Yes, I have a folder named Phish and it's also my username. They are one of the greatest bands ever!
AndyManchesta
QUOTE
I'm thinking about it. I could just disable it when I want to, and it's funny that you said that because I just posted that in another forum.

I am also still considering uninstalling it all together. I am probably secure enough without it, but I would need to reinstall it anytime that I post a HJT log anywhere. Most forums require that WD be used as part of the scanning before posting a log.

Third option that I just thought of. Keep it disabled until I need it. Once a month I run about 10 scanners in safe mode with my ethernet wire unplugged. I could just use it at those times.

Between my router, eTrust & TeaTimer real-time protection I will probably be fine. I really like TeaTimer a lot too. If you install software that wants to install itself in your startup menu you can accept or reject that action. Same thing with the registry.


I find that a lot of sites do not recommend Windows Defender with it being a beta test; anyone who runs beta software should be willing to re-install their OS if the program causes damage, and even though that should never happen the person should understand it's a possibility before using it. Since Beta 2 was released more and more sites may be promoting it as a lot of the original bugs were fixed, but I believe that's a personal choice the user should make, so I would let them know it's available and maybe say they should consider using it but wouldn't insist they use beta software in case there are conflicts or new bugs. It's also only compatible with SP2 on XP so that's another reason I wouldn't include it as an essential step before posting a log, as the user may not realize and decide to give up and keep the spyware rather than say they didn't follow all the steps because they didn't have SP2 for whatever reason. It's definitely something I would recommend when it comes out of beta but there's plenty of alternative programs to use until then.

TeaTimer is excellent like you say but should always be disabled before fixing malware; it can remember settings and restore the malware reg entries otherwise and generally make things a lot more difficult to clean up. On clean PCs that's not an issue though, so it would be a good idea to use it.

It's your choice how you want to handle Windows Defender. If you can make the changes when it's disabled then, like you said, it may be best doing that.

I cannot see any Events to be concerned about; some may be connected to the Service settings being blocked, others seem to be programs starting or stopping or connected to the PC shutting down, and some are showing certain components missing or permission issues, but that's OK unless they keep re-appearing. Best to leave them if you can now change your services OK and do not notice any other problems on the system.
krit86lr
QUOTE(AndyManchesta @ Mar 19 2006, 12:50 AM)

I find that a lot of sites do not recommend Windows Defender with it being a beta test; anyone who runs beta software should be willing to re-install their OS if the program causes damage, and even though that should never happen the person should understand it's a possibility before using it. Since Beta 2 was released more and more sites may be promoting it as a lot of the original bugs were fixed, but I believe that's a personal choice the user should make, so I would let them know it's available and maybe say they should consider using it but wouldn't insist they use beta software in case there are conflicts or new bugs. It's also only compatible with SP2 on XP so that's another reason I wouldn't include it as an essential step before posting a log, as the user may not realize and decide to give up and keep the spyware rather than say they didn't follow all the steps because they didn't have SP2 for whatever reason. It's definitely something I would recommend when it comes out of beta but there's plenty of alternative programs to use until then.

TeaTimer is excellent like you say but should always be disabled before fixing malware; it can remember settings and restore the malware reg entries otherwise and generally make things a lot more difficult to clean up. On clean PCs that's not an issue though, so it would be a good idea to use it.

It's your choice how you want to handle Windows Defender. If you can make the changes when it's disabled then, like you said, it may be best doing that.

The 3 different forums that I participate in all require Windows Defender. For those that don't have SP2 or XP a different option is provided.

When I run my scans I actually turn off everything, which is why I unplug my ethernet cable. Is TeaTimer the only one that saves settings? I've never had malware on my computer, but I don't want to start now either.

For now I am going to leave Defender disabled until I need it for my weekly/monthly scanning, or a HJT log. If I get a disease then I'll keep it on. (I just saw a thread that read: "I have a disease!") I had to use that because I thought that it was really funny.

Thanks for all of your help! My computer is very happy again.
AndyManchesta
About the programs that can prevent reg changes, that really applies to any program that offers Real Time protection. TeaTimer is a main problem for that because when a malware entry is spotted by TeaTimer it'll prompt the user; if they say no the change will not be made.... but, as long as the infection remains, these changes will attempt to be made. The prompts will annoy the user and they will eventually say OK and check the "remember this decision" check box so they'll be left alone. TeaTimer remembers the decision and if something else tries to remove the entry, it'll automatically reject it without prompting the user.

It does apply to all these programs though and probably a few others:

Spybot TeaTimer
Ad-Watch
Microsoft Antispyware/Windows Defender
SpySweeper
SpywareGuard
Spyware Doctor
CounterSpy
Prevx
WinPatrol

One way round that is to run the fixes in safe mode, but then there is a risk that when the system reboots to normal mode the protective program will detect a change and restore the settings we just removed, so it's usually best to just disable them until the cleanup is finished.

Or use alternative methods such as a hammer
krit86lr
Or a magnet!

That should take care of the gremlins too.
AndyManchesta

Depends if it's Gizmo or his ugly cousins. I'd keep Gizmo just to entertain me and then teach him how to clean up, cook and turn the TV over when I can't find the remote.
krit86lr
QUOTE(AndyManchesta @ Mar 19 2006, 01:54 AM)

Depends if it's Gizmo or his ugly cousins. I'd keep Gizmo just to entertain me and then teach him how to clean up, cook and turn the TV over when I can't find the remote.

Great idea! I knew he could come in handy for something. You're a damn genius Andy.

QUOTE(krit86lr @ Mar 19 2006, 02:02 AM)

Great idea! I knew he could come in handy for something. You're a damn genius Andy.

Dishes!! I would be very happy.
AndyManchesta

You just need a dishwasher then; suppose a trained Gizmo would be cheaper though, and more fun as he'd keep multiplying when he touched the water

If you have any more problems on the PC let us know and I will bluff my way through it
krit86lr
QUOTE(AndyManchesta @ Mar 19 2006, 02:21 AM)

You just need a dishwasher then; suppose a trained Gizmo would be cheaper though, and more fun as he'd keep multiplying when he touched the water

If you have any more problems on the PC let us know and I will bluff my way through it

I have a dishwasher, but Gizmo can put the dishes in there AND put them away.

Thanks! Why aren't you asleep? It's 8:30am there. Have you been up all night?
AndyManchesta
Yeah, I've been up all night but had a good sleep yesterday too early in the afternoon then went to work. I've just spent the night listening to music, drinking some vodka and coke and playing on the net so it's been OK. I'm going to the shops soon when they open at 10am then may go to sleep for a while or I will be cranky later
krit86lr
QUOTE(AndyManchesta @ Mar 19 2006, 02:32 AM)

Yeah, I've been up all night but had a good sleep yesterday too early in the afternoon then went to work. I've just spent the night listening to music, drinking some vodka and coke and playing on the net so it's been OK. I'm going to the shops soon when they open at 10am then may go to sleep for a while or I will be cranky later

hmmmm...vodka

hehe


vodka and tequila, my favorite
AndyManchesta
Hi K

Yeah, if I'm going to drink it will be brandy and coke or vodka and coke. I'm a bit of a lightweight and do not drink often so only have a couple when I get the urge; that's usually a lot of coke and a bit of spirits or I regret it the next day. I never drink beer so the spirits keep me smiling when I fancy some
krit86lr
QUOTE(AndyManchesta @ Mar 19 2006, 12:28 PM)

Hi K

Yeah, if I'm going to drink it will be brandy and coke or vodka and coke. I'm a bit of a lightweight and do not drink often so only have a couple when I get the urge; that's usually a lot of coke and a bit of spirits or I regret it the next day. I never drink beer so the spirits keep me smiling when I fancy some

Boy, I used to be able to drink tons, but in my old age it doesn't agree with me quite so much. Two-three drinks tops these days. When I was younger 15 drinks, and it still didn't bother me.

Gettin' old
Invision Power Board © 2001-2010 Invision Power Services, Inc.