Author Topic: Here's My Log - YIKES!  (Read 5159 times)


babyoh
Here's My Log - YIKES!
« on: February 26, 2006, 11:08:22 PM »
I had problems with Microsoft's Defender Anti-Spyware -- I UNINSTALLED it, but when I turned on SPYBOT's TEATIMER, TeaTimer screwed up part of MS's uninstall.
    ** SPYBOT gave me this error message:
2/26/2006 1:36:43 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
 ---- for more on that:
http://www.landzdown.com/index.php?topic=5630.0

SOOOO, I'm pretty sure there are pieces of MS's anti-spyware floating around in my registry.
1) would it be SAFEST for me to DOWNLOAD that app and uninstall it again? it should delete the "SYSTEM STARTUP GLOBAL ENTRY" that spybot allowed through. I would THINK, anyway...

2) I have a WINDOWS DEFENDER FOLDER in C:\Program Files\Windows Defender\ -- SAFE TO DELETE?

3) I uninstalled SPYWARE GUARD, and got a message at the end saying, "Some parts of spyware guard could not be deleted, and you'll have to delete them by hand." -- SAFE TO DO? DELETE THE ENTIRE FOLDER in C:\program files?  OH YEAH: I'M CLEAN ACCORDING TO SYMANTEC A/V, ADAWARE SE and SPYBOT.

here's my log!

Logfile of HijackThis v1.99.1
Scan saved at 3:45:40 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computers.us.fujitsu.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\0ebmk1gj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\0ebmk1gj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Aaron Hulett [MSFT]
Aaron Hulett | Malware Protection Center | Microsoft Corporation
This post is provided "AS IS" without warranty, and confers no rights.

winchester73
Re: Here's My Log - YIKES!
« Reply #2 on: February 27, 2006, 01:13:42 PM »
TeaTimer is alerting you to this entry:

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

You have partially removed SpywareGuard, as this is a remnant:

O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)

Yes, you can delete that folder by hand if you don't wish to use SG.  If you don't turn off SG before uninstalling it, you sometimes get various errors ... sgmain.exe, for example, stays in the Task Manager.

As for the Windows Defender folder, it is part of the MS program that you are trying to remove.  So, yes, I should think it is safe to manually remove the folder.


Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member



babyoh
Re: Here's My Log - YIKES!
« Reply #3 on: February 27, 2006, 06:42:05 PM »
hi winchester73.
I hand deleted my SPYWARE GUARD folder (I think it was in C:\Program Files), but I STILL have this BHO when I run HIJACKthis:
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
there were TWO folders named MS DEFENDER. - did a search for "defender" on my drive--
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\Owner\Application Data\Microsoft
 - I just Hand-Deleted both.

But I STILL have this in my HJ THIS logfile:
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
 --I'll re-start my computer, and double-check, maybe I missed something.
    ...time to edit the registry in SAFE MODE?


winchester73
Re: Here's My Log - YIKES!
« Reply #4 on: February 27, 2006, 08:07:29 PM »
DO NOT EDIT THE REGISTRY.

Did you try to "fix" the two items with HijackThis?

Close all open windows, and run HJT again.  To the right of those two items, there is a box ... use the mouse to click a "check" in the box next to these two items:

O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

Then click "Fix Checked".  Reboot.



babyoh
Re: Here's My Log - YIKES!
« Reply #5 on: February 28, 2006, 03:33:09 AM »
this is FRUSTRATING
DEFENDER has STOPPED me from being able to use SPYBOT'S TEA-TIMER -- even though I DELETED Defender.
 - here's what happened:
TEATIMER was ON, when I put the check next to
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
in HIJACKthis.
 I got that weird, 1/2 invisible TT alert while I was trying to run HT to fix the problem. (see my other post above, for the link)
I launched and SHUT DOWN TT, and it SEEMS like I fixed everything.
 ** PROBLEM: EVERY TIME I try to turn on TEATIMER now, I get that goofy alert, and it puts the damn thing BACK!
- I can only "FIX" this, if I NEVER turn TEA-TIMER back ON again; it UNDOES the change.
any ideas??
 ** do I have good protection from SPYWARE BLASTER? ...I NEED IT, if I can't turn on TEA-TIMER without this happening...

babyoh
Re: Here's My Log - YIKES!
« Reply #6 on: February 28, 2006, 04:12:35 AM »

tea-timer log:

2/26/2006 1:36:43 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/26/2006 5:18:25 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/27/2006 6:28:46 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/27/2006 6:28:47 PM Denied value "{4A368E80-174F-4872-96B5-0B27DDD11DB2}" (new data: "") deleted in Browser Helper Object!
2/27/2006 8:32:52 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!



winchester73
Re: Here's My Log - YIKES!
« Reply #7 on: February 28, 2006, 02:21:15 PM »
Let's see a fresh HJT log.

Yes, you need to turn off Tea-Timer before fixing items with HJT.



babyoh
Re: Here's My Log - YIKES!
« Reply #8 on: February 28, 2006, 03:42:20 PM »
thanks, winchester.
I can't see VERY MUCH of Tea-Timer's buttons, but I can see enough to make them out and click on them.
I think I got TT to allow me to FIX the DEFENDER problem.
 - NOW: I upgraded to ADOBE 7.0, and based on what TTimer says it didn't allow, it seems like I need to check the HIJACKthis button for:
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
does that sound right?
I got this in Tea-Timer:
2/26/2006 1:36:43 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/26/2006 5:18:25 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/27/2006 6:28:46 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/27/2006 6:28:47 PM Denied value "{4A368E80-174F-4872-96B5-0B27DDD11DB2}" (new data: "") deleted in Browser Helper Object!
2/27/2006 8:32:52 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/27/2006 9:45:54 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/28/2006 7:36:43 AM Denied value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") deleted in Browser Helper Object!
2/28/2006 8:24:54 AM Allowed value "Windows Defender" (new data: "") deleted in System Startup global entry!

 * here's my new log: *

Logfile of HijackThis v1.99.1
Scan saved at 8:29:22 AM, on 2/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Documents and Settings\Owner\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computers.us.fujitsu.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\0ebmk1gj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\0ebmk1gj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




winchester73
Re: Here's My Log - YIKES!
« Reply #9 on: February 28, 2006, 07:35:08 PM »
4A368E80-174F-4872-96B5-0B27DDD11DB2 is SpywareGuard's dlprotect.dll

... not in your HJT log.

06849E9F-C8D7-4D59-B87D-784B7D6BE0B3 is Adobe's AcroIEhelper.ocx and AcroIEhelper.dll

... this is in your HJT log.


Those two items from earlier are gone, so it appears you were successful.


This item:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

... is XP's Dump Report fault logging software ... that warning you get that asks if you want to send the information to Microsoft.



If I might suggest something, don't install new unrelated software while you are trying to solve an existing problem.
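The advice in this thread boils down to two checks a helper performs by eye: spot O2 (BHO) entries whose CLSID points at "(no file)", which are uninstall remnants, and compare what TeaTimer denied or allowed with what the next HijackThis log still shows. As an added example (my own Python, not a HijackThis or Spybot tool, and not code from anyone in this thread), here is a script that does both over sample lines abridged from the logs posted above. It takes the most recent TeaTimer decision per registry value, so a denied deletion that is still in the HJT log is reported as blocked, and an allowed deletion that has vanished is reported as applied. The verdict wording and the two-category mapping (System Startup global entry to O4, Browser Helper Object to O2) are my assumptions.

```python
"""Cross-check a HijackThis (HJT) log against a Spybot TeaTimer log.

Added example, not a HijackThis or Spybot tool. Parses the O2 (BHO) and
O4 (Run-key autostart) lines of an HJT log, flags BHO CLSIDs whose DLL is
"(no file)" (uninstall remnants), and checks the latest TeaTimer decision
per registry value against what the HJT log still shows.
"""
import re
from dataclasses import dataclass

# Sample input, abridged from the logs posted in this thread.
HJT_LOG_BEFORE = r'''
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
'''

HJT_LOG_AFTER = r'''
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
'''

TEATIMER_LOG_EARLY = '''\
2/26/2006 1:36:43 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/27/2006 6:28:46 PM Denied value "Windows Defender" (new data: "") deleted in System Startup global entry!
2/27/2006 6:28:47 PM Denied value "{4A368E80-174F-4872-96B5-0B27DDD11DB2}" (new data: "") deleted in Browser Helper Object!
'''
TEATIMER_LOG_LATE = TEATIMER_LOG_EARLY + '''\
2/28/2006 7:36:43 AM Denied value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") deleted in Browser Helper Object!
2/28/2006 8:24:54 AM Allowed value "Windows Defender" (new data: "") deleted in System Startup global entry!
'''


@dataclass(frozen=True)
class HjtEntry:
    kind: str    # "O2" (browser helper object) or "O4" (Run-key autostart)
    key: str     # CLSID for O2, Run value name for O4
    target: str  # DLL path for O2, command line for O4


_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
_O4 = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
_TT = re.compile(r'^(?P<ts>\S+ \S+ [AP]M) (?P<decision>Allowed|Denied) value "(?P<value>[^"]+)" '
                 r'\(new data: "(?P<new>[^"]*)"\) (?P<action>\w+) in (?P<category>.+)!$')

# Which HJT section a TeaTimer category corresponds to (assumed mapping).
CATEGORY_TO_KIND = {"Browser Helper Object": "O2", "System Startup global entry": "O4"}

# Verdict keyed on (was_denied, still_present_in_hjt_log).
VERDICTS = {
    (True, True): "deletion blocked; entry still present",
    (False, False): "deletion applied; entry gone",
    (True, False): "denied, but entry gone",
    (False, True): "allowed, but entry still present",
}


def parse_hjt(text):
    """Return the O2 and O4 entries of an HJT log; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = _O2.match(line)
        if m:
            entries.append(HjtEntry("O2", m["clsid"].upper(), m["path"].strip()))
            continue
        m = _O4.match(line)
        if m:
            entries.append(HjtEntry("O4", m["value"], m["cmd"].strip()))
    return entries


def orphan_bhos(entries):
    """CLSIDs registered as BHOs whose DLL no longer exists (uninstall remnants)."""
    return [e.key for e in entries if e.kind == "O2" and e.target == "(no file)"]


def reconcile(teatimer_text, hjt_text):
    """Map each registry value TeaTimer ruled on to a verdict against the HJT log."""
    present = {(e.kind, e.key.upper() if e.kind == "O2" else e.key.lower())
               for e in parse_hjt(hjt_text)}
    latest = {}
    for line in teatimer_text.splitlines():
        m = _TT.match(line)
        if m:
            latest[(m["category"], m["value"])] = m  # later lines override earlier ones
    report = {}
    for (category, value), m in latest.items():
        kind = CATEGORY_TO_KIND.get(category)
        if kind is None or m["action"] != "deleted":
            report[value] = "not assessed"
            continue
        key = value.upper() if kind == "O2" else value.lower()
        report[value] = VERDICTS[(m["decision"] == "Denied", (kind, key) in present)]
    return report


if __name__ == "__main__":
    print("orphan BHOs before:", orphan_bhos(parse_hjt(HJT_LOG_BEFORE)))
    for value, verdict in reconcile(TEATIMER_LOG_LATE, HJT_LOG_AFTER).items():
        print(f"{value}: {verdict}")
```

Run against the first log and the early TeaTimer lines, both the Windows Defender Run value and the SpywareGuard CLSID come back as "deletion blocked; entry still present", which is exactly the state babyoh was stuck in; against the 2/28 log, the Windows Defender value is reported as applied and gone, while the Acrobat 7 CLSID is reported as still present because its deletion was denied.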



babyoh
Re: Here's My Log - YIKES!
« Reply #10 on: February 28, 2006, 11:52:38 PM »
thanks, winchester.
funny: right after I updated ADOBE, I got that Tea-Timer alert - Do you want to ALLOW or DENY changes?
- I couldn't see the buttons, and hadn't found out yet that the LEFT one meant ALLOW CHANGE...
so, I just shut down TT.
 - BEFORE, all those other times, this was how TT "DENIED" necessary changes.
 it SEEMED to do the same this time. TT's log says:
2/28/2006 7:36:43 AM Denied value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") deleted in Browser Helper Object!
ADOBE is working great, but you're sure I don't need to RE-DELETE:
06849E9F-C8D7-4D59-B87D-784B7D6BE0B3  ?
- it's just weird because, those other times TT was DENYING part of an Un-Install that needed to go through.
Thanks for the help, Win!

winchester73
Re: Here's My Log - YIKES!
« Reply #11 on: March 01, 2006, 12:05:01 AM »
I think I understand what you are talking about ...

When you boot, your computer is trying to load the Acrobat 7.0 AcroIEHelper.dll BHO (it is in your HJT log, so it is trying to run).  TeaTimer is popping up and you are denying the change ...

When you say "Adobe works", do you mean the reader when you launch it, or when you download a .pdf from a website?  The BHO would allow the display of Acrobat documents within your web browser window.  Are you sure you are able to do that?

Quote
right after i updated ADOBE, i got that Tea-Timer alert - Do you want to ALLOW or DENY changes?

Indeed, because you updated to version 7, and it added its BHO to replace the one that you already had.

Like I said in one of your other threads:

When you exit Teatimer, it takes a snapshot of the registry keys it is monitoring ... when you restart it, it will attempt to restore the Registry keys to the state they were in when the snapshot was taken.

Quote
you're sure i don't need to RE-DELETE

Hopefully I've explained that ...

Quote
it's just weird because, those other times TT was DENYING part of an Un-Install that needed to go through.

It's really not weird ... the uninstall was making registry changes.  Teatimer is/was alerting you to it, same as above.



Corrine
Re: Here's My Log - YIKES!
« Reply #12 on: March 01, 2006, 12:08:40 AM »
babyoh, you are talking about two entirely different actions here.

1)  Adobe was an update.  You denied the browser helper object install by Adobe with Tea Timer.

2)  Windows Defender was an uninstall.  You needed to accept the registry change for the uninstall.

Please take this in the manner in which it is meant . . . as a suggestion that will help you down the road.  You really need to slow down and do one thing at a time.  If you have a problem with one piece of software, don't start making changes with another until you solve the first problem.  Otherwise, you are multiplying the issues.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Corrine
Re: Here's My Log - YIKES!
« Reply #13 on: March 01, 2006, 12:11:14 AM »
Oops -- Winchester already answered.  I lost my connection and clicked the post button when I got reconnected.

winchester73
Re: Here's My Log - YIKES!
« Reply #14 on: March 01, 2006, 12:12:37 AM »
If I could offer another suggestion ... keep to one thread, rather than opening multiple threads about the same basic issue.  It's too confusing for feeble-minded people like me to try to follow things ... I find myself repeating things, and I'm not sure I can properly help you in multiple threads.