Hotbar trying to install

[Rob]

Mike;
Thanks for your interest - I was beginning to think that I'd miscommunicated my problem!
I was just in the process of sending this message when your response showed up so it may
appear to be a little disjointed in the thread (caught/changed it in my outbox).

In answer to your suggestions;
Scans were done under Admin.
Did them (MSAS, Adaware & Spybot) in safe mode as well - nothing.
The warning tells me that it's trying to install an "Internet Express Shell Browser".
I click remove and it (too) rapidly displays what appear to be registry entries that I
assume it is killing.
(I'm confused, in that how can it kill something that isn't installed?)

I have done some more detective work since my 1st post and have come up with the
following scenario that is related to the problem.

This machine is used by both my wife and daughter and;
If I initially logon with my daughter's id - all is well - no warnings.
If I logon as my wife then logoff and log back on as my daughter - boom - I get the
warning.

In other words, anytime my wife establishes a session and logs off it will cause the
warning when, subsequently, my daughter logs on.

I have pored over the registry entries after logging on as my wife but cannot find
anything there, so it appears as though something is being left behind by my wife's
session which causes MSAS to think that Hotbar is trying to install when my daughter logs
on.

Any thoughts?

Again, thanks.

 

[Guest]

Hi Rob,

Download CCleaner, www.ccleaner.com and remove all temporarily junk.
Also clean registry with "Issues".

Restart in safe mode, press F8 during reboot just before Windows flag screen
appears.

If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHO's that you don't recºgnize.

You can also use the System Explorers in Microsoft Antispyware to look at
BHO's and block them--it also shows known and unknown fºr BHO's..
http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx .

I hope this post is helpful, let us know how it works ºut.

Engel

 

[Rob]

Thanks Engel, but I've been there, done that (ccleaner, safe mode & addons).
I also manually checked through the registry looking for keys referenced in various
articles related to Hotbar.

At the end of the day it isn't a huge issue, more of an annoyance in having to respond to
the warning whenever the scenario occurs.

I'm not an expert, but not exactly a novice either and it has me intrigued as to how the
whole thing works.

The big question, to me, is why does it happen only when my wife has started/ended a
session and then my daughter logs on?

 

[Dave M]

Hi Rob;
As I'm sure your aware, MSAS Beta1 was never designed to be a multi-user
application, but even leaving MSAS out of the equation for a second, I need to
ask if you ran the CCleaner application on all your accounts? There's a
terrific amount of junk left over on the other accounts even when you run it
from an admin authority account, so in combination it actually doesn't surprise
me that your seeing this kind of activity.

I have no idea of how your wife's and daughters accounts are set up... but if I
had to guess I'd say one is probably admin and the other limited, so if run in
the correct order your seeing strange results. That's pretty much a stab in the
dark, but I think you'd be wise to clean out both of them with CCleaner and see
where that leaves you. I just checked my wife's account (admin) after running
CCleaner on mine and there was 20+ Meg of garbage still.

If you still have problems after that I'd suggest you use another A-S at least
until MSAS supports multi-user. I believe the free Spybot S&D does, correct me
if I'm wrong here since I don't use it.

Hope that helps you.

 

[Rob]

Dave;
Thanks for you response.

I was wondering about MSAS w/Multi accounts as I've seen posts about the subject but
always *assumed* they were talking about a network environment (as noted-I'm not an
expert).
In my case both users are set up as admin (I know, I know should only be one and only used
when needed, but....

As to CCleaner - you've made me think about that. I know I have run it on my wife's acct.
(I'm usually reasonably fastidious about maintenance), but not exactly sure when so FWIW
I'll try it. This problem has just "recently" started although I'm not sure exactly when
(my daughter is not too prompt in telling me about when oddball things start happening!).

Again, thank you.

 

[Rob]

Dave;
I'm back with the same problem, which I'm *almost* resigned to living with plus a new
anomaly.
I ran CCleaner on my wife's account.
Now when I logon I'm getting an MSAS notification that it has blocked an Internet Explorer
bar MS Windows Shell Common DLL from installing.
File Shell32.DLL.

The interesting(?) part is that I've tried this a few times, to ensure I could replicate
it, and on *one* occasion it did not happen. I noted that as the Icons appeared on the
task bar that, on the one occasion it worked ok, the MSAS icon appeared first (before
ZoneAlarm & AVG).
I don't believe in coincidences.

Is there anyway to determine the order of events when apps are initializing? I'd dearly
love to do this again to see if it's related.


--
Regards;
Rob
------------------------------------------------------------------------

Dave;
Thanks for you response.

I was wondering about MSAS w/Multi accounts as I've seen posts about the subject but
always *assumed* they were talking about a network environment (as noted-I'm not an
expert).
In my case both users are set up as admin (I know, I know should only be one and only used
when needed, but....

As to CCleaner - you've made me think about that. I know I have run it on my wife's acct.
(I'm usually reasonably fastidious about maintenance), but not exactly sure when so FWIW
I'll try it. This problem has just "recently" started although I'm not sure exactly when
(my daughter is not too prompt in telling me about when oddball things start happening!).

Again, thank you.

 

[Dave M]

Hi Rob;
Wow, that stinks. Yes, there is a way to determine the order and do the kind of
research you're proposing. A power tool is available to look at the order that
programs are initiated during startup. It comes from Mark Russinovich of Sony's
Rootkit exposure fame and is similar to Msconfig, but much more powerful, so use
some degree of caution. It's called Autoruns and is available from Sysinternals
here:

http://www.sysinternals.com/Utilities/Autoruns.html

An article describing it's function is available here:

http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=44089&DisplayTab=Article

My shell32.dll is loaded from
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
and of course is a signed (and verified) Ms dll so you might want to verify that
on your system as well using this program.
Interestingly enough, this is also where the MSAS Service Hook loads as well as
my copy of Ewido shell guard. A powerful location.

 

[Rob]

Dave;
Thanks again.
I'm pretty well "blitzed" at this point so I think I'd better leave it for now (getting
"cranky").
To "resolve" the original Hotbar issue I got totally ticked and allowed it to "install".
Turned around and ran MSAS, Spybot and Adaware plus looked for the known registry entries.
Nothing found so I assume a false positive from something(?).

It still brought up the warning the next time I logged on so I said, fine, ignore it.

At least all I get now is is the toast message reminding me that I said ignore it - still
an aggravation - but quicker than the Remove option on the false warning.

Think I'll just go put my feet up and have a beer.

 

[Dave M]

I hear you, but I'd think we'd have multiple reports of false positives if it
was. So don't just let it go. Beer sounds good today though.

Another thought are you running SpyBot's teatimer or have you the paid version
of Adaware Pro? That can cause conflicts with the Real Time Protection in MSAS.
Another stretch, but something you should consider.

 

[Rob]

"I hear you, but I'd think we'd have multiple reports of false positives if it
was. So don't just let it go."

Yea, I was thinking about that too, but I can't seem to find a trace of the Hotbar that I
"allowed" to install.

"Another thought are you running SpyBot's teatimer or have you the paid version
of Adaware Pro?"

No to both.

I dragged myself back to it and discovered something else (other than the fact that I
should have kept drinking beer!).
When I log on to my daughter's m/c I get a green "toast" advising that MSAS has allowed
messenger to be added to the startup list-which is ok and expected/understood (she's a big
chatter!).

But, at the same time about two to three other notices slide behind that one. I can't see
them, only catch the action of them hiding. When the original notice disappears so do the
others. I'd really like to know what they are saying (which should be the point of them
being generated in the 1st place!).

I know that there was problem with these notices if your taskbar was set to display
vertically but that's not so in my case (mine is set at the top of the screen and is
hidden).

Any idea of how I can see them?

 

[Dave M]

Sure, click Real-time Protection, then click View all events on the right side
of the window by the graph graphic. That will give you a history of all the
popup events. Click/highlight one to see the complete text. The general idea
with popups is green=standard stuff, blue=might be worthy of extra thought,
orange/red=could be a problem

I know well into the past, MSAS had a detection problem with Hotbar, but it's
been long since fixed and it should now light up like a Christmas Tree:
http://www.dozleng.com/updates/topic5524

Randy's suggestion of using HijackThis is well worth considering if your at all
in doubt, but you need interactive guidance to use it, make sure you tell them
multi-user (family pc) if you go that route.

 

[Rob]

Thanks.
Found the log - don't know why I couldn't see it when I was looking for it - too tired I
guess.
Nothing dramatic - just telling me it was allowing Messenger to start up and the home page
changing (wife's CNN to Daughter's MuchMusic).

As to Randy's suggestion.
Yes I am going to post it - I ran HJT prior to allowing the "Hotbar" to install and, as I
wasn't sure how these things work, I did the scans under both identities.
Haven't looked at the ins/outs of posting them (should I post both?) although I have seen
postings of this nature.
Held off posting it because I was bound and determined to figure it out myself ("pride
goeth before a fall") but have to wave the white flag at this point!

Again, thanks for your help/handholding.
(If you're ever in Winnipeg I'll buy you a beer.)

 

[Dave M]

I'd just post the one... probably from the id where you allowed Hotbar to
install.
If they want more they'll ask... and I'm sure they will
Just make sure you reference multi-user environment and admin authority.
Thanks for the invite... and have a good Holiday.