View Full Version : recurring alert on startup
Hi Friends,
I've recently installed S&D on a new laptop. After installing...well I don't remember what at the moment, but afterwards, every time I startup, there's an alert for...I think it's Active x, Valued Deleted. And I know that I can just check 'Remember this decision', and it will automatically be Allowed at every startup.
For the most part, I'm fine with that. But partly I'm curious why my allowing the alert once doesn't forever delete the thing I'm allowing. And I wonder if there's is some way to have to make my allowing it once, permanent?
FYI, the Deny button is grayed out, or I would try that for a permanent solution. Also I looked up the Active X listings in the program, and it's not there; probably allowing the action deletes the it, at least until next startup. There IS an Active X with the exact same CLSID, except for one character difference, which is a Java Runtime Environment 1.6.0. It's bold, with no green checkmark icon, which apparently means that it's not listed in your database. (There are 2 other JRE with green checkmarks, and another without, but not bolded.)
Anyway, 2 questions:
Why isn't my Allow decision permanent?
And is there anyway to make this decision permanent, so that S&D doesn't have to remember it every startup?
Which version of Spybot do you have,brynn?
Okie-doke.There was an issue with an older version of Spybot that was very similar to what is happening with you.That was corrected in later versions,so this probably isn't what is happening.But,it's an easy thing to try,so might as well give it a shot,and if it doesn't work,I'll look around for another solution. :)
Please try this,and let me know how it goes:
http://forums.spybot.info/showpost.php?p=179638&postcount=6
Ok, I have performed those steps, and will let you know after next startup if it was successful.
(Looks like I asked the same question years ago, eh? :slap: But weird because this is on a different computer) (btw, as I recall, it solved that problem back then, so cross fingers :bigthumb:)
Thanks for your help:)
haha,I didn't realize the post I put the link for was from your post. :laugh:
You're welcome,hope it works. :)
haha,I didn't realize the post I put the link for was from your post.
Yeah, I was pretty confused at first, lol!
Unfortunately, it didn't work this time :-(
Okie-doke,we'll try another way. :)
Could you rightclick Teatimer,select Show Log,then Copy and Paste some of the last lines at the bottom here?
Also,do you have Internet Explorer 8?
Yes, it's IE8 and it's the only browser I have.
I hope I copied enough. I went back to the day where you had me disable and restart TeaTimer.
6/8/2010 7:45:24 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
6/8/2010 8:44:57 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
6/8/2010 8:47:31 AM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "C:\Program Files (x86)\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
6/8/2010 8:47:42 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
6/8/2010 10:10:39 PM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
6/9/2010 1:20:03 PM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
6/10/2010 9:57:49 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
6/10/2010 1:17:55 PM Denied (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\SysWow64\Macromed\Flash\FlashUtil10e.exe") added in System Startup user entry!
Yes,you did copy enough. :)
I'm not sure why Teatimer keeps prompting about the Active X control being deleted on every start-up.
If the Active X control is still on your computer,deleting it will get Teatimer to stop prompting about it on every start-up,though.Or,you could click Allow,and Remember This Decision,if you prefer.
I'm not sure if the active x will show in Internet Explorer,or if it's still present anywhere on your computer,or if this is something with Teatimer,but if the Active X control is still present,it might be listed in IE 8.
Could you open Internet Explorer,click Tools,Manage add-ons,then Enable or Disable add-ons,then in the dropdown box beside Show,select Downloaded active x controls.
CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA is listed as filename jinstall-1_6_0_17-windows-i586.cab at SystemLookup.
In Downloaded active x controls,you should see something like Java Plug-in 1.6.0_20.If you scroll over to file,it shows the .dll file names.
I'm not sure if it will show as jinstall-1_6_0_17-windows-i586.cab there,but Active X controls are just downloaded again the next time if they are needed,so you can highlight jinstall-1_6_0_17-windows-i586.cab if you see it listed there,then delete it.
If it doesn't show as jinstall-1_6_0_17-windows-i586.cab,you could highlight and delete anything there with Java Plug-in 1.6.0_20 or similar,and delete it.
Ok, I think you're basically saying 'let's delete it some other way'. But I'm lost on your instructions. I'm on Windows 7 64-bit. I can open Manage Add-Ons, but from there, there's no "Enable or Disable add-ons". There IS a dropdown box under Show...Download controls...but no item with that CLSID.
I'm guessing that's because when I started up this morning, I Allowed on the alert for deleting it. I don't know, but what if I just ignore the alert the next time I restart, move it to the side, then open IE and look for it? If that's a reasonable idea, I do see the Remove button in the More info box. Is that what I should try?
Or wait, isn't there a way to undo things in Spybot S&D? Let's see if I can bring it back....ooh, I guess that's just for things that are removed during a scan:oops:. Well, it's easy enough to restart, but I'll wait for your reply, to make sure I'm on the right track.
That would be because those instructions are for Internet Explorer 7.Sorry about that. :oops:
Do you have any other security programs,besides Spybot and Windows Defender,that include any features similar to Teatimer?
By similar, do you mean real-time anti-malware? Yes:
ESET Smart Security
I also have MBAM, but haven't purchased the real-time portion for this machine.
Edit: I did just move the alert aside when I started just now, and then looked in IE for the item, but no, not there. I'm not sure what that might mean, if anything?? Not in Spybot SD either.
Does your ESET Smart Security include something called Real-time file system protection?And ESET includes log files you can access for Events,etc.?
Yeah, Smart Security is the suite, while av alone is NOD 32. Yes there are a few log files available, one of them called Events. But it's only showing virus signature updates, and statistical info sent back to ESET. Nothing else, although I'm not sure what you might be looking for. I do NOT know the program inside out, so there may be some way to display a different log.
What is it you want me to look for?
I'm not very familiar with ESET Smart Security or the Real-time file system protection included with it.I can't find a whole lot of info about Real-time file system protection,but I was wondering if Real-time file system protection might possibly prevent or restore changes to your computer?If it does,I wonder if the ActiveX control is being deleted every time you start up,which you are being prompted by Teatimer about and allowing,and then it is being restored by Eset,and then the whole thing happens over again when you start-up your computer.
Eset has an Events log and is there also a Detected Threats log?If there is a way to copy both those logfiles,could you copy and paste those two logs here? :)
Sorry for the delay. The Detected Threats log is empty (new computer, good security practices). Here's just a few lines from the Events log -- I selected the same few days from the TeaTimer log that you had me post in an earlier reply. The entire log is identical to this -- no mention of any Active X or JRE. Also, I never see any kind of alert from ESET, although I understand that it could be doing it silently. However still, nothing in the log...
6/12/2010 4:48:33 PM Kernel Statistical information was sent to ESET.
6/12/2010 4:48:31 PM Kernel Virus signature database successfully updated to version 5192 (20100612).
6/11/2010 11:41:42 AM Kernel Statistical information was sent to ESET.
6/11/2010 11:41:40 AM Kernel Statistical information was sent to ESET.
6/11/2010 11:41:39 AM Kernel Statistical information was sent to ESET.
6/11/2010 11:41:22 AM Kernel Statistical information was sent to ESET.
6/11/2010 11:41:20 AM Kernel Statistical information was sent to ESET.
6/11/2010 11:41:17 AM Kernel Virus signature database successfully updated to version 5190 (20100611).
6/8/2010 7:46:51 AM Kernel Statistical information was sent to ESET.
6/8/2010 7:46:50 AM Kernel Statistical information was sent to ESET.
6/8/2010 7:46:49 AM Kernel Statistical information was sent to ESET.
6/8/2010 7:46:47 AM Kernel Statistical information was sent to ESET.
6/8/2010 7:46:46 AM Kernel Statistical information was sent to ESET.
6/8/2010 7:46:45 AM Kernel Statistical information was sent to ESET.
6/8/2010 7:46:18 AM Kernel Virus signature database successfully updated to version 5182 (20100608).
6/7/2010 6:48:40 AM Kernel Statistical information was sent to ESET.
Well, as I mentioned in original message, I can always check 'Remember this decision'. That may be my best option in the end. It just bugs me that it can't be permanently deleted..... What about if I just search my system for that CLSID, then manually delete?
Thanks again for all your help :)
Thanks for posting the threats log.Yes,you could go with the Remember this decision,that might be easiest. :)
Hey, good news! :)
Well partially good news anyway. When I logged on just now, I almost checked 'Remember...', but then thought a last ditch effort of scanning my system for that CLSID wouldn't hurt. It was not found, which is surprising now, because I suddenly realized I had been using IE 8, not IE 8 (64-bit)!
I didn't know if there would be any difference, but I opened the 64-bit version (I normally use non-64-bit, so I can play little flash games online). And there IS that exact CLSID!
Now, before I delete it, I want to report that there isn't anything with .cab on the end. The filename is jp2iexp.dll and version 1.6.0.17. In your earlier message you said you thought it would be 1.6.0.20. I'm pretty sure this is the file I want to delete, and I know you said if it was the wrong Active X file, that I would just be prompted the next time I need it. But I just want to be sure.
Do you think it's weird that it shows in the 64-bit IE and not the non-64-bit version? It just seems weird to me. But then a lot of things MS does seem weird, lol :laugh:
Anyway, thanks again :)
Hi,there. :)
I wrote Java Plug-in 1.6.0_20 just as an example of what it might look like,since I was looking at my own activex control in Internet Explorer,actually.
Since the one you're seeing in 64-bit IE has the same CLSID and is version 1.6.0.17,I'm pretty certain you've found it.
Go ahead and delete the activex,and if prompted by Teatimer,Allow the change.It will do no harm.
Do you think it's weird that it shows in the 64-bit IE and not the non-64-bit version? It just seems weird to me. But then a lot of things MS does seem weird, lol
I'm a bad one to ask,since I'm not very familiar with the 62-bit version of IE.On Googling 64-bit Internet Explorer 8,I saw some posts saying ActiveX wasn't supported in 64-bit IE which was a bit puzzling,not sure if that's accurate or not,I couldn't find anything really "Official." :)
Yes it's accurate. That's why many (if not most....well, mine, anyway) laptops are made with a non-64-bit version, so that games using active x can still be played. At least that's the explanation I was given.
That's why I think it's weird that this active x is found in the 64-bit version. But then I don't remember what I had installed that prompted it being deleted. Maybe I mistakenly downloaded it, forgetting that I wouldn't be able to play a game with it; and then it was automatically deleted, since it doesn't belong????
I can't imagine why 64-bit shouldn't be able to use active x. But again, I'm no expert. Who knows why :laugh:!!
In any case, I've deleted it, and now will close down for the night. And we'll see what happens tomorrow when I start up. So cross fingers -- I'll let you know what happens :)
This article applies to:
Platform(s): Windows 7, Vista, Windows XP, Windows 2003, Windows 2008 Server
Browser(s): Internet Explorer 8.x, Internet Explorer 7.x
Java version(s): 6.0, 6u10+
http://java.com/en/download/faq/java_win64bit.xml
Windows 64-bit operating system comes with both 32-bit and 64-bit Internet Explorer (IE) browsers. 32-bit IE comes as a default. There are different versions of Java software available for download depending on whether you are using 32-bit or 64-bit IE browsers.
Please note that the 64-bit Java is presented as a download option automatically for 64-bit Internet Explorer users, as it is the only officially available 64-bit browser for Windows.
You must also individually maintain both of these versions of Java separately if they are installed, as they were when I recently received my Dell Windows 7 Premium based desktop. If you don't normally use the 64-bit browser, you may prefer to uninstall this copy of Java from Control Panel, since otherwise it will become badly out of date over time.
Bitman
Thanks for the info bitman!
I haven't read the article yet, but I definitely will.
As for deleting the active x control (clsid as I've posted in previous messages), that was successful and it is no longer appearing in Manage Add-Ons for the 64-bit IE. But the Spybot S&D alert IS still recurring at every startup. Does this give us any useful info, that being deleted yet its still triggering alerts? Could it be a bug, or should I just use "Remember"?
Thanks again, as always :)
Just fyi --
A restart fixed the problem, as opposed to a shut down and startup. Since this is a laptop, I usually just shut down when finished, rather than let it "go to sleep" like I do with my desktop. With desktop, restarts are common, but not so with laptop.
Anyway, it was an accidental restart which turned out to be a good thing, because no more alerts! I don't know...well first, I don't know why a restart should be different from a shutdown and startup. So 2nd, I don't know if a restart would have fixed the problem from the get-go, or if deleting the Active X manually is what was needed. I suspect so, but then I understand very little about these things :confused:
But the bottom line is problem solved :bigthumb:
Thanks again to everyone who helped me with this. I really appreciate it :heart:
Glad you're no longer getting the alerts from Teatimer on startup,brynn. :)
Hi again,
Sorry for digging up this older topic, but the exact same problem has happened again, and I wanted to share the experience (and hope it might catch the attention of just the right person to look into further).
Recently I was notified that a Java update was available, so I downloaded and installed. The next time I started up, I got the exact same alert I was getting before. It was a different CLSID#, but just the same, was related to the Java update install -- an active x, value deleted (Deny button grayed out).
Even though I only use the non-64-bit version of IE8 (on my 64-bit Windows 7 laptop), the Java updates are always made to the 64-bit version. That still baffles me (because 64-bit IE can't run active x, that's why the non-64-bit IE is provided)! Anyway, I found the file by matching the CLSID#, and deleted it through Manage Add-Ons in the 64-bit IE8.
But just like before, even though I confirmed that the file was deleted (by getting zero results on searching the whole computer), the S&D alert still came up every time I started up. And just like before, after I restarted, as opposed to shutting down and starting up, the problem was solved -- the alert no longer appears on startup.
Here is the most concise summary of the problem I can make (although I might not be using the proper terminology):
Install Java update
Spybot S&D alert at every startup; active x, value deleted, Deny button grayed out
CLSID# is only found in 64-bit version of IE8, even though I only use the non-64-bit version
Delete file with matching CLSID from Manage Add-Ons in 64-bit version IE8
Still receive same Spybot S&D alert at every startup, even though search of entire computer confirms the file was successfully deleted
Restart, as opposed to shutdown and startup resolves the problem -- no more alerts at startup
The unresolved part of this whole experience that I would attribute to Spybot S&D, is threefold (imo):
1 - the recurring Spybot S&D alert -- apparent inability to perform the deletion (Allow button)
2 - alert still recurs, even after the file has been deleted
3 - a restart gets rid of the alert, but shutdown/startup does not (what's the difference??)
And that I would attribute to Java, why does Java only update the 64-bit version of IE8, especially since I only use the non-64-bit version? And I realize this is a question I need to ask at some Java support forum or tech support. Just voicing it here for the sake of detail.
So are these things ALL issues to present to Java, or are some of them based in Spybot S&D? What can I do to get a developer to either have a look into it, or otherwise explain it?
Thank you very much :)