Solve : Real Player Uninstall realsched.exe/TkBell problem?

I'm at a loss about this one.  I installed the latest Real Player Gold (10?) and then uninstalled it thru the Control Panel.  Then I deleted folders and ran a couple of registry cleaning programs to get rid of the rest.  Then I rebooted.  That was yesterday.

Since then, at startup and every minute or two, WinPatrol Alert gives me the new auto Startup Program alert for realsched.exe (which goes along with TkBell), followed by an instruction page (not helpful) in my browser.  Here's what I've done:

- I've searched registry entries and files for these and Real Player with two or three registry editing and file management programs and deleted everything, including from Startup (msconfig), but at least one TkBell/"C:\Programs\Common Files\realsched.exe - osboot" entry keeps replacing itself in both the registry and startup.* 

- I tried renaming the files, then dropping the file names entirely, as well as deleting just the data entries, but the entries keep coming back (located in HKLM\Software\Microsoft\Windows\Current Version\Run and startup). 

- I've tried both of these steps several times with immediate restarts in between, but nothing works.  That suggests there's something else left which is generating the problem, but darn if I know what it is.

I know these are harmless entries in the malware sense, but there's no reason (other than Real Player's bad will) that these should still be around.  If anyone has an idea that sounds like something I haven't tried, I'd be grateful to hear it.  This is a single user XP/SP3 system.


* There are three registry entries in binary that have realsched.exe, but finding the realsched.exe sequence is too difficult with regedit.  They are located in HKLM\SYSTEM\CurrentControlSet (and ControlSet002 and 006) \Control\SessionManager\AppCompatibility.  I've deleted them from RegSeeker and they come back every time.

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Click on Download HijackThis Installer
Post HijackThis log.

Quote from: Broni on August 04, 2008, 11:06:14 PM

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Click on Download HijackThis Installer
Post HijackThis log.

Thanks.  The log is attached.  For sanity's sake while I was waiting for a suggestion, I decided to ok Real Player TkBellExe/realsched.exe for startup with WinPatrol.  So I don't know if that's going to distort what's in the log.  I can always reverse it and then rerun DHT.

[recovering disk space -- attachment deleted by admin]

*** Disable Windows Defender, as it'll interfere with cleaning process:
    * Open Windows Defender
    * Click Tools
    * Click General Settings
    * Scroll down to Real Time Protection Options
    * Uncheck Turn on Real Time Protection
    * After you uncheck this, click on the Save button
    * Close Windows Defender

*** Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.

Open HJT, and checkmark:
- O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\
checkmark also some unnecessary entries:
- O2 - BHO: (no name) - {074C1DC5-9320-4A9A-947D-C042949C6216} - (no file)
- O2 - BHO: SendagoIEAddin.Connect - {d56f81a1-5713-460e-ba87-e5653597ff4c} - mscoree.dll (file missing)
- O3 - Toolbar: (no name) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - (no file)
- O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Click "Fix checked" button.

Restart computer in Safe Mode (keep tapping F8 key, when your computer starts, until menu appears).
Delete Real folder from C:\Program Files\Common Files

Restart in normal mode.
That should solve your Real Player problem.
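
The entries picked out of the log above are of two kinds: O2/O3 items whose file is gone, and the O4 autostart value being chased. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses log lines in that format and flags both kinds; the `ExampleApp` line and the `parse_line`/`review` names are constructed for illustration.

```python
import re

# Entries quoted in the thread (the O4 path is truncated there and kept as-is),
# plus one constructed ExampleApp line for contrast.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {074C1DC5-9320-4A9A-947D-C042949C6216} - (no file)
O2 - BHO: SendagoIEAddin.Connect - {d56f81a1-5713-460e-ba87-e5653597ff4c} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\
O4 - HKLM\..\Run: [ExampleApp] C:\Example\app.exe
'''

LINE_RE = re.compile(r'^(O\d+) - ([^:]+): (.*)$')
RUN_VALUE_RE = re.compile(r'^\[([^\]]+)\]\s*(.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')
ORPHAN_MARKERS = ('(no file)', '(file missing)')


def parse_line(line):
    """Split one HijackThis entry into section, kind, label and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, blank or unrecognised line
    section, kind, rest = m.groups()
    entry = {'section': section, 'kind': kind, 'label': rest, 'target': rest,
             'orphaned': rest.endswith(ORPHAN_MARKERS)}
    run = RUN_VALUE_RE.match(rest)
    clsid = CLSID_RE.search(rest)
    if section == 'O4' and run:          # autostart: [value name] command
        entry['label'], entry['target'] = run.groups()
    elif clsid:                          # BHO/toolbar: name - {CLSID} - file
        entry['label'] = clsid.group(0)
        entry['target'] = rest[clsid.end():].lstrip(' -')
    return entry


def review(log_text, watch_names=()):
    """Return (section, label, reason) for orphaned or watch-listed entries."""
    watch = {n.lower() for n in watch_names}
    findings = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if entry['orphaned']:
            findings.append((entry['section'], entry['label'], 'file missing'))
        elif entry['section'] == 'O4' and entry['label'].lower() in watch:
            findings.append((entry['section'], entry['label'], 'watched autostart present'))
    return findings


if __name__ == '__main__':
    for finding in review(SAMPLE_LOG, watch_names=['TkBellExe']):
        print(*finding, sep=' | ')
```

Running `review` on a log saved after each reboot, with the same watch list, shows whether a removed autostart value has been written back.
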

Broni, thanks but before I follow your suggestion, there is no folder "Real" in C:\Program Files\Common Files.  If there was one I deleted it early on.  What you're seeing in the HJT log is the registry entry TkBellExe keeps recreating (there and in Startup).  The name is the truncated version of what I renamed "C:\....\Update_OB\realsched.exe - osboot" to be as an unsuccessful attempt to fool whatever was generating the problem.  I'm not sure how to delete a registry entry via Safe Mode, if that would solve it.

There is a Real folder in C:\Documents and Settings\[my name]\Application Data\, but that contains a RealMediaSDK folder.  I didn't uninstall/remove RealMedia generally because it's been there and operating ok for some time.

Quote
there is no folder "Real" in C:\Program Files\Common Files
In that case, just fix the entry through HJT, and restart computer.

Quote from: Broni on August 06, 2008, 12:04:09 AM
Quote
there is no folder "Real" in C:\Program Files\Common Files
In that case, just fix the entry through HJT, and restart computer.

I assume you meant in Safe Mode, because HJT had no effect on this in regular operating mode.  Problem appears to be solved now, i.e., there's no entry in the registry or Startup.  Many thanks!

You're welcome
I assume you fixed this:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\
with HJT.

Quote from: Broni on August 06, 2008, 09:35:15 PM
You're welcome
I assume you fixed this:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\
with HJT.

I thought I had, because there haven't been any problems since my last post.  But looking again tonight I saw the same entry via HJT. So I went back into Safe Mode and deleted it with HJT, then still in Safe Mode ran RegSeeker to find the other TkBell entries (12; there were no "realsched" entries).  I deleted the 11 ControlSet ones in RegSeeker and the other in Microsoft\Shared with RegEdit.  Since rebooting, none of the 12 have returned.

Very good. I hope you back up your registry whenever you make any changes...

Quote from: Broni on August 07, 2008, 12:14:33 AM
Very good. I hope you back up your registry whenever you make any changes...

Since with reg cleaning programs I make changes almost daily in the form of deletions and fixes, I save the changes most of the time.  Though through many hundreds (thousands?) of these, I've never had to go back.

I recommend you use Erunt: http://www.larshederer.homepage.t-online.de/erunt/
Manual: http://pcug.org.au/boesen/ERUNT/ERUNT.htm
In my opinion, it's better than System Restore, and I use it on all my Windows versions.

Quote from: Broni on August 07, 2008, 05:42:14 PM
I recommend you use Erunt: http://www.larshederer.homepage.t-online.de/erunt/
Manual: http://pcug.org.au/boesen/ERUNT/ERUNT.htm
In my opinion, it's better than System Restore, and I use it on all my Windows versions.

Thanks, I installed it and its optimizing partner.  The write up must be old, because it says that registry back up should be done under Administrator log in, but then the install asks to put ERUNT in the startup folder to run each boot, i.e., post log in.  However, I don't think it matters in my case, since I've got a single user XP setup.

As long as ERDNT folder is located in Windows folder, you're OK.

