
Thread: TeaTimer blocks Registry change - need more information

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    3

    TeaTimer blocks Registry change - need more information

    Hi,
    I'm currently trying to get rid of some particularly nasty programs, and so far Spybot has been of great help, especially TeaTimer stopping the re-adding of startup keys. I believe that I have cleaned my system of most parts of the spyware, but I keep getting TeaTimer alerts about a new BHO entry. As I've cleaned all places that were obvious to me, I'm at a dead end because I can only see that someone wants to add the BHO but not WHICH program/process/thread is doing it. Is there any way to get TeaTimer to tell me?
    Thanks in advance!
    Falcon

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859


    alphafalcon:

    What is the CLSID (class ID) of the BHO? Copy the registry change for the BHO from the Resident.log into a new post in this thread.

    There are several ways to access the Resident.log file:
    1. Right click on the TeaTimer (Spybot-SD Resident) system tray icon and select Show Log.
    2. Go into Spybot > Mode > Advanced Mode > Tools > Resident.
    3. Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Select the Resident.log file and open it.
    4. Using Windows Explorer, navigate to the Resident.log file located in one of the following directories:
      • Windows 95 or 98:
        C:\Windows\Application Data\Spybot - Search & Destroy\Logs
      • Windows ME:
        C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
      • Windows NT, 2000 or XP:
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
      • Windows Vista:
        C:\ProgramData\Spybot - Search & Destroy\Logs

      Double click on Resident.log file and it should open with Notepad.

    To copy information from the log into the Clipboard:
    • Highlight the portion of the log that you want to copy.
    • Right click and select Copy.

    Paste (Ctrl+V) the information from the Clipboard into a new post in this thread.
    Last edited by md usa spybot fan; 2008-05-15 at 06:35.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
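
An added example, not part of the original posts: one way to answer the "What is the CLSID of the BHO?" question directly from the registry and see which DLL each registered BHO loads. It assumes the standard Browser Helper Objects key under HKLM and PowerShell 3 or later; the function name `Get-BhoEntry` is hypothetical, and the script only reads.

```powershell
# Added example: list registered Browser Helper Objects and the DLL behind each CLSID.
# Read-only; nothing in the registry or on disk is changed.
$views = @(
    @{ Name  = 'native'
       Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Name  = '32-bit view on 64-bit Windows'
       Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BhoEntry {
    foreach ($view in $views) {
        # The 32-bit view does not exist on 32-bit Windows; skip missing keys.
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $key.PSChildName            # subkey name is the BHO's CLSID
            $server = "$($view.Clsid)\$clsid\InprocServer32"
            $dll    = $null

            if (Test-Path -LiteralPath $server) {
                # The default value of InprocServer32 is the path of the DLL to load.
                $raw = (Get-Item -LiteralPath $server).GetValue('')
                if ($raw) {
                    $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
                }
            }

            $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
            [pscustomobject]@{
                View      = $view.Name
                CLSID     = $clsid
                Dll       = $dll                  # empty: CLSID is not registered as a COM class
                OnDisk    = $onDisk               # false: orphaned entry or file already deleted
                Modified  = if ($onDisk) { (Get-Item -LiteralPath $dll).LastWriteTime }
                Signature = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $dll).Status }
            }
        }
    }
}

Get-BhoEntry | Sort-Object Modified -Descending | Format-List
```

An entry whose CLSID matches the one in the TeaTimer alert, with an unsigned or recently modified DLL, is the file to examine.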

  3. #3
    Junior Member
    Join Date
    May 2008
    Posts
    3


    Thanks for the reply,
    I managed to get rid of the spyware (some Virtumonde variant, I think) by booting Linux and manually deleting its DLL, so no need for help with cleaning up anymore. I'm still curious if there's a way to see which process wanted to change something in the registry.
    Thanks

  4. #4
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859


    alphafalcon:

    TeaTimer does not capture information about what process made the registry change because TeaTimer actually detects that a registry change has occurred after the fact and allows you to reverse the change by doing a "Deny change".

    If you have a recurring registry change, you can determine what process is making that change using a registry monitoring program. One such program is Regmon:


  5. #5
    Junior Member
    Join Date
    May 2008
    Posts
    3


    Thanks, exactly what I was looking for
