PDA

View Full Version : Resident TeaTimer Issues


nct35
2007-01-18, 00:13
Hi all. This is my first post on this forum.

I am concerned that resident seems to be coming up with many registry value changes. It would seem that they relate to IE, but my main browser is Mozilla and I only use IE occasionally. I think that something is trying to gain access and change my homepage or whatever. Below you will find logs from the past two days. I have only just been able to reset the dialogue box with ResHack for Tea Timer issues, so I have been pressing CTRL A and CTRL D. However, if I deny the change, it keeps coming back until I allow it.

Really need to sort this out soon. Thanks

2007/01/16 08:34:40 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/16 08:34:41 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!
2007/01/16 15:29:42 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/16 15:29:42 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!
2007/01/16 16:51:48 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/16 16:51:48 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!
2007/01/16 18:43:18 Allowed value "{E36C5562-C4E0-4220-BCB2-1C671E3A5916}" (new data: "") added in ActiveX Distribution Unit!
2007/01/16 19:30:11 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/16 19:30:11 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!
2007/01/16 20:04:04 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/16 20:06:23 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!


2007/01/17 17:19:38 Allowed value "Uniblue Quick Access" (new data: "") deleted in System Startup user entry!
2007/01/17 17:19:44 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/17 17:19:45 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!
2007/01/17 23:00:08 Denied value "Uniblue Quick Access" (new data: "") deleted in System Startup user entry!
2007/01/17 23:00:15 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/17 23:00:16 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!
2007/01/17 23:01:30 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:01:47 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:01:53 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:02 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:12 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:14 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:18 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:31 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:39 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:42 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:48 Allowed value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:52 Allowed value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
md usa spybot fan
2007-01-23, 18:40
nct35:

I believe that you are going to have to be a little more specific about you were doing at the various times represent in the log. I see things like:
Making Google your default Internet Explorer search engine.
What may to be the installation of Seagate SeaTools.
What appears to be the deletion of a startup entry for Uniblue Quick Access (which was allowed and then denied at later point in time).
Etc.
It seems hard for me to believe that all of these actions were the result of malware "… trying to gain access and change my homepage or whatever. "

If you rebooted just prior to the following, TeaTimer's snapshot files may be out of sync with the registry:


2007/01/17 23:00:08 Denied value "Uniblue Quick Access" (new data: "") deleted in System Startup user entry!
2007/01/17 23:00:15 Allowed value "" (new data: "http://www.google.com/search?q=%s") changed in Browser page!
2007/01/17 23:00:16 Allowed value "SearchAssistant" (new data: "http://www.google.com/ie") changed in Browser page!
2007/01/17 23:01:30 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:01:47 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:01:53 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:02 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:12 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:14 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:18 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:31 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:39 Denied value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:42 Denied value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
2007/01/17 23:02:48 Allowed value "BootExecute" (new data: "") deleted in Session manager!
2007/01/17 23:02:52 Allowed value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you may get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshots were taken.

I believe that the reason that snapshot files get out of sync with the registry is because when TeaTimer starts the snapshot files are read into memory and maintained there. The snapshot files only appear to be rewritten when TeaTimer closes. During system shutdown (or restart) it appears that TeaTimer is terminated before it has a chance to rewrite the snapshot files and therefore they are out of sync with the registry if changes have been made to the registry.

The solution to the problem is to refresh TeaTimer's snapshot files after making changes to the registry such as changing your home page, System Startup, etc. There are two ways to do this:Refresh TeaTimer's snapshot files:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.

Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.

Manually exit TeaTimer immediately prior to system shutdown or restart.