When starting up my PC the usual things happened including the registry entry allowed pop ups and some denied - the latter were all ITBarLayout. The allowed entries disappeared. The denied ones kept flashing in the right hand side of the screen - maybe half a dozen of the same message.

I found an archived 2005 set of posts that helped me edit the registry and one made reference to previous threads about looping notices. I assume these are what I was experiencing.

I cannot find the instructions to solve this proble, Can anyone please help?

I have got rid of these in an unsatisfactory manner - with the greatest of difficulty I accessed the black and white list and pressed the black cross to remove the item from the black list.

The difficulty was that whilst these notices were constantly on screen right click access was only momentary and therefore trial and error as to whether I managed to start the B&W list. There seems no way to access these via the standard program. Why? You go to settings and there is no B&W listing. There ought to be incase access to the icon at the bottom right of the screen is unavailable.

So now ITBarLayout is allowed when I want it denied. I need to solve the looping notices problem. Presumably with the looping working properly then I can deny the program? Can anyone confirm this to be the case?

Incidentally, I noticed a music website set as default in the IE7 search box. I have removed this. Don't know if this is widely the source?

Help would be most appreciated.

Please show us what change is being denied:
Go into Spybot > Mode > Advanced Mode > Tools > Resident > page (scroll) to the bottom of the listing and highlight a portion of the log that shows the denied ITBarLayout, then right click and select Copy. Paste (Ctrl+V) the log entries to another post in this thread.
Thanks.

28/05/2007 14:37:51 Denied value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
28/05/2007 14:37:53 Denied value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
28/05/2007 14:37:54 Denied value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
28/05/2007 14:37:58 Allowed value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!

There are so many of these entries that there are too many for this message box.

Something is continually attempting to delete an "ITBarLayout" entry and I believe that you answered the original pop-up dialog with "Deny change" and "Remember this decision". Now that the information concerning that change it is stored in a file. TeaTimer uses that information to automatically "Allow" or "Deny" changes. Check and see if you have any entries stored for the registry entries that are being denied as follows:Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":

Allowed processes
Blocked processes
Allowed registry changes
Blocked registry changes

Note: If you don't see all four buttons, try expanding the window to the right.


You can review all the entries that you have stored by clicking on these buttons. The entries that you should review are in "Denied registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember so that during future changes to these items TeaTimer will issue a pop-up dialog rather then just a notification pop-up.

You can answer the pop-up dialog accordingly when it is received again. Note: The change that you showed was actually deleting the entry (new data: ""), so allow the change and the loop of messages should stop.

For more information on how to trace what is attempting to delete the "ITBarLayout", see the following thread:
http://forums.spybot.info/showthread.php?t=1380

Thanks.

Your last reply I recognise. because a google search brought it and the link you provided to my attention which I have printed off.

It does say in that post:

(OK, you covered how to fix the looping notices in previous posts, but I don't want to fix them, I want them not to happen in the first place!)

This I cannot find and was the main reason for entering this forum. Perhaps you can help provide this info?

Yes I did finanlly get to the B&W list and click on the black cross. This removed it from the denied list and put it in the allowed list. This I did not want, but am afriad to deny it again in case I get this 'looping; affect - as if the denial was stuck. Back to my request for that previous info.

Hope you can help.

It does say in that post:

(OK, you covered how to fix the looping notices in previous posts, but I don't want to fix them, I want them not to happen in the first place!)

This I cannot find and was the main reason for entering this forum. Perhaps you can help provide this info?
I can't possible tell you how to keep a particular registry change from happening unless I know what is issuing the change. Actually, what cnsublett (http://forums.spybot.info/member.php?u=8333) stated in that post was:


(OK, you covered how to fix the looping notices in previous posts, but I don't want to fix them, I want them not to happen in the first place!)

My question is: how do I find out what is causing this and block/remove/delete it?I can't find a pattern of when or why it happens; it doesn't seem to be related to any specific sites, etc. Help? Thanks!
I covered "how do I find out what is causing this" in this post:
http://forums.spybot.info/showpost.php?p=37155&postcount=9
__________________



Yes I did finanlly get to the B&W list and click on the black cross. This removed it from the denied list and put it in the allowed list. This I did not want, but am afriad to deny it again in case I get this 'looping; affect - as if the denial was stuck.
Unless I am misunderstanding, I don't quite understand why after removing the entry from the "Blocked registry changes" to keep the change from looping you added an entry to the "Allowed registry changes". If you want to attempt to determine what is causing the change you should not have entries in either the "Allowed registry changes" or the "Blocked registry changes". You must start monitoring registry changes when one of these registry changes occurs, do a "Deny change" without a "Remember this decision" and when the registry change is repeated see if you have trapped what is issuing the change.

I my opinion, "Remember this decision" should be used sparingly, if at all. I personally do not currently have any entries in TeaTimer's "White & Black List" for either the "Allowed registry changes" or the "Blocked registry changes".

When I pressed the black cross the denied entry disappeared. When I checked the allowed entried it was in there as well. It seemed to me that once it was deleted from denied it appeared in allowed.

Should I delete it from allowed as well?

PS I was not using the PC when ITBarLayout must have first appeared. Others in the family do not know how to use the security software I have installed so who knows what was pressed if any messages came up.

PPS Sorry about this. I have just deleted (pressed the black cross) in the allowed list and it has not reappeared in the blocked list.

What I did notice was an entry much earlier in the allowed list for an ITBar7Layout.

Is this news to you?

I have an "ITBar7Layout" registry entry that was added the day I installed Windows Internet Explorer 7:


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBar7Layout"=hex:13,00,00,00,00,00,00,00,00,00,00,00,30,00,00,00,10,00,00,00,\
…
My Resident.log indicates that I allowed the change:


1/11/2006 12:21:45 PM Allowed value "ITBar7Layout" (new data: "hex:13,00,00,00,00,00,00,00,00,00,00,00,30,00,00,00,10,00,00,00, …,") added in User-specific browser toolbar!
However, I do not have an entry in TeaTimer's "White & Black List" under "Allowed registry changes". By using "Remember this decision" and creating an "Allowed registry changes" entry would have defeat the purpose of TeaTimer by allowing like registry changes in the future without the opportunity intervene and reverse the change.

Its back!!!!

I have attempted to attach screen dumps but they may be too small to be of any use.

How do I stop ITBarLayout from coming onto the computer?

Denying keeps causing this looping problem with Spybot.

The only way I can get rid of it is to allow it.

Help please!!!

Incidentally I have no items in deny. If I did would this problem happen with all denials?

ddasddascra:

I feel like we are going around in circles like a dog chasing its tail.


How do I stop ITBarLayout from coming onto the computer?
I don't know. I don't even know if the change is legitimate and should be allowed without knowing what process is issuing the registry change. I have attempted to explain one method to determine what process is issuing the registry change to the ITBarLayout registry entry by using Regmon that I detailed for cnsublett (http://forums.spybot.info/member.php?u=8333) in the following post:
http://forums.spybot.info/showpost.php?p=37155&postcount=9
Without you determining what process is issuing those registry changes, I can no long help you except to remind you that when these repetitive changes to ITBarLayout are occurring doing a "Deny change" with a "Remember this change" will cause a loop.

Good luck and I hope someone else can help.

I also think we are going round in circles.

I appreciate your time and help very much.

So this leaves me two things to follow:
- I will attempt to use Regmon and follow that advice
- I still would like an answer to looping (have I missed something on this one?)

At the moment every time I start up the computer Spybot allowes those on White list and a notice comes up asking me to allow or deny ITBarLayout. At the moment I have to allow it without telling it to remember. If I deny it I get the looping affect.

Once allowed I have checked the B&W lists and found no ITetc entry (as I guess would be expected) and I also used Regedit to check for a registry entry. Again no ITBarLayout entry. This puzzles me since having allowed it for the current session I would have expected to see an entry in the Registry where they previously were and from which I deleted them as per your instructions.

You probably gathered I'm having great difficulty with dealing with this and will post when I have attemtped Regmon ( It will work from boot up will it? I need to 'trap' it during the computer start process).

I honestly don't know if the second question has been answered.

I also don't know if I deny anyother activities whether the same looping problem will occur. I am now afraid to deny anything with Spybot. This is a broader issue that I would think is not just related to ITetc.

Please bear with me as I am not a well person, suffering from stress / depression, etc.

Many thanks again.

If you are no longer getting the change to the ITBarLayout registry entry except when you reboot the system, the cause of the problem could be because TeaTimer's snapshot files are out of sync with the registry. TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshots were taken.

The solution to the problem is to refresh TeaTimer's snapshot files after making changes to the registry such as changing your home page. There are two ways to do this:Refresh TeaTimer's snapshot files:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.

Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.

Manually exit TeaTimer immediately prior to system shutdown or restart.
The loop:

Something changes the registry. TeaTimer recognizes the change by comparing the registry with its snapshot files and issues a registry change dialog. You do an "Deny change" with a "Remember this decision". Because of the "Deny change" TeaTimer returns the registry entry to the original value contained in its snapshot files and because of the "Remember this decision" TeaTimer sets up logic to automatically repeat the "Deny change" on like changes. Whatever changed the registry recognizes that the change has been reversed and reissues the change. TeaTimer recognizes the change and reverses the change. You have caused a loop by using "Remember this decision".

ps: I have no idea what your latest loops was because you elect to post screen shots that I could not read rather than a portion of the Resident.log.

I followed your instructions to manually exit Spybot ? Teatimer before shutting down the PC.

First reboot - success - no allowed or denied messages or looping.

Just for luck I have rebooted the PC a second time and the same success.

Keeping fingers, legs, etc crossed I hope this is the end of this experience.

I am most grateful for you help and patience in seeing me through this event.

It is most appreciated.

Many thanks.

PS I think I will give the RegMon a pass for now and hope this does not reoccur.

I was having this same problem upon boot up of my pc when Spybot loaded on startup. After reading your posts, I finally decided....what would it hurt to just uninstall and re-install? Viola! It worked so far.

Just a helpful idea so this stupid issue doesn't make you stir crazy like it was making me when it locked up my spybot and pc. Then you can spend time doing better things then trying to capture the registry value that's running and causing the issue. :red:

I will wait and see if we get a repeat of the issue in the meantime. If I do, I will run this reg program and see whats up.

Wishing you all a happy, happy summer! :banana: