Undo TeaTimer?



TheRainIsHere
2007-10-20, 21:49
Is there a way I can undo a deny action in teatimer, or at least re-simulate what I denied?

I looked at the log, and get this:

10/20/2007 10:45:26 AM Allowed (based on user decision) value "Aim6" (new data: ""C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp") changed in System Startup user entry!
10/20/2007 10:58:26 AM Denied (based on user decision) value "" (new data: ""%1" %*") added in Extension handler!
10/20/2007 10:58:28 AM Denied (based on user decision) value "" (new data: ""%1" %*") added in Extension handler!
10/20/2007 10:58:29 AM Denied (based on user decision) value "" (new data: ""%1" %*") added in Extension handler!
10/20/2007 10:58:39 AM Denied (based on user decision) value "IsolatedCommand" (new data: ""%1" %*") added in Extension handler!
10/20/2007 10:58:40 AM Denied (based on user decision) value "" (new data: ""%1" %*") added in Extension handler!
10/20/2007 10:58:40 AM Denied (based on user decision) value "" (new data: ""%1" /S") added in Extension handler!
10/20/2007 10:58:40 AM Denied (based on user decision) value "" (new data: ""%1"") added in Extension handler!
10/20/2007 10:58:40 AM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") added in Extension handler!
10/20/2007 10:58:41 AM Denied (based on user decision) value "" (new data: ""%1" %*") added in Extension handler!

The problem is that that is not enough information to re-simulate. How would I know WHERE in the Extension Handler it was supposed to be added?

Denying this caused me to not be able to open exe, bat, or reg files. I have tried all of those exe fixes, but none of them work.

If I select a program to run as administrator, though, it DOES work.

So is there any way to undo this? Or does anyone have any ideas to fix it?

On Vista Premium from HP

Thanks, Michael

spybotsandra
2007-10-22, 12:05
Hello,

Please right-click the Resident icon in the system tray "Spybot S&D resident" and select "Settings". There you will find 4 lists for remembered decisions (allowed/denied processes and registry changes). In order to remove an entry just click on the cross next to it. TeaTimer will then "forget" this decision and you will be asked again the next time.

Best regards
Sandra
Team Spybot

PepiMK
2007-10-22, 20:01
I think he has a valid point, the label should be clearer. I've updated the RegWatch.sbs for the next update to name the exact extension handler an action is about.

"%1" %* is the data for the default value in HKEY_CLASSES_ROOT\exefile\shell\open\command\ as well as in HKEY_CLASSES_ROOT\batfile\shell\open\command\,
regedit.exe "%1" is for HKEY_CLASSES_ROOT\regfile\shell\open\command\.

cybersan
2007-11-18, 22:33
Hello,
I probably have a similar problem. Can you help me, please?

Here is my log:
18.11.2007 20:18:30 denied value "" (new data: "") deleted in EXE Extension handler!
(translation from my language)

I can't execute any program directly (only some programs I can execute through files: html files open Mozilla Firefox, "Includes" files open SpyBot)

I can't execute Regedit, TeaTimer, etc.
Btw, maybe the updated RegWatch.sbs helps, but I don't know when I can find this file.

I am sorry for my bad English.

Thanks, Stepan

cybersan
2007-11-18, 23:32
Problem solved: http://www.dougknox.com/xp/file_assoc.htm

Here is the registry change log (I hope Doug Knox is not a hacker ;-) and his registry fixes are "clear"...)
- could someone explain to me why the registry entry for PeerGuardian has changed?

===============================================
18.11.2007 23:19:15 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\lnkfile\CLSID
Value:
Data:
New Data:{00021401-0000-0000-C000-000000000046}



===============================================
18.11.2007 23:19:19 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.lnk
Value:
Data:
New Data:lnkfile



===============================================
18.11.2007 23:19:21 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.exe
Value:
Data:
New Data:exefile



===============================================
18.11.2007 23:19:25 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value:SysTray
Data:
New Data:{35CEC8A3-2BE6-11D2-8773-92E220524153}



===============================================
18.11.2007 23:19:33 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
Value:shutdownwithoutlogon
Data:
New Data:1



===============================================
18.11.2007 23:19:36 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:REGSHAVE
Data:
New Data:C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN



===============================================
18.11.2007 23:19:51 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:PeerGuardian
Data:
New Data:C:\Program Files\PeerGuardian2\pg2.exe



===============================================

junebug46
2007-12-02, 23:25
I had the identical problem as "TheRainIsHere", also on Vista Premium on HP after denying those registry changes in Tea Timer. As in that case, I am still able to open by right clicking to "Run as administrator".

Getting rid of the denials by altering the "remembered decisions" and checking to allow such changes did not solve the problem.

Does anyone know how to restore the default values in the registry for the extension handlers for BAT, COM, EXE, PIF, SCR, and REG file types? I suppose the EXE and REG would be most critical, but I am afraid that I may have messed them all up, as I denied the changes for all six. [The Doug Knox fixes were for XP, not Vista].

Thanks!

JJJJJ
2008-06-14, 15:36
Hello all,

SpyBot went to work and I am unsure as to what to do about the following.

It is asking me to allow or deny an SCR extension handler value that has already been changed.

The old data is "%1" /S
The new data is "%1"%*

Should I allow or deny and what are the ramifications of choosing the wrong action? I don't know what those are or what they mean so I'm working with this little message on the screen for 3 days now.

Thanks
J

md usa spybot fan
2008-06-14, 17:40
JJJJJ (J):

In the following TeaTimer dialog:


Category: SCR Extension handler
Change: Value changed
Entry:
Old data: "%1" /S
New data: "%1" %*
The old data is the normal default for the following registry key:


[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
The new data looks like the default for the following registry key (batfile):


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
The "/S" parameter in the default makes .scr files executable, so I don't believe that it makes a difference which is used. However, not knowing what you were doing at the time or if any other registry entries that are not monitored by TeaTimer were changed, I would stick with the default entry and deny the change. I would also consider restoring all of the default registry associations for .scr files.

Questions:
What Windows OS are you running?
What were you doing at the time the TeaTimer dialog appeared?
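The default handler commands quoted in this thread (exefile, batfile and regfile by PepiMK earlier, scrfile in the dialog above) can be checked against the live registry instead of guessing which denied change broke what. The script below is an added example, not code from this thread or from Spybot S&D. It assumes the comfile and piffile defaults from general Windows knowledge (the thread does not state them), and the `-Repair` switch and the script name `Check-ExtHandlers.ps1` are its own.

```powershell
<#
  Added example, not part of this thread or of Spybot S&D.
  Audits the (Default) value of <progid>\shell\open\command for the file
  types discussed in the thread and reports any deviation from the known
  default. With -Repair (run from an elevated prompt; -WhatIf is honoured)
  it writes the default back and recreates a deleted key.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Repair   # report only unless this switch is given
)

# exefile, batfile, regfile, scrfile: defaults as stated in this thread.
# comfile, piffile: assumption from general Windows knowledge, not from the thread.
$expected = [ordered]@{
    'exefile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'scrfile' = '"%1" /S'
    'regfile' = 'regedit.exe "%1"'
}

# HKEY_CLASSES_ROOT is a merged view of these two hives. A per-user key under
# HKCU shadows the machine-wide one, so a fix applied only to HKLM can be
# silently overridden; check both.
$hives = [ordered]@{
    'HKLM' = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes'
    'HKCU' = 'Registry::HKEY_CURRENT_USER\Software\Classes'
}
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$problems = 0
foreach ($progid in $expected.Keys) {
    $want = $expected[$progid]
    foreach ($hive in $hives.Keys) {
        $path   = "$($hives[$hive])\$progid\shell\open\command"
        $exists = Test-Path -LiteralPath $path

        # No per-user override is the normal state; only the HKLM key must exist.
        if (-not $exists -and $hive -eq 'HKCU') { continue }

        # Read (Default) as the raw string; "%1" and %* are shell placeholders,
        # not environment variables, but avoid any expansion anyway.
        $have = '<key missing>'
        if ($exists) {
            $have = (Get-Item -LiteralPath $path).GetValue('', '<not set>', $noExpand)
        }

        if ($have -eq $want) {
            Write-Output "OK       [$hive] $progid : $have"
            continue
        }

        $problems++
        Write-Output "MISMATCH [$hive] $progid"
        Write-Output "         have: $have"
        Write-Output "         want: $want"

        if ($Repair -and $PSCmdlet.ShouldProcess($path, "set (Default) to $want")) {
            if (-not $exists) { New-Item -Path $path -Force | Out-Null }  # recreate deleted key
            Set-Item -LiteralPath $path -Value $want                      # Set-Item writes (Default)
            Write-Output "         restored"
        }
    }
}
Write-Output "$problems deviation(s) found"
```

Run `.\Check-ExtHandlers.ps1` first to see the report, then `.\Check-ExtHandlers.ps1 -Repair -WhatIf` to preview the writes before doing them for real from an elevated prompt. Expect TeaTimer itself to prompt on those writes, since they are exactly the "Extension handler" changes this thread is about; allow them. A MISMATCH under HKCU means a per-user override is masking the machine default, which is worth checking when clearing the remembered decisions does not bring the file types back, as junebug46 reports below. Note that cybersan's log shows a second, separate link that can be lost (the `.exe` extension key pointing at `exefile`); this script checks only the handler commands.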

JJJJJ
2008-06-14, 18:19
Hello MD,

Thanks for the quick response.

I have Windows XP Pro 2002.
I was somehow infected with some malicious malware and was cleaning things up when Spybot kicked in and produced the message.

I will wait to see if this information will make a difference on the recommendation to deny the change. I always believed in denying everything anyway but I was just stumped and didn't do it because I thought that the malware utility may have needed to make the change to make the repair.

Will Spybot restore everything to default or is that a different mission?

Thanks again for the help.
J

md usa spybot fan
2008-06-14, 20:56
JJJJJ:


... I always believed in denying everything anyway …
If you can't figure out what the change is, don't necessarily "Deny" the change. If you deny the wrong change you can adversely affect the stability, functionality and security of your system. When a change occurs try to take into consideration what is happening on your system (installing, updating, etc. or apparently in your case removing malware). Think of it this way: If you "Allow" all changes, you would be no worse off than if you didn't have TeaTimer enabled at all.


… I was somehow infected with some malicious malware and was cleaning things up when Spybot kicked in and produced the message.


didn't do it because I thought that the malware utility may have needed to make the change to make the repair. …
If you were fixing malware, that fact would have been very pertinent information in your initial post. The change that you queried about is not a usual change and returning the entry to its default value is/was probably a prudent choice. However, if you were actually fixing a malware problem, it may not be the correct choice depending on the malware involved, the program correcting it, the steps being taken to disable the malware, what other registry changes transpired while there was an outstanding dialog, etc.

JJJJJ
2008-06-14, 23:37
MD,

I denied three changes, the first, then one to an .exe and then one to a .bat file, and all seemed well. So I ran the cleanup again and it came back that 3 files were infected... the same as the original.

I allowed the program to delete it and Spybot came out of spy mode and brought the deletions to my attention. So I allowed the changes. I ran the program again and all is well.

Thanks for the help. :)

J