Tea Timer warns about Spybot Actions..?



urbanachiever
2008-02-01, 20:38
Hi!

I just removed a trojan using Spybot, and when I chose "remove" or "fixa åtgärdat problem" as it says in Swedish, then Tea Timer directly asked me to either deny or allow registry changes... So I searched the web for answers on what to choose, found none, and then chose to allow the three changes that Tea Timer alerted about.

So, did I choose right? Did Tea Timer warn about the Spybot action, or was it the trojan that autoinstalled itself again?

Can't explain how thankful I'll be if someone can answer me. :)? or :oops:?

Zenobia
2008-02-01, 23:46
You probably made the right choice. When Teatimer popped up, it was probably alerting you to the changes about to be made, and since it was Spybot making those changes, Allowing the change probably allowed the things to be removed from your computer.
To have a better idea if you made the right choice or not, you could paste the last couple of lines of your resident.log on here for someone to look at. You'd do that by opening Spybot, clicking Mode up top, then selecting Advanced mode. Then click Tools, then Resident. Over in the window to the right, scroll down to the bottom of your resident.log, then highlight the last couple of lines, then right-click, then select Copy, then paste those lines here.

urbanachiever
2008-02-02, 00:59
Hi, thanks for answering and I hope you're right :) Here's my resident log:


2007-11-27 19:55:36 Allowed (based on user decision) value "{7E853D72-626A-48EC-A868-BA8D5E23E045}" (new data: "") added in Browser Helper Object!
2008-01-21 17:42:58 Allowed (based on user decision) value "Orb" (new data: ""C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background") added in System Startup user entry!
2008-01-21 17:44:29 Allowed (based on user decision) value "WinampAgent" (new data: ""C:\Program Files\Winamp\winampa.exe"") added in System Startup global entry!
2008-01-21 17:51:29 Allowed (based on user decision) value "Orb" (new data: "") deleted in System Startup user entry!
2008-01-21 17:51:44 Allowed (based on user decision) value "WinampAgent" (new data: "") deleted in System Startup global entry!
2008-01-28 19:24:39 Denied (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") added in System Startup global entry!
2008-02-01 19:01:03 Allowed (based on user decision) value "DefaultUserName" (new data: "Administrator") changed in Winlogon!
2008-02-01 19:28:11 Allowed (based on user decision) value "SpybotDeletingB5659" (new data: "command /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup user entry!
2008-02-01 19:28:15 Allowed (based on user decision) value "SpybotDeletingD9133" (new data: "cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup user entry!
2008-02-01 19:28:17 Allowed (based on user decision) value "SpybotDeletingA9188" (new data: "command /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup global entry!
2008-02-01 19:28:19 Allowed (based on user decision) value "SpybotDeletingC3741" (new data: "cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup global entry!


... By the way, maybe this is not related, I don't know, but does anyone know if this trojan could have taken control over my MSN address, or maybe it came from MSN? I have two addresses at the microsoft@live.se-domain, and one of them has been having difficulty logging on to MSN, but the other one always functions... And I don't know if I'm paranoid, but I think I've noticed that my connection is slower when I'm logged in on that address.

Zenobia
2008-02-02, 02:33
2008-02-01 19:28:11 Allowed (based on user decision) value "SpybotDeletingB5659" (new data: "command /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup user entry!
2008-02-01 19:28:15 Allowed (based on user decision) value "SpybotDeletingD9133" (new data: "cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup user entry!
2008-02-01 19:28:17 Allowed (based on user decision) value "SpybotDeletingA9188" (new data: "command /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup global entry!
2008-02-01 19:28:19 Allowed (based on user decision) value "SpybotDeletingC3741" (new data: "cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup global entry!

Okay, for an explanation of why Teatimer popped up asking whether to Allow or Deny those changes, please see here:

hello,

these autorun entries are generated by Spybot S&D if it encounters files that cannot be deleted during runtime because they are locked by other processes.
C:\WINDOWS\SchedLgU.Txt
for instance is the scheduler log file and is locked by Windows as long as it runs.
from: http://forums.spybot.info/showthread.php?t=17193

And here:
http://forums.spybot.info/project.php?issueid=68
The above says it was implemented in version 1.5.1.16 alpha. Which version of Spybot do you have? You can tell by opening Spybot, then going to Help, then About.

..................................................................................................


C:\WINDOWS\system32\libeay32.dll_old
Also, please see here about the false positive reported by Rosenfeld:
possible FP: libeay32.dll flagged as Win32.Delfzq (http://forums.spybot.info/showthread.php?p=160520)
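
As an added example (not part of the thread and not Spybot's own code), the check discussed above can be run over a resident.log excerpt: this sketch parses the line layout seen in the posted log and separates SpybotDeleting* delete-on-reboot entries from other autorun changes. The name and command patterns are inferred from the four lines in the thread; the function names and the last sample line are constructed for illustration.

```python
import re

# Line layout taken from the resident.log excerpt in this thread. The data
# field can itself contain double quotes, so it is matched greedily up to the
# closing '") <action> in <location>!'.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<decision>Allowed|Denied) \(based on user decision\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<location>.+)!$'
)

# Assumption: cleanup entries look like the four in the thread, i.e. the name
# is "SpybotDeleting" + 5 characters and the data is one plain del command.
CLEANUP_NAME = re.compile(r'^SpybotDeleting[0-9A-Z]{5}$')
CLEANUP_DATA = re.compile(r'^(?:cmd|command) /c del "[^"&|<>]+"$')

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return 'spybot-cleanup', 'review' or 'other' for one parsed entry."""
    name_ok = CLEANUP_NAME.match(entry["name"])
    data_ok = CLEANUP_DATA.match(entry["data"])
    if name_ok and data_ok and entry["action"] == "added":
        return "spybot-cleanup"
    # The value name is only a string, so a SpybotDeleting* entry whose data
    # is not a plain del command is set aside for a closer look.
    if entry["name"].startswith("SpybotDeleting"):
        return "review"
    return "other"

def summarize(log_text):
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [(e["ts"], e["name"], classify(e)) for e in parsed if e]

# First three lines are copied from the thread; the last one is constructed.
SAMPLE = r'''
2008-01-21 17:42:58 Allowed (based on user decision) value "Orb" (new data: ""C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background") added in System Startup user entry!
2008-02-01 19:28:11 Allowed (based on user decision) value "SpybotDeletingB5659" (new data: "command /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup user entry!
2008-02-01 19:28:15 Allowed (based on user decision) value "SpybotDeletingD9133" (new data: "cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"") added in System Startup user entry!
2008-02-01 19:30:00 Allowed (based on user decision) value "SpybotDeletingZ0000" (new data: ""C:\Temp\example.exe"") added in System Startup user entry!
'''

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```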