Why did this happen? (related to TeaTimer)



Brussel
2008-02-21, 15:41
I was using Firefox to view a website that contains Flash. A message from TeaTimer popped up saying that something had tried to change the registry key for Flash. I clicked 'deny change,' because I didn't think I had done anything that would cause registry keys to change (like installing a new program). Then, Firefox crashed. It works now, but I'm concerned. What happened?

Why would just looking at a page cause something to change the registry key for Flash? Why would denying it make Firefox crash? Should I be concerned that my computer is infected with something? (I've never had TeaTimer do anything while I was browsing the internet before, only when I've installed or removed programs)

Thank you.

spybotsandra
2008-02-21, 16:01
Hello,

Probably something needs to be installed for this flash.
Please read this information about TeaTimer:
http://www.safer-networking.org/en/faq/33.html
and http://www.safer-networking.org/en/faq/34.html
If you surf the web and without any user interaction the teatimer pops up and warns about a registry change it is better to "deny", but if you install something by yourself it is OK to "allow" the change.

Best regards
Sandra
Team Spybot

md usa spybot fan
2008-02-21, 16:17
This is purely speculation, but it is possible that when you visited the site it recognized there was a Flash Player update required involving a registry change. Then removing the registry change that was done during the update by denying the change with TeaTimer, Firefox was no longer able to continue.

Please show us what change is being denied:
Go into Spybot > Mode > Advanced Mode > Tools > Resident > page (scroll) to the bottom of the listing and highlight a portion of the log that shows the denied registry change, then right click and select Copy. Paste (Ctrl+V) the log entries to another post in this thread.

Brussel
2008-02-21, 19:35
Here is what the log says:


2/20/2008 4:01:51 PM Denied (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!

md usa spybot fan
2008-02-21, 22:06
Brussel:

From your post the following startup registry entry was being added:


"FlashPlayerUpdate"="C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p"
To one of the following registry keys (unfortunately Spybot does not indicate which):


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
Searching for that entry on the Web, I found dozens of entries in HijackThis logs where that entry was located in the following registry key:


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunOnce" startup entries are executed once and then are deleted. If they are located in the [HKEY_CURRENT_USER] registry hive they would be executed when that particular user logs on and then deleted.

Generally "RunOnce" registry entries are used to complete or clean up installations of new software. I did not find any definitive information about what the program "NPSWF32_FlashUtil.exe" with a parameter of "-p" does, although it is probably out there some place.

I'm sorry but I don't know much about "FlashPlayer" nor Firefox and if there are options within either or both that allow/disallow automatic updates. If there are and an automatic update of "FlashPlayer" was occurring then the registry change probably should have been allowed.

_______________

spybotsandra (http://forums.spybot.info/member.php?u=5) indicated:


If you surf the web and without any user interaction the teatimer pops up and warns about a registry change it is better to "deny", but if you install something by yourself it is OK to "allow" the change.
Although I agree with that statement in general, I personally think a somewhat modified approach to answering TeaTimer should be considered:
Realize that the registry change monitor within TeaTimer is not rule based (with a few exceptions so it will not interfere with certain other security packages). In general it reports all changes within certain registry keys, good, bad or indifferent.
If you "Allow" all changes, you would be no worse off than if you didn't have TeaTimer enabled at all.
When a change occurs try to take into consideration what is happening on your system (installing, updating, etc.).
If you can't figure out what the change is, don't necessarily "Deny" the change. If you deny the wrong change you can adversely affect the stability, functionality and even the security of your system.
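
To settle which of the four keys listed above holds a startup value, and what it would launch, the keys can be read directly. This is an added example, not part of the original posts; the helper name Split-StartupCommand is an assumption of this example, and the value name is taken from the TeaTimer log entry in this thread.

```powershell
# Added example: read-only check of the per-user startup keys named above.
# It reports where a value lives, what it launches, and whether that file is signed.
$valueName = 'FlashPlayerUpdate'   # value name from the TeaTimer log entry
$subKeys   = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'

function Split-StartupCommand {
    # Hypothetical helper: separate the executable path from its arguments.
    # Startup data is often unquoted even when the path contains spaces,
    # as in the log entry above, so splitting on the first space is wrong.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"\s*(.*)$') {
        return [pscustomobject]@{ Path = $Matches[1]; Arguments = $Matches[2] }
    }
    if ($cmd -match '^(.+?\.(?:exe|com|bat|cmd))(?:\s+(.*))?$') {
        return [pscustomobject]@{ Path = $Matches[1]; Arguments = "$($Matches[2])" }
    }
    return [pscustomobject]@{ Path = $cmd; Arguments = '' }
}

foreach ($sub in $subKeys) {
    $key = Join-Path $base $sub
    if (-not (Test-Path $key)) { continue }          # key absent on this system
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                # value not in this key

    $parsed = Split-StartupCommand $item.$valueName
    $exists = Test-Path -LiteralPath $parsed.Path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $parsed.Path } else { $null }

    [pscustomobject]@{
        Key       = $key
        Command   = $item.$valueName
        Path      = $parsed.Path
        Arguments = $parsed.Arguments
        Exists    = $exists
        Signature = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
```

No output means the value is in none of the four keys, which is expected when the change was denied or when a "RunOnce" entry has already run and been deleted.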

Zenobia
2008-02-21, 22:41
I did not find any definitive information about what the program "NPSWF32_FlashUtil.exe" with a parameter of "-p" does, although it is probably out there some place.

I'm sorry but I don't know much about "FlashPlayer" nor Firefox and if there are options within either or both that allow/disallow automatic updates. If there are and an automatic update of "FlashPlayer" was occurring then the registry change probably should have been allowed.

md, I can't remember details from my last Flash Player update for Firefox, but at C:\Program Files\Mozilla Firefox\plugins, I have
NPSWF32_FlashUtil.exe, and double-clicking it brings up a window saying there is an update for Flash Player.

When I mouse over NPSWF32_FlashUtil.exe, it pops up that it is Adobe Flash Player Helper 9.0 r28. HTH. :)

md usa spybot fan
2008-02-21, 23:39
... I have
NPSWF32_FlashUtil.exe, and double-clicking it brings up a window saying there is an update for Flash Player. ...
Thanks for the info. It actually confirms that the change may have been a legitimate registry change if in fact "FlashPlayer" was being updated at the time the TeaTimer dialog appeared.

The parameter "-p" may play a role in what NPSWF32_FlashUtil.exe does when executed and could alter what NPSWF32_FlashUtil.exe is intended to do when added as a "RunOnce" registry entry.

You were daring enough just executing NPSWF32_FlashUtil.exe, so please don't try it with the parameter.

Thanks and regards,
md usa spybot fan

Zenobia
2008-02-22, 01:13
You're welcome. :greeting:


You were daring enough just executing NPSWF32_FlashUtil.exe, so please don't try it with the parameter.
Lol, okay. :)

bnrup
2008-03-11, 06:20
Here is some information that I gathered about the program NPSWF32_FlashUtil.exe and what it does:
1) It is related to the Adobe Flash plugin for Mozilla Firefox.
2) It is downloaded when visiting a site that contains an embedded Flash object, which contains an element that will cause a user's player to be updated if it is out of date.
3) When downloaded, it is run with the -p parameter, which causes the program to register itself in the RunOnce registry key (to be run without the -p parameter at the next startup).
4) At the next startup, the user is prompted that there is a new version of the Flash player available and is asked whether to install the update now, later, or not at all. The startup entry for the program is then deleted.

Hope this helped to clarify a little.