Browser Helper Object



TeeZee
2008-05-06, 13:01
Hi, Spybot has given me a warning that a registry entry has been changed called Browser Helper Object. The change is that the value was deleted. It's a bit odd because it doesn't give me the option to deny the change (it is greyed out), neither is there any info on it. I'm not sure if I should accept this change?

Any advice?

Thanks, Trevor

md usa spybot fan
2008-05-06, 14:41
TeeZee:

During some registry changes the "Deny change" option is grayed out (is not an option). This appears to be on changes such as the removal of a Browser Helper Object (Value deleted). This is speculation but I assume that the "Deny change" is grayed out because by the time TeaTimer recognizes the Registry change the underlying code for the BHO has been deleted and therefore denying the change would do no good to save the BHO from being deleted. I assume that the same would hold true for a "Value deleted" for an ActiveX process and possibly other changes. In this case the registry change dialog serves as a warning that something has changed.

TeeZee
2008-05-07, 13:40
Hi, thanks for your reply. How can I know if the change that was made is harmful or not?

md usa spybot fan
2008-05-07, 14:25
TeeZee:

You have to determine what you were doing when the change occurred. Were you uninstalling or changing something?

The key to what Browser Helper Object (BHO) was actually deleted would be the Class ID (CLSID) that was in the Old Data field of the message you received. That information is also recorded in the Resident.log.

There are several ways (4 listed below) to access the TeaTimer's Resident.log file:
1. Right click on the TeaTimer (Spybot-SD Resident) system tray icon and select Show Log.
2. Go into Spybot > Mode > Advanced Mode > Tools > Resident.
3. Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Select the Resident.log file and open it.
4. Using Windows Explorer, navigate to the Resident.log file located in one of the following directories:
   Windows 95 or 98:
   C:\Windows\Application Data\Spybot - Search & Destroy\Logs
   Windows ME:
   C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
   Windows NT, 2000 or XP:
   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
   Windows Vista:
   C:\ProgramData\Spybot - Search & Destroy\Logs
   Double click on Resident.log file and it should open with Notepad.

yotravel
2008-05-13, 17:42
Hi,
I am having this same issue. I have opened the Resident.log file, and here is what it says:

5/12/2008 8:27:54 AM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") deleted in Browser Helper Object!
5/12/2008 8:27:58 AM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") added in Browser Helper Object!
5/12/2008 9:43:04 PM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") deleted in Browser Helper Object!
5/12/2008 9:43:07 PM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") added in Browser Helper Object!

Right now, there is a popup window telling me again that the value has been deleted. Any ideas?

Thanks.
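
[Added example, not part of the original thread and not Spybot's own code: a small parser for the Resident.log lines quoted above that groups entries by CLSID and reports each delete followed by a re-add of the same value within a few seconds, the pattern visible in this log. The line layout and month/day date order are assumptions inferred from those four lines; the function names are hypothetical, and the registry paths are the standard Windows locations for a BHO registration and its COM class.]

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred only from the four Resident.log lines quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>\w+) \((?P<reason>[^)]*)\) '
    r'value "(?P<clsid>\{[0-9A-Fa-f-]{36}\})" \(new data: "(?P<data>[^"]*)"\) '
    r'(?P<action>\w+) in (?P<category>.+)!$')

# The log lines as posted in the thread.
SAMPLE_LOG = '''\
5/12/2008 8:27:54 AM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") deleted in Browser Helper Object!
5/12/2008 8:27:58 AM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") added in Browser Helper Object!
5/12/2008 9:43:04 PM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") deleted in Browser Helper Object!
5/12/2008 9:43:07 PM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") added in Browser Helper Object!
'''

BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

def parse(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            # Assumes month/day/year order, as a US-locale log would use.
            e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append(e)
    return events

def readded_bhos(events, window_s=10):
    """(clsid, deleted_at, added_at) for each BHO value re-added within window_s of its deletion."""
    by_clsid = defaultdict(list)
    for e in events:
        if e["category"] == "Browser Helper Object":
            by_clsid[e["clsid"]].append(e)
    hits = []
    for clsid, evs in by_clsid.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            gap = (b["ts"] - a["ts"]).total_seconds()
            if (a["action"], b["action"]) == ("deleted", "added") and gap <= window_s:
                hits.append((clsid, a["ts"], b["ts"]))
    return hits

def registry_paths(clsid):
    """Where to look up the BHO registration and the DLL that implements it."""
    return [BHO_KEY + "\\" + clsid, "HKCR\\CLSID\\" + clsid + "\\InprocServer32"]
```

The default value under the InprocServer32 key names the DLL behind the CLSID, which is the file to check against what is known to be installed.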

spybotsandra
2008-05-13, 17:48
Hello,

There is no action needed.
That is only a notification from the resident TeaTimer that a process has been blocked.
Please read this information about TeaTimer:
http://www.safer-networking.org/en/faq/33.html
and http://www.safer-networking.org/en/faq/34.html
The tutorial (point 8) on our homepage should also help explain:
http://www.safer-networking.org/en/tutorial/index.html

Best regards
Sandra
Team Spybot

yotravel
2008-05-13, 23:48
Thanks, Sandra.

I have a few other questions. They are based on the quote below from this link, http://www.safer-networking.org/en/tutorial/index.html

"But if the message comes out of the blue sky while you were surfing the web, you should get cautious. In this case it is better to deny the registry change."

Well, my messages have been coming out of the blue sky, and not necessarily when I am even surfing the web (I find the messages on my machine first thing in the morning, the machine has been running all night). Is there any way to tell what program is trying to change the registry? I have run scans for viruses and spyware, and nothing has come up. What other precautions should I take?

bitman
2008-05-14, 00:26
yotravel,

This is either part of FlashGet, which you should know you've installed, malware masquerading as this BHO or possibly a false positive.

http://www.file.net/process/jccatch.dll.html

I suggest you create a Spybot log listing with the BHO section and copy/paste the information relating to this item (identified by the number below) in your next post. That will help someone here identify it if you can't yourself.

Bitman