PDA

View Full Version : TeaTimer blocks Registry change - need more information



alphafalcon
2008-05-15, 02:49
Hi,
Im currently trying to get rid of some particularly nasty programs, and so far Spybot has been of great help, especially TeaTimer stopping the re-adding of startup keys.I believe that I have cleaned my system of most parts of the spyware, but I keep getting TeaTimer alerts about a new BHO-Entry. As I've cleaned all places that were obvious to me I'm at a dead end because I can only see that someone wants to add the BHO but not WHICH programm/process/thread is doing it. Is there any way to get TeaTimer to tell me?
Thanks in advance!
Falcon

md usa spybot fan
2008-05-15, 07:34
alphafalcon:

What is the CLSID (class ID) of the BHO? Copy the registry change for the BHO from the Resident.log into a new post in this thread.

There are several ways to access the Resident.log file:
Right click on the TeaTimer (Spybot-SD Resident) system tray icon and select Show Log.
Go into Spybot > Mode > Advanced Mode > Tools > Resident.
Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Select the Resident.log file and open it.
Using Windows Explorer, navigate to the Resident.log file located in one of the following directories:
Windows 95 or 98:
C:\Windows\Application Data\Spybot - Search & Destroy\Logs
Windows ME:
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows NT, 2000 or XP:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows Vista:
C:\ProgramData\Spybot - Search & Destroy\Logs
Double click on Resident.log file and it should open with Notepad.
To copy information from the log into the Clipboard:
Highlight the portion of the log that you want to copy.
Right click and select Copy.
Paste (Ctrl+V) the information from the Clipboard into a new post in this thread.

alphafalcon
2008-05-19, 14:03
thanks for the reply,
I managed to get rid of the spyware (some virtumonde variant I think) by booting linux and manually deleting its dll, so no need for help with cleaning up anymore :bigthumb: I'm still curious if theres a way to see which process wanted to change something in the registry.
Thanks

md usa spybot fan
2008-05-19, 14:38
alphafalcon:

TeaTimer does not capture information about what process made the registry change because TeaTimer actually detects that a registry change has occurred after the fact and allows you to reverse the change by doing a "Deny change".

If you have a recurring registry change, you can determine what process is making that change using a registry monitoring program. One such program is Regmon:
RegMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx

alphafalcon
2008-05-20, 00:25
Thanks, exactly what I was looking for :bigthumb: