
TeaTimer blocks Registry change - need more information

alphafalcon

New member
Hi,
I'm currently trying to get rid of some particularly nasty programs, and so far Spybot has been of great help, especially TeaTimer stopping the re-adding of startup keys. I believe that I have cleaned my system of most parts of the spyware, but I keep getting TeaTimer alerts about a new BHO entry. As I've cleaned all places that were obvious to me, I'm at a dead end because I can only see that someone wants to add the BHO but not WHICH program/process/thread is doing it. Is there any way to get TeaTimer to tell me?
Thanks in advance!
Falcon
 
alphafalcon:

What is the CLSID (class ID) of the BHO? Copy the registry change for the BHO from the Resident.log into a new post in this thread.

There are several ways to access the Resident.log file:
  1. Right click on the TeaTimer (Spybot-SD Resident) system tray icon and select Show Log.
  2. Go into Spybot > Mode > Advanced Mode > Tools > Resident.
  3. Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Select the Resident.log file and open it.
  4. Using Windows Explorer, navigate to the Resident.log file located in one of the following directories:
    • Windows 95 or 98:
      C:\Windows\Application Data\Spybot - Search & Destroy\Logs
    • Windows ME:
      C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
    • Windows NT, 2000 or XP:
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
    • Windows Vista:
      C:\ProgramData\Spybot - Search & Destroy\Logs
    Double click on Resident.log file and it should open with Notepad.
To copy information from the log into the Clipboard:
  • Highlight the portion of the log that you want to copy.
  • Right click and select Copy.
Paste (Ctrl+V) the information from the Clipboard into a new post in this thread.
 
Thanks for the reply,
I managed to get rid of the spyware (some Virtumonde variant, I think) by booting Linux and manually deleting its DLL, so no need for help with cleaning up anymore :bigthumb: I'm still curious if there's a way to see which process wanted to change something in the registry.
Thanks
 
alphafalcon:

TeaTimer does not capture information about what process made the registry change because TeaTimer actually detects that a registry change has occurred after the fact and allows you to reverse the change by doing a "Deny change".

If you have a recurring registry change, you can determine what process is making that change using a registry monitoring program. One such program is Regmon:
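
The following PowerShell is an added example, not part of any post in this thread and not Spybot's own code. It lists the BHO CLSIDs registered under HKLM and resolves each one to the DLL named in its InprocServer32 key, which is the file to examine when TeaTimer keeps reporting a BHO entry; the function name `Get-BhoInventory` is made up for this example, and the script does not show which process wrote the key.

```powershell
# Added example (hypothetical helper name): inventory Browser Helper Objects
# and the DLL each CLSID loads. Read-only; run from an elevated prompt to be
# sure every key is readable. Per-user (HKCU) class registrations are not covered.

# BHO list key paired with the CLSID tree of the same registry view (64-bit, then 32-bit).
$views = @(
    @{ Bho     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho     = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Classes = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $key.PSChildName                      # e.g. {xxxxxxxx-xxxx-...}
            $inproc = Join-Path $view.Classes "$clsid\InprocServer32"
            $dll    = $null
            $exists = $false
            $signer = 'n/a'

            if (Test-Path -LiteralPath $inproc) {
                # The unnamed (default) value of InprocServer32 is the DLL path.
                $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            }
            if ($dll) {
                $dll    = $dll.Trim('"')
                $exists = Test-Path -LiteralPath $dll
                if ($exists) {
                    $signer = (Get-AuthenticodeSignature -LiteralPath $dll).Status
                }
            }

            [pscustomobject]@{
                Clsid     = $clsid
                View      = $view.Bho
                Dll       = $dll        # empty: BHO entry with no class registration
                DllExists = $exists     # false: leftover entry or file hidden/removed
                Signature = $signer     # NotSigned or invalid values deserve a closer look
            }
        }
    }
}

Get-BhoInventory | Format-List
```

Running it before and after a "Deny change" shows whether the same CLSID and DLL come back, which is the point at which a registry monitor is needed to find the writer.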
 