Value Deleted question



Mike8
2008-07-20, 19:26
Hi,

I recently cleansed (hopefully!) my computer from the Antivirus-2008 malware. Now, after getting rid of that, I get the following S&D messages:

Category: System Startup global entry
Change: Value deleted
Entry: Antivirus
Old data: C:\Program Files\VAV\vav.exe
New Data: [blank]


Category: Browser page
Change: Value deleted
Entry: Start page
Old data: http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome
New Data: http://www.google.ca


Category: System Startup global entry
Change: Value deleted
Entry: lphcntgj0e77t
Old data: C:\WINDOWS\system32\lphcntgj0e77t.exe
New Data: [blank]


Category: System Startup global entry
Change: Value deleted
Entry: SMrhcjtgj0e77t
Old data: C:\Program Files\rhcjtgj0e77t\rhcjtgj0e77t.exe
New Data: [blank]



Category: System Startup global entry
Change: Value deleted
Entry: SysA2B5.exe
Old data: C:\Windows\SysA2B5.exe
New Data: [blank]



Category: System Startup global entry
Change: Value deleted
Entry: SysA4B7.exe
Old data: C:\Windows\SysA4B7.exe
New Data: [blank]


And I've denied all of these so far, as they're all linked to the virus I had. [except the start home page, which is more likely linked to my having updated Windows Security yesterday]

But I'm wondering if I should allow them, since all S&D bot is telling me is that these .exes have been deleted from the registry? Basically, I'm not sure what this 'value deleted' means. If it means it's a simple acknowledgement that these files have been deleted, great. But if it will then copy these files to some memory or something, then I should just deny them all. Right?


Any help would be greatly appreciated.

drragostea
2008-07-20, 19:43
I think you got it all wrong.

Actually what TeaTimer meant was that Antivirus 2008 was removed from your computer, thus it will not start up again in the future.

Old data: C:\Program Files\VAV\vav.exe
New Data: [blank]

vav.exe is a malicious process (old data), now after removing it, it is not there anymore.

The second startup entry does not show anything in the Google search engine, so I'm concluding that it was randomly generated. As for the homepage, you can safely allow that.

As for the last three processes, they were randomly generated by the spyware.
--
Have you 'denied' it once? Are you denying it on every startup? Or did you tick 'Remember my Decision'?

Conclusion: You can safely allow all of them.

I hope this clears your doubt.

Mike8
2008-07-20, 19:57
OK, that's actually what I suspected (read the bottom of my initial post ;)) ... but I just wanted to be certain, as this is the first time I've had this problem.

I believe I did 'remember this decision' on 1-2 denials, but for the rest, I just denied and didn't 'remember this decision' since I began thinking of what this meant logically ;)

Is it harmful now then, that I've 'remembered this decision' on a few of those denials? If so, is there any way to reverse that decision and go ahead and allow them now?

Thank you for the help!

md usa spybot fan
2008-07-20, 20:24
Mike8:


...Is it harmful now then, that I've 'remembered this decision' on a few of those denials? ...
It may not be harmful but it would keep you from allowing a similar registry change in the future because it would automatically be denied.


... If so, is there any way to reverse that decision and go ahead and allow them now? ...
If you check "Remember this decision" on a change, the information concerning that change is stored in a file. TeaTimer uses that information to automatically "Allow" or "Deny" similar registry changes for all future changes. To edit that information: right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) buttons across the top of the "White & Black List":
Allowed registry changes
Blocked registry changes
Allowed processes
Blocked processes
You can review all the entries that you have stored by clicking on these buttons. The entries that you should review are in "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete, answering "Yes" to the confirmation dialog and then clicking the "OK" button when you're done. After you have done that, the next time a similar registry change occurs TeaTimer will issue a registry change dialog rather than automatically deny the change. At that time you could allow the change if you wanted to. I suggest that you do not use the "Remember this decision" option unless there is a compelling reason to.
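
The "System Startup global entry" notifications in the first post are Run-key values being removed after the malware files were gone. A useful follow-up check after a cleanup like this is the reverse case: Run values that are still present but whose target executable no longer exists, or that point somewhere unexpected. The script below is an added example, not code from the thread or from Spybot; it assumes that TeaTimer's "global" startup entries correspond to the machine-wide HKLM Run keys and that user entries correspond to HKCU.

```powershell
# Added example (not from the thread): list Windows autostart (Run/RunOnce) values and
# report whether the executable each one launches still exists on disk.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # "global" entries (assumed)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',      # current-user entries
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath([string]$commandLine) {
    # Reduce a Run value ("C:\Program Files\x\x.exe" /arg, or C:\dir\x.exe /arg)
    # to the program path so it can be tested with Test-Path.
    $expanded = [Environment]::ExpandEnvironmentVariables($commandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $close = $expanded.IndexOf('"', 1)
        if ($close -gt 1) { return $expanded.Substring(1, $close - 1) }
        return $expanded.Trim('"')
    }
    $m = [regex]::Match($expanded, '^(.*?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded.Split(' ')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd     = [string]$item.GetValue($name)
        $exe     = Get-ExecutablePath $cmd
        $present = Test-Path -LiteralPath $exe
        # A value whose target is missing is an orphaned autostart: the file was removed
        # but the registry record was not, the opposite of the "Value deleted" case above.
        $note = if ($present) { '' } else { 'target missing (orphaned autostart)' }
        [pscustomobject]@{
            Key    = $key
            Entry  = $name
            Target = $exe
            OnDisk = $present
            Note   = $note
        }
    }
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable; compare the Entry and Target columns against the Old data paths reported by TeaTimer to confirm nothing from the infection is still registered to start.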

drragostea
2008-07-20, 20:31
Thanks md usa spybot fan.

Mike8
2008-07-20, 20:40
Thank you both very much. :)

I feel I should now head over to the Malware forum to ensure my computer is fully clean...

drragostea
2008-07-20, 20:43
Yes, give it a shot.

Have you run a full scan with Spybot-SD? Make sure you have the latest version. :)

Mike8
2008-07-20, 20:48
Yes, I did. But I got an error message at the end stating I need to be elevated to administrator.

I also have Avast, SuperAntiSpyware (which fixed some of the problems S&D found and allowed me to remove them), and Ad-aware, as well as a host of other programs I got from http://www.elitekiller.com/malware.htm

drragostea
2008-07-20, 20:55
If it said you need elevated privileges, I'm assuming you are using Windows Vista OS?
How can I get Admin rights in Windows Vista? (http://www.spybot.info/en/faq/42.html).

I have to say SAS is pretty good.

Mike8
2008-07-20, 21:03
Ahha! Thank you for that. I was wondering if somehow that virus/malware had prevented me from using S&D to its full capabilities. ;)


The only 'nice' part of getting infected with a virus/malware is that you see there are many very nice people willing to share their time and knowledge to help you fix the problem. Thank you again!

drragostea
2008-07-20, 21:30
I'm glad I cleared your doubts.

Welcome to the Spybot community.