PDA

View Full Version : TeaTimer or Spybot causing Taskbar malfunction



Detector
2008-08-08, 07:02
As I now got the update to the new version 1.6 of Spybot, I have recognized a malfunction of the taskbar (Taskleiste):

The PC:
Win2K with all the updates, ADSL-2, 512 MB RAM, 733 MHz
Working fine.

I have been using the following options:
- Immer im Vordergrund / Keep the taskbar on top of other windows
- Automatisch im Hintergrund / Auto-hide the taskbar

As I wanted to see the taskbar earlier, I just got down with the mouse and it popped up.

Now the taskbar always keeps up and does not lower it self down any more.
It simply does not disappear regardless of the settings.
Something is blocking the function and this is caused by Spybot.

I have disabled the Info ballons in Teatimer and rebooted the PC of no gain. I liked the Spybot-behaviour as it was earlier.

I have uninstalled Spybot, cleaned up the filesystem and the registry, without success.
(As Spybot is uninstalled, the taskbar works fine again.)
If I just disable Teatimer, it does not make any difference.

My workaround now is to keep the taskbar in the background and get it visible by the Windows key, but this is not fluently enough.
The mouse is better, because the eyes are following the pointer.

Is the issue known? Is there a solution? Update?
A conflict in the Registry? Registry key?

Yodama
2008-08-08, 08:08
hello Detector,

thank you for addressing this issue. This has not been reported so far, we will look into this and see if it can be reproduced and solved.

catfishjoe
2008-08-08, 21:09
Hi. I have the same problem, more or less. Eventually my Taskbar does start to behave, but once teatimer starts scanning again the Taskbar reverts to bad behaviour. Also the initial scan (that teatimer does on bootup) takes forever. Windows 2000 pro, Amd dule core, 2gig memory. hope the above helps improve Spybot because I would hate to be without it.
Thanks for the years of protection.
Catfishjoe.

catfishjoe
2008-08-09, 15:24
Just wanted to add, I unclicked show info baloon, which had no result, ecven when I restarted (ie:baloon still there for a long period, stopping the hide taskbar from operating, but after a full shutdown and start baloon is now not showing and hide taskbar is now working. so it seems to be the baloon graphic that is causing the problem, with Win 2000 pro, anyway.

Detector
2008-08-10, 09:52
The new update solved the problem. In this version there are no ballons, not even the field (entry, button) for the ballons does exist any more. Version 1.6.0.30

Besides of this, I think ICQ 5.1 partly caused the problems, because the ballon-popups stated something about ICQ if I so opened Outlook, or something else (the same thing also without ICQ running). In this Spybot version there is no such information any more (probably still the same odd behaviour - or a false positive?).

The information is nice to have, but is there a cure about this too?
I have now once again uninstalled ICQ 5.1 and Spybot. I cleaned everything in the registry as well (ICQ, Spybot, Teatimer, Safer Networking) with Registry First Aid's "Search the Registry", as in the filesystem. Then I installed Spybot first (Version 1.6.0.30 - Digital Signature: Montag, 07. Juli 2008 09:57:41). After that Netvigator ICQ (the Hongkong version of ICQ 5.1, still available on www.icq.com).

In the earlier Spybot versions I could disable the ICQ-Trayboot by putting this Registry information (key) to the blocked (disabled) registry changes (Blockierte Reg-Änderungen) as this information came the first time. Now I don't get this option. I just get a ballon popup telling me, that this is allowed and the entry is back:

Resident
07:59 Änderung an der Registrierungsdatenbank erlaubt
Resident erlaubt die Änderung von ICQ Lite
(Kategorie System Startup user entry)
basierend auf Ihre Erlaubnis-Liste.

But I have not permitted anything!?

If I manually delete the following entry (because deleting this in Spybot does not delete the entry),...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce]
"ICQ Lite"="C:\\Programme\\ICQLite\\ICQLite.exe -trayboot"
... I get the same Spybot popup (ballon) again and immediatelly:

Resident
07:59 Änderung an der Registrierungsdatenbank erlaubt
Resident erlaubt die Änderung von ICQ Lite
(Kategorie System Startup user entry)
basierend auf Ihre Erlaubnis-Liste.

As I now start ICQ, the same statement comes again and the entry is back in Spybot, as also in the registry.


I'm wondering how I can put this entry (disable this in the registry) there (Blocked Reg-changes) manually?
In which Spybot file I may make this entry, or is it a registry key?
How's the syntax?

It is nice, that Spybot is telling me, that this entry is possibly bad and as I had disabled this in the earlier versions, ICQ still worked fine and my PC too. But I'm missing a possibility to disable this now. If I uncheck the entry in Spybot Systemstart, I get a new entry with the same information. If I erase the entry, it is simply back there again.
I am missing more possibilities to do something durable in Spybots "Systemstart" and/or manual changes (editing) in the Settings (Options - "Blocked Reg-changes").

This is the entry coming again and again:
Located: HK_CU:RunOnce, ICQ Lite (DISABLED)
where: S-1-5-21-527237240-583907252-682003330-500...
command: C:\Programme\ICQLite\ICQLite.exe -trayboot
file: C:\Programme\ICQLite\ICQLite.exe
size: 3142236
MD5: 2EAD5900356FD61DFDF27B1A819126E1

This is the Spybot information about this entry:

Aktuelle Datei: C:\Programme\ICQLite\ICQLite.exe -trayboot

Datenbank-Status: Üblicherweise nicht benötigt
Wert: ICQ Lite
Dateiname: ICQLite.exe

Beschreibung
_ICQ Lite_ - compact version of the popular messaging program

Quelle: Paul Collins Startup list
____________________

Aktuelle Datei: C:\Programme\ICQLite\ICQLite.exe -trayboot

Datenbank-Status: Nicht benötigt - Viren, Spyware, Malware oder sonstiges Unnötiges
Wert: ICQ Lite
Dateiname: scvhost.exe

Beschreibung
Added by the _AGENT-DSF_ TROJAN!

Quelle: Paul Collins Startup list
____________________

Aktuelle Datei: C:\Programme\ICQLite\ICQLite.exe -trayboot

Datenbank-Status: Nicht benötigt - Viren, Spyware, Malware oder sonstiges Unnötiges
Wert: ICQ Lite
Dateiname: winlog.exe

Beschreibung
Added by the _IRCBOT-TJ_ TROJAN!

Quelle: Paul Collins Startup list



____________________

The contents of the Resident.log:

09.08.2008 22:04:16 Erlaubt (based on lassh blacklist) value "ICQ Lite" (new data: "C:\Programme\ICQLite\ICQLite.exe -trayboot") hinzugefügt in System Startup user entry!
10.08.2008 06:47:26 Erlaubt (based on lassh blacklist) value "ICQ Lite" (new data: "") gelöscht in System Startup user entry!
10.08.2008 07:59:09 Erlaubt (based on lassh blacklist) value "ICQ Lite" (new data: "C:\Programme\ICQLite\ICQLite.exe -trayboot") hinzugefügt in System Startup user entry!
10.08.2008 08:08:53 Erlaubt (based on lassh blacklist) value "ICQ Lite" (new data: "") gelöscht in System Startup user entry!
10.08.2008 08:12:39 Erlaubt (based on lassh blacklist) value "ICQ Lite" (new data: "C:\Programme\ICQLite\ICQLite.exe -trayboot") hinzugefügt in System Startup user entry!


Is it possible, that this "lassh blacklist" is allowing the entry and it is not possible to put it to the blocked registry entries any more?


I'm wondering about the Spybot-settings (blocked and permitted list - Permitted Reg-changes, Blocked Reg-changes, Permitted processes, Blocked processes):
There is no possibility to edit these entries.
How comes that here are never any entries in Permitted processes, or in Blocked processes?

How can I put back C:\Programme\ICQLite\ICQLite.exe -trayboot in the Blocked Reg-changes?
Is it really a process which is active if I open Outlook and other programs, or is it a false alarm?

spybotsandra
2008-08-11, 19:47
Hello,

To edit your blacklist:
Please right-click the Resident icon in the system tray "Spybot S&D resident" and select "Settings". There you will find 4 lists for remembered decisions (allowed/denied processes and registry changes). In order to remove an entry just click on the cross next to it. TeaTimer will then "forget" this decision and you will be asked again the next time.

It is also possible to manually add the TeaTimer blacklist.
You can write your own custom .sbi files, which are used by the Resident TeaTimer for blocking as well.
For more informations please have a look at this thread in our forum:
http://forums.spybot.info/showthread.php?t=15291

Best regards
Sandra
Team Spybot

Detector
2008-08-12, 11:09
Hi Sandra,

thank you for your response!

Unfortunately I could not manage to build that file for this entry.
I made the following effort:

// info: This file blocks
:: ICQ Lite
File:"ICQLite.exe -trayboot","C:\Programme\ICQLite\ICQLite.exe","filesize=3142236,md5=2EAD5900356FD61DFDF27B1A819126E1"
AutoRunByFilename:"*\ICQLite.exe","","filesize=3142236,md5=2EAD5900356FD61DFDF27B1A819126E1"

As you can see, I could not find out the right syntax for the parameter "-trayboot".
I read some sites here as well:
Thank you for the link to this link! ^^
Safer Networking Forums > Software > OpenSBI Discussion
http://forums.spybot.info/forumdisplay.php?f=50

I putted the *.sbi-file in the following folder:
C:\Programme\Spybot - Search & Destroy\Includes
There was an entry blocked after building the file but immediately (!) allowed again.
So it was not quite right and didn't change anything (no entries about this were visible in the Blacklist either).

If I wrote the needed entries directly in the file RegKeyBlack.sbe (Denied Registry Changes?) in the folder
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Excludes
all the entries were gone (nothing blocked any more) because this file is obviously protected of some reason.
So it's the wrong file to make manual entries anyway. (I just tried it out as well...)

These are probably the entries I'm missing now and as I can remember did be there earlier (Denied Registry Changes):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\ICQ Lite="C:\Programme\ICQLite\ICQLite.exe" -trayboot

Meanwhile I have made a workaround with Regedt32.exe:
I restricted the rights for the registry keys in "Runonce" and now the entry can't be made there any more.
This is of course not any optimal solution if any other programs want to write something there too.

It is not quite harmless to make such trials, because after a while I got an error message that something malicious were found in that process and I got three choises:
Per default ICQ.exe would have been deleted.
This file is clean and the PC is clean, just something went wrong.
I installed Spybot and ICQ once again.
Both programs are now working well.
(I'll wait and see...)

And of course, there was no entry in the Blacklist earlier, so there was nothing to delete and to be rebuild again.

On the other hand it might be useless to make this all if the process is clean anyway. But you never know when you'll need this knowledge and experience. And on the other site a clean process is not permanently active causing a lot of ballon messages (as it was)...

ScaryGary
2008-10-03, 19:11
I recently worked on a customers computer "HP Notebook" that I installed spybot on. After installing it the taskbar icon would disappear when booting up and boot up would stall when starting to display taskbar icons. I could however log off and back on and the icon "Teatimer" would reappear. Any info on this one?