What do you do when TeaTimer is "out of control"...



Hoibie
2008-08-27, 21:54
Glad this group is here. This morning I ran a downloaded portable games package just to see what was in it. All files are autoscanned by my AV upon introduction to the file system. Anyway, TeaTimer balked and reported that a BHO was being installed. I said deny, but apparently whatever was in this package kept pounding away and TeaTimer put up a series of Allow/Deny boxes with the resultant report boxes off to the side. I got tired of hitting Deny so I ticked on "Remember this setting" and the computer (XP Pro fully updated) keeps going in a loop with TeaTimer spitting out hundreds of alerts - all with the same Registry value being cited - making the computer unusable. After an hour or so of this, I hit Ctrl/Alt/Del and stopped TeaTimer's process. System settled down. I checked MSCONFIG to look for the errant startup entry - none found. I know that there are other sources of startup entries but this is all I could get done with a bogged down machine. And on reboot, we're right back at it. I then decided to click on Allow and try to let it pass through (I know, I know bad choice but what else could I do...) but TeaTimer again spit out hundreds of notices that it was "denying" the registry change. I've killed it once again and am doing an on-demand AV scan with NOD32 ESS. I don't know if it'll find anything nor do I know how whatever this is got past NOD either. What to do?

I say try to get in and quickly disable TeaTimer in the SpyBot S&D interface. But I don't have much time between presentation of the desktop and the beginning of the "fun". If I let the BHO get in there, I'm guessing I can probably take it out once I get past this TeaTimer issue. I don't know if this alleged "BHO" is a Browser Helper Object or a Browser Hijack Object - two different animals. Maybe someone can clear that up for me.

Do others of the experts agree with this procedure? And, I'm not faulting TeaTimer but what's the strategy to employ when TT goes into a loop like this?

Thanks and I'll be anxiously awaiting to see some replies to this.

drragostea
2008-08-28, 01:22
Of course, something will be wrong if TeaTimer "pounds" at you persistently.

When you executed the portable games "package" to see what its "contents" were, it attempted to add a Browser Helper Object (BHO) into Internet Explorer. The general idea of BHOs is more to ease the browser's (user) surfing, whether that be an add-on or a new toolbar.

Fortunately, you can undo the change because you ticked "Remember my Decision". I'm not sure if this is a valid inference, but when you executed the game package, it must have added an entry to the Startup Manager, or else TeaTimer wouldn't be prompting you with so many pop-ups.

What you can do is right-click on TeaTimer's icon in the taskbar and click 'Settings'.
______________________________
If you check "Remember this decision" on a change, the information concerning that change is stored in a file. TeaTimer uses that information to automatically "Allow" or "Deny" similar registry changes for all future changes. To edit that information: Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
Allowed registry changes
Blocked registry changes
Allowed processes
Blocked processes
You can review all the entries that you have stored by clicking on these buttons. The entries that you should review are in "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete, answering "Yes" to the confirmation dialog and then clicking the "OK" button when you're done.
_____________________
After you have removed the entry by double clicking the cross (X), the next time the same registry change occurs (BHO) you'll be prompted instead of denied.

So the basic idea is that you can undo the change.

I hope this answered your question.
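Added example, not part of the original posts: a read-only PowerShell inventory of the two things discussed above, the BHOs registered with Internet Explorer (with the DLL each CLSID loads and its signature status) and the Run/RunOnce startup values. The registry locations are the standard Windows ones; which key the alerts in this thread actually cited is not stated, so nothing here assumes it.

```powershell
# Added example: read-only inventory; nothing here modifies the registry.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$bhos = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # On 64-bit Windows, 32-bit COM classes are registered under Wow6432Node.
    $classes = 'HKLM:\SOFTWARE\Classes\CLSID'
    if ($root -like '*Wow6432Node*') { $classes = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID' }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid  = $key.PSChildName   # each BHO is a subkey named by its CLSID
        $server = Get-ItemProperty -LiteralPath "$classes\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll    = $null
        $status = 'class not registered'
        if ($server -and $server.'(default)') {
            # The default value of InprocServer32 is the DLL that IE loads.
            $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)').Trim('"')
            if (Test-Path -LiteralPath $dll) {
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                $status = 'file missing'
            }
        }
        New-Object PSObject -Property @{ CLSID = $clsid; Dll = $dll; Signature = $status }
    }
}

# Startup values: MSCONFIG shows these, but reading them directly also works
# from a console when the desktop is not usable.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($path in $runKeys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{ Key = $path; Name = $name; Command = $key.GetValue($name) }
    }
}

$bhos     | Select-Object CLSID, Dll, Signature | Format-Table -AutoSize -Wrap
$autoruns | Select-Object Key, Name, Command    | Format-List
```

A BHO whose DLL is unsigned, missing, or sits in a temp or user-profile folder is the one to look at first; per-user COM registrations under HKCU are not covered by this sketch.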

Hoibie
2008-08-28, 07:39
Hello and thanks.

I think yours is a good reply. Good of you to take the time. Unfortunately, now I have lost my desktop icons, the task bar, the system tray so I can't launch SB (or any other app for that matter). It's really messed up. I do still have my wallpaper, I can get to task mgr but that's it. I am getting logged on, because I can reach the drives over my simple filesharing network.

It's not SpyBot's fault -- I really botched this up! It all stems from when I saw BHO and thinking that BHO stood for Browser Hijack Objects which you've explained that it doesn't mean that. I'm not really sure that BHO was wanted anyway.

So, I guess I'm off to one of the tech support sites, to see if they can help me bring this back. I really wish I hadn't touched that game thingie!!!

Thanks.

drragostea
2008-08-28, 07:44
Out of curiosity, where did you exactly "download" the game? Was it from a torrent site? An unknown source?

Hm. Can you start TaskManager (Ctrl+Alt+Delete)?
I remember one time, when I ran into this issue. My cousin was using this "tune-up utility" software, and it suggested to terminate the process "explorer.exe" because it was using too "much" memory (stupid!). He did so and upon the next boot, he could not log in Normal Boot (he literally can, except no desktop icons, no taskbar, just wallpaper). Safe Mode worked however. :scratch:

Are you facing a similar situation?

Hoibie
2008-08-28, 15:51
I won't go on too long here because this isn't a "fix my Windows" type of place but since you asked...

This was a "game pack" offered off of a user group BBS I frequent. I think I know what you're driving at and 3 other independent users there have confirmed (after I posted to warn about this issue) that the game pack is not viral nor does it contain spyware.

What's happening is this: I get the desktop, wallpaper and task bar. After a moment or two the desktop icons and task bar both disappear. A moment later they'll re-appear for about 10-15 seconds then disappear. A moment later they'll re-appear for about 10-15 secs then disappear. After seven or eight cycles of this behavior activity stops with just the wallpaper showing. Ctrl-Alt-Del works. I found in that applet that I can Run a New Task called "desktop" (to call the DT to the fore) and the icons/task bar reappear. Once again, after a moment or two the desktop icons and task bar both disappear. A moment later they'll re-appear for about 10-15 seconds then disappear. A moment later they'll re-appear for about 10-15 secs then disappear... I won't go on but you get the pattern here. Some process is calling for some file to be loaded. When I call the desktop to the fore, Windows reports that it cannot locate '/idlist,:0:1124,C:\Documents' (looks like a corrupted reference). This box dismisses after a moment, followed by you-guessed-it...

I have the same exact behavior in Safe Mode. Except that Windows puts up its Safe Mode warning box. I can either click Yes or wait 10 secs and the box self-clears and we resume the cycle as the Safe Mode warning box returns. Wait or click Yes and it loops back again. I only get about 10 seconds to hit something in either Reg or Safe Mode before it's interrupted by this behavior. I can successfully work in a DOS-box. The system's drives are reachable via my router-based network.

I know enough about XP and Windows to not kill explorer.exe. It is running. A big problem here is that I can't get a detailed look at my processes that are running. Task Mgr doesn't give me enough info and everything that it shows looks legit in my experience. Because I only have 10 seconds or less to do something, I'm unable to use a prog like Winternals to look any deeper at the processes running to evaluate what's going on. Why not? Because unless I can quickly (and I mean quickly) launch something and get it running, the cycle breaks the launch and we're back to no icons/no task bar, yada-yada.

Restore it? Uh-uh because all my restore points are gone! Quite unbeknownst to me something cleared them out and I only have one from 8/27 at 8:15 AM around the time I was mussing with my game pack. (Restoring restore points and trying to figure out what caused them to clear is number one on my list to check out when I get this back...)

Are you thinking repair install at this moment? I am...

I really feel like a :clown: for having shot myself in the foot with this...

stupidhomer
2008-08-28, 16:54
If this has gone too far, maybe you should make a BartPE boot disk from another PC, and rescue your files from there, then just reformat and install Windows again, then you can copy everything back again.

Hoibie
2008-08-28, 17:25
Yah - that's probably my only recourse at this moment. Fortunately, I do have several daily full backups on the USB External Drive. I was just interested in trying to cut the amount of time this is going to take, restoring everything. Gosh I wish I had the restore points from a couple of days ago. I'm certain that would clear this and get me back.

Recopy everything except that stupid game pack - which I was able to remove by clicking quickly to it...

Oh well...

drragostea
2008-08-28, 22:30
Sorry to hear of your troubles Hoibie :sad:. I just wanted to know... what does BBS stand for?

You can try a BartPE CD... or if you still hold on... request help at another tech forum.

Hoibie
2008-08-29, 03:12
BBS = Bulletin Board System aka Forum

I let the system run all afternoon and it now appears stable in Diagnostic mode. I've gotten StartUpList.exe to do a dump of its findings. I see one entry that gives me pause. I'm on BleepingComputer's Forums and am searching for someone to help figure this out. Keep your fingers and toes-ies crossed.

Hoibie
2008-08-29, 05:53
I want you all to swing by www.bleepingcomputer.com. What a nice group (just like here...) Here's the message I just posted. Again, it's not the focus of your forum but I'd just like everyone to know how fortunate I was in this incident. Please, please, please -- don't do what I did and assume your restore points are present. I'm researching now to make sure I know how to ensure that the restore points are available to use and not dissolved into nothingness. Here's what I said:

That's it! I was soooo lucky this time!!! I got a chance to quickly navigate to Add/Remove and I caught a break - was just able to uninstall the whole SpyBot app, and I guess including TT. I might as well run the batch file (to clear the TT after-data) too - it can't hurt. Right after dismissing Add/Remove, I noticed huge improvements. So, I set up MSCONFIG to start all services and so forth, rebooted. Voilà! I think I have it back!! That startup list dump would've made many enemies here - looong! I need to now go through and make sure that it's all working including my AV. But I am pretty sure it is.

{Insert appropriate Happy Ending music here} :eek: