Do I accept or deny this registry change?



ghettomusick
2008-08-29, 23:16
Sorry if this comes off as unclear but I was in the process of removing some spyware and adware on my computer with spybot: search & destroy when a box popped up that said:

Spybot Search and Destroy has detected an important registry entry that has been changed.

Category: System Startup use entry
Change: Value deleted

Entry: SVCHOST.EXE

Old data: C:\WINDOWS\system32\drivers\svchost.exe

Allow change or Deny Change?

Do I accept or deny the change? I don't want to choose the wrong option and in some way mess up my computer. Any help would be appreciated. I'm not really computer savvy so please be nice to me. :)

129260
2008-08-29, 23:30
Allow and remember this decision. The reason I say this is because you state that: "but I was in the process of removing some spyware and adware on my computer"

ghettomusick
2008-08-30, 01:29
well actually... sorry I was in a rush when posting that. I meant that the box popped up after I deleted 35/36 of my problems and agreed to let spybot run at startup. So would I Allow or deny? sorry, I'm just really paranoid about this lol.

drragostea
2008-08-30, 01:37
The process above is a legitimate process only in Task Manager. If it is found in the Startup Manager, then it is likely that it is a malware infection.

Spybot-SD runs at startup because it will attempt to remove the entry that it could not remove during Normal Boot. In that case, yes you should allow the change.
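
An added example, not part of the original thread and not Spybot's own logic: a minimal check for the pattern discussed above, where a startup entry reuses a Windows system process name (here `svchost.exe`) but points to the wrong directory. The baseline table, the verdict names and the sample entries are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed baseline: directories where these Windows binaries normally live.
EXPECTED_DIR = {
    "svchost.exe": r"%SystemRoot%\system32",
    "lsass.exe": r"%SystemRoot%\system32",
    "services.exe": r"%SystemRoot%\system32",
    "winlogon.exe": r"%SystemRoot%\system32",
    "explorer.exe": r"%SystemRoot%",
}
# Binaries started by the system itself, not normally listed as startup items.
NOT_A_STARTUP_ITEM = {"svchost.exe", "lsass.exe", "services.exe"}

def expand(path, env):
    """Expand %VAR% references case-insensitively, as Windows does."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def image_path(command):
    """Return the executable part of a startup command line."""
    command = command.strip()
    if command.startswith('"'):            # "C:\path with spaces\x.exe" args
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def classify(command, env):
    """Return 'masquerade', 'unexpected-startup', 'ok' or 'unlisted'."""
    path = ntpath.normcase(ntpath.normpath(expand(image_path(command), env)))
    name = ntpath.basename(path)
    if name not in EXPECTED_DIR:
        return "unlisted"                  # not a system process name
    expected = ntpath.normcase(ntpath.normpath(expand(EXPECTED_DIR[name], env)))
    if ntpath.dirname(path) != expected:
        return "masquerade"                # system name, wrong directory
    return "unexpected-startup" if name in NOT_A_STARTUP_ITEM else "ok"

if __name__ == "__main__":
    env = {"SystemRoot": r"C:\WINDOWS"}    # constructed sample environment
    samples = [                            # constructed startup entries
        r"C:\WINDOWS\system32\drivers\svchost.exe",
        r"%SystemRoot%\system32\svchost.exe -k netsvcs",
        r'"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"',
    ]
    for cmd in samples:
        print(classify(cmd, env), "<-", cmd)
```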

ghettomusick
2008-08-30, 20:42
umm, I allowed the process and after I restarted my computer and ran spybot, a box popped up saying:

Category: Browser Helper Object
Change: Value Deleted
Entry: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96

However, this time the Deny option is faded out. Is this a bad thing?

Also, my Spybot says that my computer has no problems but whenever I go online, I am often directed to a warning screen saying that I am entering an attack site. If Spybot cannot clear this up, can you guys recommend a good plan to get rid of the problem? All help is very much appreciated.

THANK YOU. :) :bigthumb:

md usa spybot fan
2008-08-30, 23:13
ghettomusick:

What version of Spybot - Search & Destroy are you running (Spybot » Help » About)?

The BHO (Browser Helper Object) GUID (Globally Unique Identifier) of {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} appears to be "Certified spyware/foistware, or other malware" according to CastleCops. See this page from Computer Cops LLC (a.k.a. CastleCops):
CastleCops® ActiveToolBand.dll 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96
http://www.castlecops.com/tk32677-ShowBarObj_Class.html
You indicated:


> umm, I allowed the process and after I restarted my computer and ran spybot, a box popped up saying:


If you are really indicating after something (Spybot or whatever) detected and deleted the above BHO and you allow that deletion, then everything should be fine.


> … However, this time the Deny option is faded out. Is this a bad thing? …
With certain changes such as the removal of a Browser Helper Object (Value deleted) the "Deny change" option is grayed out (not an option). Although this is speculation, I assume that the "Deny change" is grayed out because by the time TeaTimer recognizes the registry change the underlying code for the BHO has been deleted and therefore denying the change would do no good to save the BHO from being deleted and just leave an orphaned registry entry.

__________


> … Spybot says that my computer has no problems but whenever I go online, I am often directed to a warning screen saying that I am entering an attack site. …
There are many Trojans that create messages to entice you to purchase anti-malware products to clean up alleged problems. On the other hand some other legitimate software that you are running may be identifying a real potential threat. If you could post the exact content of the message that you are getting, indicate what software is issuing that message and list other anti-malware besides Spybot you are running, perhaps someone can help you with that problem.

ghettomusick
2008-09-01, 00:54
thank you so much for helping me out with my problem! I'll try to post all the info later tonight or on tuesday (I usually go to the library to use the computer now and it's closed tomorrow because of labor day). I'll post the info soon. Thanks for helping me through this. :)

ghettomusick
2008-09-02, 23:46
Ok. I am running Spybot 1.6.0.30.

When I restart my computer, the registry warning box about the browser helper object always appears.

I tried to get the exact warning message but I couldn't so here's what I remember:

the message loaded instead of the normal page. It said something along the lines of "This is an attack site it can download dangerous viruses spyware etc. to your computer.... would you like to enter?" And of course I just exit the browsing window.

Also, when I was running a scan on spybot: search & destroy, the scan aborted when it reached IE bookmarks. When I tried a scan after this, everything checked out ok.

My internet is slower than usual and links on google only lead to other search engines.

Can anyone help diagnose my problem and possible ways to fix it? Thanks. :)

ghettomusick
2008-09-03, 21:44
It's been a day so I'm going to bump this. Sorry if this is against any rules but I just want to know if my computer can be saved or not. :(

drragostea
2008-09-04, 01:12
ghettomusick, are you still getting any prompts from TeaTimer?

Does the scan say "Aborted by user" when it scans the IE bookmarks? Or does it just freeze?

What happens with your search results?

What kind of Internet Connection do you have?

Do you use a Firewall? Any other anti-virus/malware tool?

ghettomusick
2008-09-04, 22:59
> ghettomusick, are you still getting any prompts from TeaTimer?
>
> Does the scan say "Aborted by user" when it scans the IE bookmarks? Or does it just freeze?
>
> What happens with your search results?
>
> What kind of Internet Connection do you have?
>
> Do you use a Firewall? Any other anti-virus/malware tool?

1. Umm, if by prompts you mean the registry box things, I only get one asking for me to allow or deny a browser helper object with the deny option faded out.

2. The scan said "aborted by user" only once when it reached IE bookmarks but it worked fine after. It didn't freeze.

3. When I make google searches on google using firefox, the links always direct me to these weird search engines I've never heard of. Sometimes when I am on a webpage, I will randomly get redirected to a warning page asking me if I want to enter an 'attack site'.

4. I use comcast for my internet connection.

5. I have norton but I haven't renewed it yet. I can run scans on it still though.


If I wasn't clear on something just tell me and I'll try and make more sense. :)

drragostea
2008-09-04, 23:05
There still seems to be something wrong. It's about your "redirection". A normal browser (whether that be IE or Firefox) on the Windows Operating System wouldn't redirect you to some random page without reason. My concern is that there is still something hiding and manipulating, that you are not aware of (and that Norton could not possibly detect).

Is Norton's subscription still valid? If not, then its ability to update will be also disabled, if I'm correct...

A slow browser as in speed (downloads and browsing)? Or plain lagging as in the browser takes time to go to an option?
--
I wasn't clear about #1. So the prompt came up only once?

ghettomusick
2008-09-04, 23:30
> There still seems to be something wrong. It's about your "redirection". A normal browser (whether that be IE or Firefox) on the Windows Operating System wouldn't redirect you to some random page without reason. My concern is that there is still something hiding and manipulating, that you are not aware of (and that Norton could not possibly detect).
>
> Is Norton's subscription still valid? If not, then its ability to update will be also disabled, if I'm correct...
>
> A slow browser as in speed (downloads and browsing)? Or plain lagging as in the browser takes time to go to an option?
> --
> I wasn't clear about #1. So the prompt came up only once?

The prompt came up again when I restarted my computer. It just asks if I want to allow something about a browser helper object. I allow it because the deny option is faded out.

I still have to renew my subscription to Norton.

My browser is unusually slow and sometimes freezes for a couple of seconds. I don't know if this is important but every time I load a page, the vertical scroll bar is stretched out and then it corrects itself after the page is loaded.

drragostea
2008-09-05, 02:46
ghettomusick, does the prompt come up on every bootup?

If Norton's subscription is expired then it wouldn't serve to its fullest potential. Do you use a firewall or another anti-malware program besides Spybot?

Does Spybot detect anything?
--
Better safe than sorry. I decided it would be best if you would start your thread in the Malware Removal Forums. A Malware Helper will assist you to purge the infection ASAP.

If you receive instructions there (Malware Forums), then this conversation will end.

Instructions:
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) ( http://forums.spybot.info/showthread.php?t=288).