Registry Change Denied--again and again



katiesdad
2005-11-16, 03:33
Hello...

Something tried to infect my computer with malware/spyware that tries to insert something into my registry (an IE toolbar thing apparently).

Fortunately Spybot caught it and I denied the registry change.
My problem is that "something" keeps trying and trying (and trying)
indefinitely to add the change, so I get the Spybot "Registry change
denied" popups continually.

Anybody know where pending registry changes go and how to permanently
delete them so I don't get this endless loop?

Thanks!

md usa spybot fan
2005-11-16, 06:43
Please go into Spybot > Mode > Advanced Mode > Tools > Resident and copy a portion of the log that shows the denied registry changes and paste it to a post.

katiesdad
2005-11-16, 07:36
Here's a couple lines that show the affected entry. There are zillions of these
just like these ones. Does this help? This value is also the one that keeps
popping up on the dialog boxes.

Any ideas how to stop this frustrating endless loop would be appreciated. :)


11/15/2005 7:35:11 PM Denied value "{8E718888-423F-11D2-876E-00A0C9082467}" (new data: "") deleted in Global browser toolbar!
11/15/2005 7:35:12 PM Denied value "{8E718888-423F-11D2-876E-00A0C9082467}" (new data: "") deleted in Global browser toolbar!

md usa spybot fan
2005-11-16, 08:37
It is not spyware/malware. CLSID={8E718888-423F-11D2-876E-00A0C9082467} is the Internet Explorer 5.0 / 5.5 Radio_Bar. See:
Tune in to a wider world of radio
http://www.microsoft.com/windows98/usingwindows/fun/articles/903Mar/radio.asp

stormlightning
2005-12-10, 03:31
I have this same problem, and I blocked it. Now how to not-block it?

md usa spybot fan
2005-12-10, 06:53
stormlightning:

You can edit the entries that TeaTimer uses to automatically "Allow" or "Deny" changes that were based on the use of "Remember this decision" as follows:

Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
Allowed processes
Blocked processes
Allowed registry changes
Blocked registry changes

Note: If you don't see all four buttons, try expanding the window to the right.


You can review all the entries that you have stored by clicking on these buttons. The entries that you should review are in "Allowed registry changes" and "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember so that during future changes to these items TeaTimer will issue a pop-up dialog rather than just a notification pop-up.

benhulkower
2006-04-03, 06:52
I'm having the same problem as Katiesdad, but it's two requested registry changes. The log looks like this:
Denied value "wifvl" (new data: "") deleted in System Startup user entry!
4/2/2006 8:07:54 PM Denied value "alxukg" (new data: "") deleted in System Startup global entry!
Can anyone help? Thanks

vladilych
2006-04-09, 06:40
I have a similar problem.
The log looks like this -
9/04/2006 1:32:31 PM Denied value "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (new data: "") deleted in Global browser toolbar!
Which is basically the same as what is appearing in the flashing box which won't go away.
What should I do?
By the way, I can't find the TeaTimer system tray icon. Can someone tell me where it is?
thanks

Zenobia
2006-04-09, 11:58
Teatimer should be down by your clock in the Notification Area (system tray).
If you have XP, maybe it's hidden. If so, try clicking the chevron to be able to see it.

Does the flashing box say something like resident denied the change of
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} based on your black list?

vladilych
2006-04-09, 13:44
Thanks Zenobia,
That's exactly what the flashing box says.
I have XP Home. I'll set off in search of Tea Timer and let you know if I have any problems.

vladilych
2006-04-09, 14:07
Zenobia,
Is the area for finding Tea Timer you're talking about in the bottom right hand corner of the screen where the clock is?
If that's the case I don't have any chevron there. The only icon which seems to be relevant is a SpyBot icon with what looks like a padlock in the lower left corner. When I hold the pointer over it a box which says "SpyBot SD Resident 1173 processes blacklisted" appears. When I right click on it a box appears but so fleetingly that I can't do anything with it.
Another thing: this flashing box problem only happens when I log in under my XP account/profile; if I log on to my son's account/profile the problem doesn't occur.

Zenobia
2006-04-09, 14:49
Yes, that's the area. The icon with the padlock is teatimer.


"When I right click on it a box appears but so fleetingly that I can't do anything with it."

Yes, I think that might be caused by the blinking box. I had that before, I had boxes going up the whole right of my screen, and I noticed Teatimer wouldn't let me right-click it. I got a box that only appeared a couple seconds, too, so I couldn't get in to do anything with it.

I'm not sure if this will work, but it did for me.
Open Spybot, go to mode (up top), then advanced mode. Click Tools, then Resident. Then remove the checkmark beside Resident "TeaTimer" (Protection of over-all system settings) active. Then recheck it after a couple seconds.
That stopped the teatimer pop-ups (blinking box) for me, then I was able to remove what I wanted from the Black & White settings box, by following this:
http://forums.spybot.info/showpost.php?p=3755&postcount=6

You can return Spybot from Advanced mode to Normal mode by clicking mode up top, then Default Mode.

vladilych
2006-04-11, 13:37
Thanks Zenobia,
Unchecking and checking the check box in Resident under Tools worked like a charm. My desktop is now clear.
cheers.

Zenobia
2006-04-12, 00:12
You're welcome. :)

Paul Duffey
2006-12-08, 23:29
I too have Windows XP Home ed. and cannot find the Tea Timer icon. Apparently before I corrected the popup problem I denied ctf.mon, and now I can't use any Internet Explorer tools because I can't get administrator privileges. Help! Paul Duffey

Paul Duffey
2006-12-08, 23:33
I too have Windows XP Home ed. Apparently before I corrected the popup problem I denied ctf.mon, and now I can't use any Internet Explorer tools because I can't get administrator privileges. I opened tea timer and looked at the white & black pages & allowed & denied registry changes, but they are blank. Help! Paul Duffey

Zenobia
2006-12-09, 01:11
Items only show up in the black & white list if you had Remember This Decision checkmarked when Allowing or Denying a change with Teatimer. Do you know if that was checkmarked when you Denied the change?

Could you open Spybot, click mode, Advanced Mode, then go to Tools, then resident, in the window to the right scroll through and then highlight any text that mentions ctf.mon or ctfmon.exe with your mouse, then right-click and select Copy, then paste it here?
Should look somewhat like this:
12/8/2006 7:03:05 PM Denied value "ctfmon.exe" (new data: "") deleted in System Startup user entry!

davidkessler
2008-12-02, 22:21
12/2/2008 3:16:15 PM Denied (based on user blacklist) value "soyozuvidu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kuyusume.dll",s") changed in System Startup global entry!
12/2/2008 3:16:17 PM Denied (based on user blacklist) value "soyozuvidu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kuyusume.dll",s") changed in System Startup global entry!
12/2/2008 3:16:22 PM Denied (based on user blacklist) value "soyozuvidu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kuyusume.dll",s") changed in System Startup global entry!
12/2/2008 3:16:27 PM Denied (based on user blacklist) value "soyozuvidu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kuyusume.dll",s") changed in System Startup global entry!


it just keeps going. hm. what is it.

Zenobia
2008-12-03, 00:31
Hi, there, davidkessler. :)
In your case, I suggest you visit the malware removal forum, and get checked out. I highly recommend you do go there, and ask for help.

The procedures to follow are here:
http://forums.spybot.info/showthread.php?t=288

Malware removal:
http://forums.spybot.info/forumdisplay.php?f=22
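
Added example (not part of any post in this thread, and not Spybot's own code): a small Python triage script that collapses the endlessly repeated "Denied value" lines from a copied Resident log into one record per registry value and notes the startup entries that carry a command. The line pattern is an assumption inferred from the log excerpts quoted above; the sample lines are copied from those excerpts.

```python
import re

# Lines copied from the Resident log excerpts quoted in this thread.
SAMPLE_LOG = r'''
11/15/2005 7:35:11 PM Denied value "{8E718888-423F-11D2-876E-00A0C9082467}" (new data: "") deleted in Global browser toolbar!
11/15/2005 7:35:12 PM Denied value "{8E718888-423F-11D2-876E-00A0C9082467}" (new data: "") deleted in Global browser toolbar!
12/2/2008 3:16:15 PM Denied (based on user blacklist) value "soyozuvidu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kuyusume.dll",s") changed in System Startup global entry!
12/2/2008 3:16:17 PM Denied (based on user blacklist) value "soyozuvidu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kuyusume.dll",s") changed in System Startup global entry!
12/2/2008 3:16:22 PM Denied (based on user blacklist) value "soyozuvidu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kuyusume.dll",s") changed in System Startup global entry!
'''

# Assumed line format. Timestamps stay as text because the thread shows
# both m/d/y and d/m/y locales, so parsing them as dates would be a guess.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ [AP]M) Denied(?: \((?P<reason>[^)]*)\))? '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>\w+) in (?P<category>.+)!$')

def summarize(log_text):
    """Collapse repeated denials into one record per (value, action, category, data)."""
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        f = m.groupdict()
        key = (f["name"], f["action"], f["category"], f["data"])
        g = groups.setdefault(key, dict(f, count=0, first=f["ts"], notes=[]))
        g["count"] += 1
        g["last"] = f["ts"]
    for g in groups.values():
        if g["reason"]:
            g["notes"].append("auto-denied: " + g["reason"])
        if g["category"].startswith("System Startup") and g["data"]:
            g["notes"].append("autostart command: review before allowing")
            if g["data"].lower().startswith("rundll32"):
                g["notes"].append("runs a DLL through rundll32 at startup")
    return list(groups.values())

if __name__ == "__main__":
    for g in summarize(SAMPLE_LOG):
        print(f'{g["count"]}x {g["action"]} "{g["name"]}" in {g["category"]} '
              f'({g["first"]} .. {g["last"]}) {"; ".join(g["notes"])}')
```

The action word ("deleted", "changed") and the "new data" field are kept in each record because they separate a blocked removal of an existing value from a blocked attempt to write a new startup command.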