Hi, I have been trying to read posts on this issue, but I'm afraid that I'm having trouble following them.

Yesterday at around noon, Symantec's autodetect said I had some viruse. I got some weird message in internet explorer saying i should scan for viruses. I didn't check it, suspecting it was a virus, and about the same time the Symantec kicked in. I followed the steps, but every time I connect to the internet, they show up again. I noticed that internet explorer was opening on its own, and the e-mail Symantec tab was jumping all over the page. I turned off the wireless, and kept getting the message that explorer was trying to open (giving me the option of working off line). So, I turned on the wireless long enough to download Spybot Search and Destroy and ran a scan.

The scan produced 173 or so red items and I clicked on fix problems.

Now I keep getting these messages that require that I make a decision to "allow change" or "deny change" Nothing in the tutorial told me whether these registry changes are because Spybot is fixing the problems found in the scan or if the registry changes are the viruses themselves.

The current message reads:

"Spybot - Search and Destroy has detected an importany registry entry that has been changed."
"Category: System Startup global entry".
"Change: Value deleted".
"Entry: rs32net"
"Old Data: c:\windows\system32\rs32net.exe"

The past message was similar, but the Category or Entry was something like spybotdeleting. Sometimes it says value added. I accepted that one because I figured it was spybot, but I denied the change when I did not recognize the entry.

Now since so many of them are coming up, one after the other, I realize that I really have no idea what I am doing. I really don't know why software would represent itself as something to be used to clean your computer, but then give you choice of "allow" or "deny" without any clues on how that decision should be made . . .

In google I saw something about teatime (whatever that is), but the message was posted in 2006, so I assume I'm using a different version of spybot.

Is there anyone who can let me know if I should allow or deny all of these changes to the registry entries?

Thanks very much.

ivan20012:

I assume that the TeaTimer registry change dialog was generated by the removal of malware and the deletion of the startup registry entry should be allowed, but I can't be sure without knowing what you were fixing.

C:\WINDOWS\System32\rs32net.exe has been associated with malware:
rs32net.exe - Program Information
http://www.bleepingcomputer.com/startups/rs32net.exe-23954.html
Troj-Agent-HSA Trojan (TROJ_PANDEX.DR, Trojan.Win32.Agent.aefi, Generic.dx) - Sophos security analysis
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthsa.html
You did not indicate what you were trying to fix.

If you would like someone to farther analyze a possible reason for the TeaTimer dialog, please post the Fixes.yymmdd-hhmm.txt log from the running of Spybot when encountered the TeaTimer dialog message.

There are two methods to copy and post that information:
Method 1:
Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the appropriate Fixes.yymmdd-hhmm.txt log file. Open it. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
Method 2
The Fixes.yymmdd-hhmm.log files are stored in the following folders:
Windows 95 or 98:
C:\Windows\Application Data\Spybot - Search & Destroy\Logs
Windows ME:
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows NT, 2000 or XP:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows Vista:
C:\ProgramData\Spybot - Search & Destroy
Using Windows Explorer, navigate to the correct Fixes.yymmdd-hhmm.txt log. Double click on it and it should open with Notepad. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
Note: By default here are two Checks.yymmdd-hhmm logs produced during a scan. The second Checks.yymmdd-hhmm has the details of what the scan found. A Fixes.yymmdd-hhmm log is produced if you fix or attempt to fix something.

Thanks for the quick response. At the risk of making you mad for my being such an idiot, I'm going to be honest about my behavior. I can't take the steps you requested and answer your questions because the Spybot start-up scan is running. How could that be? Because I'm an idiot and patience is not my virtue.

In my defense, I can say that this is the first time I have ever had a serious problem (and the first time I have ever tried to solve something serious in a forum). In the past when I have had a computer issue (hardware or software), I have gone onto google and solved it in short order. For that reason, I have been slow to realize that this could be a big deal. So although I posted the question, I moved forward and allowed the stuff anyway. Even more embarrassingly, I have since found "the before you post page" and I have not followed those steps.

So: to answer your specific questions: I'm not sure exactly what I was trying to get rid of. The symptoms on the computer were that explorer kept trying to open on its own, the Symantec anti-virus kept detecting trojan horses and bad things, but the Symantec fixes did not seem to be working (they re-appeared every time I re-connected to the internet). The measure that I took was to avoid connecting to the internet, install Spybot and run a scan. That led to the registry changes message, I allowed the changes and moved forward. The program said it could not delete all the red items, but that some of the problems could be in the start-up. It asked that I allow Spybot to run on Start-up and I said yes. It scanned for a long time on start up, and came up with 15 items. I checked fix and it said again that some of the items (3 items) could not be fixed, but that perhaps they could be on start-up. I hit re-start again. The computer is in the process of doing that now. The scan on start-up seems to take about an hour.

Some of the listed items were

Win32.ZenoSearch
eAcceleration
IRC.crt
Smitfraud-C.
virtumonde
Virtumonde.generic
Wild Tangent

I have a second laptop (clean), and I have continued to read this forum as the Spybot is doing its scans on the compromised laptop. As mentioned above, I have now read the before you post, post.

My questions is: Should I abort the scan and just start from scratch (downloading hijack program, getting and posting the hijack log, etc.)?

Again, I'm sorry for the long post, and for not finding the before you post stuff earlier.

Norton was right when you had a trojan/intrusion... You'll have to start your own thread in the Malware Removal Forums. Procedure is here:
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) ( http://forums.spybot.info/showthread.php?t=288).
___

Thanks for the quick response. I turned on the compromised computer for a sec to download the hijack this. I'll post the results in the other forum (once I figure out how to post in another sub-forum . . .)

The Malware Removal Forum is in a link in my above post.

You can start your own post the same way you posted this thread by clicking "New Thread".

New topic: http://forums.spybot.info/showthread.php?t=40762