hemingray
2009-01-10, 19:44
Hello all,
My question is about TeaTimer. Long story short, I'm fresh out of the Malware removal forum having had help to remove Vundo and friends. Since using Windows, I've only ever had 2 virus detections and this spyware detection. I was lulled into a false sense of security with Norton Internet Security which totally missed this (save detecting one trojan component among many). Foolish me for thinking it was capable of things that Spybot could do - I thought I would not need these tools!
Once cleaned (to the satisfaction of my helper here), I re-enabled TeaTimer. Immediately it asked for permission to delete some things and I thought this was Spybot asking for things to do with re-enabling protection. I started to get nervous because some were not evident as Spybot items, but neither did they seem to have suspicious names.
On running a scan, Spybot identified several Virtumonde trojan infections in - guess where? - the registry. Nothing had shown up in the browser yet, so I hoped by immediately fixing these with Spybot it would remove the entries before anything else got started. I let Spybot fix the problems, quit Spybot and ran an MBAM scan. It was clean. I rebooted (offline from the internet of course!) and rescanned using both Spybot and MBAM and it's still clean.
My question is about what was going on here. What was waiting to get into the registry again as soon as I enabled TeaTimer? And TeaTimer is confusing in this regard as it's not clear what you are allowing or denying. A rule of thumb seems to be if you are installing something you know you are, you can expect to get some hits with TeaTimer. So I thought, since all I was doing was enabling TeaTimer. In this case, something malicious was waiting - but the tools and scanners seemed to say things were clean.
One thing - some people, including me, are asked to run a script that removes some TeaTimer files - it failed when I ran it. I noted this during the cleanup help, but didn't get any comments on that. Are there things "queued" - changes to the registry maybe - by TeaTimer that may have been run when I re-enabled it?
I like to understand the system internals and have learned a lot in this experience, but I'm concerned with TeaTimer's lack of explanation (at allow/deny time) - and what is/was still there that would suddenly cause a trojan to appear again. I have also immunized since then - which I had not done during the removal process, not wanting to complicate that.
Would anyone like to comment on this specific aspect of TeaTimer?
Thanks!!