PDA

View Full Version : Spybot attempting to modify NIS registry entry?



Alan2t
2005-11-19, 20:07
According to the Symantec Resource Protector section in Norton Internet Security's log viewer, each time I boot up, WinXP NIS (2006) is blocking four attempts at "Unauthorized access" by Teatimer to NIS 2006 registry entires.

Two attempts are to access the NIS 2006 browser helper object CLSID:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\

Two attempts are to access this entry:
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\

Can anyone comment on why this is happening, and whether I should be concerned? :rolleyes:

md usa spybot fan
2005-11-19, 21:24
These are two of the 35 or so Registry keys that TeaTimer monitors:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


[HKEY_CLASSES_ROOT\exefile\shell\open\command]

I not sure because I don't run Norton Internet Security, but it is possible that TeaTimer is trying to modify those Registry entries. TeaTimer takes snapshots of registry entries and compares these snapshots with the system registry at startup. If there is a discrepancy between these "Snapshot" files and the system registry, Spybot's TeaTimer will attempt to restore the system registry to a state that it was in when the "Snapshot" was taken. When this happens it does not restore the system Registry entry without:
Issuing a pup-up dialog asking permission ("Allow change" or "Deny change").

--- or ---


Issuing a pop-up notification that it took an action based on a “White list” entry (Allowed registry changes) or “Black list” entry (Blocked registry changes) that was established when you used "Remember this decision" when answering a previous pup-up dialog.
When you logoff or do a system shutdown these snapshots do not appear to be refreshed. Until these snapshots are updated you can to get pop-ups of changes you made in the past. In other words, TeaTimer attempts to return the registry to the state it was in when the snapshot was taken. This happens primarily when you reboot the system.
These pop-ups of past changes usually occur when you reboot the system.

To refresh TeaTimer's snapshot files:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.

Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.


I suggest that you refresh TeaTimer's snapshot files before your next system shutdown/reboot and then check the Symantec Resource Protector entries in Norton Activity Log after restarting the system and see if the problem has been resolved.