View Full Version : cannot access blk/white list for tea timer- help!
accha hai
2006-08-02, 23:49
caa:spider:
Greetings- when I right click the resident tea timer icon in the systray to choose 'settings', there is no 'settings' tab visible, only 'run spybot', 'resident ie' & 'exit spybot'. I seem to have accidentally blocked a .dll I need to run my McAfee firewall, but I can't figure out any other way to delete the block(!) than accessing this menu for the teatimer... Can someone please help me asap??? Is there some option I accidentally used in spybot that causes the 'Settings' option to no longer be visible when you right click the icon, or is there some other way to access the previously altered teatimer entries? :bigthumb: thanks much! :blush:
md usa spybot fan
2006-08-03, 00:52
Please go into Spybot > Help > About.
What version of Spybot - Search & Destroy are you running?
Spybot - Search & Destroy 1.3
Spybot - Search & Destroy 1.4
accha hai
2006-08-03, 01:15
:angel: thanks for any help! :bigthumb:
md usa spybot fan
2006-08-03, 07:21
The Settings option in TeaTimer's system tray icon and the ability to edit TeaTimer's "White & Black List" does not exits in Spybot 1.3. In order to remove items were you did a "Remember this decision" you must edit the files were TeaTimer stores that information. The files are:
ProcWhite.sbe (for Allowed processes)
ProcBlack.sbe (for Blocked processes)
RegKeyWhite.sbe (for Allowed registry changes)
RegKeyBlack.sbe (for Blocked registry changes)
The files are located in one the following directories depending on the OS you are running:
Windows 95/98
C:\Windows\Application Data\Spybot - Search & Destroy\Excludes
Windows ME
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Excludes
Windows NT/2000/XP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes
It should also be noted that there is a bug in Spybot-S&D's 1.3 TeaTimer. Do not use the "Remember this decision" option on a "Deny change" in TeaTimer’s Registry Change Monitor. If you do, the change will be initially denied, however, all subsequent like changes will be allowed. If you have done a "Remember this decision" on a "Deny change", you should delete the RegKeyBlack file where that information is stored
************************
Unless you are running on a Windows 95 system, you should consider upgrading to Spybot 1.4.
There are four (4) download sites for Spybot-S&D 1.4 here:
Mirror Selection – The home of Spybot–S&D!
http://www.safer-networking.org/en/mirrors/index.html
Uninstall Spybot-S&D 1.3: FAQ - Frequently Asked Questions
How to uninstall?
http://www.safer-networking.org/en/faq/27.htmlInstall Spybot-S&D 1.4:
Execute spybotsd14.exe download above.
Do not change the default installation path of:C:\Program Files\Spybot - Search & Destroy
Make sure that you update Sptbot-S&D 1.4 before running a scan.
Note: If you upgrade and use TeaTimer be aware of the following:
There is currently a bug in TeaTimer 1.4. Portions of TeaTimer's popup dialog overlay the "Allow change" and "Deny change" buttons. On my system the very top edges of the "Allow change" button (on the left) and "Deny change" button (on the right) are showing and I am still able to select the options. I also can check "Remember this decision" since it is visible. If no portion of the "Allow change" and "Deny change" buttons are showing, you can answer TeaTimer's popup dialog (English language version) by pressing "A" on your keyboard for "Allow change" or "D" for "Deny change". Note: If you close the dialog without answering "Allow change" or "Deny change" the registry change is denied.
If you can't deal with the problem that way until it is fixed, you can:
Apply one of the workarounds found in the following pinned (Sticky) thread that fixes the pop-up dialog so the buttons are visible:
Solution to fix the pop-ups in TeaTimer
http://forums.spybot.info/showthread.php?t=122
There are Three (3) fixes published in that thread. They are:
The ResHacker fix published by ElPiedra (http://forums.spybot.info/member.php?u=128) here:
http://forums.spybot.info/showpost.php?p=423&postcount=1
The murdo (http://forums.spybot.info/member.php?u=440) patch published here:
http://forums.spybot.info/showpost.php?p=775&postcount=9
The patch originally by SyreneD (http://forums.spybot.info/member.php?u=1735) that I published here:
http://forums.spybot.info/showpost.php?p=2670&postcount=38
Also republished by SyreneD (http://forums.spybot.info/member.php?u=1735) himself here:
http://forums.spybot.info/showpost.php?p=23575&postcount=125
Disable TeaTimer as follows:
Go into Spybot > Mode > Advanced Mode > Tools > Resident.
Uncheck the following:Resident "TeaTimer" (Protection of over-all system settings) Active.
accha hai
2006-08-03, 09:57
Hi- thanks for the very cool detailed answer (glad I waited for your response rather than upgrading right away)- so here's the situation... when I look in All Users.WINDOWS (the files don't exist in 'all users'- this is in XP btw) :D: the reg key black/white files exist- interestingly the white is chock full of stuff I don't remember allowing- an aside, but did you mean to delete the white list (below- not black?) in case of accidental allows via the 1.3 bug? just wondering since that looks like a possible issue here.... back to subject :spider:
But the upshot is that there's no proc white/black files despite me blocking/allowing a ton of stuff. Not in any of the user files in docs/setts in XP at least... my machine has been hacked in the past, btw, and also I was using a copy of SB 1.2 intermittently while using 1.3 as well- not sure if those factors relate. So what can I do? here's what I need to delete:
8/2/2006 9:21:56 AM Denied value "!fwdrvver.dll" (new data: "regsvr32.exe /s c:\PROGRA~1\COMMON~1\mcafee\fwdriver\fwdrvver.dll") added in System Startup global entry!
Can i just go in the regedit thing somehow & fix this? (no, its not in the reg key files you suggest below either unfortunately) It popped up only once with tea timer (after I was re-installing a problematic Mcafee suite)- the name looked so weird I blocked it, then I figured out it's needed to run the firewall (whoops! maybe they should try giving a slightly more legit sounding name that doesn't start with a bang! lol) :blush: So i just need for that file to run somehow. I'll upgrade to SB 1.4 if it will allow me to allow the file- not sure if i will lose all the other stuff from 1.3 though... sigh :( confusing... anyhow thanks much for helping me solve this riddle... :beerbeerb:
md usa spybot fan
2006-08-03, 17:09
When you do a "Deny Change" with the "Remember this decision" option the information is stored in the RegKeyBlack.sbe file. In Spybot 1.3 doing a "Deny Change" with the "Remember this decision" option is also were the bug existed as explained above.
You will not lose anything by upgrading to Spybot 1.4 as explained in the reference I cited above:
FAQ - Frequently Asked Questions
How to uninstall?
http://www.safer-networking.org/en/faq/27.html
In fact if you upgraded and did a "Deny Change" with the "Remember this decision" on the fwdrvver.dll registry change, the errant entry would still be in the RegKeyBlack.sbe file after you upgraded but could be dealt with using TeaTimer's "White & Black List".
When TeaTimer recognizes that there has been a change to a monitored registry key it: Checks to see if there is a stored "Remember this decision" that covers the change. If there is, TeaTimer uses that information and takes action (remember the bug in Spybot 1.3).
If the change is not covered by a previous "Remember this decision", a popup dialog is issued to allow you to decide if you want to allow the registry change or reverse the change.If you answer the popup dialog "Allow change" nothing is done to the registry. If you "Deny change" the change the registry change is reversed (backed out). The registry changes not done or done in response to an "Allow change" or "Deny change" are not reversible except by manually editing the registry or by redoing whatever stimulated the registry change to begin with.
If you were updating or installing the McAfee firewall, you could try to redo that operation again. The best course of action at the time the errant response occurred and possibly still a viable solution to the problem would have been to do a System Restore to the last System Restore Point before the problem occurred and then redo any software type changes that you had done after that Restore Point.
asciibinary
2006-08-24, 16:45
Note: If you upgrade and use TeaTimer be aware of the following:
There is currently a bug in TeaTimer 1.4. Portions of TeaTimer's popup dialog overlay the "Allow change" and "Deny change" buttons.
Thanks for the posted solutions; came here from Google looking for this :)
http://img206.imageshack.us/img206/148/googleai4.th.jpg (http://img206.imageshack.us/my.php?image=googleai4.jpg)
spybotsandra
2006-08-25, 10:24
:laugh: