
Teatime endless browser helper object pop ups



truepurple
2006-08-24, 02:33
Surfing Google for roleplaying websites, I click on a link. Suddenly I get a whole bunch of Spybot TeaTimer pop ups:
Browser helper object
value added
allow/deny

Or value deleted (a lot more of them, only two value added pop ups)
Allow/deny greyed out
If I click the close button it denies it anyways.
Whatever I choose in every window, I get more pop ups. They are never ending.

I did an AVG antivirus scan & found two trojan horses which I deleted.

Might there be harm in allowing these values to be deleted by unknown programs for unknown reasons? What do I do to stop the endless flow of pop ups where I have no idea how to choose anyways? Why is deny change greyed out for all the value deleted pop ups?

truepurple
2006-08-24, 02:42
I hate it when you can't edit your own posts on a message board, there's no reason for it. Anyways..

To clarify, I can't use "remember this decision" on value deleted pop ups because deny change is grayed out for some strange reason. But it wouldn't matter anyways because just about all the pop ups refer to different values to add/delete.

md usa spybot fan
2006-08-24, 06:33
Might there be harm in allowing these values to be deleted by unknown programs for unknown reasons?
If you allow all changes, you would be no worse off than if you didn't have TeaTimer enabled at all. If you can't figure out what the change is, don't necessarily "Deny" the change. If you deny the wrong change you can adversely affect the stability, functionality and security of your system. When a change occurs, try to take into consideration what is happening on your system (installing, updating, etc.).


What do I do to stop the endless flow of pop ups where I have no idea how to choose anyways?
Disable TeaTimer as follows:
Go into Spybot > Mode > Advanced Mode > Tools > Resident.
Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.


Why is deny change greyed out for all the value deleted pop ups?

The "Deny change" option is grayed out (is not an option) on changes such as the removal of a Browser Helper Object (Value deleted). This is speculation but I assume that the "Deny change" is grayed out because by the time TeaTimer recognizes the Registry change the underlying code for the BHO has been deleted and therefore denying the change would do no good to save the BHO from being deleted. I also assume that the same would hold true for a "Value deleted" for an ActiveX process and possibly other changes. In this case the registry change dialog serves as a warning that something has changed.

truepurple
2006-08-24, 14:23
"underlying code for the BHO"

What's that? And why then does clicking the close dialogue button cause it to "deny the change" if the change can not be denied?

I need to determine why these changes are being made, or at least determine a way to prevent the pop ups from whatever the source is without disabling TeaTimer altogether. I mean, what's the point of TeaTimer if I disable it? I could be having some unknown hijacker program, virus etc. that could be causing havoc. To disable TeaTimer would just leave me more vulnerable to it.

Back to my question, is there any infection etc. problems that can be caused by deleting values like that, where TeaTimer is protecting me from such problems? Anyone have any ideas what's going on here & what my main concerns should be about it?

md usa spybot fan
2006-08-24, 17:03
"underlying code for the BHO"

What's that?
TeaTimer monitors the following registry key for changes to Browser Helper Objects (BHOs):


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
The installation of a BHO involves more than just setting a value in that one registry key (other registry entries are involved, a .dll, etc.). However, blocking the setting of that one registry key will prevent Internet Explorer from recognizing the BHO.

I assume that the reason that you can not deny the deletion of a BHO is because TeaTimer has no way to restore the other pieces of the BHO except the one registry key it is monitoring.


And why then does clicking the close dialogue button cause it to "deny the change" if the change can not be denied?
I don't know. But since you know that is what happens, do not exit the dialog without answering it.


I need to determine why these changes are being made, or at least determine a way to prevent the pop ups from whatever the source is without disabling TeaTimer altogether. I mean, what's the point of TeaTimer if I disable it? I could be having some unknown hijacker program, virus etc. that could be causing havoc. To disable TeaTimer would just leave me more vulnerable to it.
The reason that I suggested that you disable TeaTimer was because of this statement:


What do I do to stop the endless flow of pop ups where I have no idea how to choose anyways?
I was trying to point out that if you truly "... have no idea how to choose anyways", you can cause as much harm as good by using TeaTimer.


Back to my question, is there any infection etc. problems that can be caused by deleting values like that, where TeaTimer is protecting me from such problems? Anyone have any ideas what's going on here & what my main concerns should be about it?
In order to answer that question, more details about the actual messages you are getting would be helpful.

To start with, refresh TeaTimer's snapshot files to make sure that the message(s) that you are getting are not being caused because the snapshot files are out of synchronization with the registry. To do that:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.

Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.


What version of Spybot - Search & Destroy are you running? That information can be found by going into Spybot > Help > About.
Spybot - Search & Destroy 1.3
Spybot - Search & Destroy 1.4
What are the dialog messages that you are repetitively getting? The easiest way to provide this information is to go into Spybot > Mode > Advanced Mode > Tools > Resident > page (scroll) to the bottom of the listing and highlight a portion of the log that shows the registry changes that you are concerned with, then right click and select Copy. Paste the log entries to another post in this thread.

truepurple
2006-08-25, 03:27
Spybot 1.4 on XP


The installation of a BHO involves more than just setting a value in that one registry key (other registry entries are involved, a .dll, etc.). However, blocking the setting of that one registry key will prevent Internet explorer from recognizing the BHO.

So whenever you block any BHO change with TeaTimer, it will cause IE & TeaTimer to not recognize the BHO as a whole & will cause a series of change pop ups where people can't actually make a choice?

If this is a regular phenomenon you'd think they would have designed TeaTimer with countermeasures to prevent this.


I don't know. But since you know that is what happens, do not exit the dialog without answering it.
Why is it so important to not deny these changes? I strongly suspect from the suspicious timing that all those changes are bad. As well as finding two backdoor viruses, I don't want them to leave a footprint that leaves me open to future attack. And I've had other glitches since even removing those, making me wonder if I don't have some rootkit problem or something.


To start with refresh TeaTimer's snapshot files
By doing that won't I be setting into stone... er, programming on TeaTimer changes potentially made by a backdoor virus?

BTW what's your source of information on Spybot? I don't mean to offend, but it would be helpful to know with how much authority on the subject you speak.

truepurple
2006-08-25, 03:28
8/23/2006 6:21:21 PM Denied value "{391a72a1-108d-435a-875e-5b9048e11657}" (new data: "") added in Browser Helper Object!
8/23/2006 6:21:30 PM Denied value "{E8D6FE61-0D91-374A-9384-01D3DB765BCE}" (new data: "") added in Browser Helper Object!
8/23/2006 6:21:55 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:22:05 PM Denied value "{E8D6FE61-0D91-374A-9384-01D3DB765BCE}" (new data: "") added in Internet Explorer searches!
8/23/2006 6:22:15 PM Denied value "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (new data: "") added in Internet Explorer searches!
8/23/2006 6:22:26 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:22:37 PM Denied value "{42A7CE31-CEE7-4CCE-A060-A44A7E52E062}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:22:48 PM Denied value "{51622319-40EA-4A6C-859D-660B8EAE769D}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:22:55 PM Denied value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:23:04 PM Denied value "{5F5F8DD6-1BF7-4018-9AE3-3C3C6D88D885}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:23:16 PM Denied value "{F33B5E46-E26B-4E86-BA33-7131F60D4045}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:23:33 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:24:29 PM Denied value "{42A7CE31-CEE7-4CCE-A060-A44A7E52E062}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:24:38 PM Denied value "{51622319-40EA-4A6C-859D-660B8EAE769D}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:24:46 PM Denied value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:25:06 PM Denied value "{5F5F8DD6-1BF7-4018-9AE3-3C3C6D88D885}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:34:12 PM Allowed value "{F33B5E46-E26B-4E86-BA33-7131F60D4045}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:34:33 PM Denied value "Windows update loader" (new data: "C:\Windows\xpupdate.exe") added in System Startup user entry!
8/23/2006 6:34:49 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:34:59 PM Denied value "{42A7CE31-CEE7-4CCE-A060-A44A7E52E062}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:35:15 PM Denied value "{51622319-40EA-4A6C-859D-660B8EAE769D}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:35:23 PM Denied value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:35:36 PM Denied value "{5F5F8DD6-1BF7-4018-9AE3-3C3C6D88D885}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:49:26 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!
8/23/2006 6:51:20 PM Denied value "{42A7CE31-CEE7-4CCE-A060-A44A7E52E062}" (new data: "") deleted in Browser Helper Object!
8/23/2006 7:46:16 PM Denied value "{51622319-40EA-4A6C-859D-660B8EAE769D}" (new data: "") deleted in Browser Helper Object!
8/23/2006 7:46:25 PM Denied value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
8/23/2006 7:50:44 PM Denied value "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (new data: "") deleted in Internet Explorer searches!
8/23/2006 8:01:16 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!
8/23/2006 8:01:17 PM Denied value "{42A7CE31-CEE7-4CCE-A060-A44A7E52E062}" (new data: "") deleted in Browser Helper Object!
8/23/2006 8:01:19 PM Denied value "{51622319-40EA-4A6C-859D-660B8EAE769D}" (new data: "") deleted in Browser Helper Object!
8/23/2006 8:01:20 PM Denied value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
8/24/2006 5:18:10 AM Denied value "{5F5F8DD6-1BF7-4018-9AE3-3C3C6D88D885}" (new data: "") deleted in Browser Helper Object!
8/24/2006 5:18:12 AM Denied value "{F33B5E46-E26B-4E86-BA33-7131F60D4045}" (new data: "") deleted in Browser Helper Object!
8/24/2006 8:54:17 PM Denied value "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (new data: "") deleted in Internet Explorer searches!
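Added example, not part of the thread: a small Python parser for TeaTimer's Resident log lines in the format posted above. It groups the entries by category, value and action, then picks out the pattern a defender would look at first: a denied change that keeps being retried (the endless-popup loop this thread describes) and any addition to a startup location. The sample lines are copied from the log above; the parser and the `flag` heuristic are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# TeaTimer Resident log line format as posted in this thread
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<decision>Allowed|Denied) '
    r'value "(?P<value>[^"]*)" \(new data: "(?P<data>[^"]*)"\) (?P<action>added|deleted) in (?P<category>[^!]+)!$'
)

# Sample input: lines copied from the log posted above, plus one non-matching line
SAMPLE_LOG = [
    '8/23/2006 6:21:55 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!',
    '8/23/2006 6:22:26 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!',
    '8/23/2006 6:23:33 PM Denied value "{4115122B-85FF-4DD3-9515-F075BEDE5EB5}" (new data: "") deleted in Browser Helper Object!',
    '8/23/2006 6:34:12 PM Allowed value "{F33B5E46-E26B-4E86-BA33-7131F60D4045}" (new data: "") deleted in Browser Helper Object!',
    r'8/23/2006 6:34:33 PM Denied value "Windows update loader" (new data: "C:\Windows\xpupdate.exe") added in System Startup user entry!',
    'not a TeaTimer line',
]

def parse_line(line):
    """One log line -> dict of fields, or None if it is not in TeaTimer's format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%m/%d/%Y %I:%M:%S %p")
    return event

def summarize(lines):
    """Group events by (category, value, action) and count how each was decided."""
    groups = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        groups[(event["category"], event["value"], event["action"])].append(event)
    report = {}
    for key, events in groups.items():
        report[key] = {
            "attempts": len(events),
            "denied": sum(e["decision"] == "Denied" for e in events),
            "allowed": sum(e["decision"] == "Allowed" for e in events),
            "span_seconds": (events[-1]["ts"] - events[0]["ts"]).total_seconds(),
            "data": sorted({e["data"] for e in events if e["data"]}),
        }
    return report

def flag(report, min_attempts=3):
    """Heuristic: a denied change retried repeatedly, and anything added to a startup location."""
    findings = []
    for (category, value, action), stats in report.items():
        if stats["denied"] >= min_attempts and stats["allowed"] == 0:
            findings.append(("retried after denial", category, value))
        if action == "added" and "Startup" in category:
            findings.append(("new startup entry", category, value))
    return findings
```

Run `flag(summarize(SAMPLE_LOG))` to see the two findings; point it at a full Resident log export (one line per entry) to summarize a longer session.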

md usa spybot fan
2006-08-25, 06:42
Recommendation:

Make sure that you do not have any stored "Remember this decision" entries where you exited from TeaTimer’s registry change dialog during the deletion of Browser Helper Objects. Right click on the TeaTimer system tray icon and select Settings. This brings up a window titled "White & Black List". There are four (4) buttons across the top of the "White & Black List":

Allowed processes
Blocked processes
Allowed registry changes
Blocked registry changes

Note: If you don't see all four buttons, try expanding the window to the right.
Click on the "Blocked registry changes" button. Delete any entries that you find for Browser Helper Objects by clicking on the scripted black "X" to the right of the entry and then clicking the "OK" button when you're done.

In the future do not exit out of TeaTimer’s registry change dialog during the deletion of Browser Helper Objects.

truepurple
2006-09-02, 04:49
Grrrr! All I hear from you is don't block registry changes. I want to block these registry changes! Their timing was more than a little suspicious. Visiting a webpage I never got to see because the browser collapsed and TeaTimer popups came the moment I clicked on the link, not installing anything etc. Blocking suspicious registry changes is what TeaTimer is all about. So why should I remove blockage of these registry changes?!


In the future do not exit out of TeaTimer’s registry change dialog during the deletion of Browser Helper Objects.
I had to exit out of the dialog box! It was the only other option other than to accept the changes, and I did not want to accept the changes! I'm not sure why you refer to it as "during the deletion of browser helper objects" though, because that makes no sense to me; I could only "block changes" by exiting out of the dialog box.

Please.. I keep finding viruses on my PC as well as other suspicious PC behavior like my PC locking up at startup. I believe it's been compromised by a webpage I visited in a Google search. I don't have the popups from TeaTimer any more, but not because of anything I did with TeaTimer. I assume having TeaTimer off during load up, or when I disable it to play certain games for freeing up resources, simply allowed the changes.

Changes that are probably related to some friggin virus on some damn webpage. TeaTimer's solution is to ask me whether I want to accept these changes.. or accept these changes on a gazillion different changes.. oh joy!

md usa spybot fan
2006-09-02, 17:56
Since you feel your system became infected because of visiting a certain web site, I suggest that you review the following thread:
So how did I get infected in the first place?
http://forums.spybot.info/showthread.php?t=279
If you feel your system is currently infected with something, I suggest that you consider posting in the Malware Removal forum and having someone take a look at your system.

The instructions for running preliminary scans, producing logs and posting in that forum are outlined in the following reference:
BEFORE you POST and Who will advise you. Preliminary Steps!
http://forums.spybot.info/showthread.php?t=288
After completing those steps, start a new thread (topic) in the following forum:
Malware Removal
http://forums.spybot.info/forumdisplay.php?f=22