Settings, Allowed Processes



Frank C
2013-08-18, 18:45
Hello,
I have this notification in my Resident log. This could be a masquerading Trojan:

8/18/2013 6:58:19 AM Allowed (based on user white list) value "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" (new data: "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7") added in Firewall Authorized Applications!

Identical notifications have been occurring at the rate of two per day since June 6. Once I noticed the log entries I removed the entry from The Black & White List, Allowed Processes. I did this on 8/17/2013. Today, 8/18/2013, I found two more of the same notices at 6:58:19 EDT USA. There are no allowed processes in the white list.

I do have the HarmonyRemote.exe on my computer.

Paranoid mode is selected, Source white list selected. Where is this List? Can this be the problem?

I have Spybot 1.6.2.46 on Vista SP2 64 bit

Zenobia
2013-08-18, 21:53
This is info on the Source Whitelist:
http://forums.spybot.info/showthread.php?37030-Tea-Timer-Source-Whitelist-What-is-it
This post has info about Firewall Authorized Applications.
http://forums.spybot.info/showthread.php?61654-Disable-TeaTimer-Firewall&p=397129&viewfull=1#post397129

Here are some of the listed Harmony remotes, from Logitech:
http://www.logitech.com/en-ca/harmony-remotes
and http://myharmony.com/
Do you have a Harmony remote from Logitech?
Harmony Remote software:
http://download.cnet.com/Logitech-Harmony-Remote-Software/3000-18490_4-10964391.html
The Harmony Remote seems to have Harmony Remote software, or there is Harmony Remote software separate from that; I'm unsure exactly which right now.
You would likely know of it on your computer.

I don't currently have Spybot 1.6.2 installed to check anything out, since I moved to the current version. It's hard going from memory, so bear with me.
As I recall, the Source Whitelist is separate from the Black & White list. The things listed in the Black & White list are user selected, I think. If that is correct, it might indicate that HarmonyRemote.exe was put into Allowed Processes by you at some point, and perhaps forgotten.

The Source whitelist, separate from the user defined black & white list, used to allow changes known to be okay.
You do have Paranoid mode selected, which used to have TeaTimer act the way it did before the source whitelist was used. However, I wonder if having Source white list selected causes TeaTimer to not prompt on things that are known to be okay, considering it would still be going by its own whitelist?

To add on to that, I do think I remember noticing that the TeaTimer logfile had a quirk of listing some allowed things as if it had been done by me, when I knew for sure that I hadn't, and that it must've been going by the Source White List. So that might explain the two additional log file entries, if they say they are based on user white list. So a bit convoluted, I know, but that is all possible, I think.

Also, I do remember that if you made a change in the Black & White list, but hit the close button on the window instead of pressing "OK", the entry was not removed. You did say there were no entries in the Allowed Processes list, but doublechecking wouldn't hurt. :)

Frank C
2013-08-18, 23:49
Thanks for the reply Zenobia,
I do have Logitech installed at the location reported in the Resident.log:
C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe

It is used to set up the remote unit that controls my entertainment center.
I wanted to look at the Whitelist to see if Logitech was allowed there. I can not find it in:

C:\Program Files (x86)\Spybot - Search & Destroy\Includes

If it is X509White.sbs, I can't edit that file.

If I can't change the source whitelist I will deselect it and see how that goes.
I did not update to Spybot 2 because I did not want to be bothered learning a completely new interface. I am planning to get the Spybot paid version at the end of this year.

Frank C

Zenobia
2013-08-19, 05:00
Ok, let me know how it goes. :)

Frank C
2013-08-19, 14:39
Zenobia,
Un-checking "Use Source Whitelist" had no effect. I still got two entries for Logitech in the log this morning.
On closer inspection of the Allowed Registry changes in the Black and White list, after I expanded the column so I could see the entire entry, I found four entries for Logitech. I removed them. I will have to wait at least one day to see if this fixes the problem.
Frank C

Zenobia
2013-08-19, 22:02
Okay, good luck. :)

Frank C
2013-08-20, 18:05
Zenobia,
After removing four entries for Logitech from Allowed Registry changes I got a request to allow the Logitech entry every second. I denied and said remember this decision. When I looked at the log the blocking was occurring once per second.

I un-installed Logitech Harmony Remote Software.

It looks like it has now stopped. I sent a request for help to Logitech on 8/17 and I have not gotten a response.
I have the original Install disk for the Logitech Harmony remote so I can re-install it if I need it.

I wonder if I need to back out registry changes. Do these firewall policy entries refer to the Windows Firewall? I am using the AVG Firewall.
Frank C

Zenobia
2013-08-20, 22:19
Yes, from this post, it looks to me like the firewall policy entries refer to Windows Firewall only:
http://forums.spybot.info/showthread.php?61654-Disable-TeaTimer-Firewall&p=397060&viewfull=1#post397060
The post by this person states that the prompts still happen even though they have Windows Firewall turned off, though:
http://forums.spybot.info/showthread.php?61654-Disable-TeaTimer-Firewall&p=397125&viewfull=1#post397125

The solution posted in that thread was to turn off Paranoid mode for TeaTimer to avoid the constant prompts from TeaTimer about the Firewall Authorized Applications:
http://forums.spybot.info/showthread.php?61654-Disable-TeaTimer-Firewall

Since you've uninstalled the Logitech Harmony Remote Software, yes, it would probably be best to remove the denied entries from TeaTimer's black & white list for now, so the entries are not forgotten about if you need to reinstall it, and so it can be configured in a workable way that is best for you if you do reinstall the Harmony Remote Software.

Frank C
2013-08-20, 23:25
Zenobia,
I removed one registry entry:

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:ProgramFiles (X86)\Logitech\Logitech Harmony Remote Software 7\Harmony Remote.exe=C:ProgramFiles (X86)\Logitech\Logitech Harmony Remote

I removed two entries regarding Logitech from blocked registry changes. I kept the one that refers to the above registry delete.

I think I am OK now.
Thanks for the help
Frank C
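The Resident.log line quoted in the first post and the AuthorizedApplications\List value quoted just above use the same Windows Firewall exception format: the value is named by the executable path and its data is "path:scope:Enabled|Disabled:display name". The script below is an added example (not from this thread, and not Spybot's or Safer Networking's own code) that parses such TeaTimer log lines into their fields and audits them: it flags any entry whose value name disagrees with the path in the data, any path that is not on an operator-supplied list of expected exceptions (the list here is an assumption standing in for what the operator actually installed), and counts how often each path recurs, which is the "two per day" signal the first post noticed. The sample lines are constructed on the pattern of the quoted entry; the third one is invented to show a masquerade, with a Logitech display name on a path outside Program Files. Only the "Allowed (based on user white list)" wording appears on this page; the parser accepts any single-word decision but that generalisation is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample Resident.log lines, modelled on the entry quoted in the thread.
# The third line is invented for illustration: the display name claims to be the
# Logitech software while the path points somewhere a user could write to.
SAMPLE_LOG = r'''
8/18/2013 6:58:19 AM Allowed (based on user white list) value "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" (new data: "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7") added in Firewall Authorized Applications!
8/18/2013 6:58:19 AM Allowed (based on user white list) value "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" (new data: "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7") added in Firewall Authorized Applications!
8/19/2013 6:58:20 AM Allowed (based on user white list) value "C:\Users\Public\HarmonyRemote.exe" (new data: "C:\Users\Public\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7") added in Firewall Authorized Applications!
'''

# Assumed operator-maintained list of executables that are expected to hold a
# firewall exception on this machine (here only the path named in the thread).
EXPECTED_EXCEPTIONS = [
    r'C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe',
]

# TeaTimer "Firewall Authorized Applications" line, as quoted in the thread.
# Accepting any one-word decision (Allowed, Denied, ...) is an assumption.
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>\w+) \((?P<reason>[^)]*)\) '
    r'value "(?P<value>[^"]*)" \(new data: "(?P<data>[^"]*)"\) '
    r'added in Firewall Authorized Applications!$'
)

# Data format of AuthorizedApplications\List values: <path>:<scope>:<state>:<name>.
# The path is matched lazily so the drive-letter colon does not end it early.
DATA_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$'
)


@dataclass
class FirewallAuthEntry:
    timestamp: str
    decision: str
    reason: str
    value_name: str   # registry value name as TeaTimer reported it (the exe path)
    path: str         # path field inside the value data
    scope: str        # "*" means all remote addresses
    state: str        # Enabled or Disabled
    display_name: str


def _norm(path: str) -> str:
    """Case-insensitive comparison key for Windows paths."""
    return path.strip().lower()


def parse_log(text: str) -> List[FirewallAuthEntry]:
    """Return the Firewall Authorized Applications entries found in Resident.log text."""
    entries: List[FirewallAuthEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # other TeaTimer events are out of scope here
        d = DATA_RE.match(m.group('data'))
        if not d:
            raise ValueError('unexpected AuthorizedApplications data: %r' % m.group('data'))
        entries.append(FirewallAuthEntry(
            timestamp=m.group('ts'), decision=m.group('decision'), reason=m.group('reason'),
            value_name=m.group('value'), path=d.group('path'), scope=d.group('scope'),
            state=d.group('state'), display_name=d.group('name')))
    return entries


def audit(entries: Iterable[FirewallAuthEntry], expected: Iterable[str]) -> List[str]:
    """Flag value/data path mismatches and exceptions for executables not on the expected list."""
    allowed = {_norm(p) for p in expected}
    findings: List[str] = []
    for e in entries:
        if _norm(e.value_name) != _norm(e.path):
            findings.append('%s: value name %r does not match data path %r'
                            % (e.timestamp, e.value_name, e.path))
        if _norm(e.path) not in allowed:
            findings.append('%s: unexpected firewall exception %r (%s, scope %r, display name %r)'
                            % (e.timestamp, e.path, e.state, e.scope, e.display_name))
    return findings


def occurrence_counts(entries: Iterable[FirewallAuthEntry]) -> Dict[str, int]:
    """How many times each executable path was (re)added; repeats are the thread's symptom."""
    return dict(Counter(_norm(e.path) for e in entries))


if __name__ == '__main__':
    parsed = parse_log(SAMPLE_LOG)
    for finding in audit(parsed, EXPECTED_EXCEPTIONS):
        print(finding)
    for path, n in occurrence_counts(parsed).items():
        print(n, path)
```

Pointing `parse_log` at the real Resident.log (read with `open(...).read()`) turns the same checks into a quick audit of which programs keep being re-added as Windows Firewall exceptions and whether the path in each one is where the software is actually installed.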

Zenobia
2013-08-21, 00:18
Ok, good.
You're welcome. :)