jack_frost
2006-12-15, 03:56
I will say upfront that I have already tried to get an answer to this question on the Castlecops Spybot forum, but I'm still in the dark. I am new to this whole forum thing, so I hope this is not regarded as unacceptable double posting. The real issue for me is trying to understand in more detail how the Whitelist operates and how to use it effectively - just as much as fixing the specific problem outlined below.
The issue:
I am trying to prevent realsched.exe (aka TkBellExe), the automatic update aspect of Realplayer, from automatically adding itself to system startup every time I open Realplayer. I was under the impression that Teatimer was meant to stop registry changes without permission.
However, Whenever I run msconfig and remove realsched from startup, I get a message from Teatimer saying: "Resident allowed the change of TkBellExe (category System Startup global entry) based on your white list."
However, as soon as I run Realplayer, realsched.exe is immediately added again to the allowed startup processes. I have tried unticking realsched from within system startup in Spybot, but exactly the same thing happens. As soon as I run Realplayer it reappears as a new allowed startup program in Spybot's system startup list.
I have tried deleting the following entry in the Whitelist of "allowed registry changes":
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe="C:\Program Files\Common Files\Real\Update_OB\Realsched.exe"
I would like to know how Realsched.exe got into my whitelist of allowed registry changes in the first place and how I get rid of them. I certainly can't remember ever giving Spybot permission to put them there and I can't work out how to add them to "Blocked registry changes" or "Blocked processes".
The "Resident" section of Spybot shows that I have removed Realsched from startup multiple times and that it is then immediately allowed again. The log of changes says:
13/12/2006 13:29:10 Allowed value "MSConfig" (new data: "") deleted in System Startup global entry!
13/12/2006 13:32:23 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
13/12/2006 13:38:25 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 13:38:33 Allowed value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
13/12/2006 13:40:42 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 13:40:49 Allowed value "MSConfig" (new data: "") deleted in System Startup global entry!
13/12/2006 13:41:48 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
13/12/2006 13:47:11 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 13:48:09 Allowed value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
13/12/2006 15:08:38 Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
13/12/2006 21:44:30 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 21:47:48 Allowed value "MSConfig" (new data: "") deleted in System Startup global entry!
14/12/2006 08:47:14 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
14/12/2006 09:05:41 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
14/12/2006 09:07:22 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
14/12/2006 09:12:27 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
The issue:
I am trying to prevent realsched.exe (aka TkBellExe), the automatic update aspect of Realplayer, from automatically adding itself to system startup every time I open Realplayer. I was under the impression that Teatimer was meant to stop registry changes without permission.
However, Whenever I run msconfig and remove realsched from startup, I get a message from Teatimer saying: "Resident allowed the change of TkBellExe (category System Startup global entry) based on your white list."
However, as soon as I run Realplayer, realsched.exe is immediately added again to the allowed startup processes. I have tried unticking realsched from within system startup in Spybot, but exactly the same thing happens. As soon as I run Realplayer it reappears as a new allowed startup program in Spybot's system startup list.
I have tried deleting the following entry in the Whitelist of "allowed registry changes":
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe="C:\Program Files\Common Files\Real\Update_OB\Realsched.exe"
I would like to know how Realsched.exe got into my whitelist of allowed registry changes in the first place and how I get rid of them. I certainly can't remember ever giving Spybot permission to put them there and I can't work out how to add them to "Blocked registry changes" or "Blocked processes".
The "Resident" section of Spybot shows that I have removed Realsched from startup multiple times and that it is then immediately allowed again. The log of changes says:
13/12/2006 13:29:10 Allowed value "MSConfig" (new data: "") deleted in System Startup global entry!
13/12/2006 13:32:23 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
13/12/2006 13:38:25 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 13:38:33 Allowed value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
13/12/2006 13:40:42 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 13:40:49 Allowed value "MSConfig" (new data: "") deleted in System Startup global entry!
13/12/2006 13:41:48 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
13/12/2006 13:47:11 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 13:48:09 Allowed value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
13/12/2006 15:08:38 Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
13/12/2006 21:44:30 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
13/12/2006 21:47:48 Allowed value "MSConfig" (new data: "") deleted in System Startup global entry!
14/12/2006 08:47:14 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
14/12/2006 09:05:41 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
14/12/2006 09:07:22 Allowed value "TkBellExe" (new data: "") deleted in System Startup global entry!
14/12/2006 09:12:27 Allowed value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!