
Thread: Just fixed Virtumonde.dll, but Tea Timer still alerts

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Location
    Raleigh, NC USA
    Posts
    18

    Just fixed Virtumonde.dll, but Tea Timer still alerts

    It appears that pskelley was able to help me clean my system of Virtumonde.dll.
    (http://forums.spybot.info/showthread.php?t=25508)

    However, when I turned on Tea Timer I start getting non-stop alerts about a blacklisted item trying to make changes to the system.

    The log has the following entries all over it when Tea Timer is running: 3/15/2008 4:56:55 PM Denied (based on user blacklist) value "yayvspq" (new data: "") deleted in Winlogon Notifiers!


    Incidentally, the yayvspq.dll was the file that I had to clean out in order to fix the system.

    I have since re-run the following scans:
    1) S&D - CLEAN
    2) HJT - CLEAN
    3) KOS - CLEAN

    Am I just being paranoid? Why is the Tea Timer constantly alerting on the old file?

    Thanks in advance.
    If you can't taste the sarcasm, try licking the screen.

  2. #2
    Senior Member
    Join Date
    Jul 2006
    Location
    Croatia
    Posts
    735


    How many times did you try to remove the Winlogon entry "yayvspq.dll"?

  3. #3
    md usa spybot fan
    Spybot Advisor Team [Retired]
    Join Date
    Oct 2005
    Posts
    5,859


    AlienWhere?:

    What version of Spybot are you running?

    If you are running Spybot 1.5:

    When you check "Remember this decision" on a change, the information concerning that change is stored in a file. TeaTimer uses that information to automatically "Allow" or "Deny" changes. To edit this information:
    • Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
      • Allowed registry changes
      • Blocked registry changes
      • Allowed processes
      • Blocked processes


      You can review all the entries that you have stored by clicking on these buttons.

    The entries that you should review are in "Blocked registry changes". You must remove the entry from "Blocked registry changes" associated with "yayvspq" that is causing the registry change to be denied. You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete, answering "Yes" to the confirmation dialog and then clicking the "OK" button when you're done.

    After deleting the entry, when you get a confirmation dialog from TeaTimer for the deletion of the "yayvspq", reply "Allow change".

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Junior Member
    Join Date
    Mar 2008
    Location
    Raleigh, NC USA
    Posts
    18

    Deleting yayvspq.dll

    Quote Originally Posted by Tom.K
    How many times did you try to remove the Winlogon entry "yayvspq.dll"?
    Twice. The second time it went through successfully.
    If you can't taste the sarcasm, try licking the screen.

  5. #5
    Junior Member
    Join Date
    Mar 2008
    Location
    Raleigh, NC USA
    Posts
    18


    MD USA,

    I am running 1.5.2.20.

    I understand the white list vs. black list and the entries.
    I am a bit hesitant to follow your suggestion as the yayvspq.dll was the file that had to be removed from the system in order to clean the Virtumonde trojan.

    I'm afraid that it may still be on the system somewhere in some form, although searches have not revealed it, and if I remove it from the blacklist that it will reinfect my machine.

    Thoughts?
    If you can't taste the sarcasm, try licking the screen.

  6. #6
    md usa spybot fan
    Spybot Advisor Team [Retired]
    Join Date
    Oct 2005
    Posts
    5,859


    AlienWhere?:

    The registry change that is being denied is confirming the deletion of the following HijackThis log entry that pskelley had you delete:

    Code:
    O20 - Winlogon Notify: yayvspq - C:\WINDOWS\SYSTEM32\yayvspq.dll
    Note the TeaTimer log shows the old data contains "yayvspq" and the new data blank (""):

    Code:
    "yayvspq" (new data: "") in Winlogon Notify
    That indicates that the registry entry is being deleted.

    TeaTimer is remembering that the original entry was there because it is still in TeaTimer's snapshot files. Since you used "Remember this decision" on a previous "Deny change", TeaTimer is automatically denying any changes associated with that registry entry.

    If you follow my previous instructions you can resolve the problem.

    The only other way to resolve the problem is to stop TeaTimer, delete TeaTimer's snapshot files and delete the RegKeyBlack.sbe file prior to restarting TeaTimer.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
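The worry behind this thread is whether the Winlogon Notify entry is really gone from the registry after the cleanup. The script below is an added example, not part of the thread or of Spybot/TeaTimer: it reads the Winlogon Notify key, lists every registered notification package with its DllName, and flags any entry whose DLL is missing on disk or whose name is on a watch list. The watch list containing "yayvspq" is a constructed input taken from this thread; the key path is the standard one used on Windows XP-era systems, and the script assumes Windows PowerShell is available on the machine being checked. It only reads the registry and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of Winlogon Notify packages.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Constructed watch list: subkey names you were told to remove (from this thread).
$watch = @('yayvspq')

function Get-WinlogonNotifyEntries {
    param([string]$Path = $notifyKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Nothing registered (the key is absent on Vista and later, which dropped Notify packages).
        return @()
    }

    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $dll = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).DllName

        # A bare file name is resolved by Winlogon from System32, so check there.
        $resolved = $dll
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $resolved = Join-Path $env:SystemRoot ("System32\" + $dll)
        }

        [pscustomobject]@{
            Name    = $_.PSChildName
            DllName = $dll
            Exists  = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
            Watched = ($watch -contains $_.PSChildName)
        }
    }
}

$entries = @(Get-WinlogonNotifyEntries)
"Winlogon Notify packages registered: $($entries.Count)"
$entries | Format-Table -AutoSize

# Dangling entries (DLL gone) or names on the watch list deserve a second look.
$suspect = @($entries | Where-Object { $_.Watched -or -not $_.Exists })
if ($suspect.Count -gt 0) {
    "Review these entries:"
    $suspect | Format-Table -AutoSize
} else {
    "No watched or dangling Winlogon Notify entries found."
}
```

A clean result here is what the HijackThis O20 check in the post above is confirming: the yayvspq subkey no longer exists, so TeaTimer's remembered "Deny" is matching a deletion that has already happened rather than a live infection. Expect legitimate subkeys on a normal XP install (the built-in packages that ship with Windows), which is why the script reports rather than removes anything.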

  7. #7
    Junior Member
    Join Date
    Mar 2008
    Location
    Raleigh, NC USA
    Posts
    18


    Quote Originally Posted by md usa spybot fan
    AlienWhere?:

    The registry change that is being denied is confirming the deletion of the following HijackThis log entry that pskelley had you delete:

    Code:
    O20 - Winlogon Notify: yayvspq - C:\WINDOWS\SYSTEM32\yayvspq.dll
    Note the TeaTimer log shows the old data contains "yayvspq" and the new data blank (""):

    Code:
    "yayvspq" (new data: "") in Winlogon Notify
    That indicates that the registry entry is being deleted.

    TeaTimer is remembering that the original entry was there because it is still in TeaTimer's snapshot files. Since you used "Remember this decision" on a previous "Deny change", TeaTimer is automatically denying any changes associated with that registry entry.

    If you follow my previous instructions you can resolve the problem.

    The only other way to resolve the problem is to stop TeaTimer, delete TeaTimer's snapshot files and delete the RegKeyBlack.sbe file prior to restarting TeaTimer.


    MD USA,

    I understand what you're saying. I have made those changes now. Interestingly, when I went back in to do so, the Tea Timer alerts were no longer happening even before I made the change. I made it anyway, and now all seems as it should.

    Thank you for the clear explanation about the Blacklist. I just wasn't quite getting it until you wrote that.

    Cheers,
    -steve
    If you can't taste the sarcasm, try licking the screen.
