
Thread: TeaTimer spam

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    9

    Default TeaTimer spam

    I was recently infected with a virus, and have seemed to fight it off successfully so far. I was running TeaTimer and disallowed any registry changes regarding Browser Helper Objects (note that these were all changes to registry entries, not deletions). I blacklisted all of these changes namely because I wasn't doing anything when the changes popped up - my computer seemed to be idle, so I assumed that the changes were being made by some malicious code.
    Now it appears that this happens all the time, and TeaTimer fills up my screen with notifications of the blacklisted changes that were denied.
    Is there any way of knowing or confirming that these changes should indeed be blocked, or if I should allow them? If they should be blocked, I assume it means I still have malware on my machine and should post a report in that forum.

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    supplyer:

    What version of Spybot - Search & Destroy are you running (Spybot > Help > About)?

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Junior Member
    Join Date
    May 2008
    Posts
    9

    Default

    1.5.2.20

  4. #4
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    supplyer:

    Please post the portion of the Resident.log that shows the changes you are having problems with.
    1. There are several ways (4 listed below) to access the TeaTimer's Resident.log file:
      1. Right click on the TeaTimer (Spybot-SD Resident) system tray icon and select Show Log.
      2. Go into Spybot > Mode > Advanced Mode > Tools > Resident.
      3. Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Select the Resident.log file and open it.
      4. Using Windows Explorer, navigate to the Resident.log file located in one of the following directories:
        • Windows 95 or 98:
          C:\Windows\Application Data\Spybot - Search & Destroy\Logs
        • Windows ME:
          C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
        • Windows NT, 2000 or XP:
          C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
        • Windows Vista:
          C:\ProgramData\Spybot - Search & Destroy\Logs

        Double click on Resident.log file and it should open with Notepad.
    2. To copy information from the log into a post in the forum:
      1. Copy the information into the Clipboard:
        • Highlight the portion of the log that you want to copy.
        • Right click and select Copy.
      2. Paste (Ctrl+V) the information from the Clipboard to a new post in this thread.


  5. #5
    Junior Member
    Join Date
    May 2008
    Posts
    9

    Default

    Here is a sample of the logs demonstrating the registry changes that seem to happen constantly:

    5/8/2008 3:13:47 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:13:49 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:13:49 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:13:49 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:13:50 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:13:50 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:03 PM Allowed (based on user decision) value "UserInit" (new data: "c:\windows\system32\userinit.exe,") changed in Winlogon!
    5/8/2008 3:14:03 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:07 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:09 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:09 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:09 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:09 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:09 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:10 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:10 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:12 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:13 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:13 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:13 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:13 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:13 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:13 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:16 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:16 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:16 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:16 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:16 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:17 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:17 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:19 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:20 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:20 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:20 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:20 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:20 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:20 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:23 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:23 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:23 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:23 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:23 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:23 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:24 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:26 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:26 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:26 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:26 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:27 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:27 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:27 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:29 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:30 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:30 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:30 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:30 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:30 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:30 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:33 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:33 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:33 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:33 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:33 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:33 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:35 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:37 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:38 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:38 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:38 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:38 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:38 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:38 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:41 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:41 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:41 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:41 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:41 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:41 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:42 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
    5/8/2008 3:14:45 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:45 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:45 PM Denied (based on user blacklist) value "{c900b400-cdfe-11d3-976a-00e02913a9e0}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:45 PM Denied (based on user blacklist) value "{cf021f40-3e14-23a5-cba2-717765728274}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:45 PM Denied (based on user blacklist) value "{fc3a74e5-f281-4f10-ae1e-733078684f3c}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:45 PM Denied (based on user blacklist) value "{ffff0001-0002-101a-a3c9-08002b2f49fb}" (new data: "") deleted in Browser Helper Object!
    5/8/2008 3:14:46 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!

    This pattern continues every 1-4 seconds according to the remainder of the logs.

  6. #6
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Supplyer:

    It appears that you are in the loop because you must have done a "Deny change" and checked the "Remember this decision" option on changes, which instructed TeaTimer to deny all subsequent similar registry changes. Actually, since most of the changes are the deletions of Browser Helper Objects, I suspect that you were using TeaTimer 1.4, checked the "Remember this decision" option and exited the registry change dialog without clicking either the "Allow change" or "Deny change" buttons. The reason I suspect that is because "Deny change" is not an option for deletions of Browser Helper Objects. In any case the

    If you check "Remember this decision" on a change, the information concerning that change is stored in a file. TeaTimer uses that information to automatically "Allow" or "Deny" similar registry changes for all future changes. To edit that information:
    • Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
      • Allowed registry changes
      • Blocked registry changes
      • Allowed processes
      • Blocked processes
    • You can review all the entries that you have stored by clicking on these buttons. The entries that you should review are in "Blocked registry changes".
    • You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete, answering "Yes" to the confirmation dialog and then clicking the "OK" button when you're done.
    After you have done that, the next time a similar registry change occurs TeaTimer will issue a registry change dialog rather than automatically deny the change. At that time you should allow the change and I suggest that you do not use the "Remember this decision" option.

    If you find that you cannot access the TeaTimer's "White & Black List" because of the loop, exit TeaTimer by right clicking on Spybot's TeaTimer System Tray Icon and selecting Exit Spybot-S&D Resident. After you have exited TeaTimer, delete the RegKeyBlack.sbe file where the automatic "Deny change" records are stored. You will find the RegKeyBlack.sbe file in one of the following locations:
    • Windows 95 or 98:
      C:\Windows\Application Data\Spybot - Search & Destroy\Excludes
    • Windows ME:
      C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Excludes
    • Windows NT, 2000 or XP:
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes
    • Windows Vista:
      C:\ProgramData\Spybot - Search & Destroy\Excludes

    Reboot your system.

    After you have done that, the next time similar registry changes occur TeaTimer will issue a registry change dialog rather than automatically deny the change. At that time you should allow the change and I suggest that you do not use the "Remember this decision" option.

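Added example (not part of this thread and not Spybot's own code): a small Python script that reads Resident.log lines in the format posted in #5, groups them by verdict, reason, value name and location, and reports how often each entry recurs and the typical gap between repeats. Entries that are repeatedly "Denied (based on user blacklist)" every few seconds are exactly the remembered decisions to look for under Settings > Blocked registry changes, as described in #6. The sample lines are a constructed subset of the log from post #5; the thresholds (at least 3 repeats, median gap of 10 seconds or less) are assumptions chosen for this example.

```python
"""Summarise a Spybot TeaTimer Resident.log to find entries stuck in a deny loop."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a subset of the lines posted in #5 (same layout).
SAMPLE_LOG = """\
5/8/2008 3:13:47 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:13:49 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:14:03 PM Allowed (based on user decision) value "UserInit" (new data: "c:\\windows\\system32\\userinit.exe,") changed in Winlogon!
5/8/2008 3:14:03 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:14:06 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:14:07 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
5/8/2008 3:14:09 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:14:09 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:14:10 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
5/8/2008 3:14:12 PM Denied (based on user blacklist) value "{63F7460B-C831-4142-A4AA-5EC303EC4343}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:14:13 PM Denied (based on user blacklist) value "{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}" (new data: "") deleted in Browser Helper Object!
5/8/2008 3:14:13 PM Denied (based on user blacklist) value "yayXrrOe" (new data: "") deleted in Winlogon Notifiers!
"""

# Line layout as it appears in the posted log. The verb after the "new data"
# field is left open so both "changed" and "deleted" match.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<reason>[^)]*)\) '
    r'value "(?P<value>[^"]*)" \(new data: "(?P<data>[^"]*)"\) '
    r'(?P<verb>\w+) in (?P<location>.+?)!\s*$'
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_line(line):
    """Return a dict for one Resident.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def summarize(log_text):
    """Group events by (verdict, reason, value, location).

    Returns {key: {"count": n, "verb": verb, "median_gap_s": seconds or None}}.
    """
    times = defaultdict(list)
    verbs = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or non-log line
        key = (rec["verdict"], rec["reason"], rec["value"], rec["location"])
        times[key].append(rec["ts"])
        verbs[key] = rec["verb"]
    summary = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        summary[key] = {
            "count": len(ts),
            "verb": verbs[key],
            "median_gap_s": median(gaps) if gaps else None,
        }
    return summary


def loop_candidates(summary, min_count=3, max_gap_s=10):
    """Entries TeaTimer keeps denying from the user blacklist every few seconds.

    These are the remembered "Deny change" decisions to review under
    Settings > Blocked registry changes. Thresholds are assumptions.
    """
    hits = []
    for (verdict, reason, value, location), info in summary.items():
        if verdict != "Denied" or reason != "user blacklist":
            continue
        if info["count"] < min_count:
            continue
        if info["median_gap_s"] is None or info["median_gap_s"] > max_gap_s:
            continue
        hits.append((location, value))
    return sorted(hits)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (verdict, reason, value, location), info in sorted(s.items()):
        print(f'{verdict:7} {info["verb"]:8} {location:22} {value:40} '
              f'x{info["count"]} median gap {info["median_gap_s"]}s')
    print("Review in Blocked registry changes:")
    for location, value in loop_candidates(s):
        print(f"  {location}: {value}")
```

To use it on a real log, replace SAMPLE_LOG with the contents of Resident.log read from one of the Logs directories listed in #4. The script only groups and counts; it does not decide whether a value is legitimate, so the entries it lists still need to be reviewed by hand as #6 describes.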
