Question about TeaTimer

**tomdkat** · 2010-04-05, 23:18

I currently run Spybot 1.6.2 w/ TeaTimer enabled on a Windows 2000 system I use for testing.

My Windows 2000 installation recently (and INTENTIONALLY) got infected with "AntiVirus Soft" and was able to get it removed with Malwarebytes.

Before running Malwarebytes, I ran a Spybot scan and it detected "Fake.Sysguard". It removed the registry entry and subsequent Spybot scans were clean.

In the TeaTimer log, I see where the malware added its registry entries without problem.

My question: if Spybot was able to detect this malware as "Fake.Sysguard", why didn't TeaTimer block it from updating the registry?

Thanks!

Peace...

**Matt** · 2010-04-05, 23:21

Hi tomdkat,

was Spybot able to remove this Rogue or only parts of it?

Can you sent me a PM where you downloaded the installer for this Rogue?

**tomdkat** · 2010-04-06, 00:25

Spybot removed part of it. I'll send you a PM with the requested info.

Peace...

**Matt** · 2010-04-06, 10:24

Originally Posted by tomdkat

Spybot removed part of it. I'll send you a PM with the requested info.

Thank you for your PMs.

I will analyse this Rogue on my virtual machine.

This seems to be a new variant of "Fraud.Sysgaurd". Well, I've already sent Team Spybot some detection rules against this Rogue on the weekend. But I'll try to sent them some samples as well.

**tomdkat** · 2010-04-06, 18:10

Thanks!

So, if this is a new variant of "Fraud.Sysguard" is that why TeaTimer didn't block the installer from updating the registry, in the first place?

When the malware was installing itself, TeaTimer didn't prompt me to allow or deny the registry updates so I'm a bit confused.

Peace...

**Matt** · 2010-04-06, 20:08

Originally Posted by tomdkat

So, if this is a new variant of "Fraud.Sysguard" is that why TeaTimer didn't block the installer from updating the registry, in the first place?

Yeah, that could be a reason. When Spybot has this new variant in its database (tomorrow or next week), also TeaTimer should block it or give out a message.

Originally Posted by tomdkat

When the malware was installing itself, TeaTimer didn't prompt me to allow or deny the registry updates so I'm a bit confused.

Right click on the TeaTimer icon and choose "paranoid mode". Does TeaTimer now give out a message?

**tomdkat** · 2010-04-18, 19:19

Originally Posted by Matt

Right click on the TeaTimer icon and choose "paranoid mode". Does TeaTimer now give out a message?

I enabled "Paranoid mode" and attempted to install another rogue security app and TeaTimer did notify me of a blocked process that was trying to update the registry (I believe). It even mentioned the name of the threat in the popup.

The rogue app was blocked from being fully installed.

Peace...

Thread: Question about TeaTimer

Thread Tools

Display

Question about TeaTimer

Posting Permissions