Thread: Settings, Allowed Processes

  1. #1
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Settings, Allowed Processes

    Hello,
    I have this notification in my Resident log. This could be a masquerading Trojan:

    8/18/2013 6:58:19 AM Allowed (based on user white list) value "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" (new data: "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7") added in Firewall Authorized Applications!

    Identical notifications have been occurring at the rate of two per day since June 6. Once I noticed the log entries I removed the entry from The Black & White List, Allowed Processes. I did this on 8/17/2013. Today, 8/18/2013, I found two more of the same notices at 6:58:19 EDT USA. There are no allowed processes in the white list.

    I do have the HarmonyRemote.exe on my computer.

    Paranoid mode is selected, Source white list selected. Where is this List? Can this be the problem?

    I have Spybot 1.6.2.46 on Vista SP2 64-bit.
    Last edited by Frank C; 2013-08-18 at 18:47. Reason: spacing
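
The log entry quoted in the post above can be checked mechanically. This is an added example, not part of the original thread and not Spybot code: it parses lines in the format shown, splits the rule data into `path:scope:status:name` (assumed labels for the four fields), counts additions per day and program, and reports entries where the value name and the rule path disagree. The log lines are constructed samples built around the quoted entry.

```python
import re
from collections import Counter
from ntpath import normcase, normpath

# Path copied from the quoted log entry; the log lines below are constructed samples.
HARMONY = r"C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"
ENTRY = (rf'Allowed (based on user white list) value "{HARMONY}" (new data: '
         rf'"{HARMONY}:*:Enabled:Logitech Harmony Remote Software 7") '
         'added in Firewall Authorized Applications!')
SAMPLE_LOG = [
    "8/18/2013 6:58:19 AM " + ENTRY,
    "8/18/2013 6:58:19 AM " + ENTRY,
    # Constructed mismatch: value name and rule data point at different files.
    r'8/19/2013 7:02:11 AM Allowed (based on user white list) value '
    r'"C:\Program Files (x86)\Example\app.exe" (new data: '
    r'"C:\Users\Public\app.exe:*:Enabled:Example App") '
    'added in Firewall Authorized Applications!',
]

LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<action>\w+) \((?P<basis>[^)]*)\) value "(?P<value>[^"]*)" '
    r'\(new data: "(?P<data>[^"]*)"\) added in (?P<area>[^!]+)!$')

def parse_line(line):
    """Return the fields of one log line, or None if the format differs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Split from the right: the path itself contains a drive-letter colon.
    # Assumes the display name at the end contains no colon.
    parts = rec["data"].rsplit(":", 3)
    if len(parts) != 4:
        return None
    rec["path"], rec["scope"], rec["status"], rec["name"] = parts
    return rec

def review(lines):
    """Count firewall-rule additions per (date, path); list path mismatches."""
    counts, findings = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["area"] != "Firewall Authorized Applications":
            continue
        counts[(rec["date"], normcase(rec["path"]))] += 1
        if normcase(normpath(rec["value"])) != normcase(normpath(rec["path"])):
            findings.append((rec["date"], rec["value"], rec["path"]))
    return counts, findings
```
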

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,493

    This is info on the Source Whitelist:
    http://forums.spybot.info/showthread...ist-What-is-it
    This post has info about Firewall Authorized Applications.
    http://forums.spybot.info/showthread...l=1#post397129

    Here are some of the listed Harmony remotes, from Logitech:
    http://www.logitech.com/en-ca/harmony-remotes
    and http://myharmony.com/
    Do you have a Harmony remote from Logitech?
    Harmony Remote software:
    http://download.cnet.com/Logitech-Ha...-10964391.html
    The Harmony Remote seems to have Harmony Remote software, or there is Harmony Remote software separate from that, I'm unsure exactly which right now.
    You would likely know of it on your computer.

    I don't currently have Spybot 1.6.2 installed to check anything out, since I moved to the current version. It's hard going from memory, so bear with me.
    As I recall, the Source Whitelist is separate from the Black & White list. The things listed in the Black & White list are user selected, I think. If that is correct, it might indicate that HarmonyRemote.exe was put into Allowed Processes by you at some point, and perhaps forgotten.

    The Source whitelist, separate from the user-defined black & white list, used to Allow changes known to be okay.
    You do have Paranoid mode selected, which used to have Teatimer act the way it did before the source whitelist was used. However, I wonder if having Source white list selected causes Teatimer to not prompt on things that are known to be okay, considering it would still be going by its own whitelist?

    To add on to that, I do think I remember noticing that the Teatimer logfile had a quirk of listing some allowed things as if it had been done by me, when I knew for sure that I hadn't, and that it must've been going by the Source White List. So that might explain the two additional log file entries, if they say they are based on user white list. So a bit convoluted, I know, but that is all possible, I think.

    Also, I do remember that if you made a change in the Black & White list, but hit the close button on the window instead of pressing "OK", that the entry was not removed. You did say there were no entries in the Allowed Processes list, but double-checking wouldn't hurt.

  3. #3
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Settings, Allowed Processes

    Thanks for the reply Zenobia,
    I do have Logitech installed at the location reported in the Resident.log:
    C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe

    It is used to set up the remote unit that controls my entertainment center.
    I wanted to look at the Whitelist to see if Logitech was allowed there. I cannot find it in:

    C:\Program Files (x86)\Spybot - Search & Destroy\Includes

    If it is X509White.sbs, I can't edit that file.

    If I can't change the source whitelist I will deselect it and see how that goes.
    I did not update to Spybot 2 because I did not want to be bothered learning a completely new interface. I am planning to get the Spybot paid version at the end of this year.

    Frank C

  4. #4
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,493

    Ok, let me know how it goes.

  5. #5
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Settings, Allowed Processes

    Zenobia,
    Un-checking the "Use Source Whitelist" had no effect. I still got two entries for Logitech in the log this morning.
    On closer inspection of the Allowed Registry changes in the Black and White list (I expanded the column so I could see the entire entry), I found four entries for Logitech. I removed them. I will have to wait at least one day to see if this fixes the problem.
    Frank C

  6. #6
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,493

    Okay, good luck.
