Thread: Settings, Allowed Processes

  1. #1
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Default Settings, Allowed Processes

    Hello,
    I have this notification in my Resident log. This could be a masquerading Trojan:

    8/18/2013 6:58:19 AM Allowed (based on user white list) value "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" (new data: "C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7") added in Firewall Authorized Applications!

    Identical notifications have been occurring at the rate of two per day since June 6. Once I noticed the log entries I removed the entry from The Black & White List, Allowed Processes. I did this on 8/17/2013. Today, 8/18/2013, I found two more of the same notices at 6:58:19 EDT USA. There are no allowed processes in the white list.

    I do have the HarmonyRemote.exe on my computer.

    Paranoid mode is selected, Source white list selected. Where is this List? Can this be the problem?

    I have Spybot 1.6.2.46 on Vista SP2 64 bit
    Last edited by Frank C; 2013-08-18 at 19:47. Reason: spacing
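
An added example, not part of the original posts and not Spybot code: a parser for TeaTimer "Firewall Authorized Applications" entries like the one quoted above. It counts repeats per value name and flags entries whose data path differs from the value name. The field names (path, scope, state, label) are labels chosen here, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in post #1. The first two lines repeat
# that entry; the third is invented so that value name and data path disagree.
HARMONY = r"C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"
LABEL = "Logitech Harmony Remote Software 7"
TEMPLATE = ('{when} Allowed (based on user white list) value "{name}" '
            '(new data: "{path}:*:Enabled:{label}") added in Firewall Authorized Applications!')
SAMPLE_LOG = "\n".join([
    TEMPLATE.format(when="8/18/2013 6:58:19 AM", name=HARMONY, path=HARMONY, label=LABEL),
    TEMPLATE.format(when="8/18/2013 6:58:19 AM", name=HARMONY, path=HARMONY, label=LABEL),
    TEMPLATE.format(when="8/18/2013 7:02:41 AM", name=HARMONY,
                    path=r"C:\Users\Public\HarmonyRemote.exe", label=LABEL),
])

ENTRY = re.compile(
    r'^(?P<when>\S+ \S+ [AP]M) (?P<verdict>\w+) \((?P<basis>[^)]*)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>[^"]*)"\) '
    r'added in Firewall Authorized Applications!$')
# Data layout is path:scope:state:label. The path itself contains a colon after
# the drive letter, so anchor on the Enabled/Disabled field instead of splitting.
DATA = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<label>.*)$')

def parse_entry(line):
    """Return the fields of one log entry, or None if the line is not one."""
    m = ENTRY.match(line.strip())
    d = DATA.match(m["data"]) if m else None
    if not d:
        return None
    rec = {**m.groupdict(), **d.groupdict()}
    rec["path_matches_name"] = rec["path"].lower() == rec["name"].lower()
    return rec

def summarize(log_text):
    """Group entries by value name: repeat count, mismatched paths, open scope."""
    out = defaultdict(lambda: {"count": 0, "mismatched_paths": set(), "open_scope": False})
    for rec in filter(None, map(parse_entry, log_text.splitlines())):
        s = out[rec["name"].lower()]
        s["count"] += 1
        # Scope "*" on an Enabled entry means the exception is not limited by remote address.
        s["open_scope"] |= rec["scope"] == "*" and rec["state"] == "Enabled"
        if not rec["path_matches_name"]:
            s["mismatched_paths"].add(rec["path"])
    return dict(out)

if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_LOG).items():
        print(name, stats)
```

A matching path only shows that the exception names the program at that location; whether the file there is the genuine Logitech binary is a separate check (its digital signature, or a comparison against the installer).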

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,484

    Default

    This is info on the Source Whitelist:
    http://forums.spybot.info/showthread...ist-What-is-it
    This post has info about Firewall Authorized Applications.
    http://forums.spybot.info/showthread...l=1#post397129

    Here are some of the listed Harmony remotes, from Logitech:
    http://www.logitech.com/en-ca/harmony-remotes
    and http://myharmony.com/
    Do you have a Harmony remote from Logitech?
    Harmony Remote software:
    http://download.cnet.com/Logitech-Ha...-10964391.html
    The Harmony Remote seems to have Harmony Remote software, or there is Harmony Remote software separate from that, I'm unsure exactly which right now.
    You would likely know of it on your computer.

    I don't currently have Spybot 1.6.2 installed to check anything out, since I moved to the current version. It's hard going from memory, so bear with me.
    As I recall, the Source Whitelist is separate from the Black & White list. The things listed in the Black & White list are user selected, I think. If that is correct, it might indicate that HarmonyRemote.exe was put into Allowed Processes by you at some point, and perhaps forgotten.

    The Source whitelist, separate from the user defined black & white list, used to Allow changes known to be okay.
    You do have Paranoid mode selected, which used to have Teatimer act the way it did before the source whitelist was used. However, I wonder if having Source white list selected causes Teatimer to not prompt on things that are known to be okay, considering it would still be going by its own whitelist?

    To add on to that, I do think I remember noticing that the Teatimer logfile had a quirk of listing some allowed things as if it had been done by me, when I knew for sure that I hadn't, and that it must've been going by the Source White List. So that might explain the two additional log file entries, if they say they are based on user white list. So a bit convoluted, I know, but that is all possible, I think.

    Also, I do remember that if you made a change in the Black & White list, but hit the close button on the window instead of pressing "OK", that the entry was not removed. You did say there were no entries in the Allowed Processes list, but double-checking wouldn't hurt.

  3. #3
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Default Settings, Allowed Processes

    Thanks for the reply Zenobia,
    I do have Logitech installed at the location reported in the Resident.log:
    C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe

    It is used to set up the remote unit that controls my entertainment center.
    I wanted to look at the Whitelist to see if Logitech was allowed there. I cannot find it in:

    C:\Program Files (x86)\Spybot - Search & Destroy\Includes

    If it is X509White.sbs, I can't edit that file.

    If I can't change the source whitelist I will deselect it and see how that goes.
    I did not update to Spybot 2 because I did not want to be bothered learning a completely new interface. I am planning to get the Spybot paid version at the end of this year.

    Frank C

  4. #4
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,484

    Default

    Ok, let me know how it goes.

  5. #5
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Default Settings, Allowed Processes

    Zenobia,
    Un-checking the "Use Source Whitelist" had no effect. I still got two entries for Logitech in the log this morning.
    On closer inspection of the Allowed Registry changes in the Black and White list (I expanded the column so I could see the entire entry), I found four entries for Logitech. I removed them. I will have to wait at least one day to see if this fixes the problem.
    Frank C

  6. #6
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,484

    Default

    Okay, good luck.

  7. #7
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Default Settings, Allowed Process

    Zenobia,
    After removing four entries for Logitech from Allowed Registry changes I got a request to allow the Logitech entry every second. I denied and said remember this decision. When I looked at the log the blocking was occurring once per second.

    I uninstalled Logitech Harmony Remote Software.

    It looks like it has now stopped. I sent a request for help to Logitech on 8/17 and I have not gotten a response.
    I have the original Install disk for the Logitech Harmony remote so I can re-install it if I need it.

    I wonder if I need to back out registry changes. Do these firewall policy entries refer to the Windows Firewall? I am using the AVG Firewall.
    Frank C

  8. #8
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,484

    Default

    Yes, from this post, it looks to me like the firewall policy entries refer to Windows Firewall only:
    http://forums.spybot.info/showthread...l=1#post397060
    The post by this person states that the prompts still happen even though they have Windows Firewall turned off, though:
    http://forums.spybot.info/showthread...l=1#post397125

    The solution posted in that thread was to turn off Paranoid mode for Teatimer to avoid the constant prompts from Teatimer about the Firewall Authorized Applications:
    http://forums.spybot.info/showthread...Timer-Firewall

    Since you've uninstalled the Logitech Harmony Remote Software, yes, it would probably be best to remove the denied entries from Teatimer's black & white list for now, so the entries are not forgotten about if you need to reinstall it, so it can be configured in a workable way that is best for you if you do reinstall the Harmony Remote Software.

  9. #9
    Senior Member
    Join Date
    Oct 2005
    Location
    Potomac MD USA
    Posts
    119

    Default

    Zenobia,
    I removed one registry entry:

    HKEY_LOCAL_MACHINE\System\ControlSet002 \Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:ProgramFiles (X86)\Logitech\Logitech Harmony Remote Software 7\Harmony Remote.exe=C:ProgramFiles (X86)\Logitech\Logitech Harmony Remote

    I removed two entries regarding Logitech from blocked registry changes. I kept the one that refers to the above registry delete.

    I think I am OK now.
    Thanks for the help.
    Frank C

  10. #10
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,484

    Default

    Ok, good.
    You're welcome.
