Thread: vluadded - spybotdeleting(string) tea timer - then shows in system internals

  1. #1
    Junior Member
    Join Date
    Aug 2007
    Posts
    5

    Question vluadded - spybotdeleting(string) tea timer - then shows in system internals

    Hello, Jeremy Hall here. Semi-pro user. A new tea timer behavior has surfaced for me recently. This has happened on my Compaq Presario, and re-occurred after a coincidental reformat. I run full scans w/ removal of ALL available tracks. Normal initial hits surface, such as alexia, and double click (shows up before I get completely updated), and usage tracks in initial scan. The following appearance of request for registry change has also appeared after all windows updating for me, under varied websurfing conditions, when I have apparently had no highlighted hits, or known intrusions. I have 2000pro, sp4, and use the "labmice.com" checklist to set my services and permissions to a higher state of computer protection. It is not likely I have the standard cookie, trojan, or worm, although I am still vulnerable to them, if they get in. I use free avg, and zone alarm, with ad-aware 2007, on broadband. I also keep my "lock hosts file" w s & d checked full-time.

    Immed after selecting fix selected tracks, permission shell asks:
    Category: startup user entry, Change: value added, SpybotDeletingB6098, (where the numerical portion is stringlike) (also, this may re-occur with several permission windows, with SpybotDeleting and several varied numerical strings), NewData: command \c del C:\WINNT\SchedLgU.txt_tobedeleted

    What raised a red flag for me regarding this issue, was that I had given permission for these changes, then, before restarting, I ran the System Internals check, and all of the spybotdeleting strings appeared as inconsistencies, with (if I remember correctly...) broken links. I then deleted those, before restarting. I think that when I do nothing, the issue comes right back. The entry also appears in my registry run once file.

    When I look through registry editor in the local machine - software - microsoft - windows - current version - run once file, I see 3 entries I think should not be there. My normal startups safely appear in the run file, the run once file should only have one generic entry, if I am correct. Entries are: as above, & as above with "cmd" instead of "command", and the third reads: REG_SZ C:\Program Files\ Spybot - Search & Destroy\SpybotSD.exe" /autocheck. Apparently a few of these have snuck past me without permission before I get set up. Previously, when I was secure in my last installation, this issue first occurred alongside a "read address violation" with s & d. I don't view the run files often, but I remember that there should not be run once files unless I am using peripheral stuff. (I may have just sounded computer ignorant there... but I'm not sure).

    Question: What are these entries? Are they safe to allow? Is this a sign of intrusion?
    (please email me if response posted, h a m p s t e r 7 k 7 @ y a h o o . c o m) I did search the forums for schedlgu.txt, but found no relevant results.

  2. #2
    Junior Member
    Join Date
    Aug 2007
    Posts
    5

    Exclamation additional - immed follow up comment

    Just ran system internals, and the mentioned files in the run once folder appear, with "startup file does not exist"

    I'm not allowing the latest one, and am going to delete these ones. I'll post again, if they keep coming back.

    !!!!!!! when I deny the entry, it creates a new string, and keeps trying!!!!! Then I deleted the internals, and the string tried again, then when denied again, gave me value added "SpybotSnD" new data C:\program files\spybot - search _destroy (cut off)(did not allow, as it is a value added). Now finally quiet.

    "O glorious ghost in the machine, have mercy."

  3. #3
    Junior Member
    Join Date
    Aug 2007
    Posts
    1

    Default Same

    I also have the same problem. It comes up with these once per day, and there are two entries each day.

    I've so far allowed them, but I haven't rebooted yet. When using the nice tool from Sysinternals called "Autoruns", I have 6 of each, and the key name is always SpybotDeletingAxxxx and SpybotDeletingCxxxx, where x apparently is a random number which so far hasn't strayed outside 359 and 9375.

    The A ones read:
    command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted

    .. while the C ones read:
    cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"

    What is this stupidity??

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,964

    Default

    Hello.

    I have left a note regarding this for team attention.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    these autorun entries are generated by Spybot S&D if it encounters files that cannot be deleted during runtime because they are locked by other processes.
    C:\WINDOWS\SchedLgU.Txt
    for instance is the scheduler log file and is locked by Windows as long as it runs.

    For operating system compatibility reasons the autorun entries are generated with cmd and command.

    The system internals check shows these autorun settings as inconsistencies because the file path is not explicitly given. Meaning that the system internals check does not check the path variable for a possible file path and thus says that the link is broken.

    I hope that this clarifies this issue.
    born in the shadow to die in the shadow, that is the fate of the shinobi

  6. #6
    Junior Member
    Join Date
    Sep 2007
    Posts
    3

    Default Persistent SpybotDeleting messages

    Hello, I have a big problem with these 'SpybotDeletingAxxx' and 'SpybotDeletingCxxx' messages from TeaTimer, one each at every reboot. Many of these were followed by a string 'C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted', which happens to coincide with a S&D scan reporting the same SENDKEY.DLL under the problem category of VirtuMonde.

    Tried several times to let Spybot run at reboot to eliminate VirtuMonde to no avail. No other removal tools can seem to find VirtuMonde on my machine. I do not know if this is real.

    I found SENDKEY.DLL under system32, could not find a justification for it, so I renamed it to see what would happen. I still get these messages:

    08/24/07 12:56:38 Allowed value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
    08/24/07 12:56:46 Allowed value "SpybotDeletingB7667" (new data: "command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup user entry!
    08/24/07 12:56:50 Allowed value "SpybotDeletingD3432" (new data: "cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup user entry!
    08/24/07 12:56:53 Allowed value "SpybotDeletingA939" (new data: "command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup global entry!
    08/24/07 12:56:54 Allowed value "SpybotDeletingC6643" (new data: "cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup global entry!
    08/31/07 01:11:12 Allowed value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
    08/31/07 07:51:49 Allowed value "SpybotDeletingB8915" (new data: "command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup user entry!
    08/31/07 07:52:01 Allowed value "SpybotDeletingD4225" (new data: "cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup user entry!
    08/31/07 07:52:02 Allowed value "SpybotDeletingA778" (new data: "command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup global entry!
    08/31/07 07:52:03 Allowed value "SpybotDeletingC5113" (new data: "cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup global entry!
    08/31/07 09:44:52 Allowed value "SpybotDeletingB8915" (new data: "") deleted in System Startup user entry!
    08/31/07 09:45:02 Allowed value "SpybotDeletingD4225" (new data: "") deleted in System Startup user entry!
    08/31/07 14:52:18 Denied value "SpybotDeletingA8135" (new data: "") deleted in System Startup global entry!
    08/31/07 14:52:21 Denied value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!
    08/31/07 19:40:34 Denied value "SpybotDeletingA8135" (new data: "") deleted in System Startup global entry!
    08/31/07 19:40:40 Denied value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!
    08/31/07 19:57:09 Denied value "SpybotDeletingA8135" (new data: "") deleted in System Startup global entry!
    08/31/07 19:57:11 Denied value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!
    08/31/07 20:04:11 Denied value "SpybotDeletingA8135" (new data: "") deleted in System Startup global entry!
    08/31/07 20:04:19 Denied value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!
    08/31/07 20:09:43 Allowed value "SpybotDeletingA8135" (new data: "") deleted in System Startup global entry!
    08/31/07 20:09:43 Denied value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!
    08/31/07 20:10:31 Allowed value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!
    08/31/07 20:36:46 Allowed value "SpybotDeletingA8135" (new data: "") deleted in System Startup global entry!
    08/31/07 20:36:48 Allowed value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!
    08/31/07 21:01:58 Allowed value "SpybotDeletingA8135" (new data: "") deleted in System Startup global entry!
    08/31/07 21:02:06 Allowed value "SpybotDeletingC4004" (new data: "") deleted in System Startup global entry!

    Please help.
    Jon

    Other topic response: http://forums.spybot.info/showthread.php?p=117060
    Last edited by tashi; 2007-09-05 at 06:18. Reason: Added link
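
The autorun entries explained in post #5 and logged in post #6 can be checked mechanically. This is an added example, not part of the original thread and not Spybot's own code: it parses TeaTimer log lines in the shape quoted above, confirms each added `SpybotDeleting` value is a `cmd`/`command /c del ..._tobedeleted` command, and shows which files keep getting re-queued on different days. The sample lines are constructed from the post, plus one constructed non-matching entry; `review` and `SAMPLE` are names assumed here.

```python
import re
from collections import defaultdict

# TeaTimer log line shape as quoted in post #6; other line shapes are skipped.
LINE = re.compile(
    r'^(?P<date>\d\d/\d\d/\d\d) \d\d:\d\d:\d\d (?P<verdict>Allowed|Denied) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted) in (?P<where>.+?)!$')
# Delete-on-reboot command described in post #5 (closing quote may be missing).
PENDING = re.compile(r'^(?:cmd|command) /c del "?(?P<target>[^"]+_tobedeleted)"?$', re.I)
NAME = re.compile(r'^SpybotDeleting[A-D]\d+$')

# Constructed sample: four lines modelled on post #6, last line is made up.
SAMPLE = r'''
08/24/07 12:56:46 Allowed value "SpybotDeletingB7667" (new data: "command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup user entry!
08/24/07 12:56:54 Allowed value "SpybotDeletingC6643" (new data: "cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup global entry!
08/31/07 07:51:49 Allowed value "SpybotDeletingB8915" (new data: "command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"") added in System Startup user entry!
08/31/07 09:44:52 Allowed value "SpybotDeletingB8915" (new data: "") deleted in System Startup user entry!
08/31/07 10:00:00 Allowed value "SpybotDeletingA1234" (new data: "C:\example\other.exe") added in System Startup global entry!
'''

def review(log_text):
    """Return (targets, unexpected).

    targets: pending-delete file (lower-cased) -> set of dates it was queued.
    unexpected: (name, data) of added SpybotDeleting* values that are not a
    plain 'del ..._tobedeleted' command and deserve a manual look.
    """
    targets, unexpected = defaultdict(set), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["name"].startswith("SpybotDeleting"):
            continue
        if m["action"] != "added":
            continue  # removals carry empty data, nothing to validate
        cmd = PENDING.match(m["data"])
        if NAME.match(m["name"]) and cmd:
            targets[cmd["target"].lower()].add(m["date"])
        else:
            unexpected.append((m["name"], m["data"]))
    return dict(targets), unexpected

if __name__ == "__main__":
    targets, unexpected = review(SAMPLE)
    for path, dates in targets.items():
        note = "re-queued on several days" if len(dates) > 1 else "queued once"
        print(f"{path}: {sorted(dates)} ({note})")
    for name, data in unexpected:
        print(f"check manually: {name} -> {data}")
```

A file that is queued again on a later date, as SENDKEY.DLL is in the quoted log, was not removed by the earlier reboot-time delete.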

  7. #7
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Default

    Hello,

    I suggest upgrading to Spybot - Search & Destroy version 1.5 and running a scan in safe mode.
    http://www.computerhope.com/issues/chsafe.htm
    That should fix it.

    Best regards
    Sandra
    Team Spybot

  8. #8
    Junior Member
    Join Date
    Aug 2007
    Posts
    5

    Default but there is a "value added" during fix slctd problms



    Thank you for the clarification on the processes. However, I'm still confused as to if I should allow these entries.

    When I run the check, and click all hits, even green, instead of a normal value deleted (as I remove entries found), I get a value added: spybot deleting (string).

    Also, I view activity that should not be there in the registry under the run once, or second run once file. (that is basically the manual way of checking for autostartup programs that are hiding from you). This entry is a mirror of the value added title, that appears, (in the permission box from spybot), when I am trying to remove all the hits that show, choosing to search for everything possible, and select everything for removal.

    Should I allow these entries? It seems like in my history of using Spybot, I don't remember being asked to allow any values, during spyware removal. Usually usage tracks were just wiped out, and did not ADD a "spybot deleting (random end)" entry.

    I had mentioned how they appear in the check for system inconsistencies screen, immediately after I just allowed them. You did clarify why they appear there, but is it safe to allow them in the first place? Does spybot clean usage tracks, that cannot be "on the spot" cleaned, because they are locked by use, by adding a "value added: spybot deleting(random)" registry entry? It seems like that's what's happening, but it's so unusual.

    This happens every time usage tracks are selected during normal scans. The titles of the strings change, and they appear in the run once file, even after restarts.
