
Thread: Question about TeaTimer

#1 Member (joined Dec 2007, 54 posts)

    Question about TeaTimer

    I currently run Spybot 1.6.2 w/ TeaTimer enabled on a Windows 2000 system I use for testing.

    My Windows 2000 installation recently (and INTENTIONALLY) got infected with "AntiVirus Soft" and was able to get it removed with Malwarebytes.

    Before running Malwarebytes, I ran a Spybot scan and it detected "Fake.Sysguard". It removed the registry entry and subsequent Spybot scans were clean.

    In the TeaTimer log, I see where the malware added its registry entries without problem.

    My question: if Spybot was able to detect this malware as "Fake.Sysguard", why didn't TeaTimer block it from updating the registry?

    Thanks!

    Peace...

#2 Senior Member Matt (Bavaria; joined Aug 2006, 1,169 posts)

    Hi tomdkat,

    was Spybot able to remove this Rogue or only parts of it?

    Can you send me a PM with where you downloaded the installer for this Rogue?
    Best regards - Beste Grüße,

    Matt

#3 Member (joined Dec 2007, 54 posts)

    Spybot removed part of it. I'll send you a PM with the requested info.

    Peace...

#4 Senior Member Matt (Bavaria; joined Aug 2006, 1,169 posts)

    Originally posted by tomdkat:
        Spybot removed part of it. I'll send you a PM with the requested info.

    Thank you for your PMs. I will analyse this Rogue on my virtual machine.

    This seems to be a new variant of "Fraud.Sysguard". Well, I've already sent Team Spybot some detection rules against this Rogue on the weekend. But I'll try to send them some samples as well.
    Best regards - Beste Grüße,

    Matt

#5 Member (joined Dec 2007, 54 posts)

    Thanks!

    So, if this is a new variant of "Fraud.Sysguard", is that why TeaTimer didn't block the installer from updating the registry in the first place?

    When the malware was installing itself, TeaTimer didn't prompt me to allow or deny the registry updates so I'm a bit confused.

    Peace...

#6 Senior Member Matt (Bavaria; joined Aug 2006, 1,169 posts)

    Originally posted by tomdkat:
        So, if this is a new variant of "Fraud.Sysguard", is that why TeaTimer didn't block the installer from updating the registry in the first place?

    Yeah, that could be a reason. When Spybot has this new variant in its database (tomorrow or next week), TeaTimer should also block it or give out a message.

    Originally posted by tomdkat:
        When the malware was installing itself, TeaTimer didn't prompt me to allow or deny the registry updates, so I'm a bit confused.

    Right-click on the TeaTimer icon and choose "paranoid mode". Does TeaTimer now give out a message?
    Best regards - Beste Grüße,

    Matt

#7 Member (joined Dec 2007, 54 posts)

    Originally posted by Matt:
        Right-click on the TeaTimer icon and choose "paranoid mode". Does TeaTimer now give out a message?

    I enabled "Paranoid mode" and attempted to install another rogue security app, and TeaTimer did notify me of a blocked process that was trying to update the registry (I believe). It even mentioned the name of the threat in the popup.

    The rogue app was blocked from being fully installed.

    Peace...
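Added illustration, not part of the thread above and not Spybot's or TeaTimer's own code: a small model of the two behaviours the posts contrast. In the default mode a registry watcher only blocks writes whose launch path matches a signature already in its database, so a new variant of the same rogue slips through silently (what the first post saw in the TeaTimer log); in paranoid mode every write to a watched autorun key is surfaced for an allow/deny decision, whether or not a rule matches (what post #7 saw after switching modes). The log format, the watched key list, the "Fraud.Sysguard" rule pattern and the sample entries are all constructed for this example and do not reflect TeaTimer's real log, watch list or rule format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry locations the model watches. Assumption: a subset of the keys
# TeaTimer itself guards; the real watch list is not given on the thread.
AUTORUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Hypothetical signature database: threat name -> pattern over the launch path.
# Stands in for the existing "Fraud.Sysguard" rule; Spybot's rule format is
# not shown on the page, so this is only a stand-in.
KNOWN_BAD = {
    "Fraud.Sysguard": re.compile(r"\\[a-z]{4}sysguard\.exe$", re.IGNORECASE),
}

# Constructed log line format: "<date> <time> <ADD|DEL> <key>\<value> <data>".
# Not TeaTimer's own log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<op>ADD|DEL) "
    r"(?P<path>\S+)(?: (?P<data>.*))?$"
)


@dataclass
class RegChange:
    ts: str
    op: str
    key: str    # registry key the value lives under
    value: str  # value name
    data: str   # value data (for Run keys: the command line to launch)


@dataclass
class Verdict:
    value: str
    decision: str          # "allow", "block" or "prompt"
    reason: Optional[str]  # threat name when a signature matched, else None


def parse_log(text: str) -> List[RegChange]:
    """Parse the constructed change log into RegChange records."""
    changes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        # Split "<key>\<value>" at the last backslash.
        key, _, value = m.group("path").rpartition("\\")
        changes.append(RegChange(m.group("ts"), m.group("op"), key, value,
                                 m.group("data") or ""))
    return changes


def judge(change: RegChange, mode: str) -> Verdict:
    """Decide what a signature-only or paranoid watcher does with one change."""
    if mode not in ("signature", "paranoid"):
        raise ValueError(f"unknown mode: {mode}")
    if change.key not in AUTORUN_KEYS:
        # Unwatched location: neither mode cares (assumption of this model).
        return Verdict(change.value, "allow", None)
    for name, pattern in KNOWN_BAD.items():
        if pattern.search(change.data):
            # Known rogue: blocked in both modes, and the popup can name it.
            return Verdict(change.value, "block", name)
    if mode == "paranoid":
        # Unknown write to a watched key: ask the user instead of waving it through.
        return Verdict(change.value, "prompt", None)
    # Signature mode with no matching rule: the new variant is allowed silently.
    return Verdict(change.value, "allow", None)


def run(log_text: str, mode: str) -> List[Verdict]:
    return [judge(c, mode) for c in parse_log(log_text)]


# Constructed sample: an old-variant autorun entry, a new-variant entry with a
# different launcher name, and an unrelated write to an unwatched key.
SAMPLE_LOG = r"""
2010-02-14 10:31:02 ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run\abcdsysguard C:\Documents and Settings\tester\Local Settings\Application Data\abcd\abcdsysguard.exe
2010-02-14 10:31:03 ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avsoft C:\Documents and Settings\tester\Local Settings\Application Data\avsoft\avsoft.exe
2010-02-14 10:31:05 ADD HKCU\Software\SomeApp\Settings\LastRun 1266143465
"""

if __name__ == "__main__":
    for mode in ("signature", "paranoid"):
        print(f"--- {mode} mode ---")
        for v in run(SAMPLE_LOG, mode):
            print(f"{v.value:14} {v.decision:7} {v.reason or ''}")
```

Running it shows the second entry (the new variant) as "allow" in signature mode and "prompt" in paranoid mode, while the first entry is blocked by name in both; that gap is exactly what a fresh database update closes for the default mode.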
