As of now, we have not confirmed any incompatibilities between TeaTimer and Windows Defender. But it seems that TeaTimer can produce random false positives if it is unable to properly read a file. This is usually not reproducible after TeaTimer gets restarted or the computer gets rebooted.
Did you reboot your computer after this occurrence and did another TeaTimer false positive occur?
Yes, I rebooted, and there was no TT false positive at logon or at subsequent logons.
I checked for signs of a Vario.AntiVirus infection per this post:
http://forums.spybot.info/showthread.php?t=37774&highlight=vario.antivirus
None of the files or registry entries mentioned there were present.
From the S&D resident.log...
"19/10/2010 18:22:21 Allowed (based on user decision) value "ZoneAlarm Client" (new data: "") deleted in System Startup global entry!
19/10/2010 18:22:34 Allowed (based on user decision) value "CheckPoint Cleanup" (new data: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpes_clean_launcher.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpes_clean.exe") added in System Startup global entry!
19/10/2010 18:25:34 Allowed (based on lassh blacklist) value "Windows Defender" (new data: ""C:\Program Files\Windows Defender\MSASCui.exe" -hide") added in System Startup global entry!
19/10/2010 18:26:12 Allowed (based on authenticode whitelist) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Common Files\Java\Java Update\jusched.exe"") added in System Startup global entry!
19/10/2010 18:26:13 Encountered and terminated Vario.AntiVirus in C:\WINDOWS\system32\winlogon.exe!
19/10/2010 18:26:26 Allowed (based on authenticode whitelist) value "avgnt" (new data: ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min") added in System Startup global entry!
19/10/2010 18:26:35 Allowed (based on authenticode whitelist) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"") added in System Startup global entry!
19/10/2010 18:26:41 Allowed (based on authenticode whitelist) value "Adobe ARM" (new data: ""C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"") added in System Startup global entry!
19/10/2010 18:28:34 Allowed (based on user decision) value "ZoneAlarm Client" (new data: ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"") added in System Startup global entry!"
I uninstalled ZA, rebooted, and installed the new ZA. I also did an Adobe Reader update and a Java update. I know I should have done them one at a time, but I was pushed for time.
I guess there was a good chance of a locked file while TT was scanning, but why did it alert on winlogon.exe?
The reason I mentioned Windows Defender was that the alert occurred immediately after an update to its definitions. Windows Defender also detected something at the same time but couldn't classify it.
From the system log...
"19/10/2010 18:38:51 Information WinDefend Error ID 3005
Windows Defender Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {264B8DB4-2281-4067-ABAE-A64E19923A0E}
User: WINDOWSXP\Administrator
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Alert Type: Unclassified software
Action: Ignore"
From the WinDefend log...
"Unknown Program, Unknown Alert level, Action Taken Permit, 19/10/2010 18:38, Succeeded
Description:
This program has potentially unwanted behavior.
Advice:
Permit this detected item only if you trust the program or the software publisher.
Resources:
file:
C:\WINDOWS\system32\drivers\etc\hosts
Category:
Not Yet Classified"
What do you think?
zcx
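To make resident.log excerpts like the one quoted above easier to triage, here is an added Python example (not from the original post, and not Spybot's own code). It parses the two line shapes TeaTimer writes, flags any "Encountered and terminated" event (and notes, for a hit on a file under system32, that the follow-up is to verify the file's Authenticode signature and hash rather than trust either the name or the alert), flags startup entries that launch from a Temp directory, and lists entries allowed on a basis other than the Authenticode whitelist. The regexes, the severity scheme and the embedded sample log are assumptions built from the lines quoted in the post, not a documented Spybot format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the resident.log lines quoted in the post above,
# with the extraction-damaged Avira path repaired. Embedded so the script runs
# offline; pass the text of a real resident.log to analyze() otherwise.
SAMPLE_LOG = r"""
19/10/2010 18:22:21 Allowed (based on user decision) value "ZoneAlarm Client" (new data: "") deleted in System Startup global entry!
19/10/2010 18:22:34 Allowed (based on user decision) value "CheckPoint Cleanup" (new data: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpes_clean_launcher.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpes_clean.exe") added in System Startup global entry!
19/10/2010 18:25:34 Allowed (based on lassh blacklist) value "Windows Defender" (new data: ""C:\Program Files\Windows Defender\MSASCui.exe" -hide") added in System Startup global entry!
19/10/2010 18:26:12 Encountered and terminated Vario.AntiVirus in C:\WINDOWS\system32\winlogon.exe!
19/10/2010 18:26:26 Allowed (based on authenticode whitelist) value "avgnt" (new data: ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min") added in System Startup global entry!
19/10/2010 18:28:34 Allowed (based on user decision) value "ZoneAlarm Client" (new data: ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"") added in System Startup global entry!
""".strip()

# The two line shapes seen in the log (assumed from the quoted lines, not a
# documented Spybot format): a startup-entry change and a detection.
STARTUP_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<location>.+?)!$'
)
TERMINATE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'Encountered and terminated (?P<threat>.+?) in (?P<path>.+?)!$'
)


@dataclass
class Finding:
    kind: str      # "terminated", "temp_startup" or "unverified_startup"
    severity: str  # "high", "medium" or "low"
    when: str      # "dd/mm/yyyy hh:mm:ss" as written in the log
    name: str      # threat name or startup value name
    detail: str


def first_executable(command: str) -> Optional[str]:
    """Return the program path from a Run-key style command line.

    A quoted path is taken up to its closing quote; otherwise the first
    space-delimited token is used (an unquoted path containing spaces is
    therefore truncated, which is itself worth noticing in a startup entry).
    """
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def analyze(log_text: str) -> List[Finding]:
    """Turn resident.log text into triage findings, highest severity first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TERMINATE_RE.match(line)
        if m:
            path = m.group("path")
            detail = f"TeaTimer reported {m.group('threat')} in {path}"
            if "\\system32\\" in path.lower():
                # A hit on a core Windows binary is either a real infection or a
                # misread of a locked file; confirm with the file's Authenticode
                # signature and hash rather than trusting the name or the alert.
                detail += " (core Windows binary: verify signature and hash)"
            findings.append(Finding("terminated", "high",
                                    f"{m.group('date')} {m.group('time')}",
                                    m.group("threat"), detail))
            continue
        m = STARTUP_RE.match(line)
        if not m or m.group("action") != "added":
            continue  # deletions and unrecognised lines are not flagged here
        when = f"{m.group('date')} {m.group('time')}"
        name, basis = m.group("name"), m.group("basis")
        exe = first_executable(m.group("data")) or ""
        if "\\temp\\" in exe.lower():
            # A startup program launched from a Temp directory is a classic
            # persistence pattern, even when it turns out to be an installer's
            # cleanup task.
            findings.append(Finding("temp_startup", "medium", when, name,
                                    f"startup program runs from Temp: {exe}"))
        elif basis != "authenticode whitelist":
            findings.append(Finding("unverified_startup", "low", when, name,
                                    f"allowed on '{basis}', not a verified signature: {exe}"))
    severity_rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: severity_rank[f.severity])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.when} {f.kind}: {f.name} - {f.detail}")
```

On the sample above it reports the winlogon.exe termination as high, the CheckPoint Cleanup launcher in Temp as medium, and the Windows Defender and ZoneAlarm Client entries as low; the Authenticode-whitelisted avgnt entry and the deleted entry produce nothing. To run it against a real log, read the file and pass its text to analyze().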