Naupoint?



erminator
2007-11-05, 18:01
I have 3 systems that have shown this behavior.

Two are Win XP Sp2
One is Server Enterprise 2003 R2
All have IE7
All have Spybot 1.5.1.15 (Corp)
All definitions update every day

Spybot is finding "Naupoint" in certain startup entries (entries that I am pretty sure are legitimate).

Spybot will remove these entries, which prevents these programs from starting, which has various odd effects on the system.

Spybot also finds entries in the hosts file that it attempts to remove.

Upon rebooting and a subsequent scan, the host file entries are found once again and legitimate startup entries are again found to be "Naupoint."

Here is the log from one such scan:

--- Search result list ---
Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1803905534-2379313150-3934839200-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eraser

Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1803905534-2379313150-3934839200-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe

Naupoint: [SBI $89F4134C] Program file (File, nothing done)
C:\WINDOWS\system32\ctfmon.exe

Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vptray

Naupoint: [SBI $89F4134C] Program file (File, nothing done)
C:\PROGRA~1\SYMANT~1\VPTray.exe

Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp

Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender

Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vptray

Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp

Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender

Microsoft.Windows.RedirectedHosts: [SBI $82672CA1] Redirected host (Redirected host, nothing done)
net-integration.net=127.0.0.1

Microsoft.Windows.RedirectedHosts: [SBI $7F540B12] Redirected host (Redirected host, nothing done)
www.net-integration.net=127.0.0.1

-----

I personally installed all of these startup programs, so I know what they are and why they're there. What I do not know is why Spybot sees them as Naupoint.

On all these systems, I see the same identifier in the scan: SBI $89F4134C

Any idea what SBI is? I searched Google for "$89F4134C" and found nothing.

Anyone see anything similar with entries being detected as “Naupoint??”

Thanks,
Erminator

Yodama
2007-11-06, 07:37
hello,

$89F4134C refers to a ruleset within Spybot S&D; as you can see in the log file, the Naupoint findings are all found by the same ruleset.
This ruleset is not supposed to detect the items in the log file as Naupoint; there will be a detection update that will fix this false positive tomorrow.

About the hosts file, please make sure that it is not write protected.
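
The ruleset grouping described in this reply can be checked mechanically. The following is an added example, not part of the original posts and not Spybot's own code: it parses findings in the log format shown in the first post and lists products whose findings all come from a single ruleset ID. The function names and the `min_targets` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Header line of a finding: "Product: [SBI $RULESET] Category (Kind, action)"
FINDING = re.compile(
    r"^(?P<product>[^:]+): \[SBI \$(?P<ruleset>[0-9A-F]{8})\] "
    r"(?P<category>.+?) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$"
)

def parse_findings(text):
    """Return one dict per finding; the line after each header is its target."""
    findings, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = FINDING.match(line)
        if m:
            pending = m.groupdict()
        elif pending and line:
            findings.append({**pending, "target": line})
            pending = None
    return findings

def single_ruleset_products(findings, min_targets=3):
    """Products whose findings all come from one ruleset yet cover at least
    min_targets distinct targets (threshold is an assumption). Such a pattern
    is worth reporting to the vendor as a possible false positive."""
    targets = defaultdict(set)
    for f in findings:
        targets[(f["product"], f["ruleset"])].add(f["target"])
    rulesets = defaultdict(list)
    for (product, ruleset), hit in targets.items():
        rulesets[product].append((ruleset, len(hit)))
    return {p: r[0][0] for p, r in rulesets.items()
            if len(r) == 1 and r[0][1] >= min_targets}

# Excerpt copied from the log in the first post.
SAMPLE = r"""
Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vptray
Naupoint: [SBI $89F4134C] Program file (File, nothing done)
C:\PROGRA~1\SYMANT~1\VPTray.exe
Naupoint: [SBI $89F4134C] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
Microsoft.Windows.RedirectedHosts: [SBI $82672CA1] Redirected host (Redirected host, nothing done)
net-integration.net=127.0.0.1
"""

if __name__ == "__main__":
    print(single_ruleset_products(parse_findings(SAMPLE)))
```
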

erminator
2007-11-06, 15:43
> hello,
>
> $89F4134C refers to a ruleset within Spybot S&D; as you can see in the log file, the Naupoint findings are all found by the same ruleset.
> This ruleset is not supposed to detect the items in the log file as Naupoint; there will be a detection update that will fix this false positive tomorrow.
>
> About the hosts file, please make sure that it is not write protected.

Yodama, I appreciate your prompt response. I'm happy that this is indeed a false positive and not some crazy malware that has infected all my startup items. :laugh:

I will check into the hosts file and make sure it's not write protected.

Thank you,
Erminator

erminator
2007-11-07, 20:52
> hello,
>
> $89F4134C refers to a ruleset within Spybot S&D; as you can see in the log file, the Naupoint findings are all found by the same ruleset.
> This ruleset is not supposed to detect the items in the log file as Naupoint; there will be a detection update that will fix this false positive tomorrow.
>
> About the hosts file, please make sure that it is not write protected.

Yodama:

It looks like the updates dated 11/7 fixed the "Naupoint" issue. Thank you!!

As far as the hosts file is concerned, it was set as read-only.

What's odd is that I made it writable before "fixing selected." Immediately after that, the file is marked read-only. Okay. No biggie. Spybot says the fixes were applied.

Reboot. Scan again, Spybot finds the hosts file problem again.

Apply the fix. Reboot. Scan again. Spybot finds them again.

Now, I know a little history about this, so I know that those two "net-integration" URLs *SHOULD* be in the hosts file. Right?

When I view the hosts file, I see those entries. So my question is, if I have the appropriate entries in the hosts file, why is it that Spybot continually thinks it needs to add these entries?


Thank you,
Erminator

erminator
2007-11-07, 21:03
double post.

Yodama
2007-11-08, 07:41
hi,

Sorry, it appears I forgot something about the net-integration issue :oops:
So, it is correct that the sites are added as blocked to the hosts file, but this should not be detected by Spybot S&D.

You may need to check the date of the security.sbi installed on your computer. To do this, make a scan and then go to advanced mode - tools - view report - view report.

The date for the security.sbi should be 2007-05-30 and the securityC.sbi should be dated 2007-11-07.

If this is not the case and no newer updates are shown with the updater, the manual update (http://www.spybotupdates.com/updates/files/spybotsd_includes.exe) may solve this issue.

erminator
2007-11-08, 20:11
> hi,
> ...
> If this is not the case and no newer updates are shown with the updater, the manual update (http://www.spybotupdates.com/updates/files/spybotsd_includes.exe) may solve this issue.

Ah ha! Here’s the culprit:

2006-12-08 Includes\Security.sbi

I’ve got the corporate edition and updates are maintained by the centralized server. It’s odd that the other machines have the correct version (05/30) and this one did not.

Anyhow, I manually deleted that file and copied a 5/30 version from another machine. Next, I ran a scan and everything turned out groovy groovy.

:bigthumb:

One final question (and then I’ll shut up): What’s the deal with the date stamp below?

2008-12-24 Plugins\TCPIPAddress.dll

Yodama
2007-11-09, 08:27
> One final question (and then I’ll shut up): What’s the deal with the date stamp below?
>
> 2008-12-24 Plugins\TCPIPAddress.dll

The plugins need to have a date newer than other Spybot files to be accepted, otherwise the plugin will be deactivated.
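
The root cause found in this thread was one centrally managed machine holding an older Security.sbi than its peers. The following is an added example, not from the original posts and not Spybot tooling: it compares the file-date lines of several scan reports and lists hosts with an older definition file. The host names and report contents are constructed, and plugin files are skipped because their dates are set ahead on purpose, as explained above.

```python
import re
from collections import defaultdict
from datetime import date

# File-list line as quoted in the thread: "YYYY-MM-DD relative\path"
FILE_LINE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\S.*)$")

def file_dates(report):
    """Map lower-cased file path -> date for every file-list line in a report."""
    out = {}
    for line in report.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            y, mo, d = map(int, m.groups()[:3])
            out[m.group(4).lower()] = date(y, mo, d)
    return out

def stale_files(reports, prefix="includes\\"):
    """For each definition file under `prefix`, use the newest date seen on any
    host as the reference and list hosts holding an older copy."""
    by_file = defaultdict(dict)
    for host, report in reports.items():
        for path, when in file_dates(report).items():
            if path.startswith(prefix):
                by_file[path][host] = when
    stale = []
    for path, hosts in sorted(by_file.items()):
        newest = max(hosts.values())
        stale += [(host, path, when, newest)
                  for host, when in sorted(hosts.items()) if when < newest]
    return stale

# Constructed reports for three hypothetical hosts, using dates from the thread.
GOOD = "\n".join([
    "2007-05-30 Includes\\Security.sbi",
    "2007-11-07 Includes\\SecurityC.sbi",
    "2008-12-24 Plugins\\TCPIPAddress.dll",
])
REPORTS = {"HOST-A": GOOD, "HOST-B": GOOD,
           "HOST-C": GOOD.replace("2007-05-30", "2006-12-08")}

if __name__ == "__main__":
    for host, path, have, want in stale_files(REPORTS):
        print(f"{host}: {path} is dated {have}, newest in fleet is {want}")
```
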