Fixed: false positive for hpdiags.exe



129260
2008-12-03, 05:38
* Operating System: in sig - Windows XP Home SP3

* Browser and Version: Internet Explorer 7, Firefox 3

* Version of Spybot S&D and date of the latest update: 1.6 with latest updates as of 12/2/08 (I know updates come tomorrow, sorry I reported so late; I just found it yesterday.)

* Where did the false positive occur: in Internet Explorer 7 using the HP System Check tool. The problem occurred with TeaTimer.

OK, I use the laptop system health utility provided by HP; it's available on their website here (http://h20239.www2.hp.com/techcenter/HP_SystemCheck/hp_syscheck.htm).

When I went to run the tool like always (by clicking "scan my system"), TeaTimer popped up and stated the following: Spybot has encountered and terminated a process that is listed as part of malicious software.

Then it says:
process id: 3428
filename: hpdiags.exe
found in: c:\docume~1\user\locals~1\temp\hi... then trails off.
identified as: ZombieRat

That's the info it gives me. I chose "never tell me again" and let it run, as I know darn well that it is a perfectly legitimate tool that checks your computer's health and the state of drives, memory, etc. It's a diagnostic tool. A screenshot is attached and I recommend a look at it. I have never had this happen before when I was on this website. Thanks for any help you can offer. :)

Yodama
2008-12-03, 08:03
Hello,

This is really odd, since the ZombieRat detection rules do not fit in here at all (they are very, very specific).
I tried to recreate your issue anyway and was not able to until I made new rules that specifically detected hpdiags.exe.

I think there are 2 points we need to check:

- Version of hpdiags.exe
We may have gotten different hpdiags.exe files based on our locations and/or computers.
The one I got has the following properties: filesize=69632, md5=967E3EA1C9E45E2077BE48AF6903129B
and was located in: c:\documents and settings\user\local settings\temp\HPISPz

- Version of TeaTimer
The current public file version of TeaTimer is 1.6.3.25.

129260
2008-12-03, 14:53
So I am really stumped on this one... I know the tool will only run on a Compaq or HP computer. Maybe that is the reason why you could not reproduce it... hmm, I don't know. As shown in the screenshot, the message came from TeaTimer after the hardware tests were finished. When I get home I will double check the file size of the file, and I will also try to make it happen again. I will also double check that I have the latest version of TeaTimer, but I am positive I have it. Anyway, I will get back to you and let you know more on this issue. Thanks for the help, Yodama!

129260
2008-12-05, 03:49
I did the recent updates, including all the updates available today, and now it is no longer happening. :) That's awesome, haha. So yeah, I just thought I would report that; I don't know if the updates fixed the issue, or if it was a one-time thing that caused it. It's weird, but yeah, thanks for everything. :angel:

Yodama
2008-12-08, 08:01
Thanks for your feedback.