Need User Feedback: Teatimer 1.6.6.32 False Positives



Yodama
2009-02-25, 07:21
There have been recent user reports on Teatimer producing false positives.
This began after the recent Teatimer Update to Teatimer version 1.6.6.32.

The threads that appear to be related to this issue will be merged into this thread on Monday 2009-03-30. If your case possibly matches this issue, do not start a new thread but append to this one.

These false positives do not appear to be signature based false positives, meaning that finding and fixing the issue is more difficult and requires user feedback.

If you have the Teatimer activated and you get a message similar to this one:
(detected file and the name in "identified as" are different in most cases)

http://bw38fg.bay.livefilestore.com/y1pNm-CzxHPUSPl3xe9hdsFJrEZoAiFl4kXyC83tWkM14VRDCMGxWcy0LBorcX2uyGzlDhUOW7UtCg/teatimer%20adobe%20fp.jpg


please do the following:

* attach the detected file to an email to referencing this thread
* include the resident log to your email
* also include a full Spybot S&D report to your email (scan, then right-click scan result and select to save full report)
* state when you did the Teatimer update and if there were other parts of Spybot S&D updated as well (best attach the downloaded.ini located in C:\program files\Spybot - Search & Destroy\Updates)
* also state if you rebooted the computer after the update and if there were any error messages
* please also tell us if the false positive is reoccurring on your computer


129260
2009-03-14, 17:41
* Operating System-Windows 7 beta (it was flagged in windows xp though also)
* Browser and Version-Internet Explorer 7, Firefox latest version
* Version of Spybot S&D and Date of the latest update: latest spybot and teatimer, latest update: March 11th 2009

Teatimer about says: version 1.6.2.0 system settings protector 1.6.6.32

* where did the false positive occur:

o Teatimer message when a program was executed

See screen shot for details.

This happened when installing the latest update for adobe reader that has come out recently. The options are the ones i selected when i took the screenshot, because i knew it was a FP. Those were not the default selections when the window popped up.

http://bw38fg.bay.livefilestore.com/y1pNm-CzxHPUSPl3xe9hdsFJrEZoAiFl4kXyC83tWkM14VRDCMGxWcy0LBorcX2uyGzlDhUOW7UtCg/teatimer%20adobe%20fp.jpg

Yodama
2009-03-16, 08:57
hi,

thanks for reporting this false positive.

However I am not able to reproduce the false positive, it could be the case that Adobe changed the installer or I get a different one because of my IP.
To shorten things please send me the Airshareinstaller.exe, it should still be present in the Adobe setup files folder sub folder.
Please email to detections@spybot.info with a reference to this thread.

129260
2009-03-17, 03:57
as requested. Let me know if you need the file from the XP computer as well that flagged this false positive. The one I sent was the one from the windows 7 beta.

Yodama
2009-03-17, 10:36
Thank you for sending in the file, I have compared it to the one I got while installing Adobe Reader 9.1 on Windows XP. The AirShareInstaller.exe for Windows 7 Beta and Windows XP are identical.

However I have not been able to reproduce the false positive with the Teatimer.
I have also checked our detection database for Virtumonde rules which could be responsible for this detection, but did not find one.

This is really a strange case, could you please check if the false positive still occurs after a restart of the Teatimer?

129260
2009-03-17, 13:39
Well, here is the thing. I only got it once while i was installing adobe as shown in the screen shot. I haven't repeatedly gotten it at all. Only that one time. This is weird though, because this is the second time I have gotten a false positive that you could not produce. Sorry for wasting your time.....I am very confused as to why this is happening. Maybe i should fully uninstall spybot and install again. Thanks for getting back to me.

Yodama
2009-03-17, 14:41
You need not apologize, we have to go after such false positives and it is good that you report them.
There may have been special circumstances that prevented the correct reading of the file properties. Since this happened after the Teatimer update this may be related.
It appears that a similar false positive occurred with unlockerassistant.
I will be going after this issue since such false positives can be very dangerous.

metaed
2009-03-17, 17:53
I installed Adobe Reader 9.1 today. (This was because of a security advisory for 9.0 reported by Secunia PSI.)

I received a security alert from TeaTimer similar to the one above, but for Cydoor. Here is the log entry:

3/17/2009 9:15:11 AM Encountered and terminated Cydoor in C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\AirShareInstaller.exe!

This alert occurred once at the end of the Adobe Reader installation. It has not yet occurred again.

My operating system is Windows XP Home Edition SP3.

My browser is Google Chrome 1.0.154.48.

About TeaTimer gives 1.6.2.0, system settings protector 1.6.6.32. Info & License gives 1.6.2.46, latest detection update 3/11/2009.

Best wishes,

Edward

Yodama
2009-03-18, 08:00
hello,
thank you for reporting this issue.

I still have not been able to recreate the circumstances which provoke these false positives. Since Teatimer identifies the same AirShareInstaller.exe as Cydoor now, it is very likely that Teatimer was not able to properly determine the file properties and went wrong.
Are you running other active protection software or other software in background which may scan and/or lock files on access? If that is the case we may have an incompatibility issue.
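
Added example, not part of the original thread and not Spybot's own code: a small triage script for the resident-log entries quoted in this thread, which groups terminations by file and reports files that were identified under more than one name, the pattern discussed above. The function names, sample lines and detection names are constructed for illustration; only the entry shape ("<timestamp> Encountered and terminated <name> in <path>!") is taken from the logs posted here.

```python
import re
from collections import defaultdict

# Shape of a TeaTimer termination entry as quoted in this thread:
#   <timestamp> Encountered and terminated <name> in <path>!
# The timestamp layout follows the Windows locale, so it is matched loosely.
TERMINATED = re.compile(
    r"^(?P<ts>\S+ \S+(?: [AP]M)?) Encountered and terminated "
    r"(?P<name>.+?) in (?P<path>[A-Za-z]:\\.+)!\s*$"
)

# Constructed sample lines (not taken from any real log). They mix two
# timestamp layouts, path casing, and one "Allowed" entry that must be skipped.
SAMPLE_LOG = r"""
3/17/2009 9:15:11 AM Encountered and terminated ExampleThreatA in C:\Program Files\Vendor\Setup Files\Installer.exe!
3/18/2009 11:35:07 PM Allowed (based on user decision) value "Example" (new data: "C:\Program Files\Vendor\launcher.exe") added in System Startup global entry!
18.03.2009 23:35:07 Encountered and terminated ExampleThreatB in c:\program files\vendor\setup files\installer.exe!
3/28/2009 10:16:24 AM Encountered and terminated ExampleThreatC in D:\Tools\Helper.exe!
3/28/2009 10:27:35 AM Encountered and terminated ExampleThreatC in D:\Tools\Helper.exe!
""".strip().splitlines()


def parse_terminations(lines):
    """Return (timestamp, detection name, path) for each termination entry."""
    entries = []
    for line in lines:
        m = TERMINATED.match(line.strip())
        if m:
            entries.append((m["ts"], m["name"], m["path"]))
    return entries


def summarize(entries):
    """Map lower-cased path -> (sorted detection names, number of entries).

    Windows paths are case-insensitive, so the path is normalised before
    grouping; otherwise the same file would be counted as two.
    """
    names = defaultdict(set)
    counts = defaultdict(int)
    for _ts, name, path in entries:
        key = path.lower()
        names[key].add(name)
        counts[key] += 1
    return {p: (sorted(names[p]), counts[p]) for p in names}


def inconsistent_detections(entries):
    """Files reported under more than one detection name.

    One unchanged file matching several unrelated names is what the thread
    treats as a sign that the detection is not signature based.
    """
    return {p: n for p, (n, _c) in summarize(entries).items() if len(n) > 1}


def recurring(entries):
    """Files terminated more than once, with the number of entries."""
    return {p: c for p, (_n, c) in summarize(entries).items() if c > 1}


if __name__ == "__main__":
    found = parse_terminations(SAMPLE_LOG)
    for path, names in inconsistent_detections(found).items():
        print(f"{path}: identified as {', '.join(names)}")
    for path, count in recurring(found).items():
        print(f"{path}: {count} termination entries")
```
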

129260
2009-03-18, 13:46
@yodama:

Thank you. I just thought that this is really odd behavior for teatimer. Also, maybe this might help, since you mentioned there is a possible issue with incompatibility with another program.

I run the following security programs:

Windows defender, spybot (of course), Avast!, and malware bytes. Although malware bytes is scan only and does not run unless the program is launched, i thought i would still mention it. I was not running any scans or anything during that time. Just installing the latest update for adobe.

@metaed:

It's interesting that you and I have this flagged by teatimer as something different. Like Yodama stated, it might be a compatibility issue. Can you check and see if you have the same security software that i have above listed?

metaed
2009-03-18, 15:25
These two other applications are also resident on my PC and scanning files for signatures.

Secunia PSI 1.0.0.3
Avast On-Access Scanner, part of Avast 4.8 Professional, build Feb2009 (4.8.1335)

Yodama
2009-03-19, 07:27
Thank you for your information on this.
Since both of you have Avast installed I will check on this first to see if there are any issues combined with Teatimer.
I will keep you updated on the results.

Yodama
2009-03-19, 09:56
Test with Avast and Teatimer is done and they do not appear to collide.

Looks like I have to continue checking on the other apps.

129260
2009-03-19, 14:01
I also forgot to mention that i had secunia psi installed as well, that is what offered me the update to adobe. I just noticed that the other user had that as well. I wonder if secunia psi is the root of the compatibility issue? I highly doubt it, but it might be worth a look...

Also, thanks Yodama for looking into this. Hopefully we can figure out what is going on here with teatimer. ;)

spy1
2009-03-19, 15:11
I got a similar thing yesterday afternoon:

3/18/2009 11:35:07 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"") added in System Startup global entry!
3/18/2009 11:35:07 PM Encountered and terminated PestCapture in C:\WINDOWS\System32\msiexec.exe!

Pest Capture? Both log entries have identical times and it happened during the Adobe automatic update.

This is on a WinXP Pro system, SP3 - SpyBot 1.6.2.0, System Settings Protector 1.6.6.32

Sunbelt Personal Firewall, IDBlaster, MRUBlaster, KeyScrambler, NOD32, TH Guard all running resident. Pete

spy1
2009-03-20, 05:22
I forgot to mention that I have Secunia PSI running here, too. Pete

Yodama
2009-03-20, 09:35
thank you for the additional information.

I checked Secunia PSI. There is no indication that it is involved in the Teatimer issue. There appear to be no issues between Teatimer and Secunia PSI.

Maybe I have to look at this issue from a different angle.

129260
2009-03-26, 16:40
any more updates Yodama on what is going on? Thanks :)

Yodama
2009-03-27, 08:57
I currently have no good news on this issue. Only a couple more similar reports.
These Teatimer false positives appear to be random. We may be needing a new version of Teatimer which gives us a bit more output, for instance the SBI ID.

129260
2009-03-27, 14:57
> I currently have no good news on this issue. Only a couple more similar reports.
> These Teatimer false positives appear to be random. We may be needing a new version of Teatimer which gives us a bit more output, for instance the SBI ID.

Hmm interesting....I hope we can figure out what is going on here...

spy1
2009-03-27, 15:18
Why - when I right-click on the Resident SYSTRAY icon, then click on "Show Log" - doesn't anything happen?

No log shows up. Shouldn't it have since it terminated "PestCapture"?

Or have I just got a setting wrong somewhere?

Also, all the fields in the "Settings" box are empty - are they supposed to be that way? Pete

drragostea
2009-03-27, 23:29
spy1, do you use CCleaner? If Spybot is ticked in CCleaner that explains why there is no TeaTimer logs coming up when you look for it.

StopSpazzing
2009-03-28, 19:34
Windows Vista Ultimate 64bit
Internet Explorer 7, Maxthon 2.5.1 (uses IE as a base), FireFox 3.0.8
Spybot S&D 1.6.2.46, Last update 3/25/2009
Teatimer message when using the plugin KeeForm with Keepass to auto-enter login info website.

Log for teatimer contains:


3/28/2009 10:16:24 AM Encountered and terminated Spambot.mib in D:\Program Files\KeePass Password Safe\KeeForm.exe!
3/28/2009 10:27:35 AM Encountered and terminated Spambot.mib in D:\Program Files\KeePass Password Safe\KeeForm.exe!


Picture of false positive:
http://i6.photobucket.com/albums/y216/StopSpazzing/falsepositivespybot.jpg

Keepass v1.15
Link to Keepass website: http://www.keepass.info/

Plugin: KeeForm v2.01
Link to KeeForm: http://keeform.sourceforge.net/

spy1
2009-03-29, 17:49
Yes indeed - I did have CCleaner set to clean all the SBS&D stuff, so that's where the log went. Thanks. Pete

Yodama
2009-03-30, 16:09
Thank you for reporting this false positive.
KeeForm is not targeted and should not be detected as Spambot.mib.

This appears to be similar to other Teatimer FP issues since the recent Teatimer update. This thread will be merged with the other thread concerning this issue.

Richard Ryder
2009-04-18, 17:27
I have also had the same issue with Keepass & KeeFORM. Thought it might be a problem with those 2 apps so have spent several [fruitless as it turns out] hours ensuring that neither of those 2 apps had been compromised - they weren't!

I just need to know how to resolve the problem - there doesn't seem to be any way to undo an action carried out by Spybot and there SHOULD BE :).

Yodama
2009-04-20, 12:11
I was able to confirm the Keeform false positive, this will be fixed with the next detection update scheduled for 2009-04-22.


> I just need to know how to resolve the problem - there doesn't seem to be any way to undo an action carried out by Spybot and there SHOULD BE

Most actions performed by Spybot S&D can be undone, there are just a couple of deletions which cannot be reverted. If you specify the issue you want to undo I may be able to tell if it is possible with Spybot S&D.

Wayne_D
2009-04-23, 21:21
Very recent clean Win XP Pro fully Service Packed, ie 8, only running MS Office. Was installing Acrobat Reader 9.1 for the first time using "open" from adobe installer page. Was running an Ad-Aware scan in the background. System tray also has SUPERAntiSpyware 4.26.1000 Core: 3589 Trace: 1811 and Trend Micro Client/Server Security Agent latest pattern 5.981.00. Also have Malwarebytes' Anti-Malware with latest updates. Spybot/SD resident is 1.6.2.0 ssp is 1.6.6.32. SD recommends Killing and Deleting...

tashi
2009-04-23, 22:12
Hello Wayne_D,

Please see the first post in this thread: http://forums.spybot.info/showpost.php?p=301405&postcount=1



> please do the following:
>
> * attach the detected file to an email to referencing this thread
> * include the resident log to your email
> * also include a full spybot S&D report to your email (scan, then right-click scan result and select to save full report)
> * state when you did the Teatimer update and if there were other parts of Spybot S&D updated as well (best attach the downloaded.ini located in C:\program files\Spybot - Search & Destroy\Updates)
> * also state if you rebooted the computer after the update and if there were any error messages
> * please also tell us if the false positive is reoccurring on your computer



Best regards. :)

Yodama
2009-04-24, 07:35
@Wayne_D

please make sure to have the most recent detection updates installed and restart the Teatimer or the computer after that update.
The adobe airshareinstaller.exe should be excluded by digital signature whitelist.

rasmus
2009-06-29, 15:35
Hi, I use erunt 1.1j for a long time, teatimer never found anything.
I updated S&D yesterday (rules from 24.06.2009). Today I got a teatimer-message (autoback starts with a batch file and following command line:
C:\Programme\ERUNT\AUTOBACK.EXE %systemroot%\ERDNT\#Date#_#Time# /days:3 /alwayscreate /noconfirmdelete /noprogresswindow)

29.06.2009 09:45:15 Encountered and terminated Win32.Agent.Bbzv in C:\Programme\ERUNT\AUTOBACK.EXE!

My OS is windows XP home SP3. I send you autoback.exe attached as a zip file.

Yodama
2009-06-30, 10:15
@rasmus

I can confirm the false positive with
C:\Programme\ERUNT\AUTOBACK.EXE

it will be corrected with the detection update scheduled for 2009-07-01,
after the update make sure to restart the TeaTimer or the computer.

rasmus
2009-07-02, 11:07
:thanks:

Joergenr
2009-10-04, 00:00
Hi
TeaTimer found this.
Log:

"03-10-2009 22:05:18 Allowed (based on user decision) value "swg" (new data: "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe") Changed in System Startup user entry!
03-10-2009 22:05:18 Encountered and terminated MorpheusToolbar in C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe!
03-10-2009 22:05:35 Allowed (based on user decision) value "swg" (new data: ""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"") Changed in System Startup user entry!"

JR

Yodama
2009-10-05, 08:48
> Hi
> TeaTimer found this.
> Log:
>
> JR

Please make sure to fully update and upgrade Spybot S&D , then reboot your computer.
If the GoogleUpdaterService.exe should still be detected falsely please email it to detections@spybot.info with a reference to this thread.

Joergenr
2009-10-05, 14:26
Hi Yodama

Spybot S&D was updated. I had just made a reinstall of Spybot S&D, and rebooted, a few hours earlier (keeping app-data). I didn't delete the file and I haven't had any warnings later.
The program, GoogleToolbarNotifier.exe, has a valid certificate. That is why I think it was a false positive.

JR

Yodama
2009-10-06, 07:26
thank you for this additional information, if you have not done so please email the GoogleToolbarNotifier.exe to detections@spybot.info with a reference to this thread so we can check if the file has a new digital signature which needs to be added to our white list.

Joergenr
2009-10-06, 12:53
Hi Yodama

First I apologize for mixing up two programs. As I wrote in my first post it was "GoogleUpdaterService.exe" not "GoogleToolbarNotifier.exe" that caused the warning.
I have just sent the program to you.
If anything like this should happen again with another program, wouldn't it be easier just to send the certificate instead of the program? If so, which format would you prefer?

JR

Yodama
2009-10-07, 07:29
> Hi Yodama
>
> First I apologize for mixing up two programs. As I wrote in my first post it was "GoogleUpdaterService.exe" not "GoogleToolbarNotifier.exe" that caused the warning.
> I have just sent the program to you.
> If anything like this should happen again with another program, wouldn't it be easier just to send the certificate instead of the program? If so, which format would you prefer?
>
> JR

Thank you for sending in the file, I have checked the digital signature and the file and added the signature to our white list.

In similar cases it would be better to send in the whole file and not only the certificate. Depending on the certificate it is not only important that the certificate itself is valid it is also important that the certificate belongs to the file it was attached to.
Having the file in question also allows us to check for a reason why it was flagged falsely in the first place.

rbaker01
2009-11-05, 15:52
Hi
SpyBot Tea Timer reported a problem whilst I was installing Zone Alarm ISS Upgrade V9.1.008.00. Is this a false positive?
I've not reproduced this occurrence as I've not re-installed the ZoneAlarm Upgrade. Details:-

* Operating System Windows Vista Home Premium SP2
* Browser FireFox 3.5.4
* Version of Spybot S&D i.6.2.46
* Latest updates -

[teatimer166.zip]
InstallDate=2009-03-30
ReleaseDate=2009-03-11
URL=http://www.spybotupdates.biz/updates/files/teatimer166.zip
LocalFile=C:\Program Files\Spybot - Search & Destroy\Updates\teatimer166.zip
UpdateName=TeaTimer update 1.6.6
Description=!TeaTimer update (1011 KB)

[advcheck163.zip]
InstallDate=2009-07-31
ReleaseDate=2009-07-29
URL=http://www.spybotupdates.com/updates/files/advcheck163.zip
LocalFile=C:\Program Files\Spybot - Search & Destroy\Updates\advcheck163.zip
UpdateName=Advanced detection library 1.6.3
Description=!Advanced detection routines update (784 KB)

[advcheck164.zip]
InstallDate=2009-09-20
ReleaseDate=2009-09-09
URL=http://www.spybotupdates.com/updates/files/advcheck164.zip
LocalFile=C:\Program Files\Spybot - Search & Destroy\Updates\advcheck164.zip
UpdateName=Advanced detection library 1.6.4
Description=!Advanced detection routines update (792 KB)


* where did the false positive occur? - on installing Zone Alarm Update V9.1.008.00
o Scan result? - N/A not a scan
o after fix? - N/A not a scan
o Spybot message at start of scan? - N/A not a scan
o Teatimer message when a program was executed? - details not noted but similar to that shown in your original post re an Adobe install
o not reachable/restricted website? - ????
o SDHelper popup? - ???

Log report read:-
05/11/2009 09:29:52 Allowed (based on user decision) value "ISW" (new data: ""C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"") added in System Startup global entry!
05/11/2009 09:29:53 Encountered and terminated 2Search in C:\Program Files\CheckPoint\ZAForceField\ForceField.exe!

Thanks
Richard

Yodama
2009-11-09, 11:17
> Hi
> SpyBot Tea Timer reported a problem whilst I was installing Zone Alarm ISS Upgrade V9.1.008.00. Is this a false positive?
> I've not reproduced this occurrence as I've not re-installed the ZoneAlarm

Hello I was also not able to reproduce this false positive, please try to restart the installation of Zone Alarm ISS Upgrade after restarting the TeaTimer.

restarting TeaTimer:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer


For the next update scheduled for Wednesday 2009-11-11 I have also added the digital signature for the ZoneAlarm update into our whitelist, just in case.

rn5577
2009-11-19, 02:29
After the last update to Seek & Destroy, it decided to delete a bit of software called Netmeter. This only measures the upload & download rate of my internet connection (in graph form). So I am wondering why..?!

PC OS Windows XP (SP3)
Mainly use Firefox (sometimes use IE8)

Yodama
2009-11-19, 07:22
> After the last update to Seek & Destroy, it decided to delete a bit of software called Netmeter. This only measures the upload & download rate of my internet connection (in graph form). So I am wondering why..?!
>
> PC OS Windows XP (SP3)
> Mainly use Firefox (sometimes use IE8)

Please restart TeaTimer as described above, if the false positive reoccurs please send the respective file to detections@spybot.info for analysis.

jonny109
2009-11-21, 21:47
I too have updated Spybot and have got the same problem as rn5577. Also, when I got the error message it did not give me one file, it indicated that it was the whole folder.

acustomer
2009-11-24, 07:27
Computer was running FCEUX emulator just fine, then after definition update this weekend it's getting flagged as "rbot.skp". This, clearly, caused a little flip out where the program was deleted and reinstalled from an archived copy but having the same issue. Since the old file should be fine, I am relatively sure this is a false positive. The spybot update occurred somewhere around Nov 21, 2009 but I am not sure how long it had been since the update before that.

Why must Spybot hate on classic NES?

Yodama
2009-11-24, 07:35
@acustomer

here (http://forums.spybot.info/showthread.php?t=53551) you will receive more information on why the false positive happens with Rbot.skp

@jonny109

we require more information on your issue, the TeaTimer does not flag folders, it monitors registry changes and file execution. Here (http://forums.spybot.info/showthread.php?t=19117) you will find information on how to provide more information so we can analyze this issue.

jonny109
2009-11-24, 21:29
Thank you Yodama for your advice and response :bigthumb: I have done what your link asked me to do. Should I upload the file to this forum or should I send it to an email address?
thanks

kentlowt
2009-11-25, 00:29
I am getting a false positive on the file windows_server.exe which is the teamspeak server executable labeling it as Rbot.skp this happened right after an update the day of this post. I am currently running a scan. Running Zonealarm Security suite on a Vista box. Have to go home will send more info later.

Yodama
2009-11-25, 08:12
@jonny109
you can send the information to detections@spybot.info
attaching to the forums is also possible if the file size does not exceed the attachment limits for the forums.

@kentlowt
wait for the next detection update scheduled for Wednesday 2009-11-25 and restart the TeaTimer after the update, alternatively restart your computer after the update. This will fix the false positives regarding Rbot.skp.

kentlowt
2009-11-25, 16:37
Thank you.

jonny109
2009-11-25, 17:13
Yodama, I have sent my report to you via the email as requested.

Graham_G
2010-01-27, 10:57
After an authentic-looking self-update by Java from V.17 to V.18 on 27th January 2010, A Spybot popup appeared and reported that it had identified the Java Quickstart Process JQS.EXE as Win32.Fraudload. Unfortunately, I can't send you the file as I allowed SBSD to delete it to be on the safe side.

I mention it only so that you can add it to any further reports you may get of SBSD reporting this file as malicious.

XRaiderV1
2011-09-29, 12:39
I updated to java 6 update 26 today, and within seconds of the update installing I got this.

Encountered and terminated Vario.AntiVirus in C:\Windows\SysWOW64\cmd.exe!

I believe this to be a false positive.

attached is also a hijackthis report.

spybot sd teatimer update was installed on 9/2/2011 version is 1.6.6.32.

--

Edit
How to report Possible False Positives (http://forums.spybot.info/showthread.php?t=19117)
Reason log was removed: Please don't post Malware logs in the Spybot forums, thanks :-) (http://forums.spybot.info/showthread.php?t=1266)

Yodama
2011-09-30, 07:38
> I updated to java 6 update 26 today, and within seconds of the update installing I got this.
>
> Encountered and terminated Vario.AntiVirus in C:\Windows\SysWOW64\cmd.exe!
>
> I believe this to be a false positive.
>
> attached is also a hijackthis report.
>
> spybot sd teatimer update was installed on 9/2/2011 version is 1.6.6.32.



Hello there is no Spybot S&D detection rule which detects the file. The information you provided on the file suggests that it is a legit file.

Since you are using another security software it is very likely that you are also using the live protection provided by that security software. In that case you should deactivate Teatimer since more than one live protection can cause low performance and like in this case errors during live protection scans.
The main scanners are usually not affected.

To disable the TeaTimer do the following:

start Spybot S&D
switch to advanced mode
navigate to tools - resident
uncheck the checkbox for Resident TeaTimer to shutdown TeaTimer and remove it from system start

XRaiderV1
2011-09-30, 07:45
thanks for the very much welcome reassurances that it was a false positive.

I'll have to keep teatimer active since my antivirus doesn't include a live resident shield service of any kind. (panda cloud antivirus basic protection)

I'll admit I panicked for a long moment when it spat out that false positive, lol.

anyways, thanks for the help and reassurances.

jasoncollege24
2012-12-25, 20:27
Don't know if you guys are still using this thread anymore for false positives by the teatimer, but I did have one today.

versions of the program are the same as mentioned in the first post of the thread. I can't remember when it was installed.

During a routine update of malwarebytes Anti-Malware, the teatimer popped up with a notice that it terminated c:\windows\system32\regsvr32.exe claiming that the file was part of "Moozy" and wanted to delete the file all together.

This is definitely a false positive as I checked the file mentioned, and it's the Microsoft Register Server installed with windows XP SP3. I also looked up Moozy on your forums, and that file is never mentioned as part of the removal process.

Yodama
2012-12-27, 07:27
> Don't know if you guys are still using this thread anymore for false positives by the teatimer, but I did have one today.
>
> versions of the program are the same as mentioned in the first post of the thread. I can't remember when it was installed.
>
> During a routine update of malwarebytes Anti-Malware, the teatimer popped up with a notice that it terminated c:\windows\system32\regsvr32.exe claiming that the file was part of "Moozy" and wanted to delete the file all together.
>
> This is definitely a false positive as I checked the file mentioned, and it's the Microsoft Register Server installed with windows XP SP3. I also looked up Moozy on your forums, and that file is never mentioned as part of the removal process.

did this issue reoccur after a reboot of the computer?

jasoncollege24
2012-12-27, 17:50
No and Spybot S&D found absolutely nothing when a scan was run.

Yodama
2013-01-02, 09:16
> No and Spybot S&D found absolutely nothing when a scan was run.

Then this appears to be the TeaTimer bug which randomly occurs after updates without restarting the TeaTimer. A safe way to restart the TeaTimer is to reboot the computer.
Since development of Spybot 1.6 has been ended in favor of Spybot 2, it is unlikely that this bug will be fixed.

tedus987
2013-09-14, 23:20
yeah i'm not too sure if my false positive applies to this thread or not.

when you mean tea timer. is that a side product or does spybot S&D roll in to that?

if so i already posted a spybot S&D thread false positive but i can move the text to here.

http://forums.spybot.info/showthread.php?69345-spybot-detects-zone-alarm-toolbar