Fixed: False positive with today's update



Broken Hope
2009-09-23, 19:12
Updated today and did a scan, getting the following result. I purposely disabled System Restore myself; this hasn't been reported before today's update either.


Ertfor.bho: [SBI $C41D8ED7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-07 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-22 Includes\AdwareC.sbi (*)
2009-09-22 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-09-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-22 Includes\HijackersC.sbi (*)
2009-09-22 Includes\Keyloggers.sbi (*)
2009-09-22 Includes\KeyloggersC.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-22 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-22 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-22 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-22 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-09-15 Includes\Trojans.sbi (*)
2009-09-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Yodama
2009-09-24, 07:12
Hello,

thank you for reporting this issue; it will be fixed with the next detection update scheduled for 2009-09-30. Until then you can set this detection to be ignored via the right-click context menu.

antdude
2009-10-01, 20:17
Hello.

I think this is a similar issue with yesterday's 9/30/2009 updates.

From Saved SpybotSD.Results.txt:
--- Search result list ---
Ertfor.bho: [SBI $C41D8ED7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
...

From Checks.090930-2002.log:
30.09.2009 20:02:00 - ##### check started #####
30.09.2009 20:02:00 - ### Version: 1.6.2
30.09.2009 20:02:00 - ### Date: 9/30/2009 8:02:00 PM
30.09.2009 20:02:04 - ##### checking bots #####
30.09.2009 20:11:13 - found: Ertfor.bho Settings
...

From Checks.090930-2027.txt:
--- Report generated: 2009-09-30 20:27 ---
Ertfor.bho: [SBI $C41D8ED7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
...

Exported my updated Windows XP Pro. SP2's registry key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000000

I believe this is a false positive since I never had this in the past before 9/16/2009 updates.

Thank you in advance. :)

Broken Hope
2009-10-02, 08:45
Yeah this wasn't fixed in the update on the 30th, still showing the false positive.

antdude
2009-10-02, 08:53
> Yeah this wasn't fixed in the update on the 30th, still showing the false positive.

Thanks for confirmation. Now, Safer Network needs to fix this. :(

Yodama
2009-10-02, 10:38
Thank you for reporting this issue.

It appears that I fixed this issue at only one location while it persisted on another location :oops:

It is now fixed and tested at both locations and the fix will be released with the next detection update scheduled for Wednesday 2009-10-07

antdude
2009-10-02, 10:49
> Thank you for reporting this issue.
>
> It appears that I fixed this issue at only one location while it persisted on another location :oops:
>
> It is now fixed and tested at both locations and the fix will be released with the next detection update scheduled for Wednesday 2009-10-07

Thank you. I will follow up if the problem still persists with 10/7/2009 updates. :)