
Thread: JRE 2 Update 16 Win32.TDSS.rtk

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    6

    Default JRE 2 Update 16 Win32.TDSS.rtk

    I was asked to post here if an FP occurred.
    My original post is located here: http://forums.spybot.info/showthread.php?t=50748
    I am not absolutely sure if it is, but perhaps it is.
    Teatimer found, during the installation of the new Java 2 Runtime Environment (JRE) 6 Update 16,
    a possible threat, Win32.TDSS.rtk, and stopped the process. It was found in file unpack200.exe in C:\Program files\Java\jre6\bin.
    After that, I made a full scan with Spybot and it found nothing.

    My OS: Windows XP HE SP3
    Browser: IE 7, Opera 9.64.10487
    Spybot v. 1.6.2.46 definitions update 2009-08-12
    Full System scan report: clean

    Teatimer message when it found the threat:
    Process ID: 4016
    Found: Win32.TDSS.rtk
    in file: unpack2000.exe in
    in location: C:\Program Files\Java\jre6\bin

    Just one more thing.
    When I turned off TeaTimer so I could run HJT, an error occurred with the message
    that the program terminated with an error and this report should be sent to Microsoft.
    Maybe this was the cause of all of this.

    File unpack200.exe has been scanned on these 2 sites: http://virusscan.jotti.org/pl and http://www.virustotal.com/pl/ and by file scanner of Spybot S&D and also my antivirus software, it came out clean.
    Last edited by 79ronin; 2009-08-12 at 17:52. Reason: Scan result of file: unpack200.exe

  2. #2
    Junior Member
    Join Date
    Aug 2009
    Posts
    6

    Default

    Probably, this has just been an error of Teatimer.
    Just now I have uninstalled Java and installed it again.
    The same version, the same file, even the same update definitions of Spybot with Teatimer on, and nothing occurred, no warnings.
    Like I wrote, this might've been the effect of an error of the Teatimer after the update.

  3. #3
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Thank you for reporting this.
    The current version of the Teatimer can identify files based on a signature whitelist; this means that, for instance, the Java files that have this digital signature get an OK from Teatimer and do not get flagged.

    However, the older versions of Teatimer do not have this feature, so in combination with newer detection rules a false positive could occur with the old versions of Teatimer.

    Apparently the Teatimer does not always get updated while the old version is still in use. The install routine then usually exchanges the version after a reboot of the computer.

    79ronin, in your case, do you remember if the false positive occurred after a Teatimer upgrade without a computer reboot?
    born in the shadow to die in the shadow, that is the fate of the shinobi


  4. #4
    Junior Member
    Join Date
    Aug 2009
    Posts
    2

    Default

    I had a similar problem, see http://forums.spybot.info/showthread.php?t=50804. Spybot resident detected jqs.exe (Java Quick Start) as the 2Search spyware immediately after I installed jre update 16 from a filehippo download, so I thought immediately that it is a false positive and I didn't delete the file or prevent it from running as suggested. At the same time as I was installing the jre, Spybot was doing its update, so it's possible that it was a false positive because of old resident code coupled with new detection rules, as Yodama said.
