Results 1 to 7 of 7

Thread: I let it delete dw20.exe not sure if it was false or not

  1. #1
    Junior Member
    Join Date
    Nov 2012
    Posts
    5

    Default I let it delete dw20.exe not sure if it was false or not

    Well apparently it detected the process "dw20.exe" and it asked me if it should kill and delete it or not. I said yes, seeing as I really had never seen the process before.

    I looked it up and found out that it belongs to Microsoft Office's error reporting service. Though, at least according to file.net, it may be malware masked as dw20.exe, seeing as it was in the WINDOWS directory. Granted file.net was the only site that even mentioned that possibility. I'll also note this occurred during a windows update.

    Unfortunately whatever file it caught is not in Recovery so I cannot really get it back...

    Also I didn't realize that Spybot actively checked processes...

  2. #2
    Junior Member
    Join Date
    Nov 2012
    Posts
    5

    Default

    Okay I checked "C:\Program Files\Common Files\Microsoft Shared\DW\" and dw20.exe is not there. Perhaps I was too tired to really remember the location of the detection.

    So yes, it must have been false. Too bad it deleted it with no way to get it back, which is... weird.

    I know that I basically see Dr. Watson (as the program's full name is called) running for no reason on various computers in the past. I hope I haven't wrecked Microsoft Office...

  3. #3
    Junior Member
    Join Date
    Nov 2012
    Posts
    5

    Default

    Windows update is unable to download the latest security update. Lovely. I may actually have an infection after all.

    Edit: Hmmn. Actually I tried using Windows Update through Microsoft's site and it says: "Download size: 0 KB , 0 minutes"

    Could the update be broken?
    Last edited by VicVegas; 2012-11-15 at 14:44.

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,492

    Default

    Hello VicVegas,

    Information on How to report Possible False Positives

    For assistance with an infection start a topic in the Malware Removal Forum and a volunteer analyst will advise when available.

    First see that forum's FAQ which also includes instructions in post #2 on how to provide DDS/aswMBR logs, which are the logs used in the preliminary analysis.
    http://forums.spybot.info/showthread.php?t=288

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Junior Member
    Join Date
    Nov 2012
    Posts
    5

    Default

    I checked and it seems I may not be the only person having the problem with MS Updates. Even better, I may have to reinstall .NET Framework altogether. Great.

    OS: Windows XP Media Center Edition, Version 2002, Service Pack 3

    Browser: FireFox 16.0.2

    Spybot Version: Don't know, I foolishly updated and scanned after it occurred.

    Where did the false positive occur: Teatimer message.

    No log was produced because it wasn't from a scan...

  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    without the dw20.exe file in question I cannot confirm the false positive.
    TeaTimer is not supposed to delete files belonging to Windows.

    One way to recover the lost dw20.exe would be to perform a Windows repair installation
    however this will take a long time and may require patches and service packs to be reinstalled.

    Since Doctor Watson is only necessary for Windows error reporting, I am not sure if it is worth the trouble.

    If you suspect an infection please provide the information Tashi requested.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  7. #7
    Junior Member
    Join Date
    Nov 2012
    Posts
    5

    Default

    The only reason I would assume it would catch dw20.exe is because it's OLD and as far as I know it isn't even used in newer versions of Office. Or it's not in the same location for newer versions anyway. I didn't find it on my Windows Vista or 7.

    Like I said, I checked for where the real one should be for my version of Office and it isn't there, so I can only assume it was the legit file. I'll have to be more careful next time I get one of those messages.

    None of my five scanners have so much as picked up a trace so I'll assume there's no infection. A few weird things here and there but most likely unrelated.

    Moving on then...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •