Yet Unverified: I let it delete dw20.exe not sure if it was false or not

Well apparently it detected the process "dw20.exe" and it asked me if it should kill and delete it or not. I said yes, seeing as I really had never seen the process before.

I looked it up and found out that it belongs to Microsoft Office's error reporting service. Though, at least according to file.net, it may be malware masked as dw20.exe, seeing as it was in the WINDOWS directory. Granted file.net was the only site that even mentioned that possibility. I'll also note this occurred during a windows update.

Unfortunately whatever file it caught is not in Recovery so I cannot really get it back...

Also I didn't realize that Spybot actively checked processes...

Okay I checked "C:\Program Files\Common Files\Microsoft Shared\DW\" and dw20.exe is not there. Perhaps I was too tired to really remember the location of the detection. :laugh:

So yes, it must have been false. Too bad it deleted it with no way to get it back, which is... weird.

I know that I basically see Dr. Watson (as the program's full name is called) running for no reason on various computers in the past. I hope I haven't wrecked Microsoft Office... :blink:

Windows update is unable to download the latest security update. Lovely. I may actually have an infection after all. :sad:

Edit: Hmmn. Actually I tried using Windows Update through Microsoft's site and it says: "Download size: 0 KB , 0 minutes"

Could the update be broken?

Hello VicVegas,

Information on How to report Possible False Positives

For assistance with an infection start a topic in the Malware Removal Forum and a volunteer analyst will advise when available.

First see that forum's FAQ which also includes instructions in post #2 on how to provide DDS/aswMBR logs, which are the logs used in the preliminary analysis.
http://forums.spybot.info/showthread.php?t=288

Best regards.

I checked and it seems I may not be the only person having the problem with MS Updates. Even better, I may have to reinstall .NET Framework altogether. Great.

OS: Windows XP Media Center Edition, Version 2002, Service Pack 3

Browser: FireFox 16.0.2

Spybot Version: Don't know, I foolishly updated and scanned after it occurred.

Where did the false positive occur: Teatimer message.

No log was produced because it wasn't from a scan...

hello,

without the dw20.exe file in question I cannot confirm the false positive.
TeaTimer is not supposed to delete files belonging to Windows.

One way to recover the lost dw20.exe would be to perform a Windows repair installation
however this will take a long time and may require patches and service packs to be reinstalled.

Since Doctor Watson is only necessary for Windows error reporting, I am not sure if it is worth the trouble.

If you suspect an infection please provide the information Tashi requested.

The only reason I would assume it would catch dw20.exe is because it's OLD and as far as I know it isn't even used in newer versions of Office. Or it's not in the same location for newer versions anyway. I didn't find it on my Windows Vista or 7.

Like I said, I checked for where the real one should be for my version of Office and it isn't there, so I can only assume it was the legit file. I'll have to be more careful next time I get one of those messages.

None of my five scanners have so much as picked up a trace so I'll assume there's no infection. A few weird things here and there but most likely unrelated.

Moving on then... :shrug: