Need User Feedback: Teatimer 1.6.6.32 False Positives

thanks for getting back....

I currently have no good news on this issue. Only a couple more similar reports.
These Teatimer false positives appear to be random. We may be needing a new version of Teatimer which gives us a bit more output, for instance the SBI ID.

Hmm interesting....I hope we can figure out what is going on here...
 
Why - when I right-click on the Resident SYSTRAY icon, then click on "Show Log" - doesn't anything happen?

No log shows up. Shouldn't it have since it terminated "PestCapture"?

Or have I just got a setting wrong somewhere?

Also, all the fields in the "Settings" box are empty - are they supposed to be that way? Pete
 
spy1, do you use CCleaner? If Spybot is ticked in CCleaner that explains why there is no TeaTimer logs coming up when you look for it.
 
False Positive with Keepass's Plugin KeeForm

Windows Vista Ultimate 64bit
Internet Explorer 7, Maxthon 2.5.1 (uses IE as a base), FireFox 3.0.8
Spybot S&D 1.6.2.46, Last update 3/25/2009
Teatimer message when using the plugin KeeForm with Keepass to auto-enter login info website.

Log for teatimer contains:
Code:
3/28/2009 10:16:24 AM Encountered and terminated Spambot.mib in D:\Program Files\KeePass Password Safe\KeeForm.exe!
3/28/2009 10:27:35 AM Encountered and terminated Spambot.mib in D:\Program Files\KeePass Password Safe\KeeForm.exe!

Picture of false positive:
falsepositivespybot.jpg


Keepass v1.15
Link to Keepass website: http://www.keepass.info/

Plugin: KeeForm v2.01
Link to KeeForm: http://keeform.sourceforge.net/
 
Yes indeed - I did have CCleaner set to clean all the SBS&D stuff, so that's where the log went. Thanks. Pete
 
Thank you for reporting this false positive.
KeeForm is not targeted and should not be detected as Spambot.mib.

This appears to be similar to other Teatimer FP issues since the recent Teatimer update. This thread will be merged with the other thread concerning this issue.
 
Keepass & keyform

I have also had the same issue with Keepass & KeeFORM. Thought it might be a problem with those 2 apps so have spent several [fruitless as it turns out] hours ensuring that neither of those 2 apps had been compromised - they weren't!

I just need to know how to resolve the problem - there doesn't seem to be any way to undo an action carried out by Spybot and there SHOULD BE :).
 
I was able to confirm the Keeform false positive, this will be fixed with the next detection update scheduled for 2009-04-22.

I just need to know how to resolve the problem - there doesn't seem to be any way to undo an action carried out by Spybot and there SHOULD BE
Most actions performed by Spybot S&D can be undone; there are just a couple of deletions which cannot be reverted. If you specify the issue you want to undo, I may be able to tell if it is possible with Spybot S&D.
 
False Positive?

Very recent clean Win XP Pro fully Service Packed, ie 8, only running MS Office. Was installing Acrobat Reader 9.1 for the first time using "open" from adobe installer page. Was running an Ad-Aware scan in the background. System tray also has SUPERAntiSpyware 4.26.1000 Core: 3589 Trace: 1811 and Trend Micro Client/Server Security Agent latest pattern 5.981.00. Also have Malwarebytes' Anti-Malware with latest updates. Spybot/SD resident is 1.6.2.0 ssp is 1.6.6.32. SD recommends Killing and Deleting...
 
Hello Wayne_D,

Please see the first post in this thread: http://forums.spybot.info/showpost.php?p=301405&postcount=1

please do the following:

* attach the detected file to an email to referencing this thread
* include the resident log to your email
* also include a full Spybot S&D report to your email (scan, then right-click scan result and select to save full report)
* state when you did the Teatimer update and if there were other parts of Spybot S&D updated as well (best attach the downloaded.ini located in C:\program files\Spybot - Search & Destroy\Updates)
* also state if you rebooted the computer after the update and if there were any error messages
* please also tell us if the false positive is reoccurring on your computer

Best regards. :)
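
An added example, not part of the original thread and not Spybot's own tooling: a small Python parser for the "Encountered and terminated" resident-log lines quoted in this thread, grouping terminations by detection name and file to show which ones recur. The function names are illustrative, and because the reports show three different date layouts the timestamp is kept as text.

```python
import re
from collections import defaultdict

# Resident-log lines copied from the reports in this thread. The "Allowed"
# line is not a termination and must be skipped by the parser.
SAMPLE_LOG = r'''
3/28/2009 10:16:24 AM Encountered and terminated Spambot.mib in D:\Program Files\KeePass Password Safe\KeeForm.exe!
3/28/2009 10:27:35 AM Encountered and terminated Spambot.mib in D:\Program Files\KeePass Password Safe\KeeForm.exe!
29.06.2009 09:45:15 Encountered and terminated Win32.Agent.Bbzv in C:\Programme\ERUNT\AUTOBACK.EXE!
03-10-2009 22:05:18 Allowed (based on user decision) value "swg" (new data: "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe") Changed in System Startup user entry!
03-10-2009 22:05:18 Encountered and terminated MorpheusToolbar in C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe!
'''

# Timestamp layout differs between reports, so it is captured as plain text.
TERMINATED = re.compile(
    r'^"?(?P<when>\S+ \d{1,2}:\d{2}:\d{2}(?: [AP]M)?) '
    r'Encountered and terminated (?P<detection>.+?) in (?P<path>.+?)!"?$'
)


def parse_terminations(log_text):
    """Return one dict per 'Encountered and terminated' line."""
    events = []
    for line in log_text.splitlines():
        match = TERMINATED.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def group_by_target(events):
    """Map (detection, lower-cased path) -> list of timestamps."""
    groups = defaultdict(list)
    for event in events:
        # Windows paths are case-insensitive, so normalise before grouping.
        groups[(event["detection"], event["path"].lower())].append(event["when"])
    return dict(groups)


def recurring(events):
    """Keep only targets terminated more than once."""
    return {k: v for k, v in group_by_target(events).items() if len(v) > 1}


if __name__ == "__main__":
    for (detection, path), times in group_by_target(parse_terminations(SAMPLE_LOG)).items():
        print(f"{detection:18} x{len(times)}  {path}")
```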
 
@Wayne_D

please make sure to have the most recent detection updates installed and restart the Teatimer or the computer after that update.
The adobe airshareinstaller.exe should be excluded by digital signature whitelist.
 
false positive?: erunt\autoback.exe

Hi, I have used erunt 1.1j for a long time, and teatimer never found anything.
I updated S&D yesterday (rules from 24.06.2009). Today I got a teatimer-message (autoback starts with a batch file and following command line:
C:\Programme\ERUNT\AUTOBACK.EXE %systemroot%\ERDNT\#Date#_#Time# /days:3 /alwayscreate /noconfirmdelete /noprogresswindow)

29.06.2009 09:45:15 Encountered and terminated Win32.Agent.Bbzv in C:\Programme\ERUNT\AUTOBACK.EXE!

My OS is windows XP home SP3. I send you autoback.exe attached as a zip file.
 
@rasmus

I can confirm the false positive with
C:\Programme\ERUNT\AUTOBACK.EXE

it will be corrected with the detection update scheduled for 2009-07-01,
after the update make sure to restart the TeaTimer or the computer.
 
False positive? Google Toolbar Updater

Hi
TeaTimer found this.
Log:
"03-10-2009 22:05:18 Allowed (based on user decision) value "swg" (new data: "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe") Changed in System Startup user entry!
03-10-2009 22:05:18 Encountered and terminated MorpheusToolbar in C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe!
03-10-2009 22:05:35 Allowed (based on user decision) value "swg" (new data: ""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"") Changed in System Startup user entry!"

JR
 
Hi Yodama

Spybot S&D was updated. I had just made a reinstall of Spybot S&D, and rebooted, a few hours earlier (keeping app-data). I didn't delete the file and I haven't had any warnings later.
The program, GoogleToolbarNotifier.exe, has a valid certificate. That is why I think it was a false positive.

JR
 
Thank you for this additional information. If you have not done so, please email the GoogleToolbarNotifier.exe to detections@spybot.info with a reference to this thread so we can check if the file has a new digital signature which needs to be added to our white list.
 
Hi Yodama

First I apologize for mixing up two programs. As I wrote in my first post it was "GoogleUpdaterService.exe" not "GoogleToolbarNotifier.exe" that caused the warning.
I have just sent the program to you.
If anything like this should happen again with another program, wouldn't it be easier just to send the certificate instead of the program? If so, which format would you prefer?

JR
 
Thank you for sending in the file, I have checked the digital signature and the file and added the signature to our white list.

In similar cases it would be better to send in the whole file and not only the certificate. Depending on the certificate, it is not only important that the certificate itself is valid; it is also important that the certificate belongs to the file it was attached to.
Having the file in question also allows us to check for a reason why it was flagged falsely in the first place.
 