Need User Feedback: Teatimer 1.6.6.32 False Positives

[rbaker01]

Possible False Possible with Zone Alarm Install

Hi
SpyBot Tea Timer reported a problem whilst I was installing Zone Alarm ISS Upgrade V9.1.008.00. Is this a false positive?
I've not reproduced this occurence as I've not re-installed the ZoneAlarm Upgrade. Details:-

* Operating System Windows Vista Home Premium SP2
* Browser FireFox 3.5.4
* Version of Spybot S&D i.6.2.46
* Latest updates -

[teatimer166.zip]
InstallDate=2009-03-30
ReleaseDate=2009-03-11
URL=http://www.spybotupdates.biz/updates/files/teatimer166.zip
LocalFile=C:\Program Files\Spybot - Search & Destroy\Updates\teatimer166.zip
UpdateName=TeaTimer update 1.6.6
Description=!TeaTimer update (1011 KB)

[advcheck163.zip]
InstallDate=2009-07-31
ReleaseDate=2009-07-29
URL=http://www.spybotupdates.com/updates/files/advcheck163.zip
LocalFile=C:\Program Files\Spybot - Search & Destroy\Updates\advcheck163.zip
UpdateName=Advanced detection library 1.6.3
Description=!Advanced detection routines update (784 KB)

[advcheck164.zip]
InstallDate=2009-09-20
ReleaseDate=2009-09-09
URL=http://www.spybotupdates.com/updates/files/advcheck164.zip
LocalFile=C:\Program Files\Spybot - Search & Destroy\Updates\advcheck164.zip
UpdateName=Advanced detection library 1.6.4
Description=!Advanced detection routines update (792 KB)
​

* where did the false positive occur? - on installing Zone Alarm Update V9.1.008.00
o Scan result? - N/A not a scan
o after fix? - N/A not a scan
o Spybot message at start of scan? - not N/A a scan
o Teatimer message when a program was executed? - details not noted but similar to that shown in your original post re an Adobe install
o not reachable/restricted website? - ????
o SDHelper popup? - ???

Log report read:-
05/11/2009 09:29:52 Allowed (based on user decision) value "ISW" (new data: ""C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"") added in System Startup global entry!
05/11/2009 09:29:53 Encountered and terminated 2Search in C:\Program Files\CheckPoint\ZAForceField\ForceField.exe!

Thanks
Richard

 

[Yodama]

Hi
SpyBot Tea Timer reported a problem whilst I was installing Zone Alarm ISS Upgrade V9.1.008.00. Is this a false positive?
I've not reproduced this occurence as I've not re-installed the ZoneAlarm

Hello I was also not able to reproduce this false positive, please try to restart the installation of Zone Alarm ISS Upgrade after restarting the TeaTimer.

restarting TeaTimer:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer


For the next update scheduled for Wednesday 2009-11-11 I have also added the digital signature for the ZoneAlarm update into our whitelist, just in case.

 

[rn5577]

Another False Postive (I think)

After the last update to Seek & Destroy, it decided to delete a bit of software called Netmeter. This only measures the upload & download rate of my internet connection (in graph form). So am wonder why..?!

PC OS Windows XP (SP3)
Mainly use Firefox (sometimes use IE8)

 

[Yodama]

After the last update to Seek & Destroy, it decided to delete a bit of software called Netmeter. This only measures the upload & download rate of my internet connection (in graph form). So am wonder why..?!

PC OS Windows XP (SP3)
Mainly use Firefox (sometimes use IE8)

Please restart TeaTimer as described above, if the false positive reoccurs please send the respective file to detections@spybot.info for analysis.

 

[jonny109]

I to have updated Spybot and have got the same problem as rn5577.Also when I got the error message it did not give me one file it indicated that it was the whole folder.

 

[acustomer]

FCEUX False Positive

Computer was running FCEUX emulator just fine, then after definition update this weekend it's getting flagged as "rbot.skp". This, clearly, caused a little flip out where the program was deleted and reinstalled from an archived copy but having the same issue. Since the old file should be fine, I am relatively sure this is a false positive. The spybot update occurred somewhere around Nov 21, 2009 but I am not sure how long it had been since the update before that.

Why must Spybot hate on classic NES?

 

[Yodama]

@acustomer

here you will receive more information on why the false positive happens with Rbot.skp

@jonny109

we require more information on your issue, the TeaTimer does not flag folders, it monitors registry changes and file execution. Here you will find information on how to provide more information so we can analyze this issue.

 

[jonny109]

Thank you Yodama for your advise and responce :bigthumb: I have done what your linked asked me to do. Should I upload the file to this fourm or should I send it to an email address?
thanks

 

[kentlowt]

I am getting a false positive on the file windows_server.exe which is the teamspeak server executable labeling it as Rbot.skp this happened right after an update the day of this post. I am currently running a scan. Running Zonealarm Security suite on a Vista box. Have to go home will send more info later.

 

[Yodama]

@jonny109
you can send the information to detections@spybot.info
attaching to the forums is also possible if the file size does not exceed the attachment limits for the forums.

@kentlowt
wait for the next detection udpate scheduled for Wednesday 2009-11-25 and restart the TeaTimer after the update, alternatively restart your computer after the update. This will fix the false positives regarding Rbot.skp.

 

[kentlowt]

Thank you.

 

[jonny109]

Yodama, I have sent my report to you via the email as requested.

 

[Graham_G]

JQS.EXE (Java Quickstart in version 18 ) false positive?

After an authentic-looking self-update by Java from V.17 to V.18 on 27th January 2010, A Spybot popup appeared and reported that it had identified the Java Quickstart Process JQS.EXE as Win32.Fraudload. Unfortunately, I can't send you the file as I allowed SBSD to delete it to be on the safe side.

I mention it only so that you can add it to any further reports you may get of SBSD reporting this file as malicious.

 

[XRaiderV1]

I updated to java 6 update 26 today, and within seconds of the update installing I got this.

Encountered and terminated Vario.AntiVirus in C:\Windows\SysWOW64\cmd.exe!

I believe this to be a false positive.

attached is also a hijackthis report.

spybot sd teatimer update was installed on 9/2/2011 version is 1.6.6.32.

--

Edit
How to report Possible False Positives
Reason log was removed: Please don't post Malware logs in the Spybot forums, thanks

 

[Yodama]

I updated to java 6 update 26 today, and within seconds of the update installing I got this.

Encountered and terminated Vario.AntiVirus in C:\Windows\SysWOW64\cmd.exe!

I believe this to be a false positive.

attached is also a hijackthis report.

spybot sd teatimer update was installed on 9/2/2011 version is 1.6.6.32.

Hello there is no Spybot S&D detection rule which detects the file. The information you provided on the file suggests that it is a legit file.

Since you are using another security software it is very likely that you are also using the live protection provided by that security software. In that case you should deactivate Teatimer since more than one live protection can cause low performance and like in this case errors during live protection scans.
The main scanners are usually not affected.

To disable the TeaTimer do the following:

start Spybot S&D
switch to advanced mode
navigate to tools - resident
uncheck the checkbox for Resident TeaTimer to shutdown TeaTimer and remove it from system start

 

[XRaiderV1]

thanks for the very much welcome reassurances that it was a false positive.

I'll have to keep teatimer active since my antivirus doesnt include a live resident shield service of any kind. (panda cloud antivirus basic protection)

I'll admit I panicked for a long moment when it spat out that false positive, lol.

anyways, thanks for the help and reassurances.

 

[jasoncollege24]

Don't know if you guys are still using this thread anymore for false positives by the teatimer, but I did have one today.

versions of the program are the same as mentioned in the first post of the thread. I can't remember when it was installed.

During a routine update of malwarebytes Anti-Malware, the teatimer popped up with a notice that it terminated c:\windows\system32\regsvr32.exe claiming that the file was part of "Moozy" and wanted to delete the file all together.

This is definitely a false positive as I checked the file mentioned, and it's the Microsoft Register Server installed with windows XP SP3. I also looked up Moozy on your forums, and that file is never mentioned as part of the removal process.

 

[Yodama]

Don't know if you guys are still using this thread anymore for false positives by the teatimer, but I did have one today.

versions of the program are the same as mentioned in the first post of the thread. I can't remember when it was installed.

During a routine update of malwarebytes Anti-Malware, the teatimer popped up with a notice that it terminated c:\windows\system32\regsvr32.exe claiming that the file was part of "Moozy" and wanted to delete the file all together.

This is definitely a false positive as I checked the file mentioned, and it's the Microsoft Register Server installed with windows XP SP3. I also looked up Moozy on your forums, and that file is never mentioned as part of the removal process.

did this issue reoccur after a reboot of the computer?

 

[jasoncollege24]

No and Spybot S&D found absolutely nothing when a scan was run.

 

[Yodama]

No and Spybot S&D found absolutely nothing when a scan was run.

Then this appears to be the TeaTimer bug which randomly occurs after updates without restarting the TeaTimer. A safe way restart the TeaTimer is to reboot the computer.
Since development of Spybot 1.6 has been ended in favor of Spybot 2, it is unlikely that this bug will be fixed.