McAfee 4368 Virus Definitions detects Spywareblaster components as a virus

Discussion in 'SpywareBlaster & Other Forum' started by Hammertail, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. Doh!

    Doh! Guest

    Here's the promised post: I got a reply from McAfee with an extra.dat file to work around this problem. Sbautoupdate.exe is not infected. McAfee VirusScan has detected a false positive. They said that it would be fixed in the next DAT release. I don't have a way to share this file with everyone (not that you should trust some stranger with a random file).

    They were quick to send me the extra.dat. I sent in the suspected file at 10:23 AM EST and I received the fix at 1:07 PM EST. I've tested the fix and it seems to work.

    Here's part of McAfee's reply after reviewing the sbautoupdate.exe file I sent them:

    > Thank you for submitting your suspicious file.

    > Synopsis -

    > Our Senior Virus Research Engineers have examined the file in question and
    > no virus was found.

    > Solution -

    > Attached is an extra.dat with correct detection. This correction will be
    > included in the next DAT update.

    PS javacool, thanks for all your hard work in the products you put out there for our free use. Keep up the good work. To this day I've never had a problem with SpywareBlaster.
     
  2. snapdragin

    snapdragin Registered Member

    Joined: Feb 16, 2002 | Posts: 8,415 | Location: Southern Ont., Canada

    Good to hear, Doh!

    Thanks for your help, and for letting us know. :D

    Regards,

    snap
     
  3. Hammertail

    Hammertail Guest

    McAfee just released their 4369 Virus Definitions that fix the Spyware Blaster false positive issue:

    The 4369 dat files are being released early due to an incorrect identification in the 4368 dat files.

    The 4368 dat files are incorrectly identifying:
    Dcpp.exe, from securstar.com
    Server.exe - access-remote-pc.com
    SlingoDeluxe.exe - Shockwave.com
    Armadillo.exe - The Silicon Realms Toolworks
    GE2001.exe - Xinox Software
    MagicInlay.exe, from shockwave.com
    SBautoupdate.exe, from javacoolsoftware.com
    HotfixManager.exe, from majorgeeks.com
    Timesheets.exe, from timesheetsmts.com as being W32/Gaobot.worm.gen.e.

    If you are not seeing this incorrect identification within your environment there is no need to update your dat files to this new release.

    The 4369 dat files have been posted to the initial NAI servers as of 18:30 GMT, on 06/24/2004. Please allow up to an hour from this posting time for the dat files to be available on all download servers worldwide.

    The various 4369 dat file packages can be found at <http://www.networkassociates.com/us/downloads/updates/>.
     
  4. Xaq

    Xaq Registered Member

    Joined: Mar 5, 2004 | Posts: 33 | Location: My House, it's on that street with the thing

    I know Dread, just messin around :D
     
  5. dread

    dread Registered Member

    Joined: May 18, 2004 | Posts: 195
  6. Hammertail

    Hammertail Guest

    Dread, you're a day late and a dollar short. Take a look two posts up. (2:01pm)
     
  7. arereal

    arereal Registered Member

    Joined: Jun 24, 2004 | Posts: 1

    Thanks very much for the info guys, I'm all sorted after reading this forum.

    -J
     
  8. Peeved McAfee User

    Peeved McAfee User Registered Member

    Joined: Jun 24, 2004 | Posts: 76

    I didn’t get a reply from McAfee VirusScan. However, it looks like McAfee fixed their problem.

    Corrective action:

    (1) Download McAfee DAT 4.0.4369 (6/24/2004).
    (2) Reinstall SpywareBlaster 3.1.
    (3) Run (Execute) SpywareBlaster 3.1.
    (4) In SpywareBlaster - Download Latest updates to bring the definition files up to date (6/23/04).

    Peeved McAfee User
    :blink:
     
    Last edited: Jun 24, 2004
  9. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 18,278 | Location: New England

    Well, it is unfortunate, but these things do happen. I don't know of any anti-virus program that hasn't had a false positive in a legitimate program at some time or another. The important thing is they did respond and did fix it.
     
  10. fhurst

    fhurst Registered Member

    Joined: Mar 8, 2004 | Posts: 1 | Location: TallaBama

    Same thing happened to me.

    How in the world can we submit a sample if McAssy keeps deleting the file they want us to submit? You think it would do any good to tell them to install Spyware Blaster and see for themselves how "asinine" (Mindless or Vacuous) the request for samples is.
     
  11. drbillie

    drbillie Registered Member

    Joined: Jun 23, 2004 | Posts: 5

    Here is my email back from McAfee last night. Did not work:

    Dear James,

    Thank you for contacting McAfee Consumer Online Support. My name is Samuel. Having reviewed your e-mail regarding removing the infected files from your computer; I would be happy to support you in resolving this issue.

    To check/remove the virus you need to disable the system restore feature of Windows XP then boot your computer in Safe Mode and then run a scan on your computer with the help of McAfee VirusScan.
    Please also install the Adware removal program on your computer. We are suggesting this software as we believe it will resolve your issue; however, it is a third party software and we do not support it nor can we be held responsible for its results.
    1. You can get a free version of Adware from http://www.lavasoft.de/support/download
    2. Once downloaded and installed, please try running the updater of the program, to make sure it has all updates that are available.
    3. After doing that, go ahead and run the program. This will detect pretty much any Spyware and Adware that's on your machine. If you need help with the Adware program, you'll have to go to http://www.lavasoft.de/support, but it's a very easy program. After running this and removing everything that the Adware is detecting,

    Click on the link below for the instructions to disable the system restore feature.
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

    Click on the link below for the instructions to boot your computer in Safe Mode.
    http://ts.mcafeehelp.com/faq3.asp?docid=68053

    I hope that I've answered your questions effectively. If not, feel free to contact support again. Please include all previous correspondence when replying.

    You may receive a survey from McAfee in the next couple of days that will give you an opportunity to provide feedback on the support I've offered. This information will be used to further improve our support. The survey will provide an "Assigned Technician" number and the scores will be tied to my technician number: 36486.

    Regards,
    Samuel S.
    Technical Support Agent
    McAfee Online Technical Support
    JHI1001

    Like others, mine just had autoupdate deleted, but worked fine otherwise.

    GOOD NEWS. MCAFEE RELEASED 4369 TODAY, AND I REINSTALLED SPYWAREBLASTER, IT WORKS FINE, I SCANNED ITS FILE WITH MCAFEE AND FOUND NO WORM. LOOKS LIKE A MCAFEE ERROR THAT THEY CORRECTED IN 24 HOURS.
    :D
    JIM
     
  12. MikeBCda

    MikeBCda Registered Member

    Joined: Jan 5, 2004 | Posts: 1,627 | Location: southern Ont. Canada

    One hard-learned lesson out of this mess -- I'd be very leery of using any a-v which auto-deletes what it finds and doesn't give you other options like quarantining.

    Probably every a-v in the world comes up with some false-positives once in a while, we all know that. But auto-deletion is a "cure" almost worse than the disease in such a case.
     
  13. Stuart Foote

    Stuart Foote Guest

    Looks like McAfee is working on new DAT

    Here is Tech note from McAfee KB

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101447

    --Update 06/24/2004
    An incorrect identification of some modified ASPacked files as W32/Gaobot.worm.gen.e has been identified in the 4368 DAT files. The 4369 DAT files are being released to resolve this incorrect identification.

    The following files have been submitted to AVERT

    Dcpp.exe, from securstar.com
    Server.exe - access-remote-pc.com
    SlingoDeluxe.exe - Shockwave.com
    Armadillo.exe - The Silicon Realms Toolworks
    GE2001.exe - Xinox Software
    MagicInlay.exe, from shockwave.com
    SBautoupdate.exe, from javacoolsoftware.com
    HotfixManager.exe, from majorgeeks.com
    Timesheets.exe, from timesheetsmts.com
     
  14. Okay....Mine didn't go very smooth!! I did everything as indicated and now I have lost all English language after I rebooted the machine. I did a virus scan and it found multiple infected files.
     
  15. Stuart Foote

    Stuart Foote Guest

    Loaded the McAfee 4369 DAT and recovered copy of sbautoupdate.exe

    I was not a subscriber so I'm not sure if account needs to be reestablished for those users that are.
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 18,278 | Location: New England

    I'm not sure what you mean VPU? This was a McAfee false positive so there were no "real" infected files involved at all. If you have the new 4369 defs and they turn up infections in other files, then it is not the same issue as is being discussed here. Maybe you've found real infected files or maybe you are seeing other false positives. You'll need to provide more details. If these are not related to SpywareBlaster, then start a new thread in say "viruses and worms" or "trojans and backdoors".
     
  17. G. V. Rama Rao

    G. V. Rama Rao Registered Member

    Joined: Jun 27, 2004 | Posts: 2

    I too have gone through all the convulsions reported in this thread and updated with McAfee 4369 Dat file.

    However, I'm unable to find 'sbautoupdate.exe' file on my computer. This I checked through 'Search,' with folder option to show all files.

    What should I do now? Do I have to uninstall SpywareBlaster, download again and re-install, or is there a way to work around this problem?

    Hope some of you can help me.

    Rama Rao
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 18,278 | Location: New England

    Well, unfortunately that is the result if you were affected by the McAfee false positive. It deleted that file on you so you won't be able to find it now. The only way to restore it (if you don't have a system backup available) would be to reinstall SpywareBlaster.

    However, that program is only the auto-updating module. If you aren't using that, which is a separate pay option anyway, you don't actually need to bother restoring that file. If you did license the auto-update service, then reinstalling would be necessary.
     
  19. G. V. Rama Rao

    G. V. Rama Rao Registered Member

    Joined: Jun 27, 2004 | Posts: 2

    Oh! Thank you, for you relieved me of a lot of bother.

    Rama Rao
     
  20. Mike Candelori

    Mike Candelori Registered Member

    Joined: Jun 27, 2004 | Posts: 1

    I have been trying to download Spyblaster 3.1 with no success. I use McAfee ver 8.0. I receive an error message that reads; "This program has been damaged by a bad sector of the hard disk or a virus. Please reinstall it." I have tried everything that is recommended on your web site.
     
  21. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 18,278 | Location: New England

    That's actually not the error that was associated with the McAfee false positive... The error you mention is explained in this three-page thread:

    https://www.wilderssecurity.com/showthread.php?t=26534

    Within that thread are many user supplied fixes and work-arounds for this problem. And on the third page is a link to a German site that offers a file download that may automatically fix the problem. (It's near a 100% solution if you first download, install and update Ad-aware to latest levels, run a full Ad-aware scan first then immediately run the download fix file from that site.) So it may take a little research and work to resolve this yourself. The other option is that Javacool is trying to automate the cleanup of the base infection that causes this error, and he might include that in the next version of SpywareBlaster.
     