Spybot Search & Destroy

Discussion in 'other anti-malware software' started by dallen, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    I'm getting something strange with Spybot Search & Destroy. I have Symantec's Norton AV on my system and this file is associated with that software (I believe). Why would Spybot want to delete this NAV file? Why is it identifying this file as FunWebProducts? Please see the screenshot that follows and tell me what I need to do to find out what's going on. Thanks
     

    Last edited by a moderator: Jun 29, 2004
  2. dog

    dog Guest

    Hi Dallen, ;)

    That's the teatimer alerting you to a "blacklisted" process ... it may be just a F/P ... NMain.exe ... is that the Norton System Works main UI .exe ... it has also generated a F/P with the Ewido Updater. If you're sure it's a safe process, unselect delete file, and select allow ... if you later need to remove the entry ... go to Doc & settings/all users/Spybot/excludes -> open ProcWhite.sbe with notepad, delete the specific entry and resave.

    HTH,

    dog - *puppy*

    ps. you should also post your findings at NI in the Spybot 1.X forum - so Team Spybot and Patrick are aware of this issue.
     
  3. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    dog,
    Thanks for the help.
    Sorry, but what is a F/P?
    Yes, I believe it is.
    What is NI and where is that forum?
    It also gave me the following when I clicked on the One Button Check within System Works:
     

    Last edited by a moderator: Jun 29, 2004
  4. klinkers

    klinkers Guest

  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,905
    Location:
    Texas

    Net-Integration forum here
     
  6. dog

    dog Guest

    Hi Dallen, ;)

    F/P = False/Positive

    They're definitely F/P's then ... all of Norton's Products seem to contact one of their servers when you access them while online (I'm not sure of the purpose). I have always blocked those communication attempts, and rarely ever use System Works while online. I guess Spybot's picking up this process as some kind of Phone Home.

    Net Integration Forums

    HTH, ;)

    dog - *puppy*
     
  7. dog

    dog Guest

    Hi Dallen, ;)

    Just to add to my above post ... I tried to duplicate your findings but couldn't ... ~strange~ What version of System Works are you using? (I'm using 2003 Pro.)

    I thought maybe the Ewido entry I mentioned above (which is also found as a Fun Web Products process) may be affecting this ... edited ProcWhite.sbe and deleted that entry ... still no dice. I can't see FW blocks preventing the catch ... I deleted those 2 blocks ... still no dice. It could have been corrected with one of the updates ... latest updates are 06/23/2004 ... Are yours the same? ... I also take the beta updates ... hmmm ... I'll look into that. If you post at NI could you please post a link in this thread ... so we can follow along ... you could also post a link in your NI post linking to this thread.

    HTH, ;)

    dog - *puppy*
     
  8. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    dog,
    Once again thanks for the continued support on this issue. I did as you asked and registered with Net-Integration Forums and started a thread there. I have Norton System Works 2004 Pro. Here is the link that you requested:

    Net-Integration Forum Thread
     
  9. dog

    dog Guest

  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Damn...you're too quick on your responses. I got the URL and the text backwards. I fixed it, but you replied too quickly.
     
  11. dog

    dog Guest

    Hi Dallen, ;)

    What update def's have you got? (located under info & lic - advance mode)

    What did you select when you got the Tea-Timer PopUp? Did you leave delete ass' file checked?

    Could you try running those two process again ... once online, once offline?

    dog - *puppy*

    Ps. Bubba (Global Mod) is pretty good with this sort of thing ... hopefully he'll comment on this thread ... LWM also has a vast knowledge. ;)
     
  12. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    2004-06-23
    I haven't selected anything yet. I just left the 2 windows open. They are still waiting for my response.
    I'm never offline, that's the problem. I have cable modem and when my computer is on, I'm online. I could manually disconnect it, but I would rather not.

    To add some additional information: NMain.exe is a protected process within Diamond CS's Process Guard, and in its log there are 3 separate attempts (all today within minutes of one another) to gain terminate access that teatimer.exe has made against NMain.exe.
     
    Last edited: Jun 27, 2004
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey dallen,

    I do not have much to add to the wonderful help you have received from dog other than to check the properties of the files in question. If they indeed are legit....I would suggest selecting Allow this process to run in Spybot. I would then follow that with an update to your post @ Net-Integration reflecting your findings. I would also suggest via the Spybot program Advanced mode\Tools\Bug Report detailing your findings concerning this False Positive.
     
  14. dog

    dog Guest

    Hi Dallen, ;)

    The directions are in Post 2 ... if you should ever have to undo that allow ... Sorry, I just noticed you edited your post with that additional info; I wasn't aware they were still sitting there. I would allow the process, uncheck delete the assoc' file as Bubba suggested. ;)

    Thanks Bubba, ;)

    dog - *puppy*
     
  15. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Sorry to be a pain, but I'm confused now. I wanted to check the legitimacy of the files in question. So I went into the Windows Search function and searched all files for "NMain.exe". I found 3 items. How do I know which NMain.exe is being referred to by SBS&D? A search for "OBC.exe" found 6 items. Here are 2 screenshots of the files:
     

    Last edited by a moderator: Jun 29, 2004
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If you make a selection in the pop-up window....preferably Inform me again....now that you're showing 3 items....you should see the location Spybot is referring to via its Report function.
     
  17. dog

    dog Guest

    Hi Dallen, ;)

    It is Nmain.exe ... program/common/symantec - 610kb & OBC ... program/system works - 454kb

    If you click the properties of those others ... they're MSDOS files/shortcuts ... you can double click the two pointed out above and they will load the Main UI & One button check respectively.

    HTH, ;)

    dog - *puppy*

    Ps. I have all the same entries ... I'm using TDS too! Actually Diamond's whole line up.
     
  18. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    It's fixed!!! I think. I uninstalled SB S&D and cleared the includes folder, then reinstalled and updated. Now the problem seems to have disappeared. Thanks Bubba and dog.
    I have PE, PG, TDS, and WG. I haven't seen a need for CS, but maybe that's because I don't know much about it and its functionality yet.
     
  19. dog

    dog Guest

    Hi Dallen, ;)

    I'm pretty certain those are just F/P's ... select "allow" ... remember, you always have the option of reversing that decision.

    Please let us know what you've decided. And will keep a tab on your NI thread. ;)

    dog - *puppy*

    *edit* - This time you beat me to the punch! :D ;) ... Glad it's been straightened out!

    My Pleasure! ;)
     
  20. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    I had selected "tell me next time" (or whatever that option said), so every time I would load the UI that warning would appear, then when I would select One Button Checkup, the OBC.exe warning would appear. However, since the reinstallation, those warnings no longer appear.
     
  21. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Hi Dallen,
    I had analogous problems with S&D resident:
    https://www.wilderssecurity.com/showthread.php?t=36699
    https://www.wilderssecurity.com/showthread.php?t=37030

    and with wormguard creating zerobytes:

    https://www.wilderssecurity.com/showthread.php?t=22198
    https://www.wilderssecurity.com/showthread.php?t=8913
    https://www.wilderssecurity.com/showthread.php?t=36523

    There are more threads, but I think this is sufficient to get an idea, isn't it?
    I hope this information was useful and not "offtopic". ;)
     
  22. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I notice Spybot S&D has been having a few FP's lately. Are there any unresolved bugs in the program?
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Not really; unlike other applications of its kind, SpyBot actually issues public beta definitions before making the final ones available.

    That's what beta testing is for...to find bugs, and if you configure SpyBot to ignore Beta definitions and stick to the final ones you'll find that you'll actually get remarkably few False Positives...
     