Spybot Search & Destroy

Discussion in 'other anti-malware software' started by dallen, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I'm getting something strange with Spybot Search & Destroy. I have Symantec's Norton AV on my system and this file is associated with that software (I believe). Why would Spybot wand to delete this NAV file? Why is it identifying this file as FunWebProducts? Please see the screenshot that follows and tell me what I need to do to find out what's going on. Thanks
     

    Attached Files:

    Last edited by a moderator: Jun 29, 2004
  2. dog

    dog Guest

    Hi Dallen, ;)

    That's the teatimer alerting you to a "blacklisted" process ... it maybe just a F/P ... NMain.exe ... is that the Norton System Works main UI .exe ... it has also generated a F/P with the Ewido Updater. If you sure it's a safe process unselect delete file, and select allow ... if you later need to remove the entry ... goto Doc & settings/all users/Spybot/excludes -> open ProcWhite.sbe with notepad, delete the specific entry and resave.

    HTH,

    dog - *puppy*

    ps. you should also post your findings at NI in the Spybot 1.X forum - so Team Spybot and Patrick are aware of this issue.
     
  3. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    dog,
    Thanks for the help.
    Sorry, but what is a F/P?
    Yes, I believe it is.
    What is NI and where is that forum?
    It also gave me the following when I clicked on the One Button Check within System Works:
     

    Attached Files:

    Last edited by a moderator: Jun 29, 2004
  4. klinkers

    klinkers Guest

  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas

    Net-Integration forum here
     
  6. dog

    dog Guest

    Hi Dallen, ;)

    F/P = False/Positive

    They're definitely F/P's then ... all of Norton's Products seem to contact one of their servers when you access them while online (I'm not sure of the purpose) I have always blocked those communication attempts, and rarely ever use System Works will online. I guess Spybot's picking up this process as some kind of Phone Home.

    Net Intergration Forums

    HTH, ;)

    dog - *puppy*
     
  7. dog

    dog Guest

    Hi Dallen, ;)

    Just to add to my above post ... I tried to duplicate your findings but couldn't ... ~strange~ What version of System Works are you using? (I'm using 2003 Pro.)

    I tough maybe the Ewido entry I mention above (which is also found as a Fun Web Products process), maybe effecting this ... edited ProcWhite.sbe and deleted that entry ... still no dice. I can't see FW blocks preventing the catch ... I deleted those 2 blocks ... still no dice. It could have been corrected with one of the updates ... latest updates are 06/23/2004 ... Are yours the same? ... I also take the beta updates ... hmmm ... I look into that. If you post at NI could please post a link in this thread ... so we can follow along ... you could also post a link in your NI post linking to this thread.

    HTH, ;)

    dog - *puppy*
     
  8. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    dog,
    Once again thanks for the continued support on this issue. I did as you asked and registered with Net-Integration Forums and started a thread there. I have Norton System Works 2004 Pro. Here is the link that you requested:

    Net-Integration Forum Thread
     
  9. dog

    dog Guest

  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Damn...you're too quick on your responses. I got the URL and the text backwards. I fixed it, but you replied too quickly.
     
  11. dog

    dog Guest

    Hi Dallen, ;)

    What update def's have you got? (located under info & lic - advance mode)

    What did you select when you got the Tea-Timer PopUp? Did you leave delete ass' file checked?

    Could you try running those two process again ... once online, once offline?

    dog - *puppy*

    Ps. Bubba (Global Mod) is pretty good with this sort of thing ... hopefully he'll comment on this thread ... LWM also has a vast knowledge. ;)
     
  12. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    2004-06-23
    I haven't selected anything yet. I just left the 2 windows open. They are still waiting for my response.
    I'm never offline, that's the problem. I have cable modem and when my computer is on, I'm online. I could manually disconnect it, but I would rather not.

    To add some additional information. NMain.exe is a protected process within Diamond CS's Process Guard and in its log there are 3 seperate attempts (all today within minutes of one another) to gain terminate access that teatimer.exe has made against NMain.exe.
     
    Last edited: Jun 27, 2004
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey dallen,

    I do not have much to add to the wonderful help you have received from dog other than to check the properties of the files in question. If they indeed are legit....I would suggest selecting Allow this process to run in Spybot. I would then follow that with an update to your post @ Net-Integration reflecting your findings. I would also suggest via the Spybot program Advanced mode\Tools\Bug Report detailing your findings concerning this False Positive.
     
  14. dog

    dog Guest

    Hi Dallen, ;)

    The directions are in Post 2 ... if you should ever have to undo that allow ... Sorry I just noticed you edited your post with that addition info, I wasn't aware they were still sitting there. I would allow the process, uncheck delete the assoc' file as Bubba suggested. ;)

    Thanks Bubba, ;)

    dog - *puppy*
     
  15. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Sorry to be a pain, but I'm confused now. I wanted to check the legitimacy of the files in question. So I went into the Windows Search function and searched all files for "NMain.exe" I found 3 Items. How do I know which NMain.exe that is being referred to by SBS&D? A search for "OBC.exe" found 6 itmes. Here are 2 screenshots of the files:
     

    Attached Files:

    Last edited by a moderator: Jun 29, 2004
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If you make a selection in the pop-up window....preferably Inform me again....now that your showing 3 items....you should see the location Spybot is referring to via it's Report function.
     
  17. dog

    dog Guest

    Hi Dallen, ;)

    It is Nmain.exe ... program/common/symantec - 610kb & OBC ... program/system works - 454kb

    If you click the properties of those others ... there MSDOS files/shortcuts ... you can double click the two point out above and they will load the Main UI & One button check respectively.

    HTH, ;)

    dog - *puppy*

    Ps. I have all the same entries ... l'm using TDS too! Actually Diamonds whole line up.
     
  18. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    It's fixed!!! I think. I uninstalled SB S&D and cleared the includes folder, then reinstalled and updated. Now the problem seems to have disappeared. Thanks Bubba and dog.
    I have PE, PG, TDS, and WG. I haven't seen a need for CS, but maybe that's because I don't know much about it and it's functionality yet.
     
  19. dog

    dog Guest

    Hi Dallen, ;)

    I'm pretty certain those are just F/P's ... select "allow" ... remember, you always have the option of reversing that decision.

    Please let us know what you've decided. And will keep a tab on your NI thread. ;)

    dog - *puppy*

    *edit* - This time you beat me to the punch! :D ;) ... Glad it's been straighten out!

    My Pleasure! ;)
     
  20. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I had selected "tell me next time" (or whatever that option said), so every time I would load the UI that warning would appear, then when I would select One Button Checkup, the OBC.exe warning would appear. However, since the reinstallation, those warnings no longer appear.
     
  21. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Hi Dallen,
    I had analogous problems with S&D resident:
    https://www.wilderssecurity.com/showthread.php?t=36699
    https://www.wilderssecurity.com/showthread.php?t=37030

    and with wormguard creating zerobytes:

    https://www.wilderssecurity.com/showthread.php?t=22198
    https://www.wilderssecurity.com/showthread.php?t=8913
    https://www.wilderssecurity.com/showthread.php?t=36523

    there are more threads, but i think this is sufficient to get an idea, isn't?
    I hope this information was useful and not "offtopic". ;)
     
  22. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I notice Spybot S&D has been having a few FP's lately. Are there any unresolved bugs in the program?
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Not really; unlike other applications of its kind, SpyBot actually issues public beta definitions before making the final ones available.

    That's what beta testing is for...to find bugs, and if you configure SpyBot to ignore Beta definitions and stick to the final ones you'll find that you'll actually get remarkably few False Positives...
     
Loading...
Thread Status:
Not open for further replies.