Author Topic: ===> False Positives <===  (Read 82212 times)


Reply #255 by Curson (Global Moderator) on December 11, 2017, 04:37:02 pm
Re: ===> False Positives <===
Hi Twixxin,

Welcome to Adlice.com Forum.
RogueKiller is detecting the Malwarebytes malware database.

This issue has been fixed when MBAM is installed in the standard location, but since you run it from the D: drive, the detection is still present.

Regards.

Reply #256 by khuntim (Newbie) on December 12, 2017, 09:26:20 am
Anydesk? I have been using it...

Reply #257 by Curson (Global Moderator) on December 12, 2017, 02:35:28 pm
Hi khuntim,

This false positive should be fixed in the latest RogueKiller version.
Could you please make sure you are using V12.11.28?

Regards.

Reply #258 by tch (Newbie) on December 14, 2017, 04:08:38 am
Hi. This Windows 7 PC presents no performance or usage issues, but MsMpEng.exe is showing as high risk. I am 99% certain this is simply a false positive, like the Malwarebytes false positive earlier in this thread, though I would greatly appreciate confirmation. I will provide some details of what I have done, and after that will follow the RK text file.

If all you need is the text file then you can simply proceed to it and do not need to read anything I have written below!  :)  It is all simply details surrounding this which you may not need.

The RogueKiller version I am using is "12.11.28.0 (up to date)", I have tried portable and non-portable modes.  The MsMpEng.exe (definition is 1.259.284.0 from 12/13/2017) shows as such within RogueKiller:

Detection: Root.Wajam | Adw.Elex
Type: Process
Path: [6380] MsMpEng.exe, c:\Program Files\Microsoft Security Client\MsMpEng.exe
(yes, the 6380 above is the proper MSE PID, or at least it's the PID of that specific file.)

I uploaded the copy of MsMpEng.exe to VirusTotal and it was found very clean.

Uninstalling and reinstalling MSE seemed to resolve this entry.  However, once I had re-downloaded the definitions for MSE, and then re-scanned with RogueKiller, the entry returned to RogueKiller.

I ran RKill, TDSS Killer (with verify digital signatures and also detect TDLFS), Malwarebytes, Malwarebytes Anti-Rootkit, AdwCleaner and System File Checker (sfc /scannow), all of which found various PUPs but nothing serious that I could tell.

I tried also removing the process via RogueKiller, and this resulted in the MsMpEng.exe process being successfully killed.  MSE immediately threw up a message asking me to reactivate it.

I tested this on a different PC and the behavior was the same, without definitions MsMpEng.exe scanned fine and with definitions scanned dirty.  On Windows 10 it appears to not occur for what it is worth.


Here is the text file showing the MsMpEng.exe detection, any verification you can provide will be very much appreciated!


RogueKiller V12.11.28.0 (x64) [Dec 11 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : tch [Administrator]
Started from : C:\Users\tch\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/13/2017 19:17:08 (Duration : 00:13:24)

¤¤¤ Processes : 1 ¤¤¤
[Root.Wajam|Adw.Elex] MsMpEng.exe(6380) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe[7] -> Found


¤¤¤ Registry : 10 ¤¤¤
[PUP] (X64) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --appletID=CCM_UI --workflow=CCM_workflow_launch --appletVersion=1.0 --mode=LBS --helperBridgeName={6D0FD104-A851-485A-813C-2090DC17FF87} --lbsWorkflowID={BC7B50A6-7824-4B06-A8C7-5E72FB2DC34A} --lbsInstallerWorkflowID={37D3BAE5-E140-4F2C-8805-9B2B87E0914B} --userGuid= /RestartByRestartManager:B5757D87-38D0-4d1e-BECC-8B5A6D1DD94B -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --appletID=CCM_UI --workflow=CCM_workflow_launch --appletVersion=1.0 --mode=LBS --helperBridgeName={6D0FD104-A851-485A-813C-2090DC17FF87} --lbsWorkflowID={BC7B50A6-7824-4B06-A8C7-5E72FB2DC34A} --lbsInstallerWorkflowID={37D3BAE5-E140-4F2C-8805-9B2B87E0914B} --userGuid= /RestartByRestartManager:B5757D87-38D0-4d1e-BECC-8B5A6D1DD94B -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{50FE4215-80B5-46E0-BD24-9105019A6FF4} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F738259E-C6E0-414D-A129-E6EE5C8B6C3A} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{50FE4215-80B5-46E0-BD24-9105019A6FF4} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F738259E-C6E0-414D-A129-E6EE5C8B6C3A} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hj.Shortcut][File] C:\Users\tch\Desktop\TimeStar PUNCH.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe https://www.timestaronline.com/site/clock.php -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ADATA XM11 256GB-V2 ATA Device +++++
--- User ---
[MBR] b7e62e8b0434274887588696af470fc6
[BSP] 647fd931d64e61570068ccad787e4ddb : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 130 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 270336 | Size: 244061 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
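A defender-side check for a process that a scanner flags, added here as an example (it is not code from this thread or from Adlice): it confirms the running image sits at the path given in the report, inspects the file's Authenticode signature, and computes the SHA-256 so the file can be looked up on VirusTotal by hash instead of uploading it. The PID and path are the ones from the RogueKiller report above; the function name is my own, and the script assumes Windows PowerShell 4 or later (for Get-FileHash) run from an elevated prompt.

```powershell
# Added example: verify a process flagged by a scanner before acting on the detection.
# Assumes Windows PowerShell 4+ in an elevated session. Function name is hypothetical.
function Test-FlaggedProcess {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,     # PID from the scanner report
        [Parameter(Mandatory)] [string] $ReportedPath   # path from the scanner report
    )

    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) {
        Write-Warning "PID $ProcessId is not running; checking the reported file only."
    }

    # Path of the running image; falls back to the reported path when the process is
    # gone or its image path cannot be read (protected security processes may refuse it).
    $imagePath = if ($proc -and $proc.Path) { $proc.Path } else { $ReportedPath }

    if (-not (Test-Path -LiteralPath $imagePath)) {
        throw "File not found: $imagePath"
    }

    # Authenticode status: 'Valid' with a Microsoft signer is what a genuine
    # MsMpEng.exe shows; 'NotSigned' or 'HashMismatch' would be worth escalating.
    $sig = Get-AuthenticodeSignature -FilePath $imagePath

    # SHA-256 lets you query VirusTotal by hash rather than uploading the binary.
    $sha256 = (Get-FileHash -LiteralPath $imagePath -Algorithm SHA256).Hash

    [pscustomobject]@{
        ProcessId         = $ProcessId
        ImagePath         = $imagePath
        PathMatchesReport = ($imagePath -ieq $ReportedPath)
        SignatureStatus   = $sig.Status
        Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256            = $sha256
    }
}

# Values taken from the RogueKiller report posted above.
Test-FlaggedProcess -ProcessId 6380 `
    -ReportedPath 'c:\Program Files\Microsoft Security Client\MsMpEng.exe' |
    Format-List
```

A valid Microsoft signature together with a clean hash lookup makes a tampered binary unlikely, and it fits the observation in the post that the detection only appears once MSE has loaded its definitions: an antivirus engine's own signature data, once resident in its process memory, is exactly the kind of content another scanner's memory scan can match on. These checks cannot prove that explanation, but they are the evidence a moderator or analyst would want alongside the report.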


Reply #259 by Curson (Global Moderator) on December 14, 2017, 02:01:44 pm
Hi Scott,

Welcome to Adlice.com Forum.

This detection is indeed a false positive resulting from a conflict with the Windows Defender database. We will fix this as soon as possible.
For the time being, you can safely ignore it.

Regards.

Reply #260 by khuntim (Newbie) on December 14, 2017, 05:52:20 pm
Yes, 12.11.28 did get rid of Anydesk. The last one is Sharks Codecs. Thanks.

Reply #261 by Curson (Global Moderator) on December 14, 2017, 10:14:12 pm
Hi khuntim,

Thanks for the confirmation.
We will check this out.

Edit: Is Anydesk reported as [PUP.AdInstaller]?

Regards.
« Last Edit: December 14, 2017, 10:30:05 pm by Curson »

Reply #262 by Kylyx (Newbie) on December 16, 2017, 01:03:09 am
Hello!

Technician License holder here.

Three items I see regularly detected when scanning my customers' PCs are:

MetaStream (a graphics plugin used by AOL)
ViewPoint (a media player used by AOL)
Carbonite (a cloud backup service)

Would love to either not see them detected or at least not checked by default?

Thanks!

Reply #263 by Curson (Global Moderator) on December 16, 2017, 07:25:23 pm
Hi Kylyx,

Welcome to Adlice.com Forum and thanks for your feedback.
Could you please provide us with RogueKiller reports showing such false positives? It will help us in the whitelisting process.

Regards.

Reply #264 by Kylyx (Newbie) on January 17, 2018, 06:42:11 pm
> Hi Kylyx,
>
> Welcome to Adlice.com Forum and thanks for your feedback.
> Could you please provide us with RogueKiller reports showing such false positives? It will help us in the whitelisting process.
>
> Regards.

Sorry for the delay! Here's the pertinent Carbonite log entry and I'll post the others as they occur:

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} -- "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" (/silent $(Arg0)) -> Found

Thanks!

Reply #265 by Curson (Global Moderator) on January 20, 2018, 07:25:31 pm
Hi Kylyx,

We will whitelist Carbonite.
Waiting for the others.

Regards.

Reply #266 by Peter.Lannisters (Newbie) on January 29, 2018, 03:25:12 pm
Dear Ladies and Gentlemen,

I have scanned my computer with the free version and RogueKiller has found something.
After deleting the file through RogueKiller and restarting the computer, the file shows up again.
Is this a serious problem?

Thank you for your help :-)

RogueKiller V12.12.2.0 (x64) [Jan 29 2018] (Free) von Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Betriebssystem : Windows 10 (10.0.16299) 64 bits version
Gestartet in : Normalmodus
User : MusicMachine [Administrator]
Gestartet von : C:\Program Files\RogueKiller\RogueKiller64.exe
Modus : Scannen -- Datum : 01/29/2018 14:45:12 (Dauer : 00:15:34)

¤¤¤ Prozesse : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Dateien : 1 ¤¤¤
[Hidden.ADS][Stream] C:\ProgramData:3B6E8F68802753B9 -> Gefunden <------ When deleting this it shows up again after restarting the computer

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts-Datei : 0 ¤¤¤

¤¤¤ Anti-Rootkit : 0 (Driver: Geladen) ¤¤¤

¤¤¤ Webbrowser : 0 ¤¤¤

¤¤¤ MBR-Übeprüfung : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 PRO 512GB +++++
--- User ---
[MBR] 6ff527a6d5026731cf00e93795bb1138
[BSP] ee3d88ee0e3639852ed70d721bffed19 : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 488384 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 960 EVO 500GB +++++
--- User ---
[MBR] 44a4c8065f73c467c78b705ccd731cc3
[BSP] 52d63966f7bdfae97059f61492bf883c : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 475964 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 975802368 | Size: 472 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Unzulässige Funktion. )


Reply #267 by Curson (Global Moderator) on January 29, 2018, 08:47:31 pm
Hi Peter,

Welcome to Adlice.com Forum.
Such ADS are apparently created with Windows 10 updates. Since it's linked to the system, it's normal that RogueKiller is unable to delete it. You can safely ignore it.

Regards.
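To see what a [Hidden.ADS] hit actually is before ignoring or deleting it, here is an added example (my own code, not Adlice's or the poster's) that lists every alternate data stream on the directory from the report above and reads the first bytes of each. It assumes Windows PowerShell 5.1 on an NTFS volume (the `-Encoding Byte` switch is specific to that version); the function name is mine.

```powershell
# Added example: inspect alternate data streams (ADS) on a directory before deciding
# whether a [Hidden.ADS] detection matters. Assumes Windows PowerShell 5.1 on NTFS.
function Get-DirectoryStreams {
    param([Parameter(Mandatory)] [string] $Path)

    # Get-Item -Stream * lists every named stream; ':$DATA' is the unnamed default stream.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $streamName = $_.Stream
            $preview = $null
            try {
                # Read the raw bytes of the stream and render the first 16 as hex.
                $bytes = Get-Content -LiteralPath $Path -Stream $streamName `
                    -Encoding Byte -ReadCount 0 -ErrorAction Stop
                $preview = ($bytes | Select-Object -First 16 |
                    ForEach-Object { $_.ToString('x2') }) -join ' '
            } catch {
                $preview = "unreadable: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Path       = $Path
                Stream     = $streamName
                Length     = $_.Length
                HexPreview = $preview
            }
        }
}

# Directory from the report posted above; the stream named there (3B6E8F68802753B9)
# should appear in the output if it is still present.
Get-DirectoryStreams -Path 'C:\ProgramData' | Format-Table -AutoSize
```

A stream on a system directory that comes back after every reboot, as described above, is being rewritten by the operating system; recording its name, length and first bytes across reboots tells you whether the content is stable, which is more informative than deleting it again. The same function works on any file or directory path, so it also serves for checking a `Zone.Identifier` stream on a downloaded executable.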

Reply #268 by Kylyx (Newbie) on February 10, 2018, 12:38:03 am
> Hi Kylyx,
>
> We will whitelist Carbonite.
> Waiting for the others.
>
> Regards.

Thanks! Here's the other AOL related items...

¤¤¤ Registry : 3 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\MetaStream -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Viewpoint -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer -> Found

¤¤¤ Files : 3 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Viewpoint -> Found
[PUP.Gen1][Folder] C:\ProgramData\Viewpoint -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Viewpoint -> Found

Reply #269 by Curson (Global Moderator) on February 10, 2018, 01:31:17 pm
Hi Kylyx,

Thanks for your feedback again.
I'm sorry, but these won't be whitelisted. Viewpoint Media Player is detected as a PUP since it is often installed without user consent and actively collects user data.

However, as a Premium user, you can manually whitelist it using RogueKiller External Scanner.

Regards.