Adlice forum
Software feedback => RogueKiller => Topic started by: Tigzy on October 20, 2014, 11:44:25 AM
-
This is a common thread to report all false positives.
Please post the entire line from the text report; avoid screenshots as much as possible.
Thanks :)
VT.Unknown specific case:
VT.Unknown means the file was unknown on Virus Total, and normally it has been uploaded at the same time.
So, after the file is uploaded, it's analysed by Virus Total. It can take a few hours.
If you redo a scan late enough, there's a high chance that the Virus Total report is available.
RogueKiller will grab it and not see it as unknown anymore (and not flag it).
Then depending on the VirusTotal results, if it's malware it will be flagged and you will see a VT.Something detection.
So, when you see a VT.Unknown detection, it's because the file is quite new on the web.
Be patient, and redo a scan an hour later to check if it has changed. You can also upload it on VirusTotal by yourself to know if it's legit or not.
-
Hello, are these false positives or is my computer infected?
¤¤¤ Antirootkit : 34 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_DevNode_Status : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd2030c0
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_Device_IDW : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd204034
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x7fefe6f0680
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x7fefe6e9370
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x7fefe712e18
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x7fefe707490
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x7fefe702a30
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x7fefe70ea20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x7fefe71bf00
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x7fefe6f3e90
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x7fefe6e8284
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x7fefe6ed9d0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x7fefe70ef20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x7fefe70f1ac
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x7fefe703560
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x7fefe6f9980
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - FreePropVariantArray : C:\Windows\system32\ole32.dll @ 0x7fefe809440
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x7fefe708e70
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x7fefe708e20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x7fefe701314
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a193c
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a15e0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a14e8
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a15e0
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a193c
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a14e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a15e0
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a14e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefc0a193c
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\VERSION.dll @ 0x7fefc0a1b94
[IAT:Addr] (explorer.exe @ nvapi64.dll) SETUPAPI.dll - CM_Get_DevNode_Status_Ex : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd202fb4
[IAT:Addr] (explorer.exe @ nvapi64.dll) SETUPAPI.dll - CM_Reenumerate_DevNode : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd20cff0
[IAT:Addr] (explorer.exe @ nvapi64.dll) SETUPAPI.dll - CM_Get_Device_ID_ExW : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd202d90
[IAT:Addr] (explorer.exe @ acppage.dll) sfc.dll - SfcIsFileProtected : C:\Windows\system32\sfc_os.DLL @ 0x7fef2a516f0
-
Hello
Yes, they are already fixed and waiting for the next release :)
-
Are these also all false positives? TIA for your consideration.
¤¤¤ Antirootkit : 108 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x80690000
[IAT:Addr] (explorer.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ kernel32.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x80690000
[IAT:Addr] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSection : Unknown @ 0x806f0000
[IAT:Addr] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateThreadEx : Unknown @ 0x80720000
[IAT:Addr] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x80580000
[IAT:Addr] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x80580000
[IAT:Addr] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x80690000
[IAT:Addr] (explorer.exe @ sechost.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x80000000
[IAT:Addr] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ GDI32.dll) ntdll.dll - NtCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ ole32.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ MSCTF.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x80000000
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_DevNode_Status : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd4430c0
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_Device_IDW : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd444034
[IAT:Addr] (explorer.exe @ dwmapi.dll) ntdll.dll - NtCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ Secur32.dll) ntdll.dll - NtOpenSection : Unknown @ 0x806f0000
[IAT:Addr] (explorer.exe @ guard64.dll) ntdll.dll - ZwCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ apphelp.dll) ntdll.dll - NtCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenSection : Unknown @ 0x806f0000
[IAT:Addr] (explorer.exe @ authui.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x80690000
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x7feff380680
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff39ea20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x7feff3a2e18
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x7feff397490
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x7feff3abf00
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x7feff378284
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x7feff379370
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x7feff37d9d0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x7feff39ef20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff39f1ac
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x7feff393560
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x7feff389980
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x7feff383e90
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - FreePropVariantArray : C:\Windows\system32\ole32.dll @ 0x7feff499440
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x7feff398e70
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x7feff398e20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x7feff392a30
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x7feff391314
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b193c
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b15e0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b14e8
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b15e0
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b193c
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b14e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b14e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\VERSION.dll @ 0x7fefd0b1b94
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b15e0
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b193c
[IAT:Addr] (explorer.exe @ WINSTA.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x7feff398e70
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoWaitForMultipleHandles : C:\Windows\system32\ole32.dll @ 0x7feff49a1a0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x7feff393560
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x7feff398e20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CreateStreamOnHGlobal : C:\Windows\system32\ole32.dll @ 0x7feff455fb0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x7feff3abf00
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x7feff397490
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoDisconnectObject : C:\Windows\system32\ole32.dll @ 0x7feff378420
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstanceEx : C:\Windows\system32\ole32.dll @ 0x7feff37de90
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetCurrentLogicalThreadId : C:\Windows\system32\ole32.dll @ 0x7feff371d60
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x7feff391314
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetObjectContext : C:\Windows\system32\ole32.dll @ 0x7feff38c920
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x7feff392a30
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterThreadInterfaceInStream : C:\Windows\system32\ole32.dll @ 0x7feff4c3f90
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x7feff389980
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x7feff379370
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - IIDFromString : C:\Windows\system32\ole32.dll @ 0x7feff378d18
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRevokeInitializeSpy : C:\Windows\system32\ole32.dll @ 0x7feff37ad64
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRegisterInitializeSpy : C:\Windows\system32\ole32.dll @ 0x7feff3963a8
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoReleaseMarshalData : C:\Windows\system32\ole32.dll @ 0x7feff375da4
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetApartmentType : C:\Windows\system32\ole32.dll @ 0x7feff396cf0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - GetHGlobalFromStream : C:\Windows\system32\ole32.dll @ 0x7feff439d20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff39f1ac
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - ProgIDFromCLSID : C:\Windows\system32\ole32.dll @ 0x7feff4bf850
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x7feff380680
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRevokeClassObject : C:\Windows\system32\ole32.dll @ 0x7feff3787e8
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x7feff378284
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateFreeThreadedMarshaler : C:\Windows\system32\ole32.dll @ 0x7feff3a2c60
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetInterfaceAndReleaseStream : C:\Windows\system32\ole32.dll @ 0x7feff4ca130
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRegisterMessageFilter : C:\Windows\system32\ole32.dll @ 0x7feff38ca98
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMalloc : C:\Windows\system32\ole32.dll @ 0x7feff393540
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x7feff3a2e18
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff39ea20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - PropVariantClear : C:\Windows\system32\ole32.dll @ 0x7feff396da4
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - PropVariantCopy : C:\Windows\system32\ole32.dll @ 0x7feff4730a0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x7feff383e90
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x7feff39ef20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRegisterClassObject : C:\Windows\system32\ole32.dll @ 0x7feff3740c0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x7feff37d9d0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeSecurity : C:\Windows\system32\ole32.dll @ 0x7feff388220
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRevertToSelf : C:\Windows\system32\ole32.dll @ 0x7feff375a58
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoImpersonateClient : C:\Windows\system32\ole32.dll @ 0x7feff375a14
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b14e8
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b15e0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x7fefd0b193c
[IAT:Addr] (explorer.exe @ AVRT.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x80000000
[IAT:Addr] (explorer.exe @ AVRT.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ AUDIOSES.DLL) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x80000000
[IAT:Addr] (explorer.exe @ NSI.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ WS2_32.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x80640000
[IAT:Addr] (explorer.exe @ gameux.dll) ntdll.dll - NtCreateSection : Unknown @ 0x806c0000
[IAT:Addr] (explorer.exe @ wer.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x80000000
[IAT:Addr] (explorer.exe @ bcrypt.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
[IAT:Addr] (explorer.exe @ bcryptprimitives.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x80610000
-
My report. I'm still getting the redirect virus even though none of the antivirus programs I've downloaded are finding anything :(
RogueKiller V10.0.2.0 (x64) [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : User [Administrator]
Mode : Scan -- Date : 10/22/2014 12:17:54
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.adobe.com
¤¤¤ Antirootkit : 75 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_DevNode_Status : C:\Windows\system32\CFGMGR32.dll @ 0x7fefda230c0
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_Device_IDW : C:\Windows\system32\CFGMGR32.dll @ 0x7fefda24034
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x7feff8bef20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x7feff8b3560
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x7feff8a9980
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x7feff89d9d0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff8bea20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x7feff8a3e90
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff8bf1ac
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x7feff899370
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x7feff8b2a30
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x7feff8b8e20
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x7feff8cbf00
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x7feff898284
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x7feff8a0680
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x7feff8c2e18
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x7feff8b7490
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x7feff8b8e70
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x7feff8b1314
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - FreePropVariantArray : C:\Windows\system32\ole32.dll @ 0x7feff9b9440
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x7fefc7814e8
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x7fefc7815e0
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x7fefc78193c
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x7fefc7815e0
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x7fefc78193c
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x7fefc7814e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x7fefc7814e8
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x7fefc7815e0
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x7fefc78193c
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\version.DLL @ 0x7fefc781b94
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x7feff8b8e70
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoWaitForMultipleHandles : C:\Windows\system32\ole32.dll @ 0x7feff9ba1a0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x7feff8b3560
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x7feff8b8e20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CreateStreamOnHGlobal : C:\Windows\system32\ole32.dll @ 0x7feff975fb0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x7feff8cbf00
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x7feff8b7490
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoDisconnectObject : C:\Windows\system32\ole32.dll @ 0x7feff898420
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstanceEx : C:\Windows\system32\ole32.dll @ 0x7feff89de90
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetCurrentLogicalThreadId : C:\Windows\system32\ole32.dll @ 0x7feff891d60
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x7feff8b1314
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetObjectContext : C:\Windows\system32\ole32.dll @ 0x7feff8ac920
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x7feff8b2a30
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterThreadInterfaceInStream : C:\Windows\system32\ole32.dll @ 0x7feff9e3f90
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x7feff8a9980
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x7feff899370
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - IIDFromString : C:\Windows\system32\ole32.dll @ 0x7feff898d18
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRevokeInitializeSpy : C:\Windows\system32\ole32.dll @ 0x7feff89ad64
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRegisterInitializeSpy : C:\Windows\system32\ole32.dll @ 0x7feff8b63a8
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoReleaseMarshalData : C:\Windows\system32\ole32.dll @ 0x7feff895da4
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetApartmentType : C:\Windows\system32\ole32.dll @ 0x7feff8b6cf0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - GetHGlobalFromStream : C:\Windows\system32\ole32.dll @ 0x7feff959d20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff8bf1ac
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - ProgIDFromCLSID : C:\Windows\system32\ole32.dll @ 0x7feff9df850
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x7feff8a0680
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRevokeClassObject : C:\Windows\system32\ole32.dll @ 0x7feff8987e8
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x7feff898284
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateFreeThreadedMarshaler : C:\Windows\system32\ole32.dll @ 0x7feff8c2c60
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetInterfaceAndReleaseStream : C:\Windows\system32\ole32.dll @ 0x7feff9ea130
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRegisterMessageFilter : C:\Windows\system32\ole32.dll @ 0x7feff8aca98
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMalloc : C:\Windows\system32\ole32.dll @ 0x7feff8b3540
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x7feff8c2e18
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x7feff8bea20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - PropVariantClear : C:\Windows\system32\ole32.dll @ 0x7feff8b6da4
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - PropVariantCopy : C:\Windows\system32\ole32.dll @ 0x7feff9930a0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x7feff8a3e90
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x7feff8bef20
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRegisterClassObject : C:\Windows\system32\ole32.dll @ 0x7feff8940c0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x7feff89d9d0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeSecurity : C:\Windows\system32\ole32.dll @ 0x7feff8a8220
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoRevertToSelf : C:\Windows\system32\ole32.dll @ 0x7feff895a58
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoImpersonateClient : C:\Windows\system32\ole32.dll @ 0x7feff895a14
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x7fefc7814e8
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x7fefc7815e0
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x7fefc78193c
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EARX-22N0YB0 +++++
--- User ---
[MBR] 10f00f4bc6194841d91ecd066bf1c8d3
[BSP] 388aac444daf538198df578a2d4fadbb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 205001 MB
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 419842710 | Size: 743218 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Apacer AC203 USB Device +++++
--- User ---
[MBR] b711af9ead283f324f04ee82c252b1ad
[BSP] 4727881d2de01fb0fadbfc2b65e21c88 : Empty MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive2: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_DEL_10212014_142034.log - RKreport_DEL_10212014_142109.log - RKreport_DEL_10212014_142136.log - RKreport_DEL_10212014_142541.log
RKreport_DEL_10212014_142556.log - RKreport_SCN_10212014_140633.log - RKreport_SCN_10212014_142451.log
-
Please pay attention to what is above you when you post :)
Those lines are already reported, and are on their path to the new version.
-
Tigzy......
Please RE-READ what was sent. The items ARE different. If providing a courteous response isn't within your capabilities, do something else. All you had to say was "Those lines are already reported, and are on their path to the new version."
-
Was not just for you davec. ;)
The same lines are:
C:\Windows\system32\ole32.dll
C:\Windows\system32\VERSION.dll
C:\Windows\system32\CFGMGR32.dll
Unknown modules cannot be treated.
Sorry for the rude answer, but yes they are the same :)
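The point made above (and the reason the long SYSFER.DLL report later in the thread counts as a single item) is that the Antirootkit entries are whitelisted per resolved module, not per line: every `[IAT:Addr]`/`[IAT:Inl]` row whose pointer lands in ole32.dll, VERSION.dll or CFGMGR32.dll is the same report, while a target of `Unknown` has no file to clear. This added example, not RogueKiller's own code, parses the three line shapes quoted in this thread and groups them that way; the sample lines are copied from the thread except the `VERSION.dll` row, which is constructed to show case-insensitive path matching.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Line shapes of the RogueKiller Antirootkit section as quoted in this thread:
# IAT entries (pointer redirected, or inline jmp) and IRP dispatch-table entries.
IAT_RE = re.compile(
    r"^\[(?P<kind>IAT:\w+)\] \((?P<process>\S+) @ (?P<importer>[^)]+)\) "
    r"(?P<import_dll>\S+) - (?P<function>\S+) : (?P<target>.+?) "
    r"@ (?P<addr>0x[0-9a-fA-F]+)(?: \(jmp (?P<jmp>0x[0-9a-fA-F]+)\))?$"
)
IRP_RE = re.compile(
    r"^\[(?P<kind>IRP:Addr\(Hook\.IRP\))\] (?P<driver>\S+) - "
    r"(?P<function>IRP_MJ_\w+)\[(?P<index>\d+)\] : (?P<target>.+?) "
    r"@ (?P<addr>0x[0-9a-fA-F]+)$"
)

# Sample report: lines 1-3 and 5-9 are quoted from this thread, line 4 is
# constructed to pair version.DLL with VERSION.dll, line 0 is a section header.
SAMPLE_LOG = [
    r"¤¤¤ Antirootkit : 9 (Driver: Loaded) ¤¤¤",
    r"[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Reenumerate_DevNode : C:\WINDOWS\system32\SETUPAPI.dll @ 0x779526a5",
    r"[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Get_DevNode_Status : C:\WINDOWS\system32\SETUPAPI.dll @ 0x778ec6eb",
    r"[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x7fefc7815e0",
    r"[IAT:Addr] (explorer.exe @ shell32.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeW : C:\Windows\system32\VERSION.dll @ 0x7fefc781000",
    r"[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)",
    r"[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)",
    r"[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\kbdclass.sys - IRP_MJ_READ[3] : C:\WINDOWS\system32\DRIVERS\ETD.sys @ 0xb8cc0232",
    r"[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CREATE[0] : Unknown @ 0x40a0c2c0",
    r"[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CLOSE[2] : Unknown @ 0x40a0c2c0",
]


@dataclass(frozen=True)
class HookEntry:
    kind: str        # "IAT:Addr", "IAT:Inl" or "IRP:Addr(Hook.IRP)"
    owner: str       # "process @ importing module" for IAT, driver path for IRP
    function: str    # hooked import, or IRP major function
    target: str      # module the pointer resolves to, or "Unknown"
    addr: int
    jmp: Optional[int] = None  # trampoline destination, inline hooks only


def parse_line(line: str) -> Optional[HookEntry]:
    """Parse one Antirootkit line; headers, MBR lines and prose give None."""
    line = line.strip()
    m = IAT_RE.match(line)
    if m:
        return HookEntry(m["kind"], f'{m["process"]} @ {m["importer"]}',
                         m["function"], m["target"], int(m["addr"], 16),
                         int(m["jmp"], 16) if m["jmp"] else None)
    m = IRP_RE.match(line)
    if m:
        return HookEntry(m["kind"], m["driver"], m["function"],
                         m["target"], int(m["addr"], 16))
    return None


def module_key(target: str) -> str:
    # Windows paths are case-insensitive: version.DLL and VERSION.dll are one file.
    return target.lower()


def group_by_module(lines):
    """Map each resolved target module to its distinct 'owner -> function' hooks."""
    groups = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            groups[module_key(entry.target)].add(f"{entry.owner} -> {entry.function}")
    return {k: sorted(v) for k, v in groups.items()}


def whitelist_candidates(lines):
    """Split modules into those a per-module whitelist can clear and those it
    cannot: an 'Unknown' target has no file to hash or signature-check."""
    groups = group_by_module(lines)
    treatable = {k: len(v) for k, v in groups.items() if k != "unknown"}
    untreatable = {k: len(v) for k, v in groups.items() if k == "unknown"}
    return treatable, untreatable


if __name__ == "__main__":
    ok, pending = whitelist_candidates(SAMPLE_LOG)
    for module, n in ok.items():
        print(f"{n:3d} hook(s) -> one whitelist entry: {module}")
    for module, n in pending.items():
        print(f"{n:3d} hook(s) cannot be treated: {module}")
```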
-
Hi,
I don't know if they are already given as false positives or if they are true positives:
¤¤¤ Antirootkit : 4 (Driver: Chargé) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\DRIVERS\kbdclass.sys - IRP_MJ_READ[3] : C:\WINDOWS\system32\DRIVERS\ETD.sys @ 0xb8cc0232
[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Reenumerate_DevNode : C:\WINDOWS\system32\SETUPAPI.dll @ 0x779526a5
[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Get_DevNode_Status : C:\WINDOWS\system32\SETUPAPI.dll @ 0x778ec6eb
[IAT:Addr] (explorer.exe @ sti.dll) CFGMGR32.dll - CM_Get_Parent : C:\WINDOWS\system32\SETUPAPI.dll @ 0x77957a5d
Thanks for the help
-
Thanks, I've added them when I saw your forum thread :)
-
Hi, I recently downloaded AVG and on the first scan it told me I had a rootkit, which eventually led me here. Anyway, I don't know much about this kind of stuff, so here are my results from the scan:
¤¤¤ Processes : 5 ¤¤¤
[Suspicious.Path] HostAppServiceUpdater.exe -- C:\Users\BC234_000\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[7] -> Killed [TermProc]
[Suspicious.Path] HostAppService.exe -- C:\Users\BC234_000\AppData\Local\Pokki\Engine\HostAppService.exe[7] -> Killed [TermProc]
[Suspicious.Path] HostAppService.exe -- C:\Users\BC234_000\AppData\Local\Pokki\Engine\HostAppService.exe[7] -> Killed [TermThr]
[Suspicious.Path] StartMenuIndexer.exe -- C:\Users\BC234_000\AppData\Local\Pokki\Engine\StartMenuIndexer.exe[7] -> Killed [TermProc]
[PUP] (SVC) vToolbarUpdater18.1.10 -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.10\ToolbarUpdater.exe[7] -> Stopped
¤¤¤ Registry : 14 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | vProt : "C:\Program Files (x86)\AVG Web TuneUp\vprot.exe" -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2771827557-3564350607-803193336-1001\Software\Microsoft\Windows\CurrentVersion\Run | Pokki : "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2771827557-3564350607-803193336-1001\Software\Microsoft\Windows\CurrentVersion\Run | Pokki : "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2771827557-3564350607-803193336-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Users\BC234_000\AppData\Local\Pokki\Engine\HostAppService.exe --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-phishing-detection --enable-file-cookies --disable-sync --disable-breakpad --disable-bundled-ppapi-flash --disable-sync-tabs --disable-speech-input --disable-custom-jumplist --process-per-tab --debug-devtools-frontend="C:\Users\BC234_000\AppData\Local\Pokki\Engine\inspector" --no-first-run --lang=en-US --disable-component-update --disable-prompt-on-repost --no-startup-window --disable-translate --disable-logging --disable-desktop-notifications --disable-gpu-process-prelaunch --flag-switches-begin --flag-switches-end --restore-last-session -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2771827557-3564350607-803193336-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Users\BC234_000\AppData\Local\Pokki\Engine\HostAppService.exe --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-phishing-detection --enable-file-cookies --disable-sync --disable-breakpad --disable-bundled-ppapi-flash --disable-sync-tabs --disable-speech-input --disable-custom-jumplist --process-per-tab --debug-devtools-frontend="C:\Users\BC234_000\AppData\Local\Pokki\Engine\inspector" --no-first-run --lang=en-US --disable-component-update --disable-prompt-on-repost --no-startup-window --disable-translate --disable-logging --disable-desktop-notifications --disable-gpu-process-prelaunch --flag-switches-begin --flag-switches-end --restore-last-session -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vToolbarUpdater18.1.10 (C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.10\ToolbarUpdater.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vToolbarUpdater18.1.10 (C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.10\ToolbarUpdater.exe) -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ WSShared.dll) SLC.dll - SLClose : C:\Windows\SYSTEM32\sppc.dll @ 0x7ffa1b59566c
[IAT:Addr] (explorer.exe @ WSShared.dll) SLC.dll - SLOpen : C:\Windows\SYSTEM32\sppc.dll @ 0x7ffa1b5978e8
[IAT:Addr] (explorer.exe @ Windows.UI.Xaml.dll) api-ms-win-core-winrt-robuffer-l1-1-0.dll - RoGetBufferMarshaler : C:\Windows\System32\WinTypes.dll @ 0x7ffa0d55bf60
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10JPVX-22JC3T0 +++++
--- User ---
[MBR] 4eb748eb2bad407088f7494c6ed510e9
[BSP] 4602f267e28c59160c125920bff66dfd : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_10292014_022328.log - RKreport_SCN_10292014_024954.log
Thanks for the help :)
-
Thanks, that's already added :)
-
Oh, sorry, I think I posted in the wrong thread. I thought this was for asking whether results were false positives or not, my bad. I really have no clue if these are false positives or not, so I was hoping you guys could enlighten me.
-
Mmh, well, for the Rootkit section, yes it is.
For the rest, it's adware (PUP) and shall be removed.
-
SYSFER.DLL is identified as a rootkit (yellow).
This program is part of Symantec Endpoint Protection and Norton 360. I assume this is normal, and a false positive.
Log:
¤¤¤ Antirootkit : 218 (Driver: Loaded) ¤¤¤
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateUserProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39b85 (jmp 0xfffffffffdaf7e05)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtDeleteKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d29 (jmp 0xfffffffffdaf7f19)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenKeyEx : C:\Windows\System32\SYSFER.DLL @ 0x74b39ced (jmp 0xfffffffffdaf7aed)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : C:\Windows\System32\SYSFER.DLL @ 0x74b39e55 (jmp 0xfffffffffdaf8675)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtDeleteKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d29 (jmp 0xfffffffffdaf7f19)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtDeleteKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d29 (jmp 0xfffffffffdaf7f19)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtTerminateThread : C:\Windows\System32\SYSFER.DLL @ 0x74b39e55 (jmp 0xfffffffffdaf8675)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtRenameKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d65 (jmp 0xfffffffffdaf76d5)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtOpenKeyEx : C:\Windows\System32\SYSFER.DLL @ 0x74b39ced (jmp 0xfffffffffdaf7aed)
[IAT:Inl] (explorer.exe @ sechost.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ GDI32.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ GDI32.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ GDI32.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ USER32.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ USER32.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (explorer.exe @ USER32.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (explorer.exe @ USER32.dll) ntdll.dll - NtDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (explorer.exe @ SHELL32.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ SHELL32.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ SHELL32.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - ZwOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - ZwCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - ZwDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - ZwDeleteKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d29 (jmp 0xfffffffffdaf7f19)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ MSCTF.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ MSCTF.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ SETUPAPI.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ dwmapi.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ Secur32.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ WINSTA.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ CRYPTBASE.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtDeleteFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39bc1 (jmp 0xfffffffffdaf7dc1)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtDeleteKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d29 (jmp 0xfffffffffdaf7f19)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ CSCDLL.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ CSCAPI.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ ntshrui.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ srvcli.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ rsaenh.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ rsaenh.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ gameux.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ gameux.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (explorer.exe @ gameux.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ gameux.dll) ntdll.dll - NtDeleteFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39bc1 (jmp 0xfffffffffdaf7dc1)
[IAT:Inl] (explorer.exe @ gameux.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ CRYPT32.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (explorer.exe @ CRYPT32.dll) ntdll.dll - NtOpenKeyEx : C:\Windows\System32\SYSFER.DLL @ 0x74b39ced (jmp 0xfffffffffdaf7aed)
[IAT:Inl] (explorer.exe @ iertutil.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ WININET.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ WININET.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ ksuser.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ AVRT.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ AVRT.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ WS2_32.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ WS2_32.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ NSI.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ netutils.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ netshell.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ IPHLPAPI.DLL) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ dhcpcsvc.DLL) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ wkscli.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ sfc_os.DLL) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ DEVRTL.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ drprov.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ drprov.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ ntlanman.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ ntlanman.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ dfscli.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ browcli.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (explorer.exe @ browcli.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ mswsock.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (explorer.exe @ mswsock.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (explorer.exe @ mswsock.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (explorer.exe @ wshtcpip.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ wship6.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (explorer.exe @ rasadhlp.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtCreateUserProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39b85 (jmp 0xfffffffffdaf7e05)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtDeleteKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d29 (jmp 0xfffffffffdaf7f19)
[IAT:Inl] (iexplore.exe @ kernel32.dll) ntdll.dll - NtOpenKeyEx : C:\Windows\System32\SYSFER.DLL @ 0x74b39ced (jmp 0xfffffffffdaf7aed)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtSetInformationFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39da1 (jmp 0xfffffffffdaf8881)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtOpenFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39c75 (jmp 0xfffffffffdaf8695)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtCreateFile : C:\Windows\System32\SYSFER.DLL @ 0x74b39b0d (jmp 0xfffffffffdaf830d)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateProcess : C:\Windows\System32\SYSFER.DLL @ 0x74b39e19 (jmp 0xfffffffffdaf88a9)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : C:\Windows\System32\SYSFER.DLL @ 0x74b39e55 (jmp 0xfffffffffdaf8675)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtDeleteKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39d29 (jmp 0xfffffffffdaf7f19)
[IAT:Inl] (iexplore.exe @ KERNELBASE.dll) ntdll.dll - NtDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (iexplore.exe @ USER32.dll) ntdll.dll - NtOpenKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39cb1 (jmp 0xfffffffffdaf88e1)
[IAT:Inl] (iexplore.exe @ USER32.dll) ntdll.dll - NtCreateKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39b49 (jmp 0xfffffffffdaf86c9)
[IAT:Inl] (iexplore.exe @ USER32.dll) ntdll.dll - NtSetValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39ddd (jmp 0xfffffffffdaf852d)
[IAT:Inl] (iexplore.exe @ USER32.dll) ntdll.dll - NtDeleteValueKey : C:\Windows\System32\SYSFER.DLL @ 0x74b39bfd (jmp 0xfffffffffdaf7dbd)
[IAT:Inl] (iexplore.exe @ GDI32.dll) ntdll.dll - NtMapViewOfSection : C:\Windows\System32\SYSFER.DLL @ 0x74b39c39 (jmp 0xfffffffffdaf8709)
(truncated too big)
Thanks, Pat
-
Thanks, added.
-
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CREATE[0] : Unknown @ 0x40a0c2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_CLOSE[2] : Unknown @ 0x40a0c2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x40a0c2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x40a0c2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_POWER[22] : Unknown @ 0x40a0c2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x40a0c2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\PCIIDEX.SYS - IRP_MJ_PNP[27] : Unknown @ 0x40a0c2c0
[IAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\Windows\SYSTEM32\clbcatq.dll @ 0x7fff606c24b0
[IAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\Windows\SYSTEM32\clbcatq.dll @ 0x7fff606c23c0
[IAT:Addr] (explorer.exe @ twinui.appcore.dll) ext-ms-win-session-wtsapi32-l1-1-0.dll - WTSRegisterSessionNotification : C:\Windows\SYSTEM32\WTSAPI32.dll @ 0x7fff5eeb1be0
[IAT:Addr] (explorer.exe @ wpncore.dll) ext-ms-win-session-wtsapi32-l1-1-0.dll - WTSQuerySessionInformationW : C:\Windows\SYSTEM32\WTSAPI32.dll @ 0x7fff5eeb16a0
[IAT:Addr] (explorer.exe @ wpncore.dll) ext-ms-win-session-wtsapi32-l1-1-0.dll - WTSRegisterSessionNotification : C:\Windows\SYSTEM32\WTSAPI32.dll @ 0x7fff5eeb1be0
[IAT:Addr] (explorer.exe @ wpncore.dll) ext-ms-win-session-wtsapi32-l1-1-0.dll - WTSFreeMemory : C:\Windows\SYSTEM32\WTSAPI32.dll @ 0x7fff5eeb1330
[IAT:Addr] (explorer.exe @ wpncore.dll) ext-ms-win-session-winsta-l1-1-0.dll - WinStationQueryInformationW : C:\Windows\SYSTEM32\WINSTA.dll @ 0x7fff5f6c1160
[IAT:Addr] (explorer.exe @ Windows.Globalization.dll) ext-ms-win-globalization-input-l1-1-0.dll - WGIGetCurrentInputLanguage : C:\Windows\SYSTEM32\globinputhost.dll @ 0x7fff567d62f4
-
Thanks, added.
Our monitoring system is starting to give very good results on top detections.
That'll make it easier to remove a lot of FPs.
-
I hope these are just false positives xD
¤¤¤ Antirootkit : 31 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ VERSION.dll) api-ms-win-appmodel-runtime-l1-1-1.dll - GetPackagesByPackageFamily : C:\Windows\System32\windows.immersiveshell.serviceprovider.dll @ 0x7ffbda2dd140
[IAT:Addr] (explorer.exe @ cryptnet.dll) OLEAUT32.dll - BSTR_UserMarshal64 : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed410
[IAT:Addr] (explorer.exe @ cryptnet.dll) OLEAUT32.dll - BSTR_UserUnmarshal64 : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed3e0
[IAT:Addr] (explorer.exe @ cryptnet.dll) OLEAUT32.dll - BSTR_UserFree64 : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed340
[IAT:Addr] (explorer.exe @ cryptnet.dll) OLEAUT32.dll - BSTR_UserSize64 : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed310
[IAT:Addr] (explorer.exe @ cryptnet.dll) SHELL32.dll - ShellExecuteW : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed540
[IAT:Addr] (explorer.exe @ cryptnet.dll) SHELL32.dll - ShellExecuteExW : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed5e0
[IAT:Addr] (explorer.exe @ cryptnet.dll) WINHTTP.dll - WinHttpTimeToSystemTime : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed690
[IAT:Addr] (explorer.exe @ cryptnet.dll) WINTRUST.dll - WinVerifyTrust : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed730
[IAT:Addr] (explorer.exe @ cryptnet.dll) DUI70.dll - StrToID : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed8b0
[IAT:Addr] (explorer.exe @ cryptnet.dll) DUI70.dll - InitProcessPriv : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbeda30
[IAT:Addr] (explorer.exe @ cryptnet.dll) DUI70.dll - InitThread : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbeda50
[IAT:Addr] (explorer.exe @ cryptnet.dll) DUI70.dll - UnInitThread : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbeda70
[IAT:Addr] (explorer.exe @ cryptnet.dll) DUI70.dll - UnInitProcessPriv : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbeda90
[IAT:Addr] (explorer.exe @ cryptnet.dll) api-ms-win-service-management-l1-1-0.dll - OpenServiceW : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbef0c0
[IAT:Addr] (explorer.exe @ cryptnet.dll) api-ms-win-service-management-l1-1-0.dll - OpenSCManagerW : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbef0a0
[IAT:Addr] (explorer.exe @ cryptnet.dll) api-ms-win-service-management-l1-1-0.dll - CloseServiceHandle : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbef000
[IAT:Addr] (explorer.exe @ cryptnet.dll) api-ms-win-service-winsvc-l1-2-0.dll - QueryServiceStatus : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbef0e0
[IAT:Addr] (explorer.exe @ cryptnet.dll) api-ms-win-service-management-l2-1-0.dll - QueryServiceConfigW : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbef200
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-core-winrt-error-l1-1-1.dll - SetRestrictedErrorInfo : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f5f0
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-power-base-l1-1-0.dll - PowerRegisterSuspendResumeNotification : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f680
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-power-base-l1-1-0.dll - PowerUnregisterSuspendResumeNotification : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f750
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-service-management-l2-1-0.dll - QueryServiceStatusEx : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f810
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-devices-query-l1-1-1.dll - DevFreeObjectProperties : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f950
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-devices-query-l1-1-1.dll - DevGetObjectProperties : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f8c0
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-devices-query-l1-1-1.dll - DevCreateObjectQuery : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f970
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-devices-query-l1-1-1.dll - DevCloseObjectQuery : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f990
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-core-psm-appnotify-l1-1-0.dll - UnregisterAppStateChangeNotification : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67fa40
[IAT:Addr] (explorer.exe @ taskschd.dll) api-ms-win-core-psm-appnotify-l1-1-0.dll - RegisterAppStateChangeNotification : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67f9b0
[IAT:Addr] (explorer.exe @ taskschd.dll) ext-ms-win-session-winsta-l1-1-0.dll - WinStationFreePropertyValue : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67fb60
[IAT:Addr] (explorer.exe @ taskschd.dll) ext-ms-win-session-winsta-l1-1-0.dll - WinStationGetConnectionProperty : C:\WINDOWS\System32\MMDevApi.dll @ 0x7ffbde67fad0
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545050A7E380 +++++
--- User ---
[MBR] 349e38587d586de91a46bf864a56e4dd
[BSP] a4a8aa4dd53b613db3654ee9f099e922 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
-
Names look legit, they'll be added to the whitelist. Thanks.
-
Hey, found that the latest RK as of 12/23/2014 is marking ChicaPC as TR.Zeus. This is an AV program similar to Malwarebytes. Please whitelist.
http://i.imgur.com/wIarvTx.png Screenshot to show it's being killed during pre-scan.
-
ryderjj89
Can you please post the text report line instead? Easier to whitelist.
-
Is this what you're looking for?
[Tr.Zeus] cpcs.exe -- C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe[7] -> Killed [DrvNtTerm]
I noticed that RK will only kill ChicaPC if it's in the middle of a scan. Tested it without running a scan and it didn't touch it.
-
Thanks, that'll be added :)
I noticed that RK will only kill ChicaPC if it's in the middle of a scan. Tested it without running a scan and it didn't touch it.
Who is scanning? RK or ChicaPC?
That's "normal", it's an antivirus, and we probably have the same signature for Zeus, so when it loads its database in memory, RK will scan it (process memory) and will detect the signature... Definitely an "antivirus conflict".
-
If Chica is already in a scan and then I start a scan with RogueKiller, it will kill Chica. This behavior is also recent. Before version 10, it wouldn't do this. I'm guessing because of signature additions, maybe? Either way, it'd be nice if they would play nice together lol.
-
Yes, it's fixed for next version.
-
Now that RK has been updated to 10.4, it is falsely closing out LogMeIn Rescue during the pre-scan. Would like this to be whitelisted please. Here's a picture of what was found in the pre-scan.
http://i.imgur.com/O0r9Ann.png
I will get the log from the report here in a little bit and edit this post. Just figured I'd make a preemptive strike.
-
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) MF.dll - MFGetService : C:\Windows\SysWOW64\MFCORE.DLL @ 0x6c68f090
[IAT:Addr(Hook.IEAT)] (chrome.exe @ dwrite.dll) ntdll.dll - NtAlpcConnectPort : C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll @ 0x53311b7a
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pdf.dll) GDI32.dll - GetFontData : C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll @ 0x52ebfa68
-
Hi nitrousable,
These false positives will be whitelisted in the next version of RogueKiller.
Regards.
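Reports like the one above repeat the same entries once per scanned process instance, which is why a handful of hooks turns into dozens of lines. As an added triage helper (my example, not RogueKiller's code and not from any post in this thread), the Python below parses the three `[IAT:...]` line shapes seen here, collapses the repeats into one row per process and redirect target, and labels each row with a coarse heuristic category; the category names are my own, and the sample lines are copied from the posts in this thread.

```python
"""De-duplicate and categorise RogueKiller 'Antirootkit' IAT report lines.

Added triage helper, not RogueKiller code. Line shapes handled (the three
seen in this thread):
  [IAT:Addr] (proc @ importer) importdll - Func : target @ 0xaddr
  [IAT:Addr(Hook.IEAT)] (proc @ importer) importdll - Func : target @ 0xaddr
  [IAT:Inl(Hook.IEAT)] (proc) importdll - Func : target @ 0xaddr (jmp 0x...)
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

IAT_LINE = re.compile(
    r"^\[IAT:(?P<kind>Addr|Inl)(?:\((?P<tag>[^)]*)\))?\]\s+"
    r"\((?P<process>[^\s@)]+)(?:\s+@\s+(?P<importer>[^)]+))?\)\s+"
    r"(?P<import_dll>\S+)\s+-\s+(?P<function>\S+)\s+:\s+"
    r"(?P<target>.+?)\s+@\s+(?P<address>0x[0-9a-fA-F]+)"
    r"(?:\s+\(jmp\s+(?P<jmp>0x[0-9a-fA-F]+)\))?\s*$"
)
# API-set forwarders: resolving these to the backing system DLL is expected
# (the explorer.exe entries in this thread).
APISET_PREFIXES = ("api-ms-win-", "ext-ms-win-")
Key = Tuple[str, str, str]  # (process, target module name, category)


@dataclass(frozen=True)
class IatEntry:
    kind: str                 # "Addr": IAT slot redirected; "Inl": inline jmp patch
    tag: Optional[str]        # e.g. "Hook.IEAT"; None when no tag was printed
    process: str
    importer: Optional[str]   # module whose IAT holds the slot (absent for Inl)
    import_dll: str
    function: str
    target: str               # module the import actually lands in
    address: int
    jmp: Optional[int]        # displacement printed for inline patches

    @property
    def target_name(self) -> str:
        return self.target.rsplit("\\", 1)[-1].lower()

    @property
    def category(self) -> str:
        """Heuristic label (my naming); 'third-party-hook' only means the
        target is outside the Windows directory, not that it is malicious."""
        if self.kind == "Inl":
            return "inline-patch"
        in_windows = self.target.lower().startswith("c:\\windows\\")
        if in_windows and self.import_dll.lower().startswith(APISET_PREFIXES):
            return "apiset-forward"
        return "system-redirect" if in_windows else "third-party-hook"


def parse_line(line: str) -> Optional[IatEntry]:
    """Parsed entry, or None for any non-IAT report line (headers, MBR, ...)."""
    m = IAT_LINE.match(line.strip())
    if not m:
        return None
    return IatEntry(
        kind=m["kind"], tag=m["tag"], process=m["process"],
        importer=m["importer"], import_dll=m["import_dll"],
        function=m["function"], target=m["target"],
        address=int(m["address"], 16),
        jmp=int(m["jmp"], 16) if m["jmp"] else None,
    )


def summarize(lines: Iterable[str]) -> Dict[Key, Tuple[int, List[str]]]:
    """Collapse repeats: key -> (raw line count, sorted unique 'dll!Function')."""
    counts: Dict[Key, int] = defaultdict(int)
    funcs: Dict[Key, Set[str]] = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry.process, entry.target_name, entry.category)
        counts[key] += 1
        funcs[key].add(f"{entry.import_dll}!{entry.function}")
    return {k: (counts[k], sorted(funcs[k])) for k in counts}


# Constructed sample: lines copied from the posts in this thread, with one Addr
# and one Inl entry repeated the way the real reports repeat them per process.
SAMPLE_REPORT = r"""
[IAT:Addr] (explorer.exe @ wpncore.dll) ext-ms-win-session-winsta-l1-1-0.dll - WinStationQueryInformationW : C:\Windows\SYSTEM32\WINSTA.dll @ 0x7fff5f6c1160
[IAT:Addr] (explorer.exe @ cryptnet.dll) SHELL32.dll - ShellExecuteW : C:\WINDOWS\System32\WSCAPI.dll @ 0x7ffbdcbed540
[IAT:Addr(Hook.IEAT)] (chrome.exe @ dwrite.dll) ntdll.dll - NtAlpcConnectPort : C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll @ 0x53311b7a
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pdf.dll) GDI32.dll - GetFontData : C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll @ 0x52ebfa68
[IAT:Addr(Hook.IEAT)] (chrome.exe @ dwrite.dll) ntdll.dll - NtAlpcConnectPort : C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll @ 0x53311b7a
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - NtProtectVirtualMemory : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d36160 (jmp 0xfffffffff891612a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32.DLL - MoveFileW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d35490 (jmp 0xfffffffff83d545a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - NtProtectVirtualMemory : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d36160 (jmp 0xfffffffff891612a)
¤¤¤ Web browsers : 0 ¤¤¤
"""

if __name__ == "__main__":
    for (proc, target, cat), (n, fs) in sorted(summarize(SAMPLE_REPORT.splitlines()).items()):
        print(f"{proc} -> {target} [{cat}] {len(fs)} unique over {n} lines: {', '.join(fs)}")
```

Pasting the collapsed rows instead of the raw dump gives the whitelist maintainer the same information in a few lines, with the repeat count preserved.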
-
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - NtProtectVirtualMemory : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d36160 (jmp 0xfffffffff891612a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - NtAllocateVirtualMemory : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d36270 (jmp 0xfffffffff88e623a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - NtTerminateProcess : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d38a00 (jmp 0xfffffffff82489ca)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNELBASE.dll - CreateProcessInternalA : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d381f0 (jmp 0xfffffffff82e81ba)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNELBASE.dll - CreateProcessInternalW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d380c0 (jmp 0xfffffffff82b808a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32.DLL - MoveFileW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d35490 (jmp 0xfffffffff83d545a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32.DLL - CopyFileW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d35620 (jmp 0xfffffffff84355ea)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32.DLL - MoveFileA : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d35550 (jmp 0xfffffffff840551a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32.DLL - WinExec : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d38500 (jmp 0xfffffffff84984ca)
[IAT:Inl(Hook.IEAT)] (chrome.exe) SHELL32.dll - ShellExecuteW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d385c0 (jmp 0xfffffffff84c858a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32.DLL - CopyFileA : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d356f0 (jmp 0xfffffffff84656ba)
[IAT:Inl(Hook.IEAT)] (chrome.exe) WININET.dll - InternetReadFile : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d37cc0 (jmp 0xfffffffff8677c8a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) WININET.dll - InternetReadFileExW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d37da0 (jmp 0xfffffffff86a7d6a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) WININET.dll - HttpOpenRequestW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d37460 (jmp 0xfffffffff85b742a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) WININET.dll - HttpSendRequestExW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d378b0 (jmp 0xfffffffff873787a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) WININET.dll - HttpSendRequestW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d376b0 (jmp 0xfffffffff86d767a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) WININET.dll - InternetOpenUrlW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d37a90 (jmp 0xfffffffff8617a5a)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32.DLL - CopyFileW : C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll @ 0x69d35620 (jmp 0xfffffffff84355ea)
-
Hi nitrousable,
MBAE will be whitelisted as well.
Regards.
-
Now that RK has been updated to 10.4, it is falsely closing out LogMeIn Rescue during the pre-scan. I would like this to be whitelisted, please. Here's a picture of what was found in the pre-scan.
http://i.imgur.com/O0r9Ann.png
I will get the log from the report here in a little bit and edit this post. Just figured I'd make a preemptive strike.
I've noticed the same. Here are the lines from the log report I captured; it would be awesome if LogMeIn could be whitelisted.
¤¤¤ Processes : 3 ¤¤¤
[Suspicious.Path] LMI_Rescue_srv.exe(1200) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(1608) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermThr]
[Suspicious.Path] lmi_rescue.exe(744) -- C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue.exe[7] -> Killed [TermProc]
¤¤¤ Registry : 15 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LMIRescue_6c263ea2-6835-4ed5-ac51-dac642e23d70 ("C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid 6c263ea2-6835-4ed5-ac51-dac642e23d70) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIRescue_6c263ea2-6835-4ed5-ac51-dac642e23d70 ("C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid 6c263ea2-6835-4ed5-ac51-dac642e23d70) -> Found
-
Hello
Thanks for the feedback.
Any chance to get the full path for this?
C:\Users\Danielm\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe
Especially the part: LOGMEI~1
-
Hello RogueKiller,
Would the following please be added to the whitelist?
¤¤¤ Processes : 1 ¤¤¤
[ZeroAccess] SBAMSvc.exe(4072) -- C:\PROGRA~2\ADVANC~1\managedav\SBAMSvc.exe[7] -> Killed [TermProc]
SBAMSvc.exe is part of a product called MAX RemoteManagement and the Antivirus is called Managed Antivirus.
The location of SBAMSvc.exe can be in a few different File Path Names depending on the method used to install the Advanced Monitoring Agent:
C:\Program Files\Advanced Monitoring Agent\managedav\SBAMSvc.exe
C:\Program Files\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe
C:\Program Files (x86)\Advanced Monitoring Agent\managedav\SBAMSvc.exe
C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe
Thank you
-
Hi prummells,
Welcome to Adlice.com Forum!
Thanks for your contribution. Managed Antivirus will be whitelisted in the next version of RogueKiller.
Regards.
-
Sorry about that, the full path is:
C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_src.exe
C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe
Thanks.
-
Hi Bacho,
Thanks for your contribution.
In its current version, RogueKiller should no longer report LogMeIn Rescue.
Regards.
-
Hello guys. Please take a look at my attached files. Is something wrong with RK 10.4.2, or is my laptop going insane? In a few words, the application seems to be stuck in a loop, asking every time I launch it whether I want to update it. My best regards, greysmouth BO IT.
-
Hi greysmouth,
RogueKiller 10.4.3 is out.
Could you please retry with this version?
Regards.
-
Hi,
I think there is something wrong when Symantec Endpoint Protection is installed:
[Suspicious.Path] (SVC) BHDrvx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys[7] -> [NoKill]
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys[7] -> [NoKill]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVENG.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVEX15.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVENG.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVEX15.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150225.012\IDSxpx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.002\NAVENG.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.002\NAVEX15.SYS) -> Non sélectionné
full scan attached
-
Hi mist63,
Thanks for your contribution.
Symantec Endpoint Protection will be whitelisted in RogueKiller's next release.
Regards.
-
Hello. That's fine!
Regards, greysmouth BO IT.
-
Hi greysmouth,
Thanks for letting us know.
Regards.
-
As of the latest version 10.4.3, it's still killing LogMeIn Rescue during the pre-scan. I will try to get more info if I can.
-
Hi ryderjj89,
RogueKiller 10.5.0 is out.
Could you please retry with this version?
Regards.
-
Hi Curson,
Same issue with RK v10.5.0 and Symantec:
RogueKiller V10.5.0.0 [Mar 2 2015] par Adlice Software
¤¤¤ Processus : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys[7] -> [NoKill]
¤¤¤ Registre : 25 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.019\NAVEX15.SYS) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.019\NAVEX15.SYS) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150228.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.002\NAVEX15.SYS) -> Trouvé(e)
Regards
-
Hi mist63,
Thanks for your contribution.
These entries will be whitelisted in the next version of RogueKiller.
Regards.
-
For information, RogueKiller detects "Sandboxie" and "Unlocker" as malware.
But they are trusted, very good software.
http://www.sandboxie.com/
http://www.emptyloop.com/unlocker/
-
Hi laclac,
Welcome to Adlice.com Forum!
Could you please post RogueKiller's report showing the detections of these two programs?
Regards.
Note : Your thread has been merged with the "===> False Positives <===" thread for clarity.
-
Tried with 10.5.1, still killing LogMeIn Rescue during pre-scan.
Here's the log entry:
[Suspicious.Path] (SVC) LMIRescue_9c5cee35-34cc-4e1a-a350-ef13abfc5d98 -- "C:\Users\Violet\AppData\Local\LOGMEI~1\LMIR0002.tmp\LMI_Rescue_srv.exe" -service -sid 9c5cee35-34cc-4e1a-a350-ef13abfc5d98[7] -> Stopped
-
Hi ryderjj89,
That's strange.
Could you please give me the full path of the service, especially the part which appeared as LOGMEI~1?
Regards.
-
Someone posted the full paths for you guys last month on page 3. Here they are again.
C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_src.exe
C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe
-
Hi ryderjj89,
We are unable to reproduce the issue.
Could you please tell me which version of LogMeIn is installed on your system?
Regards.
-
It's the Rescue Applet, not the technician console. I'm not sure how you can't reproduce the issue. It's happened for multiple people as of 10.5.1....
-
Hello,
this is my log:
RogueKiller V10.5.2.0 (x64) [Mar 9 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : fajar [Administrator]
Started from : C:\Users\fajar\Downloads\RogueKillerX64 (1).exe
Mode : Scan -- Date : 03/10/2015 14:35:36
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 10 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9626352A-45DB-4514-A4E4-F37C1C798476} | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7491737-1EF7-4C2E-8F23-E2631A37F61E} | DhcpNameServer : 192.13.128.24 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9626352A-45DB-4514-A4E4-F37C1C798476} | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2 [INDONESIA (ID)][INDONESIA (ID)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C7491737-1EF7-4C2E-8F23-E2631A37F61E} | DhcpNameServer : 192.13.128.24 [UNITED STATES (US)] -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 35d34ea0725b15bfc5585d344d1a1ee4
[BSP] 9bc2edaef5de5c63af0852ed1c97e416 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381096 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 782796800 | Size: 450 MB
5 - Basic data partition | Offset (sectors): 783718400 | Size: 150704 MB
6 - Basic data partition | Offset (sectors): 1092360192 | Size: 399999 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Kingston DT 101 G2 USB Device +++++
--- User ---
[MBR] 0d8a95f0177a129bfb88face59b8bdbb
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_03092015_115351.log
Is this a false positive, or has my computer been infected?
thanks
-
Hi roushi,
Welcome to Adlice.com Forum!
Your report is clean.
Regards.
-
thanks a lot curson :D
-
Hi,
VIPRE Antivirus / Internet Security is getting detected as ZeroAccess
Logs from RogueKiller below:
RogueKiller V10.5.3.0 [Mar 10 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : homeuser [Administrator]
Started from : C:\Users\homeuser\Desktop\RogueKiller.exe
Mode : Scan -- Date : 03/11/2015 13:45:34
¤¤¤ Processes : 1 ¤¤¤
[ZeroAccess] SBAMSvc.exe(1840) -- C:\Program Files (x86)\VIPRE\SBAMSvc.exe[-] -> ERROR [12]
¤¤¤ Registry : 12 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FF6B266C-A68E-4703-AABD-3CD8908DD5EB} | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF6B266C-A68E-4703-AABD-3CD8908DD5EB} | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{FF6B266C-A68E-4703-AABD-3CD8908DD5EB} | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3519769749-2856167998-2871467416-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3519769749-2856167998-2871467416-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] a96e3be04bff67e29b1dcdbca25ab636
[BSP] 5821089cd6275c700f6874710cdeda40 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_03072015_195806.log
-
Hi Vtech,
Welcome to Adlice.com Forum!
Thanks for bringing this to our attention.
This will be fixed in the next version of RogueKiller.
Regards.
-
Hello,
ESET File Security process detected:
RogueKiller V10.5.3.0 (x64) [Mar 10 2015] par Adlice Software
Système d'exploitation : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Démarré en : Mode normal
Utilisateur : root [Administrateur]
Démarré depuis : C:\Archives Système\anti-spyware\RogueKillerX64.exe
Mode : Scan -- Date : 03/12/2015 10:16:01
¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] ekrn.exe(37200) -- C:\Program Files\ESET\ESET File Security\x86\ekrn.exe[7] -> Tué(e) [DrvNtTerm]
Best regards
-
Hi mist63,
Thanks for bringing this up.
This entry will be whitelisted in the next version of RogueKiller.
Regards.
-
The following should not be considered as suspicious as they are marked as part of Bitdefender Antivirus. However, it probably should be verified by Bitdefender.
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[17] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451109c
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511c66
[SSDT:Addr(Hook.SSDT)] NtClose[25] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514b6a
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45133f6
[SSDT:Addr(Hook.SSDT)] unknown[37] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451293a
[SSDT:Addr(Hook.SSDT)] NtCreateKey[41] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513aee
[SSDT:Addr(Hook.SSDT)] NtCreateProcess[47] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511ebc
[SSDT:Addr(Hook.SSDT)] NtCreateProcessEx[48] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511f72
[SSDT:Addr(Hook.SSDT)] NtCreateSection[50] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451225c
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510a0c
[SSDT:Addr(Hook.SSDT)] NtDeviceIoControlFile[66] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513c5e
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45180f8
[SSDT:Addr(Hook.SSDT)] NtFsControlFile[84] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513f16
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511572
[SSDT:Addr(Hook.SSDT)] NtMakeTemporaryObject[105] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514912
[SSDT:Addr(Hook.SSDT)] NtOpenFile[116] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451272c
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517b50
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451202c
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517e00
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[137] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510f20
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511d8e
[SSDT:Addr(Hook.SSDT)] NtReplaceKey[193] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514760
[SSDT:Addr(Hook.SSDT)] NtRequestPort[199] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513564
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[200] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4512ef8
[SSDT:Addr(Hook.SSDT)] NtRestoreKey[204] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45147ea
[SSDT:Addr(Hook.SSDT)] NtSecureConnectPort[210] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451397e
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510b7c
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[237] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45146ba
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451176c
[SSDT:Addr(Hook.SSDT)] NtShutdownSystem[249] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451487c
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510df8
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510cd2
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[255] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511b98
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[257] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517a48
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45182ea
[SSDT:Addr(Hook.SSDT)] NtUnloadDriver[262] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45149a8
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510890
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510478
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallNoParam[322] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510680
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallOneParam[323] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45105d2
[ShwSSDT:Addr(Hook.Shadow)] NtUserDdeSetQualityOfService[347] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45103de
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451037a
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451020c
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45101a8
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450feb2
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fcb8
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fd38
[ShwSSDT:Addr(Hook.Shadow)] NtUserRegisterRawInputDevices[491] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450ff3a
[ShwSSDT:Addr(Hook.Shadow)] NtUserSendInput[502] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fc66
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450f2b8
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450f746
-
I don't know if you support Windows XP, but here's another one for you with LogMeIn Rescue.
[Suspicious.Path] lmi_rescue.exe(4232) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(4360) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(4580) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermThr]
[Suspicious.Path] lmi_rescue.exe(4820) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe[7] -> Killed [TermProc]
-
Hi signal.vol,
Welcome to Adlice.com Forum!
Thanks for your contribution.
BitDefender's driver will be whitelisted in the next version of RogueKiller.
Regards.
-
Hi ryderjj89,
Windows XP is still fully supported and these processes should be whitelisted in RogueKiller's current version.
Which version did you run?
Regards.
-
hello,
Recently I used RK and found that my cloud security program, Tresorit (tresorit.exe), is flagged as a suspected malicious program. I downloaded it from their official website (https://tresorit.com/). Out of security concern, I have uninstalled Tresorit. But I still want to know whether this is a false positive or a rogue application. Thanks ;D
-
Hi roushi,
This is likely a false positive.
Could you please post the full path of the detected process?
Regards.
-
Sorry Curson, I uninstalled it as soon as it was detected by RK, and I forgot to record the full path of the detected process. :(
-
Hi roushi,
That's no big deal.
I think I managed to discover the location of the executable by myself.
Regards.
-
Hi curson,
I scanned with a newer version of RogueKiller;
however, I got a warning about a userland rootkit (IAT hook).
Here is my log:
RogueKiller V10.5.7.0 (x64) [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : fajar [Administrator]
Started from : F:\New folder\Softwares\RogueKillerX64.exe
Mode : Scan -- Date : 03/24/2015 22:14:42
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) SLEE_18_DRIVER -- \??\C:\WINDOWS\Sleen1864.sys[7] -> Stopped
¤¤¤ Registry : 13 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Partizan (system32\drivers\Partizan.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SLEE_18_DRIVER (\??\C:\WINDOWS\Sleen1864.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLEE_18_DRIVER (\??\C:\WINDOWS\Sleen1864.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8EF8906D-A45A-4663-8558-C4D00C3B3B13} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8EF8906D-A45A-4663-8558-C4D00C3B3B13} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)] -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 61 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53f40 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 35d34ea0725b15bfc5585d344d1a1ee4
[BSP] 9bc2edaef5de5c63af0852ed1c97e416 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381096 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 782796800 | Size: 450 MB
5 - Basic data partition | Offset (sectors): 783718400 | Size: 150704 MB
6 - Basic data partition | Offset (sectors): 1092360192 | Size: 399999 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_03182015_223955.log - RKreport_SCN_03092015_115351.log - RKreport_SCN_03102015_143536.log - RKreport_SCN_03182015_213128.log
RKreport_SCN_03182015_223747.log
I use Bitdefender, Malwarebytes Anti-Malware and Anti-Exploit, and Zemana AntiLogger.
Can you give me clues as to whether this is a false positive or a rootkit?
Thanks a lot
-
Hi roushi,
They are probably false positives.
Could you please give me the full path and name of the following DLL?
C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL
Regards.
-
Hi curson,
I don't know how to find the full path; I'm not an advanced user. However, I searched and found that this .dll file belongs to Zemana AntiLogger (I use the anti-keylogger)
and it is located in:
C:\Program Files (x86)\KeyCryptSDK
thanks
-
Hi roushi,
Thanks for the information.
At first sight, it will be enough to whitelist the dll.
Regards.
-
Hi,
Thank you very much for this very good tool.
I think my computer is safe, but when I scanned with RogueKiller I had 720 suspect elements.
I think they are false positives with these applications:
- Sandboxie (95% of the alerts)
- GData (antivirus)
- Free Download Manager (Lite Edition)
- OneDrive (in the registry)
- SyncCenter (??? by default in Windows I think, but not sure; scan OK on VirusTotal)
I attached the report
Thank you
-
Hi laclac,
These detections are indeed false positives and will be fixed as soon as possible.
Thanks for bringing this to our attention.
Regards.
-
RogueKiller V10.8.4.0 (x64) [Jun 15 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Administrator]
Started from : G:\1a Malware removal\A-Rouge Killer Tech\RogueKillerX64.exe
Mode : Scan -- Date : 06/17/2015 20:03:05
¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] explorer.exe(1612) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll[7] -> Unloaded
¤¤¤ Registry : 2 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3159029859-3327715070-1988989244-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3159029859-3327715070-1988989244-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 36 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] ::1 localhost
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1003FZEX-00MK2 SCSI Disk Device +++++
--- User ---
[MBR] 34259e1b6e4cb47f9b754ce648c27c5f
[BSP] f6b5837cc939bcb42bb962bb25ef3332 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953766 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: ST315005 41AS SCSI Disk Device +++++
--- User ---
[MBR] 8419b53418a44a8df2ae728761506c81
[BSP] 067f6f979de26751f61eeba52c8e72aa : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 1430796 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: SanDisk Extreme USB Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 30532 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_05202015_071126.log - RKreport_DEL_05202015_071233.log - RKreport_SCN_06022015_085035.log - RKreport_SCN_06092015_
-
Hi,
A new false positive, the ESET antivirus:
RogueKiller V10.8.4.0 (x64) [Jun 15 2015] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com
Système d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Démarré en : Mode normal
Utilisateur : stephane.chadeyron [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 06/19/2015 10:04:43
¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] ekrn.exe(1908) -- C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[7] -> Tué(e) [DrvNtTerm]
¤¤¤ Registre : 2 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1618730201-3606924439-1700900945-13376\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Trouvé(e)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1618730201-3606924439-1700900945-13376\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Trouvé(e)
¤¤¤ Tâches : 0 ¤¤¤
¤¤¤ Fichiers : 0 ¤¤¤
¤¤¤ Fichier Hosts : 4 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤
¤¤¤ Navigateurs web : 0 ¤¤¤
¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: ST320LT007-9ZV142 +++++
--- User ---
[MBR] 67cdd999a773c0f41e4ba3a8f11c844d
[BSP] 2dc1c207c6c27aac80441500ced12459 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-
Hi laclac,
Thanks for bringing this false positive to our attention.
It will be fixed as soon as possible.
Regards.
-
Greetings! I registered just to make this post, so I'll use this first line to say "Hey!" and to commend the Adlice Software team for their contributions to the security community. That being said, I'm here to report a false positive.
What?
BOMGAR end-user client
RogueKiller detects the process that this applet creates as malicious and attempts to terminate it. Although RogueKiller is not actually able to terminate the process (thankfully), it highlights the row YELLOW and lists the status as "Killed".
STATUS: Killed [TermProc]
DETECTION: VT.Unknown
NAME: bomgar-scc.exe
PATH: C:\ProgramData\bomgar-scc-0x55846070\bomgar-scc.exe
Thanks for your help. Please let me know if any additional information is required. My company is a RogueKiller Premium licensee.
-
Hi o_ryry,
Welcome to Adlice.com Forum.
Thanks for supporting our product.
This process will be whitelisted in RogueKiller's next release. :)
Regards.
-
¤¤¤ Prozesse : 1 ¤¤¤
[AV.Killer] avp.exe(1656) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe[7] -> beendet [DrvNtTerm]
No idea what happened there, but suddenly it showed Kaspersky as a threat. I'd presume it's just a false positive.
It seems like there was a patch (http://forum.kaspersky.com/index.php?showtopic=325739); maybe that caused the issue.
-
I'm getting the following error:
¤¤¤ Processes : 1 ¤¤¤
[AV.Killer] LogMeIn.exe(3112) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe[7] -> Killed [TermProc]
I use the paid LogMeIn service all the time. Is there something wrong with this executable or is this just a "false positive"?
Jim
-
Hi coldi, hi Jim1108
Welcome to Adlice.com Forum.
These entries are indeed false positives. Thanks for bringing them to our attention.
This will be fixed as soon as possible.
Regards.
-
I think this one has already been reported, but here it is:
¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus|AV.Killer] mbamservice.exe(3092) -- D:\Programs\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]
Can this be ignored? I'm confused because I have 2 PCs running Malwarebytes and this one reports this process and my other PC does not - both same version of RogueKiller.
-
Hi Nathalie,
You are running mbamservice.exe from an unusual location. This is the reason why RogueKiller detects it as a threat.
You can totally ignore it. :)
Regards.
-
Hi Curson,
Yes, I have an SSD so I keep most programs on the D:\ drive instead. Ok thanks for clarifying.
- Natalie.
-
Hi Natalie,
You are very welcome. ;)
Regards.
-
Hi Curson,
One more for you:
¤¤¤ Processes : 1 ¤¤¤
[VT.Generic.317] Panda_URL_Filteringb.exe(7964) -- C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe[7] VT(6) -> Killed [TermProc]
Safe to ignore?
Using Panda AV on my Media PC.
Thanks.
-
Hi Tigzy,
I would like to report FP:
[Proc.RunPE] hasplms.exe(1728) -- C:\Windows\System32\hasplms.exe[7] -> Zastaveno [TermProc]
[VT.Unknown] IRPnlServer.exe(368) -- C:\Program Files\Inner Range\Insight\IRPnlServer.EXE[-] -> Zastaveno [TermProc]
[VT.Unknown] IRLaunchPad.exe(3428) -- C:\Program Files\Inner Range\Insight\IRLaunchPad.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] IRDBTaskbar.exe(3452) -- C:\Program Files\Inner Range\Insight\IRDBTaskbar.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] Graphics.exe(3964) -- C:\Program Files\Inner Range\Insight\Graphics.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] IRDBService.exe(3496) -- C:\Program Files\Inner Range\Insight\IRDBService.EXE[-] -> Zastaveno [TermProc]
[VT.Unknown] IRTracker.exe(1012) -- C:\Program Files\Inner Range\Insight\IRTracker.EXE[-] -> Zastaveno [TermProc]
hasplms.exe
http://www.file.net/process/hasplms.exe.html
Inner Range\Insight
It is the software used by security guards (anti-burglar software).
Regards,
vyosek
-
Greetings from a new Technician license user. As a tech, I use all kinds of tools that are likely to be flagged as malware. Having just started using the program, I'm reluctant to do a scan on my main system for fear of quarantining my tools. In the pre-scan, I see it killed AmmyyAdmin (my remote support program, renamed to "Sabo Remote Support.exe") and TrayIt! (a utility I depend upon).
I'm going to hold off on doing the actual scan until I've made a fresh drive image, but am asking for assurance that the scan will offer the option to whitelist whatever it considers malicious and not remove the items until I approve. That option is not in the pre-scan, and it killed off processes I need.
-
Hi Natalie,
Yes, it's safe.
Thanks for reporting it. :)
Regards.
-
Hi vyosek,
Thanks for reporting this false positive.
It will be whitelisted as soon as possible.
Regards.
-
Hi LarrySabo,
Welcome to Adlice.com Forum.
Thanks for supporting our product. :)
RogueKiller won't quarantine any files during the pre-scan or the scan itself. You are able to select the files to be deleted/quarantined after the scan is complete.
That being said, could you please provide a sample RogueKiller scan log showing the detections, so that we can whitelist the legit items?
Regards.
-
Thanks, Curson. I'll do a scan sometime today or tomorrow and post the log.
Cheers, Larry
-
Hi again. Just did a scan (after imaging my system drive as a precaution). Scan log is attached. Not sure the JSON file format is what you prefer, so I attached both the JSON and the text format.
-
Hi everyone, I'm a new member, please correct me if I'm wrong on this:
¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E673EA29-A1AA-4851-8940-0922B5D15F24} | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E673EA29-A1AA-4851-8940-0922B5D15F24} | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E673EA29-A1AA-4851-8940-0922B5D15F24} | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][X][AUSTRALIA (AU)][-]) -> Found
I replaced the actual IP addresses with square brackets [IP of DNS 1, 2, 3].
I think this is a false positive, as these are the IP addresses assigned by my ISP (Optus Cable; double-checked the router status settings and with a ping -a on all the IPs). I've never had this before, but now with a cable modem, which I'm not sure why exactly, it must reconfigure my DhcpNameServers.
Can anyone else confirm? Or do I have malware lol. Also I love this product, a must-have in a suite of tools.
-
Hi LarrySabo,
Thanks for the feedback.
You are running AMMYY Admin Remote Control from an unusual location. This is the reason why RogueKiller detects it as a threat.
ESET SysInspector, Copy and Lightshot will be whitelisted in the next version of RogueKiller. TrayIt! was not present in the report.
Regards.
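An added example, not code from RogueKiller or from this thread: a small Python helper that parses the Processes lines posted here and applies the "unusual location" heuristic Curson describes for mbamservice.exe and AMMYY Admin, plus a check that the process name matches the file on disk. The allowlist of expected install roots is a constructed assumption for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# One RogueKiller "Processes" detection line, as posted in this thread, e.g.
#   [Tr.Zeus|AV.Killer] mbamservice.exe(3092) -- D:\Programs\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]
#   [VT.Generic.317] Panda_URL_Filteringb.exe(7964) -- C:\ProgramData\...\Panda_URL_Filteringb.exe[7] VT(6) -> Killed [TermProc]
# The status word is localized ("Killed", "Tué(e)", "Zastaveno"), so it is matched loosely.
LINE_RE = re.compile(
    r"^\[(?P<cats>[^\]]+)\]\s+"            # detection categories, "|"-separated
    r"(?P<name>\S+)\((?P<pid>\d+)\)\s+"    # image name and PID
    r"--\s+(?P<path>.+?)"                  # full path, up to the [..] flag
    r"\[(?P<flag>[^\]]*)\]"                # e.g. [7] or [-]
    r"(?:\s+VT\((?P<vt>\d+)\))?"           # optional VirusTotal hit count
    r"\s+->\s+(?P<status>.+?)"             # localized status word
    r"\s+\[(?P<method>[^\]]+)\]\s*$"       # termination method, e.g. [TermProc]
)

# Constructed allowlist of expected install roots per image name. This is an
# assumption made for the example, not RogueKiller's actual whitelist.
EXPECTED_ROOTS = {
    "mbamservice.exe": [r"C:\Program Files\Malwarebytes Anti-Malware",
                        r"C:\Program Files (x86)\Malwarebytes Anti-Malware"],
    "ekrn.exe": [r"C:\Program Files\ESET"],
    "avp.exe": [r"C:\Program Files (x86)\Kaspersky Lab"],
}


@dataclass
class Detection:
    categories: List[str]
    name: str
    pid: int
    path: str
    vt_hits: Optional[int]
    status: str
    method: str


def parse_line(line: str) -> Optional[Detection]:
    """Parse one Processes line; return None if it is not a process detection."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Detection(
        categories=m["cats"].split("|"),
        name=m["name"],
        pid=int(m["pid"]),
        path=m["path"],
        vt_hits=int(m["vt"]) if m["vt"] else None,
        status=m["status"],
        method=m["method"],
    )


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; ntpath normalizes them on any host OS.
    return ntpath.normpath(p).lower()


def triage(line: str) -> str:
    """Classify one detection line for false-positive review."""
    det = parse_line(line)
    if det is None:
        return "parse-error"
    # A process whose image name differs from the on-disk file name is
    # masquerading, regardless of where it lives.
    if ntpath.basename(det.path).lower() != det.name.lower():
        return "name-mismatch"
    roots = EXPECTED_ROOTS.get(det.name.lower())
    if roots is None:
        return "unknown-image"          # not allowlisted: needs manual review
    for root in roots:
        if _norm(det.path).startswith(_norm(root) + "\\"):
            return "expected-location"  # known product in its usual install dir
    return "unusual-location"           # known product launched from elsewhere
```

Short 8.3 paths such as C:\PROGRA~2\... are not expanded by this helper and will land in "unusual-location"; resolve them before triage.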
-
Hi offchopx,
Welcome to Adlice.com Forum.
Such entries are indeed perfectly legit.
Regards.
-
I am wondering if someone could explain if these results are legitimate rootkits or not:
¤¤¤ Antirootkit : 45 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e11fee0f000000
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e11fee22000000
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x41e11200ca000000
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x41e108c571000000
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x41e11ff1f2000000
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x41e11ff070000000
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x41e11ff1b1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x41e11201e1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x41e11ff1c6000000
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x41e11ff00d000000
-
Hi AAVmech2141,
Welcome to Adlice.com Forum.
Could you please copy/paste RogueKiller's full report in your next post?
Regards.
-
Sorry, here is the complete log:
RogueKiller V10.9.3.0 [Jul 21 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Users\User\Downloads\RogueKiller.exe
Mode : Scan -- Date : 07/21/2015 16:08:39
¤¤¤ Processes : 30 ¤¤¤
[Proc.Injected] ccSvcHst.exe(3748) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe[7] -> Killed [TermProc]
[Proc.Injected] dwm.exe(3900) -- C:\Windows\System32\dwm.exe
[Proc.Injected] taskhost.exe(3944) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] explorer.exe(3996) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxtray.exe(3240) -- C:\Windows\System32\igfxtray.exe[7] -> Killed [TermProc]
[Proc.Injected] hkcmd.exe(3528) -- C:\Windows\System32\hkcmd.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxpers.exe(3224) -- C:\Windows\System32\igfxpers.exe[7] -> Killed [TermProc]
[Proc.Injected] SPEnroll.exe(3984) -- C:\Windows\System32\SPEnroll.exe[7] -> Killed [TermProc]
[Proc.Injected] lync.exe(3740) -- C:\Program Files\Microsoft Office 15\root\office15\lync.exe[7] -> Killed [TermProc]
[Proc.Injected] AeXAgentUIHost.exe(5456) -- C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe[7] -> Killed [TermProc]
[Proc.Injected] OUTLOOK.EXE(4384) -- C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[7] -> Killed [TermProc]
[Proc.Injected] taskhost.exe(7844) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] hpqtra08.exe(760) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[7] -> Killed [TermProc]
[Proc.Injected] taskeng.exe(7420) -- C:\Windows\System32\taskeng.exe[7] -> Killed [TermProc]
[Proc.Injected] hpwuschd2.exe(6424) -- C:\Program Files\HP\HP Software Update\hpwuschd2.exe[7] -> Killed [TermProc]
[Proc.Injected] ScanToPCActivationApp.exe(2764) -- C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\ScanToPCActivationApp.exe[7] -> Killed [TermProc]
[Proc.Injected] rundll32.exe(3776) -- C:\Windows\System32\rundll32.exe[7] -> Killed [TermProc]
[Proc.Injected] iexplore.exe(6600) -- C:\Program Files\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Proc.Injected] EXCEL.EXE(7952) -- C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE[7] -> Killed [TermProc]
[Proc.Injected] AeXAgentUIHost.exe(6668) -- C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe[7] -> Killed [TermProc]
[Proc.Injected] ccSvcHst.exe(7960) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe[7] -> Killed [TermProc]
[Proc.Injected] dwm.exe(7776) -- C:\Windows\System32\dwm.exe
[Proc.Injected] taskhost.exe(6096) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] explorer.exe(6976) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] hkcmd.exe(484) -- C:\Windows\System32\hkcmd.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxpers.exe(7056) -- C:\Windows\System32\igfxpers.exe[7] -> Killed [TermProc]
[Proc.Injected] SPEnroll.exe(5628) -- C:\Windows\System32\SPEnroll.exe[7] -> Killed [TermProc]
[Proc.Injected] mswinext.exe(5728) -- C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe[7] -> Killed [TermProc]
[Proc.Injected] hpwuschd2.exe(5508) -- C:\Program Files\HP\HP Software Update\hpwuschd2.exe[7] -> Killed [TermProc]
[Proc.Injected] hpqtra08.exe(1968) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[7] -> Killed [TermProc]
¤¤¤ Registry : 12 ¤¤¤
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : andeconnect.andent.andersonsinc.com -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-51550\Software\Microsoft\Internet Explorer\Main | Start Page : http://andeconnect.andent.andersonsinc.com/wps/portal/Andeconnect/andehome -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : andeconnect.andent.andersonsinc.com -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]) -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-51550\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-78429\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 45 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e11fee0f000000
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e11fee22000000
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x41e11200ca000000
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x41e108c571000000
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x41e11ff1f2000000
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x41e11ff070000000
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x41e11ff1b1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x41e11201e1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x41e11ff1c6000000
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x41e11ff00d000000
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x41e11200ea000000
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x41e11212b1000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x41e11ff085000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x41e11ff094000000
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x41e108eb4f000000
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x41e112129e000000
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x41e11ff05d000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x41e11201d0000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x41e11200db000000
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x41e11ff037000000
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x41e11201bf000000
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x41e11ff1dd000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x41e11ff19c000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x41e11ff187000000
[SSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[277] : Unknown @ 0x41e11ff172000000
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x41e11fee35000000
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x41e11fee6e000000
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x41e11fee81000000
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x41e11ff020000000
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x41e11ff04a000000
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x41e11fee48000000
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x41e1121598000000
[SSDT:Addr(Hook.SSDT)] unknown[371] : Unknown @ 0x41e11fee5b000000
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x41e112128b000000
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x41e11212c2000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x41e1564064000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x41e1550977000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x41e1561f69000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x41e1550885000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x41e1556f17000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x41e1504ce7000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x41e1563d98000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x41e0b5a2ff000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x41e1508cc5000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x41e0b58222000000
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST250DM000-1BD141 +++++
--- User ---
[MBR] aef303c4bef24d2153d8a81fad4f5016
[BSP] 000d6524b2f3e7099403d0f2ac284232 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 612 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1255424 | Size: 237861 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-
Hi AAVmech2141,
Those hooks and [Proc.Injected] detections seem linked to Symantec Endpoint Protection.
Please follow this process.
- Restart your computer.
- Download Process Explorer (http://live.sysinternals.com/procexp.exe) and save it to your desktop.
- Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
- Locate the process named taskeng.exe, right click select Create Dump > Create Full Dump...
- Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
- Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.
Regards.
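Added example, written for this page and not part of the post above nor of RogueKiller itself: a way to triage an SSDT / Shadow SSDT hook list like the one posted before trusting a whitelist-by-name. The category sets are an editor's heuristic, not an Adlice list: a behaviour-blocking product (HIPS, anti-exploit, AV self-protection) hooks the syscalls used for injection, driver loading and keystroke capture, which is the profile the post attributes to Symantec Endpoint Protection, while a rootkit that is hiding hooks the enumeration syscalls instead. The first sample is a subset of the real lines from the report; the second is constructed (placeholder indices and addresses) to show the contrasting case.

```python
"""Triage RogueKiller SSDT / Shadow SSDT hook lines by what the hooked syscalls do.

Added example, not RogueKiller code. The category sets are an editor's heuristic,
not an Adlice whitelist.
"""
import re
from collections import Counter

# Syscalls a HIPS / anti-exploit / AV self-protection driver hooks to watch code
# injection and process tampering (the set attributed to SEP in the report above).
INJECTION = {
    "NtOpenProcess", "NtOpenThread", "NtOpenProcessToken", "NtAllocateVirtualMemory",
    "NtFreeVirtualMemory", "NtProtectVirtualMemory", "NtReadVirtualMemory",
    "NtWriteVirtualMemory", "NtMapViewOfSection", "NtUnmapViewOfSection",
    "NtCreateThread", "NtCreateThreadEx", "NtQueueApcThread", "NtQueueApcThreadEx",
    "NtSetContextThread", "NtResumeThread", "NtSuspendThread", "NtSuspendProcess",
    "NtAlertThread", "NtAlertResumeThread", "NtTerminateProcess", "NtDuplicateObject",
    "NtDebugActiveProcess", "NtSetInformationProcess", "NtAssignProcessToJobObject",
    "NtImpersonateThread", "NtImpersonateAnonymousToken",
}
# Both get code into the kernel (NtSetSystemInformation can load a driver too).
KERNEL_LOAD = {"NtLoadDriver", "NtSetSystemInformation"}
# win32k syscalls a keylogger relies on, so anti-keylogging features guard them.
INPUT_CAPTURE = {
    "NtUserGetAsyncKeyState", "NtUserGetKeyState", "NtUserGetKeyboardState",
    "NtUserGetRawInputData", "NtUserSetWindowsHookEx", "NtUserSetWinEventHook",
    "NtUserAttachThreadInput", "NtUserMessageCall", "NtUserPostMessage",
    "NtUserPostThreadMessage",
}
# Syscalls a hiding rootkit hooks to filter processes, files and registry keys
# out of what the system reports. These are the real warning sign.
STEALTH = {
    "NtQuerySystemInformation", "NtQueryDirectoryFile", "NtEnumerateKey",
    "NtEnumerateValueKey", "NtOpenKey", "NtQueryInformationProcess",
    "NtDeviceIoControlFile",
}
CATEGORIES = (("stealth", STEALTH), ("injection", INJECTION),
              ("kernel-load", KERNEL_LOAD), ("input-capture", INPUT_CAPTURE))

# "[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x41e11201d0000000"
HOOK_RE = re.compile(
    r"^\[(?P<table>SSDT|ShwSSDT):Addr\([^)]*\)\]\s+"
    r"(?P<func>\w+)\[(?P<index>\d+)\]\s*:\s*(?P<module>\S+)\s*@\s*(?P<addr>0x[0-9a-fA-F]+)"
)


def parse_hooks(report):
    """One dict per SSDT/Shadow SSDT hook line; every other report line is ignored."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({**m.groupdict(), "index": int(m["index"])})
    return hooks


def classify(func):
    return next((name for name, members in CATEGORIES if func in members), "other")


def triage(report):
    hooks = parse_hooks(report)
    counts = Counter(classify(h["func"]) for h in hooks)
    stealth = sorted(h["func"] for h in hooks if classify(h["func"]) == "stealth")
    unresolved = sum(1 for h in hooks if h["module"] == "Unknown")
    if stealth:
        verdict = "suspicious: enumeration syscalls are hooked, typical of a hiding rootkit"
    elif counts["injection"] + counts["input-capture"] >= 5:
        verdict = ("consistent with a behaviour-blocking security product; identify the "
                   "driver that owns the hook addresses before whitelisting")
    else:
        verdict = "inconclusive: too few hooks to characterise"
    return {"total": len(hooks), "counts": dict(counts), "unresolved": unresolved,
            "stealth": stealth, "verdict": verdict}


# Ten of the hook lines from the report above (real RogueKiller output).
SEP_SAMPLE = """\
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x41e11200ca000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x41e11ff1c6000000
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x41e108eb4f000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x41e11201d0000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x41e11ff19c000000
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x41e11ff020000000
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x41e11212c2000000
[SSDT:Addr(Hook.SSDT)] unknown[371] : Unknown @ 0x41e11fee5b000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x41e1550977000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x41e1508cc5000000
"""

# Constructed contrast case (placeholder indices and addresses, not real output).
ROOTKIT_SAMPLE = """\
[SSDT:Addr(Hook.SSDT)] NtQuerySystemInformation[1] : Unknown @ 0x1000
[SSDT:Addr(Hook.SSDT)] NtQueryDirectoryFile[2] : Unknown @ 0x1010
[SSDT:Addr(Hook.SSDT)] NtEnumerateKey[3] : Unknown @ 0x1020
"""
```

The `module` column is what RogueKiller could resolve; "Unknown" on every line means it could not map the hook address to a loaded driver, which is why the dump was requested above. The verdict is a prior for that investigation, not a replacement for it.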
-
Here is the link for the taskeng.exe compressed file:
https://drive.google.com/open?id=0B-odu-iO-tYIa2VTa0tuRHFWNVU
Thank you!
-
Hi AAVmech2141,
I don't have access to the file.
Could you please make it public access ?
Regards.
-
Sorry I didn't catch that and thanks for working with me. It should be good now.
https://drive.google.com/file/d/0B-odu-iO-tYIa2VTa0tuRHFWNVU/view?usp=sharing
-
Hi AAVmech2141,
Symantec Endpoint Protection is indeed the culprit.
These false positives will be fixed in the next version of RogueKiller. Thanks for reporting them.
Regards.
-
Curson,
Awesome thank you so much for your help.
-
Curson,
FYI, RogueKiller only acted like that towards Symantec Endpoint Protection on a 32-bit OS, not on 64-bit.
-
Hi AAVmech2141,
You are very welcome.
Symantec Endpoint Protection was already whitelisted on 64-bit OSes but, for some reason, not on 32-bit ones. ;)
Regards.
-
RogueKiller won't quarantine any files during the pre-scan and the scan itself. You are able to select the files to be deleted/quarantined after the scan is complete.
Hi again,
RogueKiller terminates any Ammyy Admin processes during the pre-scan, which makes it impossible for me to use the product remotely, since Ammyy is my remote support app. Is there a way to tell RogueKiller to exempt this or other specified processes?
Larry
-
Hi LarrySabo,
Yes, you can achieve this using RogueKiller External Scanner.
For more information, please read : RogueKiller External Scanner (http://www.adlice.com/softwares/roguekiller/external-scanner/).
Regards.
-
Hey all,
@LarrySabo you can also give us a scan report and we will whitelist it.
Thanks.
-
Hello, are these false positives or is my computer infected ?
¤¤¤ Registry : 3 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VBoxAswDrv (\??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys) -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2406841604-1318200101-2111424369-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2406841604-1318200101-2111424369-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
Thanks
-
Hi ATUONA,
Welcome to Adlice.com Forum.
The following entry is a false positive. Thanks for bringing it to our attention.
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VBoxAswDrv (\??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys) -> Found
It will be whitelisted as soon as possible.
The other entries are Potentially Unwanted Modifications (PUM). In your case, they are perfectly legit.
Regards.
-
Hey Guys
I'm new to this forum but I've been using RogueKiller for some time. I downloaded the latest version and scanned my laptop. The only problem is I get the results attached below showing up, and I'm not sure if they are false positives or if I've been infected.
I have scanned the system using ESET and Malwarebytes Anti-Malware (latest versions) and nothing comes up as infected.
Please can you verify this. Thanks
Below is my attached Log file of RogueKiller
-
Hi oscarxp,
Welcome to Adlice.com Forum.
These hooks seem legit.
Regards.
-
Hello All,
Updated to 10.10.1.0, ran a scan and noticed IAT hooks in the 'AntiRootKit' tab. Just wondering whether these are false positives, or if I am still infected. I use the word "still" because I recently dealt with the Conduit virus.
I have run MWB Anti-Malware, AdwCleaner, HitmanPro and find no remaining traces. I also ran MWB Anti-Rootkit, Bootkit Removal (BitDefender), TDSSKiller (Kaspersky) and of course RogueKiller. RogueKiller is the only scan to detect these IAT hooks. Log attached.
Thanks in advance,
-
Hi Nickerbocker,
Welcome to Adlice.com Forum.
These hooks are legit.
Regards.
-
Hi oscarxp,
Welcome to Adlice.com Forum.
These hooks seem legit.
Regards.
Thanks, but I did a new scan and now it shows my svchost.exe(4616) was terminated as if it's infected.
I have scanned with ESET and Malwarebytes Anti-Malware and they show nothing infected. Is this another false positive? I have attached the new scan log.
-
Hi oscarxp,
Could you please attach RogueKiller JSON report in your next post ?
Regards.
-
Hi oscarxp,
Could you please attach RogueKiller JSON report in your next post ?
Regards.
Here I have done a new scan with the new RogueKiller and attached both the txt and JSON files.
-
¤¤¤ Processes : 3 ¤¤¤
[VT.Trojan/Win32.BTSGeneric] Service_KMS.exe(2664) -- C:\Program Files\KMSpico\Service_KMS.exe[-] -> Killed [TermProc]
[VT.Unknown] EpicGamesLauncher.exe(7504) -- F:\Program Files\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe[7] -> Killed [TermProc]
[VT.Unknown] UnrealCEFSubProcess.exe(4892) -- F:\Program Files\Epic Games\Launcher\Engine\Binaries\Win64\UnrealCEFSubProcess.exe[7] -> Killed [TermThr]
¤¤¤ Registry : 3 ¤¤¤
[VT.Unknown] (X64) HKEY_USERS\S-1-5-21-2703859281-3180650423-3785014512-1001\Software\Microsoft\Windows\CurrentVersion\Run | EADM : "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart [7] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
-
Hi oscarxp,
There is probably a bug with such detection. We are working on it.
Thanks for bringing this to our attention.
Regards.
-
Hi WaterBourne,
[VT.Trojan/Win32.BTSGeneric] Service_KMS.exe(2664) -- C:\Program Files\KMSpico\Service_KMS.exe[-] -> Killed [TermProc]
This program is used to trick the Windows activation scheme and is flagged by VirusTotal. It won't be whitelisted.
[VT.Unknown] EpicGamesLauncher.exe(7504) -- F:\Program Files\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe[7] -> Killed [TermProc]
[VT.Unknown] UnrealCEFSubProcess.exe(4892) -- F:\Program Files\Epic Games\Launcher\Engine\Binaries\Win64\UnrealCEFSubProcess.exe[7] -> Killed [TermThr]
¤¤¤ Registry : 3 ¤¤¤
[VT.Unknown] (X64) HKEY_USERS\S-1-5-21-2703859281-3180650423-3785014512-1001\Software\Microsoft\Windows\CurrentVersion\Run | EADM : "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart [7] -> Found
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit and necessary to access the Internet.
For more information, please read RogueKiller Documentation (http://www.adlice.com/softwares/roguekiller/documentation/).
Regards.
-
Hi oscarxp,
There is probably a bug with such detection. We are working on it.
Thanks for bringing this to our attention.
Regards.
Thanks for the reply. So do I need to do anything?
-
Hi oscarxp,
No, you don't need to do anything at all.
Regards.
-
Hello All:
While running version 10.10.6.0, the following was reported, in part, regarding Malwarebytes Anti-Exploit (MBAE) version 1.08.1.1025 Beta Preview:
¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] mbae64.exe(3972) -- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[7] -> Killed [DrvNtTerm]
Manually submitting the identical mbae64.exe file to VirusTotal.com, yielded https://www.virustotal.com/en/file/abc0a4e0ae2485862b54f92fa7c90e39959730dab6b441e3603f6bdff270e0b0/analysis/1442859057/ (https://www.virustotal.com/en/file/abc0a4e0ae2485862b54f92fa7c90e39959730dab6b441e3603f6bdff270e0b0/analysis/1442859057/)
The version of MBAE in question may be downloaded from https://malwarebytes.box.com/s/2nhlislxnicldrtfs6qx073pa2rrk0zz (https://malwarebytes.box.com/s/2nhlislxnicldrtfs6qx073pa2rrk0zz)
Please examine these reports and reply with your theory as to what is happening.
Thank you.
-
Hi 1PW,
Welcome to Adlice.com Forum.
This entry shows up because the file was not present in the VirusTotal database at the time of the scan. If you allowed the file to be uploaded, it won't appear anymore.
Regards.
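Added example, not Adlice's code and not part of the exchange above: doing the VT.Unknown check yourself, the way the previous post did by hand. It parses a [VT.*] process line from a RogueKiller report to get the file path, hashes the file with SHA-256 (the hash form VirusTotal's URLs use), and asks VirusTotal's v3 file endpoint about that hash; a 404 is exactly the "not in the database yet" case the reply describes. The HTTP call sits behind a `fetch` callable so the verdict logic runs offline against a constructed stand-in; the real call assumes you have a VirusTotal API key, and the free tier rate-limits it.

```python
"""Do the VT.Unknown lookup yourself: file path from a RogueKiller line, SHA-256,
VirusTotal v3 file lookup. Added example, not RogueKiller code.
"""
import hashlib
import json
import re
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# "[VT.Unknown] mbae64.exe(3972) -- C:\...\mbae64.exe[7] -> Killed [DrvNtTerm]"
PROC_LINE_RE = re.compile(
    r"^\[(?P<detection>VT\.[^\]]+)\]\s+(?P<image>\S+)\((?P<pid>\d+)\)\s+--\s+"
    r"(?P<path>.+?)\[[^\]]*\]\s*->\s*(?P<action>.+)$"
)


def parse_process_line(line):
    """Fields of a [VT.*] process line, or None for any other report line."""
    m = PROC_LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    return d


def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def vt_fetch(api_key):
    """Real lookup (needs network + key). Returns (http_status, parsed_json);
    404 means the hash is unknown to VirusTotal."""
    def fetch(sha256):
        req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                     headers={"x-apikey": api_key})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as e:
            return e.code, {}
    return fetch


def vt_verdict(sha256, fetch, flagged_threshold=3):
    """Collapse a lookup into: unknown / clean / low-confidence / flagged / error."""
    status, body = fetch(sha256)
    if status == 404:
        return {"state": "unknown", "flagged": 0, "engines": 0,
                "advice": "not in VirusTotal yet: upload it (or let RogueKiller) and rescan later"}
    if status != 200:
        return {"state": "error", "flagged": 0, "engines": 0, "advice": f"HTTP {status}"}
    stats = body["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    if flagged >= flagged_threshold:
        state, advice = "flagged", "several engines detect it; treat as malicious until shown otherwise"
    elif flagged:
        state, advice = "low-confidence", "one or two engines flag it; check vendor names and the signer"
    else:
        state, advice = "clean", "known to VirusTotal, no detections"
    return {"state": state, "flagged": flagged, "engines": engines, "advice": advice}


def constructed_db():
    """Offline stand-in for VirusTotal: constructed hashes and stats, not real VT data.
    Returns (fetch, hash_of_clean_sample, hash_of_flagged_sample)."""
    clean = hashlib.sha256(b"constructed clean sample").hexdigest()
    bad = hashlib.sha256(b"constructed malicious sample").hexdigest()

    def stats(malicious, undetected):
        return {"data": {"attributes": {"last_analysis_stats": {
            "malicious": malicious, "suspicious": 0, "undetected": undetected, "harmless": 0}}}}

    db = {clean: stats(0, 60), bad: stats(41, 19)}

    def fetch(sha256):
        return (200, db[sha256]) if sha256 in db else (404, {})
    return fetch, clean, bad
```

For a real report, pair the two halves: `parse_process_line(line)["path"]` gives the file, `sha256_of_file(path)` the hash, and `vt_verdict(hash, vt_fetch(api_key))` the state. A "clean" answer only means no engine flags a file VirusTotal has already seen; a signed binary from a known vendor is the stronger evidence, and an unsigned "clean" file in ProgramData still deserves a look.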
-
The above FP is gone now.
Thank you.
-
Hi 1PW,
You are welcome.
Regards.
-
Are these legit... code... whatever... Or is it just a false alert? I'm confused because RogueKiller suddenly found these IAT hooks on my PC... Copy-pasting the log...
Please help a confused fellah ;__;
RogueKiller V10.10.9.0 (x64) [Oct 5 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Niko [Administrator]
Started from : C:\Users\Niko\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 10/07/2015 11:40:24
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\Niko\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\Niko\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\Niko\AppData\Local\Temp\ALSysIO64.sys) -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 30 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x772201e0 (jmp 0x161140|jmp 0xfffffffffffffe19|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x772203a0 (jmp 0x162650|jmp 0xfffffffffffffc59|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x77220380 (jmp 0x162610|jmp 0xfffffffffffffc79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x772202c0 (jmp 0x162490|jmp 0xfffffffffffffd39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtNotifyChangeKey : Unknown @ 0x77220480 (jmp 0x161bf0|jmp 0xfffffffffffffb79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x772203d0 (jmp 0x162760|jmp 0xfffffffffffffc29|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x772202d0 (jmp 0x162520|jmp 0xfffffffffffffd29|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtAssignProcessToJobObject : Unknown @ 0x77220390 (jmp 0x162160|jmp 0xfffffffffffffc69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtSetContextThread : Unknown @ 0x772203f0 (jmp 0x161510|jmp 0xfffffffffffffc09|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77220300 (jmp 0x1624b0|jmp 0xfffffffffffffcf9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77220360 (jmp 0x162750|jmp 0xfffffffffffffc99|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtNotifyChangeMultipleKeys : Unknown @ 0x77220490 (jmp 0x161bf0|jmp 0xfffffffffffffb69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77220440 (jmp 0x162990|jmp 0xfffffffffffffbb9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateIoCompletion : Unknown @ 0x77220340 (jmp 0x162020|jmp 0xfffffffffffffcb9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSection : Unknown @ 0x77220310 (jmp 0x1625f0|jmp 0xfffffffffffffce9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSemaphore : Unknown @ 0x772202a0 (jmp 0x161e90|jmp 0xfffffffffffffd59|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSemaphore : Unknown @ 0x772202b0 (jmp 0x161920|jmp 0xfffffffffffffd49|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateMutant : Unknown @ 0x77220280 (jmp 0x161f00|jmp 0xfffffffffffffd79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenMutant : Unknown @ 0x77220290 (jmp 0x161950|jmp 0xfffffffffffffd69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateTimer : Unknown @ 0x77220320 (jmp 0x161ee0|jmp 0xfffffffffffffcd9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenTimer : Unknown @ 0x77220330 (jmp 0x161960|jmp 0xfffffffffffffcc9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateThreadEx : Unknown @ 0x772203c0 (jmp 0x161f90|jmp 0xfffffffffffffc39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x772203e0 (jmp 0x162500|jmp 0xfffffffffffffc19|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenThread : Unknown @ 0x77220370 (jmp 0x1619b0|jmp 0xfffffffffffffc89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSuspendThread : Unknown @ 0x77220420 (jmp 0x161290|jmp 0xfffffffffffffbd9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x77220470 (jmp 0x162270|jmp 0xfffffffffffffb89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtQueueApcThreadEx : Unknown @ 0x77220430 (jmp 0x161770|jmp 0xfffffffffffffbc9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ GDI32.dll) ntdll.dll - NtVdmControl : Unknown @ 0x77220270 (jmp 0x160ff0|jmp 0xfffffffffffffd89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenEventPair : Unknown @ 0x772202f0 (jmp 0x161a20|jmp 0xfffffffffffffd09|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ WS2_32.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x772201d0 (jmp 0x161a30|jmp 0xfffffffffffffe29|call 0x5)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-75M2NA0 ATA Device +++++
--- User ---
[MBR] 6bff5770c03e7cd9ad8c283232419a35
[BSP] 073100360ba840d05d0fb98b809d619c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-
Hi Kaitengiri,
Welcome to Adlice.com Forum.
Those hooks are legit.
Regards.
-
[Hj.Name] (X64) HKEY_USERS\RK_Default_ON_G_5317\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [7]
[Hj.Name] (X86) HKEY_USERS\RK_Default_ON_G_5317\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [7]
-
Hi malware1,
Thanks for the report.
We will do our best to whitelist it in RogueKiller's next release.
Regards.
-
Hey Admins
It's been a while, so I decided to do some checks on my PC. I downloaded the latest version of RogueKiller and there seems to be some stuff detected again. Now I'm not sure if they are false positives, as I have also scanned the system using ESET and Malwarebytes Anti-Malware (latest versions) and nothing comes up as infected.
I have attached files, please do check and let me know.
-
Hi oscarxp,
The following entry is indeed a false positive. Thanks for reporting it.
[Proc.Svchost] svchost.exe(6920) -- [x] -> Killed [TermThr]
We will do our best to fix it as soon as possible.
Regards.
-
Hi there, I happened to stumble onto something again and I kind of think it's a false positive. A check with the latest RK11 found:
¤¤¤ Registry : 1 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Partner -> Found
The registry folder looks like this http://i.imgur.com/lHLwnzQ.png (not my screenshot)
best regards
-
Hi coldi,
This entry is not a false positive. It is linked to adware DealPly.
I advise you to remove it.
Regards.
-
Mhh, OK, I'll remove the key, but it's a bit odd: I can't observe any strange behaviour related to the description of the adware. Funnily enough, I asked around a bit and that particular key seems to exist on a couple of Windows 10 systems without showing symptoms. Anyway, interesting, thanks for the information.
-
Hi coldi,
You are welcome.
This entry seems to be a leftover, so it presents no threat. ;)
Regards.
-
This can't be right, no other program (TDSSKiller, aswMBR, MBAM, ...) finds anything :-\
(files section)
Also: I use a patched tcpip.sys to remove the half-open connection limit; I uploaded the file to VirusTotal and nothing was found.
-
Hi trooper,
Welcome to Adlice.com Forum.
Thanks for your feedback.
These entries are indeed false positives. They will be fixed in RogueKiller's next release.
Regards.
-
Hey admins
I just installed the new version and did a scan on my system, but there seem to be lots of false positives. Can you please have a look and clarify?
Attached files.
Thank you
-
Hi oscarxp,
[VT.Unknown] IDMan.exe(8964) -- C:\Program Files\Internet Download Manager\IDMan.exe[-] -> Killed [TermProc]
[VT.Unknown] egui.exe(7280) -- C:\Program Files\ESET\ESET Smart Security\egui.exe[7] -> Killed [TermProc]
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.
For the other entries, we will whitelist them as soon as possible.
Thanks for your feedback.
Regards.
-
Hey Guys
Happy New Year, today downloaded new version and did a scan
And I get some hidden ADS reported as malware, plus the registry also shows some entries.
Can you check if this is not a false positive please thanks.
files attached
-
Hi oscarxp,
Happy New Year!
This ADS detection is a known false positive. It will be fixed in RogueKiller next release.
Regards.
-
Pydio is software for synchronizing your Pydio cloud (like Dropbox).
[VT.Unknown] pydio-ui.exe(5060) -- D:\Program Files\PydioSync\bin\pydio-ui.exe[7] -> Killed [TermProc]
[VT.Unknown] pydio-agent.exe(4400) -- D:\Program Files\PydioSync\bin\pydio-agent.exe[7] -> Killed [TermProc]
-
Hi laclac,
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.
Regards.
-
Are these IAT hook detections false positives? Thanks.
RogueKiller V11.0.7.0 (x64) [Jan 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Doug [Administrator]
Started from : C:\Users\Doug\Desktop\Security\RogueKillerX64.exe
Mode : Scan -- Date : 01/13/2016 10:03:19
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 18 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtProtectVirtualMemory : Unknown @ 0x77b90040 (jmp 0xfffffffffffa2190)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtFreeVirtualMemory : Unknown @ 0x77b90028 (jmp 0xfffffffffffa2498)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAllocateVirtualMemory : Unknown @ 0x77b90010 (jmp 0xfffffffffffa24e0)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5002AALX-00J37A0 ATA Device +++++
--- User ---
[MBR] 9debdbc5daad6cceb51027dde86ff823
[BSP] 79bcbb79a1dc3c4533ed9e69a5766432 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-
Hi SlabBacon,
These hooks are likely legit.
Which security software are you using?
In order to help us whitelist them, please follow this process:
- Download Process Explorer (http://live.sysinternals.com/procexp.exe) and save it to your desktop.
- Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
- When RogueKiller goes in a loop, locate the process named explorer.exe, do a right click on it and select Create Dump > Create Full Dump...
- Save the dump on your desktop and compress it.
- Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.
Thanks for your help.
Regards.
-
Hey Guys
I was scanning a friend's laptop and found the following IAT hooks. I'm not sure if they are malware, so I thought I'd ask and check whether there are any false positives.
I have attached the files.
Please check and let me know.
-
Hi oscarxp,
These hooks are indeed false positives.
We will fix this as soon as possible.
Regards.
-
Possible false positives, see text attached.
-
Hi blackcastro,
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-185662957-2699151515-3144002599-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=120.138.97.225:8080 -> Found
[PUM.Proxy][FIREFX:Config] iurx8nq0.default : user_pref("network.proxy.http", "115.111.7.246"); -> Found
[PUM.Proxy][FIREFX:Config] iurx8nq0.default : user_pref("network.proxy.http_port", 3128); -> Found
Do you connect to proxy servers on purpose ?
Regards.
-
Hey guys
can you help me check if these are false positives, please?
Scan logfile attached below
-
Hi Raiken347,
Welcome to Adlice.com Forum.
Your report is clean.
Regards.
-
So the hooks in the log were false positives then?
Sorry, I'm tech-illiterate.
-
Hi Raiken347,
Yes, they are. :)
Regards.
-
Hi guys,
Can you help me check if the IAT hooks in the attached .txt are false positives, please?
Thanks
-
Hi JRottef,
These IAT hooks are known false positives. We will fix this as soon as possible.
Regards.
-
Bomgar
False-Positive
The Bomgar client and rep console are getting terminated while running RogueKiller.
Bomgar is a server or VM that techs use to get remote access to computers/servers/phones etc.
We use Bomgar every day, all day, every one of my employees.
When we run a scan, RogueKiller kills our remote connection; then we have to wait for the service to start again, if it does at all, and reconnect to the machine.
Killed [TermProc] - Detection: VT.Unknown - Name: bomgar-scc.exe - Path: C:\ProgramData\bomgar-scc-\bomgar-scc.exe
Killed [termproc] - Detection: VT.Unknown - Name: Bomgar-rep.exe - Path\program files\bomgar\bomgar representative console\domain name\bomgar-rep.exe
You can verify them: bomgar.com
-
Hi Curson,
Sorry for the delayed answer. Thank you very much for your help and the good news. :)
Regards
-
Hi,
I was scanning my laptop with RogueKiller and got these results.
Can you help me out by telling me whether they are true or false positives?
Thanks in advance.
Regards.
baap
-
Hi,
@Atomic
Killed [TermProc] - Detection: VT.Unknown - Name: bomgar-scc.exe - Path: C:\ProgramData\bomgar-scc-\bomgar-scc.exe
Killed [termproc] - Detection: VT.Unknown - Name: Bomgar-rep.exe - Path\program files\bomgar\bomgar representative console\domain name\bomgar-rep.exe
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.
@JRottef
You are very welcome. :)
@baapdamper,
Welcome to Adlice.com Forum.
These IAT hooks are known false positives. We will fix this as soon as possible.
Regards.
-
Thanks for the answer and help, Curson. I really appreciate that. But I've still got one question for you. How come RogueKiller didn't see the IAT hooks as false positives in the beginning, on a relatively fresh Windows install? Because a week ago I formatted and reinstalled Windows, and 2 days later I scanned with RogueKiller and there was nothing wrong. But a friend of mine downloaded a file on my PC from a sketchy website yesterday, and RogueKiller identified a process and some registry errors. I fixed the problem by repairing, and after that I scanned with my virus scanner (Avast) and Malwarebytes, and they found nothing. I started RogueKiller again, and then I saw all the IAT hooks.
So there is nothing to worry about? And I don't have to format again? Thanks for the help again, and in March I will buy the premium version. I'm a poor student so I can't buy it right now ;) I really like the program!
Regards,
baapdamper
-
Hi baapdamper,
These hooks were certainly added by a Windows KB on Windows 10. You are not the only user reporting them, but it's quite difficult for us to whitelist them for technical reasons.
So, you don't have to format your system again.
Thanks for the help again, and in March I will buy the premium version. I'm a poor student so I can't buy it right now ;) I really like the program!
Thanks for your support and the kind words. :)
Regards.
-
The current version of Chrome (49.0.2623.75, released today) is being detected as Proc.RunPE.
-
Hi shawnkhall,
Could you please post RogueKiller full report in your next reply ?
Regards.
-
Are all of these false positives?
RogueKiller V12.0.1.0 (x64) [Mar 7 2016] (Free) by Adlice Software
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/10/2016 19:56:01
¤¤¤ Processes : 3 ¤¤¤
[Proc.RunPE] igfxtray.exe(5208) -- C:\Windows\System32\igfxTray.exe
[Tr.Zeus] mbar.exe(4336) -- C:\Users\Ima\Desktop\YAX\Antimalware\mbar\mbar.exe
[Suspicious.Path] {2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe(3344) -- C:\Users\Ima\AppData\Local\Temp\{B5B979C1-C8E7-4616-B6AC-9CDD0F2D9BF0}\{2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe
¤¤¤ Registry : 12 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] C:\Users\Ima\AppData\Local\Temp\44645a3\winlogon.exe -> Found
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x0]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LT012-1DG142 +++++
--- User ---
[MBR] beb9253c14cd2e84d0c7c51fca657a43
[BSP] b3fc247e62bdab1f7acf574a70a921f8 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 190776 MB
4 - Basic data partition | Offset (sectors): 393021440 | Size: 264545 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 934809600 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK
-
Hi Yaakov A. Sternberg,
[Proc.RunPE] igfxtray.exe(5208) -- C:\Windows\System32\igfxTray.exe
[Tr.Zeus] mbar.exe(4336) -- C:\Users\Ima\Desktop\YAX\Antimalware\mbar\mbar.exe
These ones are false positives. This will be fixed as soon as possible.
[Suspicious.Path] {2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe(3344) -- C:\Users\Ima\AppData\Local\Temp\{B5B979C1-C8E7-4616-B6AC-9CDD0F2D9BF0}\{2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe
[Hj.Name][File] C:\Users\Ima\AppData\Local\Temp\44645a3\winlogon.exe
These ones are detected as suspicious because of the path and name but are perfectly legit.
PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit.
For more information, please read RogueKiller Documentation (http://www.adlice.com/software/roguekiller/documentation/).
Regards.
-
Hey Guys
Did a new scan with the new version, there seems to be some false positives.
Files attached.
-
Hi oscarxp,
These entries are PUMs (Potentially Unwanted Modification). In your case, they are perfectly legit and necessary to access the Internet.
For more information, please read RogueKiller Documentation (http://www.adlice.com/software/roguekiller/documentation/).
Regards.
-
F-Secure Antivirus component is getting tagged as Zeus again.
-
Hi JukkaG,
Thanks for your feedback.
This false positive will be fixed as soon as possible.
Regards.
-
Hey Admins
Please can you check, as there are some files flagged as malware and I'm not sure if it's true or not.
Also, PUMs were detected.
Attached files
-
Hi oscarxp,
Thanks for your feedback.
[VT.Unknown] IDMan.exe(7984) -- C:\Program Files\Internet Download Manager\IDMan.exe ->Found
This entry shows up because it was not present in VirusTotal database at the time of the scan. If you allowed the file to be uploaded, it won't appear anymore.
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{08737A4B-C649-4A48-B690-5089E5F1FAC5} | NameServer : 10.4.0.1 ([]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{08737A4B-C649-4A48-B690-5089E5F1FAC5} | NameServer : 10.4.0.1 ([]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{08737A4B-C649-4A48-B690-5089E5F1FAC5} | NameServer : 10.4.0.1 ([]) -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3866417636-918505807-1518629057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
These entries are PUMs (Potentially Unwanted Modification). In your case, they are perfectly legit.
For more information, please read RogueKiller Documentation (http://www.adlice.com/software/roguekiller/documentation/).
[Hidden.ADS][Stream] C:\Windows\System32\rpcss.dll:$CmdTcID -> Found
This is a legit Comodo ADS.
It will be whitelisted as soon as possible.
Regards.
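The replies above keep applying the same reading rules to report lines: VT.Unknown only means the file was not yet known to VirusTotal at scan time, PUM.Proxy and PUM.Dns are configuration that needs the machine owner's confirmation when they point at an unexpected endpoint, and a Hidden.ADS entry is judged by its stream name. As an added example, not RogueKiller's code and not published by Adlice, here is a small Python parser that applies those rules to lines of the shape quoted in this thread. The sample report is constructed from entries seen above (with a placeholder proxy hostname), and EXPECTED_ENDPOINTS is an assumption standing in for the reader's own known proxy and DNS servers.

```python
import ipaddress
import re

# Constructed sample: RogueKiller report lines of the shape quoted in this thread
# (the verdict word is localised: Found / Encontrado / Gefunden).
SAMPLE_REPORT = r"""
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-185662957-2699151515-3144002599-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=120.138.97.225:8080 -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{08737A4B-C649-4A48-B690-5089E5F1FAC5} | NameServer : 10.4.0.1 ([]) -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-0-0-0-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.example.edu:8080 -> Encontrado
[VT.Unknown] IDMan.exe(7984) -- C:\Program Files\Internet Download Manager\IDMan.exe ->Found
[Hidden.ADS][Stream] C:\Windows\System32\rpcss.dll:$CmdTcID -> Found
[Hidden.ADS][Stream] C:\Windows\System32\igfxTray.exe:Zone.Identifier -> Gefunden
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB -> Found
"""

# ASSUMPTION: endpoints the machine's owner knowingly uses (corporate proxy, router DNS).
# Fill this from your own environment; proxy.example.edu is a placeholder.
EXPECTED_ENDPOINTS = {"proxy.example.edu"}

LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]"           # detection category, e.g. PUM.Proxy, VT.Unknown
    r"(?:\[(?P<sub>[^\]]+)\])?"       # optional second tag, e.g. [Stream], [File]
    r"\s*(?P<body>.*?)"               # registry key | value : data, or a process/file path
    r"\s*->\s*(?P<verdict>\w+)\s*$"   # Found / Encontrado / Gefunden
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

MOTW_STREAM = "Zone.Identifier"  # Mark-of-the-Web stream written by browsers and downloaders


def parse_line(line):
    """Split one report line into category, tags, registry key/value and data."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if " | " in rec["body"]:  # registry entry: "<key> | <value name> : <data>"
        key, _, rest = rec["body"].partition(" | ")
        name, _, data = rest.partition(" : ")
        rec.update(key=key.strip(), value=name.strip(), data=data.strip())
    else:                      # process or file entry: the data is the path itself
        rec.update(key=None, value=None, data=rec["body"].strip())
    return rec


def is_private(ip_text):
    try:
        return ipaddress.ip_address(ip_text).is_private
    except ValueError:
        return False


def network_decision(data):
    """Proxy/DNS data: private or explicitly expected endpoints are configuration;
    anything else is a question for the machine's owner (as Curson asked above)."""
    ips = IP_RE.findall(data)
    if ips:
        ok = all(ip in EXPECTED_ENDPOINTS or is_private(ip) for ip in ips)
        return "expected-config" if ok else "verify-with-user"
    # hostname form, e.g. proxy.example.edu:8080: only an allowlist hit counts
    return "expected-config" if any(e in data for e in EXPECTED_ENDPOINTS) else "verify-with-user"


def decide(rec):
    cat, data = rec["cat"], rec["data"]
    if cat == "VT.Unknown":
        return data, "rescan-later"          # unknown to VirusTotal at scan time, not a verdict
    if cat in ("PUM.Proxy", "PUM.Dns"):
        return data, network_decision(data)
    if cat.startswith("PUM."):
        return data, "review-config"         # a setting; confirm the user chose it
    if cat == "Hidden.ADS":
        stream = data.rsplit(":", 1)[-1]     # the last colon separates path from stream name
        return stream, "motw-marker" if stream == MOTW_STREAM else "inspect-stream"
    return data, "analyst-review"            # Proc.RunPE, Tr.*, Suspicious.Path, Hj.Name ...


def triage_report(text):
    """Return (category, target, decision) for every parseable report line."""
    out = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec:
            out.append((rec["cat"], *decide(rec)))
    return out


if __name__ == "__main__":
    for cat, target, decision in triage_report(SAMPLE_REPORT):
        print(f"{cat:<14} {decision:<17} {target}")
```

The decisions are deliberately conservative: a public proxy or DNS server that is not on the allowlist is never auto-cleared, and Hidden.ADS entries are only waved through when the stream is the Zone.Identifier download marker, which is why the Comodo `$CmdTcID` stream lands in "inspect-stream" even though Curson confirms it is legitimate.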
-
Hello All:
False Positive Check Request. RogueKiller (Free) 12.1.3.0 64-bit
¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] mbae64.exe(4016) -- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe-> Found
The above file is a part of Malwarebytes Anti-Exploit (MBAE) Free/Trial/Premium v1.08.1.1195
Reference: https://www.virustotal.com/en/file/e663232a48ffb3d730a1728ef72ab305517c2059d6d59db999a178e8ae726b6a/analysis/1461437900/ Digitally signed.
Thank you for your consideration,
1PW
-
Hi 1PW,
This entry shows up because it was not present in VirusTotal database at the time of the scan.
If you allowed the file to be uploaded, it won't appear anymore.
Regards.
-
Hi guys,
I just created my profile here and I just wanted to know if I should be worried about the log that RK created this time:
RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
correo : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Sitio web : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com
Sistema Operativo : Windows 10 (10.0.10586) 64 bits version
Iniciado en : Modo Normal
Usuario : gpc98_000 [Administrador]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Modo : Escanear -- Fecha : 04/27/2016 00:10:04
¤¤¤ Procesos : 1 ¤¤¤
[Proc.RunPE] NvStreamService.exe(2448) -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
¤¤¤ Registro : 10 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.unal.edu.co:8080 -> Encontrado
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.unal.edu.co:8080 -> Encontrado
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/ -> Encontrado
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/ -> Encontrado
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][]) -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][]) -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53d8aaec-47b2-470f-b616-d2696171eb68} | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][]) -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{53d8aaec-47b2-470f-b616-d2696171eb68} | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][]) -> Encontrado
¤¤¤ Tareas : 0 ¤¤¤
¤¤¤ Archivos : 1 ¤¤¤
[PUP][Carpeta] C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} -> Encontrado
¤¤¤ Archivo de hosts : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Cargado) ¤¤¤
¤¤¤ Navegadores Web : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] 6t8gr3ik.default-1432495202606 : user_pref("network.proxy.type", 2); -> Encontrado
¤¤¤ Chequeo MBR : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 27e1843659451c18b582d4bcf7e5786c
[BSP] 9cb9bd99896f179553067dcea5b1f913 : Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381097 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 782798848 | Size: 450 MB
5 - Basic data partition | Offset (sectors): 783720448 | Size: 550703 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK
NOTE: the unal.edu.co proxy is the proxy that I have to use in order to access the internet from my university.
I launched RK because I have actually been having an issue updating my Nvidia GeForce 720M drivers for a few months. I have tried downloading the drivers directly from Nvidia's website, and it always stops the installation with a message that says that I already have the most recent drivers. But when I go to check that in the devices administrator (I don't know what the real name is in English because I am Colombian...) it says that it is not updated. So I have tried a lot of times to update it through the window that allows you to update it from this "devices administrator" page, and it shows me error code 28.
Thanks for taking the time for reading this,
Regards :)
-
Hi Germán Pc,
Welcome to Adlice.com Forum.
[Proc.RunPE] NvStreamService.exe(2448) -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe -> Encontrado
This entry is a false positive. You could safely ignore it.
[PUP][Carpeta] C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} -> Encontrado
This folder is malware-related. I advise you to delete it.
The rest of your report is clean.
For the issue you encounter with the update of the Nvidia drivers, you could try to completely uninstall them using the Windows control panel, then do a full reinstall with the ones you downloaded from Nvidia's website.
Regards.
-
Thanks a lot for your help :). I'm going to uninstall it and I will write here how it goes.
Regards ;)
-
Hi Germán Pc,
You are very welcome. :)
Regards.
-
F-Secure Antivirus is again coming up as Zeus, as you can see in log attached.
-
Hi JukkaG,
Thanks for letting us know. It seems the path of the process has changed.
We will whitelist it again as soon as possible.
Regards.
-
Hello
I am here to report false positives.
A scan with RogueKiller found 2 potential files:
[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\RemoveTresoritTemp.exe -> Found
[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\UninstallTresoritCompletely.exe -> Found
These are leftover uninstall exe's from Tresorit, which is a legit alternative to Dropbox; they've never been detected before on any of my scans.
I uploaded both to VirusTotal:
https://www.virustotal.com/en/file/619f1109e826eb98fee8573ee325033d6f6afa37fd94b49817826613cb79dda4/analysis/1473056903/
https://www.virustotal.com/en/file/8c85f3cc07e342cfd7e38870e3af676981c6b0f80d039969a68f7f41c002b369/analysis/1473056917/
what should I do? Are these both legit files? I believe DrWeb ended up labeling the second file as safe a few minutes after I uploaded it.
-
Update:
Both detections have disappeared after running a scan in safe mode after updating RK. Has it already been whitelisted?
If they still don't show up after running it again in normal mode, doesn't that mean I'm fine?
Also they didn't show up on the AdwCleaner, JRT, Kaspersky anti-rootkit, McAfee anti-rootkit, Malwarebytes, or Hitman scans. None of them found anything malicious.
-
Hi gamefan,
Thanks for your feedback.
These entries were indeed false positives, but this is fixed in RogueKiller latest version released today.
Regards.
-
Hi Team,
I would like to introduce our product “ReSOLV”. We provide predictive device management software for Tech Support Providers, SMBs, IT Helpdesks, and anyone who wants to manage end-user devices.
We are associated with well-known names of the IT sector, i.e. HP, DELL, IBM, TOSHIBA and many more. My reason for writing this email to you is related to the whitelisting of our product. I am attaching here the exe & dll files of our product, which have version number 2762. Please verify accordingly. I would request you to whitelist our product in your database.
Your favor in the whitelisting process would be highly appreciated.
Regards,
Punit Srivastava
Sr. Software Engineer-Testing&Support
HFN Inc|Support Automation Delivered
-
Hi Punit,
Welcome to Adlice.com Forum.
Could you please provide a report of RogueKiller detecting your product ?
Regards.
-
I think I have some false positives here; see the log below. The items I feel are false positives are in RED.
1. hasplms.exe is part of the ScanSnap software that comes with my fi-6130Z scanner; the VirusTotal results are here: https://www.virustotal.com/en/file/22c58e4bf558420fee5b2d6a8f15531c768f5814a18d5f5b20cdbc8479090319/analysis/1476191969/
2. The 3 reg keys are part of my Symantec Endpoint Protection version 12.1.6 (12.1 RU6 MP5) build 7004 (12.1.7004.6500) (AntiVirus)
3. The slack ones are part of the slack messenger v2.2.1
RogueKiller V12.7.1.0 (x64) [Oct 10 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : firefox [Administrator]
Started from : L:\Flash Drives\128GB Flash Drive Backup 5-26-2016\Tech CD\Utils\Ad Aware\Bleeping Computer Stuff\RogueKiller by tigzy\RogueKillerX64 V12.7.1.exe
Mode : Scan -- Date : 10/11/2016 08:13:03 (Duration : 00:38:04)
¤¤¤ Processes : 1 ¤¤¤
[Proc.RunPE] hasplms.exe(5536) -- C:\Windows\System32\hasplms.exe[7] -> Found
¤¤¤ Registry : 11 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\BASHDefs\20160922.001\BHDrvx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\EX64.SYS) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 3 ¤¤¤
[Suspicious.Path][File] C:\Users\firefox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk [LNK@] C:\Users\firefox\AppData\Local\slack\Update.exe --processStart "slack.exe" -a "--startup" -> Found
[PUP][Folder] C:\Users\firefox\AppData\Roaming\Download Manager -> Found
[PUP][Folder] C:\Users\firefox\AppData\Local\PackageAware -> Found
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/"); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] 9a58401060fd78b7ced0042be99fe3e8
[BSP] a4478fcfe5b4c86f09d53598ed58a5e2 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 750 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1617920 | Size: 367112 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 753463296 | Size: 1539826 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
+++++ PhysicalDrive1: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] d4ecfbd1a1d3c4917af6d6d28c8c95d7
[BSP] 6f5fe8da57fa68252ca31cc6e5d209fd : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive5: Generic- M.S./M.S.Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive6: Kanguru SS3 USB Device +++++
--- User ---
[MBR] 94f9443d96441ecfcdafb5853a2e8a7e
[BSP] 39eaafe8c7c2f2a60c9df4ab5a671e21 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 120348 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
-
Hi firefoxthebomb,
Thanks for your feedback. These entries are indeed false positives.
Could you please follow this process in order to help us whitelist the [Proc.RunPE] one?
- Download Process Explorer (http://live.sysinternals.com/procexp.exe) and save it to your desktop.
- Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
- Locate the process hasplms.exe, right-click on it and select Create Dump > Create Full Dump...
- Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
- Share the link in your next reply.
Could you also please attach the file hasplms.exe to your next reply.
Regards.
-
I followed the instructions; however, the file size is 0, but I have included a copy of the exe file.
You can download it from here: https://we.tl/oJrPirkfXr (it's the WeTransfer site)
-
Hi there,
I have a potential false positive. A scan with the latest version showed 15 Hidden.ADS detections, and I think all of them are related to the drivers of an older ASUS Xonar audio card, and the CMI chip on it, that I still have.
Obviously I'm not sure if that's the case, so I added the detected files and the report.
Regards
-
Hi firefoxthebomb,
Thanks.
We will analyse the file.
Regards.
-
Hi coldi,
Thanks for your feedback.
These ADS are indeed false positives. We will fix this as soon as possible.
Regards.
-
It seems like RogueKiller 12.7.1.0 thinks everything from Intel is malware and marked it for instant deletion...
[Hidden.ADS][Stream] C:\Windows\System32\common_clang64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\difx64.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\DPTopologyApp.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\DPTopologyAppv2_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\GfxResources.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\GfxUIEx.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Gfxv2_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Gfxv4_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\ig75icd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igc64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd10idpp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd10iumd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd11dxva64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd12umd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdail64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdbcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdde64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdfcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdmcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdmd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdrcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdumdim64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdusc64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfx11cmrt64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxcmjit64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxcmrt64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCoIn_v4463.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCUIService.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCUIServicePS.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDH.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDHLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDHLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDI.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDILib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDILibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDTCM.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEM.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEMLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEMLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxexps.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxext.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxHK.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHM.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHMLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHMLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxOSP.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDK.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDKLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDKLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxTray.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\iglhcp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\iglhsip64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelCpHDCPSvc.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelOpenCL64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelWiDiMCComp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelWiDiUMS64.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Intel_OpenCL_ICD64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\MetroIntelGenericUIFramework.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\OpenCL.DLL:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\common_clang32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\ig75icd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igc32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd10idpp32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd10iumd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd11dxva32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd12umd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdail32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdbcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdde32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdfcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdmcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdmd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdrcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdumdim32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdusc32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfx11cmrt32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxcmjit32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxcmrt32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxexps32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\iglhcp32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\iglhsip32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\IntelCpHeciSvc.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\IntelOpenCL32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\Intel_OpenCL_ICD32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\OpenCL.DLL:Zone.Identifier -> Gefunden
-
Hi randzonen,
Thanks for your feedback.
An emergency fix has been issued for this false positive.
Regards.
-
Hi there,
Not sure if it's the case, but I might have stumbled upon something again.
The latest version shows [PUM.HomePage][Chrome:Config] Default : homepage [] -> Found, but no additional information is given and, as far as I can tell, the browser is functioning as it should. I'll add the report, but there doesn't seem to be anything more about it. The previous version doesn't detect it.
Regards
-
Hi coldi,
Thanks for your feedback. It seems like a bug on our end.
We will investigate this issue.
Regards.
-
Please fix this false positive. Weathereye.exe is not a PUP nor a virus. Weathereye is a weather application and it's not dangerous. Here is the link for downloading: https://www.theweathernetwork.com/weather-apps
Here is the RogueKiller report:
RogueKiller V12.8.5.0 (x64) [Dec 12 2016] (Premium) par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/download/roguekiller/
Blog : http://www.adlice.com
Système d'exploitation : Windows 10 (10.0.14393) 64 bits version
Démarré en : Mode normal
Utilisateur : Paulo [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 12/18/2016 11:25:34 (Durée : 00:19:52)
¤¤¤ Processus : 0 ¤¤¤
¤¤¤ Registre : 6 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12182016110228673\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12182016110228673\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-12182016110029563\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\XAdmin\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-12182016110029563\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\XAdmin\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
¤¤¤ Tâches : 0 ¤¤¤
¤¤¤ Fichiers : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Fichier Hosts : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤
¤¤¤ Navigateurs web : 0 ¤¤¤
¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: INTEL SSDSC2BW240H6 +++++
--- User ---
[MBR] ab29a7e42e94628b34d1970a7578900b
[BSP] 05c1135502c1387ca20f9f871e6b4971 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 184320 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 377491456 | Size: 44614 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-
Hi pparent516,
Welcome to Adlice.com Forum and thanks for your feedback.
This false positive will be fixed as soon as possible.
Regards.
-
Hello, I recently did a scan with RogueKiller and it shows MBAMService.exe as Adw.Elex|PUP.Divcom, so I was wondering if this is a false positive?
Here I add the report:
RogueKiller V12.9.6.0 (x64) [Jan 30 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Junito [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/03/2017 01:22:55 (Duration : 00:14:14)
¤¤¤ Processes : 2 ¤¤¤
[Adw.Elex|PUP.Divcom] MBAMService.exe(2696) -- Q:\Pgramas\Anti-Malware\mbamservice.exe[7] -> Found
[Suspicious.Path] (SVC) ALSysIO -- \??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys
¤¤¤ Registry : 3 ¤¤¤
[PUP.HackTool] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetCut_is1 -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys) -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 3 ¤¤¤
[PUP.Gen1][Folder] C:\Users\Junito\AppData\Roaming\Easeware -> Found
[PUP.Gen1][File] C:\Users\Junito\AppData\Roaming\Microsoft\Windows\Recent\client-stats.log.lnk [LNK@] C:\Users\JUNITO~1\AppData\Roaming\Easeware\DRIVER~1\CLIENT~1.LOG -> Found
[PUP.Gen1][File] C:\Users\Junito\AppData\Roaming\Microsoft\Windows\Recent\DriverEasy.lnk [LNK@] C:\Users\JUNITO~1\AppData\Roaming\Easeware\DRIVER~1 -> Found
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS545050A7E380 ATA Device +++++
--- User ---
[MBR] d8c3edb4bed2a3984bc767cd235ebc5e
[BSP] 403de67ba0e2f219f2b79355739651fe : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Maxtor 6L120M0 ATA Device +++++
--- User ---
[MBR] aa7415b7c5c1f25a0031f6eb43396297
[BSP] 8f89bcf184ff96be07bf6cdb6134749f : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 117244 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: KINGSTON SV300S37A240G ATA Device +++++
--- User ---
[MBR] c664ba19eded6725426e299ee13da4d1
[BSP] a27144b8b980601f0ab2ec1d08dde42b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-
Hi Suario,
Welcome to Adlice.com Forum and thanks for your feedback.
Yes, it's a false positive. RogueKiller is detecting the MalwareBytes malware database. This issue has been fixed when MBAM is installed in the standard location.
Regards.
-
Hi there,
First I want to tell you I love your program.
I analyzed my system with RogueKiller. Please see my output below. I've got Dr. Web Security Space as well as MalwareBytes on the machine. I also have Sophos Virus Removal Tool installed on the system. I used to have Advanced System Care on this machine but recently removed it because it was likely helping to compromise my system. I received several Proc.Injected, Root.Necurs, and PUM.HomePage entries. I ran in Safe Mode.
Please let me know if this is a true infection or false positive, based on what you see:
----------------------------------------------------------------------------------------------------
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Safe mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/06/2017 21:36:42 (Duration : 00:18:59)
¤¤¤ Processes : 12 ¤¤¤
[Proc.Injected] wininit.exe(456) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(520) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(572) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(680) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(772) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(808) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(840) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(880) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(348) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(468) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1224) -- C:\Windows\System32\dllhost.exe[7] -> Found
¤¤¤ Registry : 9 ¤¤¤
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97855176CB095D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F9785531D1ACAC5 -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978556B1AA1B1D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978557637EA65F -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97856826CFAA11 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK
-------------------------------------------------------------------------------------------------------
Thank you!
-
Hi counselorgene,
Welcome to Adlice.com Forum and thanks for your feedback.
This is really suspicious. Could you please follow this process:
- Download Process Explorer (http://live.sysinternals.com/procexp64.exe) and save it to your desktop.
- Click on the setup file (procexp64.exe) and select Run as Administrator to start the tool.
- Locate the process named wininit.exe, right click select Create Dump > Create Full Dump...
- Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
- Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.
Regards.
-
Hi Curson,
Thanks for getting back to me. I've done all this and here are links to the files on my google drive. I created a .ZIP and a .RAR just in case:
https://drive.google.com/file/d/0B5U9vVVDQn6iazYxa1V2anYyUGc/view (ZIP)
https://drive.google.com/file/d/0B5U9vVVDQn6idGRLMXA0a3VJWm8/view (RAR).
Let me know if you have any issues accessing or reading them.
Thanks for your help!
-
Hi counselorgene,
The injection is caused by Dr. Web. We will whitelist it as soon as possible.
However, I advise you to remove the [Root.Necurs] entries.
Could you please redo a scan in normal mode and attach the RogueKiller report with your next reply?
Regards.
-
Hi Curson,
Thanks for that info. I deleted the [Root.Necurs] entries. Here is what populates now. I believe this is all related to Dr. Web, but maybe not. I ran the program in both Normal WIN operating conditions and Safe Mode. See the output below for both:
--------------------------------------------------------------------------------------------------------
Normal WIN Operating Conditions:
¤¤¤ Processes : 63 ¤¤¤
[Proc.Injected] wininit.exe(576) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(636) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(688) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(760) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(804) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(896) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(932) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(976) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(1000) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] igfxCUIService.exe(504) -- C:\Windows\System32\igfxCUIService.exe[7] -> Found
[Proc.Injected] svchost.exe(652) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(884) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] spoolsv.exe(1228) -- C:\Windows\System32\spoolsv.exe[-] -> Found
[Proc.Injected] svchost.exe(1252) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] armsvc.exe(1456) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[7] -> Found
[Proc.Injected] taskhostex.exe(1480) -- C:\Windows\System32\taskhostex.exe[7] -> Found
[Proc.Injected] explorer.exe(1584) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] AdminService.exe(1636) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe[-] -> Found
[Proc.Injected] officeclicktorun.exe(1656) -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[7] -> Found
[Proc.Injected] svchost.exe(1692) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dasHost.exe(1708) -- C:\Windows\System32\dasHost.exe[-] -> Found
[Proc.Injected] dwservice.exe(1744) -- C:\Program Files\DrWeb\dwservice.exe[7] -> Found
[Proc.Injected] svchost.exe(1772) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] HeciServer.exe(1860) -- C:\Program Files\Intel\iCLS Client\HeciServer.exe[7] -> Found
[Proc.Injected] Jhi_service.exe(1940) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[7] -> Found
[Proc.Injected] HotkeyUtility.exe(1532) -- C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe[7] -> Found
[Proc.Injected] RosettaStoneDaemon.exe(2164) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[7] -> Found
[Proc.Injected] svchost.exe(2272) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwengine.exe(2960) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[7] -> Found
[Proc.Injected] dwantispam.exe(2344) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwantispam.exe[7] -> Found
[Proc.Injected] dwarkdaemon.exe(2436) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[7] -> Found
[Proc.Injected] PresentationFontCache.exe(2520) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[7] -> Found
[Proc.Injected] svchost.exe(3232) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] SearchIndexer.exe(3304) -- C:\Windows\System32\SearchIndexer.exe[-] -> Found
[Proc.Injected] igfxHK.exe(3496) -- C:\Windows\System32\igfxHK.exe[7] -> Found
[Proc.Injected] igfxTray.exe(3504) -- C:\Windows\System32\igfxTray.exe[7] -> Found
[Proc.Injected] igfxEM.exe(3676) -- C:\Windows\System32\igfxEM.exe[7] -> Found
[Proc.Injected] BtvStack.exe(3928) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[-] -> Found
[Proc.Injected] RAVCpl64.exe(3960) -- C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[7] -> Found
[Proc.Injected] ActivateDesktop.exe(3976) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe[-] -> Found
[Proc.Injected] dwwatcher.exe(4008) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwwatcher.exe[7] -> Found
[Proc.Injected] frwl_svc.exe(3936) -- C:\Program Files\DrWeb\frwl_svc.exe[7] -> Found
[Proc.Injected] dwnetfilter.exe(4128) -- C:\Program Files\DrWeb\dwnetfilter.exe[7] -> Found
[Proc.Injected] spideragent.exe(4136) -- C:\Program Files\DrWeb\spideragent.exe[7] -> Found
[Proc.Injected] ClassicStartMenu.exe(4336) -- C:\Program Files\Classic Shell\ClassicStartMenu.exe[-] -> Found
[Proc.Injected] netsession_win.exe(4360) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] netsession_win.exe(4456) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] CCleaner64.exe(4492) -- C:\Program Files\CCleaner\CCleaner64.exe[7] -> Found
[Proc.Injected] ArcServer.exe(4516) -- C:\Program Files (x86)\Acer Remote\ArcServer.exe[-] -> Found
[Proc.Injected] hpwuschd2.exe(4540) -- C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[7] -> Found
[Proc.Injected] wmplayer.exe(4636) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe[-] -> Found
[Proc.Injected] frwl_notify.exe(4648) -- C:\Program Files\DrWeb\frwl_notify.exe[7] -> Found
[Proc.Injected] firefox.exe(4444) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] firefox.exe(4832) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] DeviceDetector.exe(5368) -- C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe[-] -> Found
[Proc.Injected] RIconMan.exe(588) -- C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[-] -> Found
[Proc.Injected] IntuitUpdateService.exe(5496) -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe[7] -> Found
[Proc.Injected] LMS.exe(3792) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[7] -> Found
[Proc.Injected] NASvc.exe(5648) -- c:\Program Files (x86)\Nero\Update\NASvc.exe[7] -> Found
[Proc.Injected] UNS.exe(5624) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7] -> Found
[Proc.Injected] wmpnetwk.exe(2688) -- C:\Program Files\Windows Media Player\wmpnetwk.exe[-] -> Found
[Proc.Injected] drwupsrv.exe(6140) -- C:\Program Files\Common Files\Doctor Web\Updater\drwupsrv.exe[7] -> Found
[Proc.Injected] conhost.exe(2292) -- C:\Windows\System32\conhost.exe[-] -> Found
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK
SAFE MODE:
¤¤¤ Processes : 14 ¤¤¤
[Proc.Injected] wininit.exe(464) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(516) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(576) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(688) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(784) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(832) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(908) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(948) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(384) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(376) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1220) -- C:\Windows\System32\dllhost.exe[7] -> Found
[Proc.Injected] WmiPrvSE.exe(1320) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found
[Proc.Injected] WmiPrvSE.exe(1800) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK
--------------------------------------------------------------------------------------------------------
Let me know what you think. Thank you!
-
Hi counselorgene,
Thanks for your feedback.
All these injections are made by Dr. Web software, so no need to worry about them.
Regards.
-
Thank you, Curson!
I will strongly consider buying the premium version of your software. While some entries were false positives, I appreciate that it did find some entries that were viral.
Thanks again!
-
Hi counselorgene,
You are welcome.
Thanks for the kind words.
Regards.
-
Hello,
First, thanks for all your great job!...
I just inform you that I think there is a new "false positive"
with the latest new version of "Malwarebytes Antimalware 3.06"...
Today, after different updates & changes of software,
including the installation of the new Malwarebytes 3.06, I wanted to do a RogueKiller scan control
and to my surprise, the only detection in red is the process service "MBAMservices.exe" of Malwarebytes 3...
(*** [Tr.Zeus] MBAMService.exe(2224) -- C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
For me it is the first time, because I have used Malwarebytes, RogueKiller and Bitdefender for some years now.
I read the news in the *Remove "Zeus"* guide on the web page that opens after the scan,
which says not to consider this detection if it concerns our "Antivirus".
Apparently, this now includes the "Antimalware" software too,
including the most complete, which analyses systems, with real-time detection
and struggles against threats, such as Malwarebytes 3...
So, for the record, if it is not already reported, please find attached
the *.txt report of RogueKiller indicating that, with this "false positive" (in my opinion).
Thanks for everything and let me know if this is really a "false positive"
or if I have to take measures against it, but with the risk of damaging
"Malwarebytes 3", as well as my system?...
I wish a good day to all... 8)
Kind regards. :-*
EmilioFr (from France) ;)
-
Hello....
"Re" for the "Zeus false positive" (???)
of "MBAMservices.exe" (process) from Malwarebytes 3.06 Premium...
I send you the report in "JSON" format too...
Thanks for your answers... :)
EmilioFr.
-
Hi Emilio,
You are using an outdated version of RogueKiller (12.1.2.0).
Could you please update it to the latest version and check if this false positive is still present?
Regards.
-
Hello...
Thanks for the answer...
When I do the scan, I try to update RogueKiller before, but the message tells me that I have the last update (?)...
I'm going to try again and see if it's the same with this false positive... I'll tell you after...
I haven't got the Premium now, because no money at this time....
And no money for the moment to buy a "Lifetime" or "Technician" licence....
I'm waiting to buy another Premium licence.... :-\
-
Hi Emilio,
You are using an outdated version of RogueKiller (12.1.2.0).
Could you please update it to the latest version and check if this false positive is still present?
Regards.
Re hello.... (France - 19.02.2017)
After updating RogueKiller (to 12.9.7.0) there is no more "false positive" for "Malwarebytes"
and "MBAMservices.exe"!....
Thanks, and a very great job for the staff & developers!!!....
It just found the usual changes to my homepage on Firefox
because I use the page and the Ixquick.com search engine...
After the rest, at the "Proxy" level, I think it's for the same reasons
and I do believe that it is not so very "dangerous" (in my opinion)...?
Please take a look in the "JSON" report attached & that I join in case of,
and in the "Browsers" part... (Thanks :) )
Thanks to you for the answer & help too!....
Kind regards...
EmilioFr.
-
Hello, I have RK version 12.9.7.0 and it has found a threat in "mbamservice.exe". Is it a FP, or am I really infected? This is exactly what it says:
[Adw.Elex|PUP.Divcom] mbamservice.exe(1788) -- C:\Programas Instalados\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Encontrado
I have Malwarebytes, but not v3, rather 2.2.1.1043. I attach the report.
Both PUM.DNS are changes made by me. There are some Suspicious ones: the two "mfe_rr.sys" are the antirootkit from McAfee (I think, I used it), and the two "HWiNFO64A" I think are from the HWInfo32 program to watch temperature sensors and voltages. "esihdrv" I'm not sure, but I think it can be the Eset SysInspector, and "ALSysIO" I don't have any idea what it can be... I'm writing all this just to see if it helps you.
Really infected or just a False Positive?
-
Hi Emilio,
I'm glad the issue is now solved.
Yes, these detections are PUMs, and in your case, they are perfectly legit.
Regards.
-
Hi Jatune,
Welcome to Adlice.com forum.
Your computer is indeed not infected. These are all false positives.
RogueKiller is detecting the MalwareBytes malware database. This issue has been fixed when MBAM is installed in the standard location.
ALSysIO belongs to Core Temp and esihdrv indeed belongs to Eset SysInspector.
Currently, every process or system driver is detected as [Suspicious.Path] when located in temporary Windows folders. We hope to improve this in future versions of RogueKiller.
Regards.
-
Hello, first time posting. My RogueKiller is detecting the dumpfve.sys file as being forged. Is this a false positive? It has been detecting it for some time this way and I've been afraid to touch it.
Log:
RogueKiller V12.9.7.0 (x64) [Feb 6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : JR [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/19/2017 19:29:44 (Duration : 00:19:26)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 1 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] C:\Windows\System32\drivers\dumpfve.sys -> Found
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SK hynix SC210 2.5 7MM 128GB +++++
--- User ---
[MBR] 5b0b88d9030834f364e05f4d548da2a4
[BSP] 7a9f7d067d6e128e5215d64e37548ed4 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1026048 | Size: 40 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1107968 | Size: 128 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1370112 | Size: 750 MB
4 - Basic data partition | Offset (sectors): 2906112 | Size: 111920 MB
5 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 232118272 | Size: 450 MB
6 - [SYSTEM][MAN-MOUNT] Microsoft recovery partition | Offset (sectors): 233039872 | Size: 8314 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: TOSHIBA DT01ACA200 +++++
--- User ---
[MBR] 39e68f425841dc2464a3fec004ee98d5
[BSP] 45e6b52d9dc562e8c2278eddeaa9d81e : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2048 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 1907600 MB
User = LL1 ... OK
User = LL2 ... OK
-
Hi Emilio,
I'm glad the issue is now solved.
Yes, these detections are PUMs, and in your case, they are perfectly legit.
Regards.
Hi & thanks Curson, and me too....
but for me, with the old version of RogueKiller (12.1.2.0), it was detected
not as a "PUM" in grey or other,
but as a "ZEUS" malware, in "red"... :o :'(
OK, no problem, and the new version runs very well 8)
& nothing more with the "false positive".... ;D
Best regards.... Maybe at a next time.... :D
EmilioFr.
-
Hi tiberious35,
Welcome to Adlice.com forum.
Could you please attach the corresponding JSON log with your next reply?
Regards.
-
Hi EmilioFr,
That's normal, it was a false positive.
To be more precise, the [Tr.Zeus] detection was not a PUP but a conflict with the Malwarebytes signature database.
Regards.
-
Here ya go,
-
Hi tiberious35,
Thanks for your feedback. Your computer is not infected.
It seems to be a bug on our end.
Regards.
-
Hi,
Not sure if these have been reported yet, but I keep getting these 3 entries when I scan.
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3591490448-2704826680-4139795447-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3591490448-2704826680-4139795447-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUP.Gen1][Folder] C:\Program Files\Windows Security -> Found
The first 2 I'm not 100% certain of their function, but at a guess, I think they're for placing recently used programs at the top of the start menu.
The 3rd entry has been confirmed as a new addition to version 1703 of Windows 10 by Microsoft. (The folder contains another folder called BrowserCore, and inside that is a BrowserCore.exe, a manifest.json file, and a folder named en-US.)
Virus total scan of BrowserCore.exe found 0 reports of infection. (https://www.virustotal.com/en/file/9435f2f1d87523c13439887d0a76259cbb44dd6a37760fc353b7f1f023567160/analysis/1493256689/)
-
Hi welbot,
Welcome to Adlice.com Forum.
PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit and are, indeed, linked to recent entries in the Windows Start Menu.
For more information, please read RogueKiller Documentation (http://www.adlice.com/software/roguekiller/documentation/).
The Windows Security folder is a well known false positive.
This will be fixed on RogueKiller next release.
Regards.
-
Hello.
I did a scan and it came up with a false positive of:
[Adw.Elex|Tr.Zusy|PUP.Divcom] MBAMService.exe(4736) -- D:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[7] -> Found
-
Hi Jeff,
Welcome to Adlice.com Forum.
Could you please attach RogueKiller full report with your next reply ?
Regards.
-
Hello Curson Thank you.
Surely here it is.
-
Hi Jeff,
Thanks for supporting our product.
RogueKiller is detecting MalwareBytes malware database.
This issue has been fixed when MBAM is installed in the standard location, but since you run it from the D: drive, the detection is still present.
As a Premium user, you can exclude it using RogueKiller External Scanner (http://www.adlice.com/documentation/roguekiller/external-scanner/).
Regards.
-
You're welcome.
I kind of thought it may be the drive I have it installed on, right after I attached the log.
I use an SSD for a Boot Drive/O.S Installation then my D: drive is for everything else lol. Glad to hear this.
Thank you
-
Hi Jeff,
You are welcome.
Don't hesitate to open a new thread if you need help with RogueKiller External Scanner.
Regards.
-
False positives:
- nncron.exe (http://mir.cr/1IKELNZH) - an executable of nnCron (http://nncron.ru/)
- netfilter.sys (http://mir.cr/1TGSZ7WM) - from Kerio Control
-
Hi GCRaistlin,
Welcome to Adlice.com Forum.
Could you please attach RogueKiller full report with your next reply ?
Regards.
-
Should I perform a rescan?
-
Hi GCRaistlin,
No need.
To export a report, go to the "History" tab, then to the "Scan Reports" section.
There, do a right click on the first line, the click on the "Export txt" button.
Regards.
-
I used RogueKillerCMD so there's nothing on this tab.
-
Hi GCRaistlin,
Could you please check C:\ProgramData\RogueKiller\Logs directory ?
If no log is there, please redo a scan.
Regards.
-
Logs (http://mir.cr/EDLTFTSR) (one for nncron.exe, one for netfilter.exe)
-
Hi GCRaistlin,
Thanks for the reports.
Kerio NetFilter driver will be whitelisted as soon as possible.
nnCron main process is detected as malicious by some anti-virus engines : nncron.exe (https://www.virustotal.com/fr/file/7b1835614a188484033a66f84a38a3a771d276a0250eb6114890858dab40b637/analysis/)
Since RogueKiller relies on results from VirusTotal for detection, there is little we can do. Your best bet is to get in touch with the nnCron team and ask them to ask these anti-virus companies to whitelist their product.
Regards.
-
In what way does RogueKiller rely on VirusTotal results? Is one red report there enough for RogueKiller to consider a file a trojan?
A manually customizable whitelist would be good for such cases. To be precise, not a whitelist but an ignore list for inadequate VirusTotal sources like Baidu.
-
Hi GCRaistlin,
Yes, if one vendor detects something malicious, it will be flagged by RogueKiller as well. This choice was made to maximize the detection surface.
Premium users can make custom detections rules using RogueKiller External Scanner (http://www.adlice.com/documentation/roguekiller/external-scanner/).
Regards.
-
if one vendor detect something malicious, it will be flagged by RogueKiller as well. This choice was made to maximize the detection surface.
Hello Curson,
The AVs on the VT panel are of extremely variable quality. Some are very sloppily written, and their false positives are legion.
It would be far preferable not to give a hearing to the marginal AVs, so as to reduce the exposure to false positives, instead of acting as an echo chamber for their errors.
If RK grabs everything that comes along, it will burn its wings. It no longer has an existence of its own, but becomes a reflection of the others.
Moreover, some, like ClamAV, see PUPs almost everywhere!
I think that, to act on this, one should not look at whether the ratio is > 0, but at who is speaking.
Bitdefender or Kaspersky are solid, along with Malwarebytes and Emsisoft, TrendMicro... A short list to be agreed on, and a number of detections (=> 3?) that does not risk a false positive, which can be much more, or too, damaging.
Regards
-
Hello Pierre,
Welcome to the Adlice forum.
Thanks for the comment and the suggestions.
Indeed, some AVs are not stingy with false positives, and that has already caused us some problems in the past.
That is why we are developing MalPE, a new technology based on analysing the structure of PE files for better malware detection, which will let us distance ourselves from VT results.
Your idea of defining a list of trusted AVs is excellent; I will check with Tigzy about adding it to the project roadmap.
Best regards.
-
Hello Curson,
Thanks for the welcome.
Since we are in a thread about RK false positives, here is one that looks pretty bad, doesn't it? ;)
What surprises me is that nobody has reported it yet. I thought Malwarebytes Premium was more widely used than that (the free version is not affected by this false positive).
How long has this been going on?
Two scans, with two versions of RK, 4 days apart.
Each time:
RK up to date
MB Premium up to date
My MBAMService.exe
SHA1 : aede492d3030e3e64413bf5ba82d751f5d4a6dca
SHA256 : bf1f9b4ac292238fa6ee541e325b220f311977f9d87d5bc7f90ad058fbf0b35a
VT : https://virustotal.com/fr/file/bf1f9b4ac292238fa6ee541e325b220f311977f9d87d5bc7f90ad058fbf0b35a/analysis/1494675157/
(http://assiste.com/Assiste/media/images/Perso_Adlice_RK_2017_05_13.png)
(http://assiste.com/Assiste/media/images/Perso_Adlice_RK_2017_05_16.png)
Regards
Pierre
Malwarebytes Expert
-
Hello Pierre,
Actually, RogueKiller detects Malwarebytes' malware database as malicious content, hence this detection. The problem has been fixed for the case where Malwarebytes is installed in the default directory (%programfiles%\Malwarebytes\), but not yet when the program is located elsewhere.
We hope to introduce shortly a whitelist based on code-signing certificates, which will solve this kind of problem.
Best regards.
-
Hello,
Just to clarify, a VT detection needs at least 5 vendors to be triggered, i.e. a file that has 4/55 won't be detected whereas a file with 5/55 will be.
We think 5 is a fair number when it comes to VT detections.
Also, we have a FP mitigation that checks RogueKiller detections on VT: If a file is detected by heuristics and the file is less than 1 on VT the detection will be dropped.
Regarding MBAM (or any other AV), this is a database conflict or database collision. Usually AVs are loading and mapping their definitions in memory, they contain strings (or hex bytes) representing many malware. This is what RogueKiller detects, and you will notice only processes are affected, not files.
This is fixed in most cases when you install those AVs in their default location, because we whitelist by path. Later, we will replace that by a Digisig whitelist.
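The three rules Tigzy describes (the 5-vendor VT threshold, dropping a heuristic hit that VT considers clean, and the by-path whitelist that suppresses AV database collisions), modelled as an added Python example; this is not RogueKiller's code, and the signatures, install paths and VT vendor counts are constructed:

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Threshold stated in the post: a VT-based detection needs at least 5 vendors.
VT_MIN_VENDORS = 5

# Constructed signature set for the toy memory scanner (not RogueKiller's signatures).
SIGNATURES = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!": "Tr.TestSig",
    b"elex_loader_stub": "Adw.Elex",
}

# Constructed path whitelist: AV products whose definition databases, mapped in
# memory, are known to collide with signatures when installed under these roots.
AV_DB_WHITELIST = [
    PureWindowsPath(r"C:\Program Files\Malwarebytes"),
    PureWindowsPath(r"C:\Program Files\Microsoft Security Client"),
]


@dataclass
class Finding:
    process: str
    path: str
    source: str                    # "signature", "heuristic" or "vt"
    label: str
    vt_positives: int = 0          # VT vendors flagging the file (0 if clean/unknown)
    dropped: Optional[str] = None  # reason the FP rules dropped it, if any


def memory_scan(process: str, path: str, memory: bytes) -> List[Finding]:
    """Toy process-memory scanner: a process whose memory holds a signature string
    matches, which is exactly what happens to an AV that maps its own definitions."""
    return [Finding(process, path, "signature", label)
            for pattern, label in SIGNATURES.items() if pattern in memory]


def under_whitelisted_path(path: str) -> bool:
    # PureWindowsPath compares case-insensitively, like the Windows filesystem.
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in AV_DB_WHITELIST)


def apply_fp_rules(f: Finding) -> Finding:
    """The false-positive rules from the post, applied to one finding."""
    if f.source == "vt" and f.vt_positives < VT_MIN_VENDORS:
        f.dropped = f"VT: only {f.vt_positives} vendors, need {VT_MIN_VENDORS}"
    elif f.source == "heuristic" and f.vt_positives < 1:
        f.dropped = "heuristic hit, but the file is clean on VT"
    elif f.source == "signature" and under_whitelisted_path(f.path):
        f.dropped = "database collision with an AV installed in its default path"
    return f


def report(findings: List[Finding]) -> List[str]:
    """Report lines in the '[Label] name -- path -> Found' style for surviving findings."""
    return [f"[{f.label}] {f.process} -- {f.path} -> Found"
            for f in map(apply_fp_rules, findings) if f.dropped is None]


def demo_scan() -> List[str]:
    # Constructed "process memory": both MBAM instances contain the Elex pattern only
    # because the service mapped its definitions; neither process is infected.
    db_blob = b"...defs..." + b"elex_loader_stub" + b"...defs..."
    findings: List[Finding] = []
    findings += memory_scan("mbamservice.exe",
                            r"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe", db_blob)
    findings += memory_scan("mbamservice.exe",
                            r"D:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe", db_blob)
    # VT-sourced findings: 4 vendors is below the threshold, 5 is flagged.
    findings.append(Finding("tool_a.exe", r"C:\Tools\tool_a.exe", "vt", "VT.Generic", vt_positives=4))
    findings.append(Finding("tool_b.exe", r"C:\Tools\tool_b.exe", "vt", "VT.Generic", vt_positives=5))
    # A heuristic hit on a file VT considers clean is dropped; one VT vendor keeps it.
    findings.append(Finding("suspect.exe", r"C:\Temp\suspect.exe", "heuristic", "MalPE", vt_positives=0))
    findings.append(Finding("packed.exe", r"C:\Temp\packed.exe", "heuristic", "MalPE", vt_positives=1))
    return report(findings)


if __name__ == "__main__":
    for line in demo_scan():
        print(line)
```

Only the MBAM instance installed on D: survives the rules, which is the situation several posters in this thread ran into.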
-
Hello,
Thanks to both of you.
Regards
-
Hello Pierre,
If you have any other questions or remarks, please don't hesitate.
Best regards.
-
Hi, today I downloaded the latest version of RK, 12.11.0.0 x64, and it found 7 MalPE. Are these FPs, or am I really infected?
-
Hi Jatune,
Thanks for your feedback.
RogueKiller V12.11.0 has a bug on the MalPE engine. This should be fixed in V12.11.1. Could you please give it a try ?
Regards.
-
Hi Germán Pc,
Welcome to Adlice.com Forum.
[Proc.RunPE] NvStreamService.exe(2448) -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe -> Encontrado
This entry is a false positive. You could safely ignore it.
[PUP][Carpeta] C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} -> Encontrado
This folder is malware-related. I advise you to delete it.
The rest of your report is clean.
For the issue you encounter with the update of the Nvidia drivers, you could try to completely uninstall them using the Windows control panel, then do a full reinstall with the ones you downloaded from Nvidia's website.
Regards.
How do you know "{FE8D473A-6F06-4F99-B5F4-BED72B2A038C}" is malware? I've googled and other forums say it is mostly just junk files. Care to explain?
-
Hi fleks,
Welcome to Adlice.com Forum.
This folder is part of TuneUp 2014, flagged by antivirus engines as PUP. It's not really malicious, in the sense that it is not part of an active infection (service or driver, linked to RUN or TASK Registry keys, etc.). For more information, please refer to Program.Optimizer (https://vms.drweb.com/virus/?i=4362210&virus_name=Program.Optimizer.13&lng=en) by Dr.WEB.
The folder may have been registered as a system folder, which are not displayed even when the "Show hidden files, folders, and drives" option is selected.
Regards.
-
RogueKiller V12.11.27.0 (x64) [Dec 4 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : DuhBoyKX [Administrator]
Started from : D:\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/10/2017 02:48:02 (Duration : 00:07:52)
¤¤¤ Processes : 1 ¤¤¤
[Adw.Elex|Adw.Wizzcaster] MBAMService.exe(3212) -- D:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[7] -> Found
¤¤¤ Registry : 4 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1023082143-743398584-2786875222-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1023082143-743398584-2786875222-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-00BN5A0 +++++
--- User ---
[MBR] 72d802927eba00916c896a4d2a5b29a4
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: KINGSTON SHFS37A120G +++++
--- User ---
[MBR] 7814cad3328eceaeeee43659e092479c
[BSP] a072cf56184c0e5b3be65f6564f2cf7e : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1228800 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1261568 | Size: 113857 MB
User = LL1 ... OK
User = LL2 ... OK
MBAMService?
-
Hi Twixxin,
Welcome to Adlice.com Forum.
RogueKiller is detecting MalwareBytes malware database.
This issue has been fixed when MBAM is installed in the standard location, but since you run it from the D: drive, the detection is still present.
Regards.
-
Anydesk? I have been using it...
-
Hi khuntim,
This false positive should be fixed in RogueKiller latest version.
Could you please make sure you are using V12.11.28 ?
Regards.
-
Hi. This Windows 7 PC presents no performance or usage issues but MsMpEng.exe is showing as high risk. I am 99% certain this is simply a false positive as the Malwarebytes false positive earlier in this thread though would greatly appreciate confirmation. I will provide some details of what I have done and after that will follow the RK text file.
If all you need is the text file then you can simply proceed to it and do not need to read anything I have written below! :) It is all simply details surrounding this which you may not need.
The RogueKiller version I am using is "12.11.28.0 (up to date)", I have tried portable and non-portable modes. The MsMpEng.exe (definition is 1.259.284.0 from 12/13/2017) shows as such within RogueKiller:
Detection: Root.Wajam | Adw.Elex
Type: Process
Path: [6380] MsMpEng.exe, c:\Program Files\Microsoft Security Client\MsMpEng.exe
(yes, the 6380 above is the proper MSE PID, or at least it's the PID of that specific file.)
I uploaded the copy of MsMpEng.exe to VirusTotal and it was found very clean.
Uninstalling and reinstalling MSE seemed to resolve this entry. However, once I had re-downloaded the definitions for MSE, and then re-scanned with RogueKiller, the entry returned to RogueKiller.
I ran RKill, TDSS Killer (with verify digital signatures and also detect TDLFS), Malwarebytes, Malwarebytes Anti-Rootkit, AdwCleaner and system file checker (sfc /scannow), all of which found various PUP but nothing serious I could tell.
I tried also removing the process via RogueKiller, and this resulted in the MsMpEng.exe process being successfully killed. MSE immediately threw up a message asking me to reactivate it.
I tested this on a different PC and the behavior was the same, without definitions MsMpEng.exe scanned fine and with definitions scanned dirty. On Windows 10 it appears to not occur for what it is worth.
Here is the text file showing the MsMpEng.exe detection, any verification you can provide will be very much appreciated!
RogueKiller V12.11.28.0 (x64) [Dec 11 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : tch [Administrator]
Started from : C:\Users\tch\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/13/2017 19:17:08 (Duration : 00:13:24)
¤¤¤ Processes : 1 ¤¤¤
[Root.Wajam|Adw.Elex] MsMpEng.exe(6380) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe[7] -> Found
¤¤¤ Registry : 10 ¤¤¤
[PUP] (X64) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --appletID=CCM_UI --workflow=CCM_workflow_launch --appletVersion=1.0 --mode=LBS --helperBridgeName={6D0FD104-A851-485A-813C-2090DC17FF87} --lbsWorkflowID={BC7B50A6-7824-4B06-A8C7-5E72FB2DC34A} --lbsInstallerWorkflowID={37D3BAE5-E140-4F2C-8805-9B2B87E0914B} --userGuid= /RestartByRestartManager:B5757D87-38D0-4d1e-BECC-8B5A6D1DD94B
[PUP] (X86) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --appletID=CCM_UI --workflow=CCM_workflow_launch --appletVersion=1.0 --mode=LBS --helperBridgeName={6D0FD104-A851-485A-813C-2090DC17FF87} --lbsWorkflowID={BC7B50A6-7824-4B06-A8C7-5E72FB2DC34A} --lbsInstallerWorkflowID={37D3BAE5-E140-4F2C-8805-9B2B87E0914B} --userGuid= /RestartByRestartManager:B5757D87-38D0-4d1e-BECC-8B5A6D1DD94B
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{50FE4215-80B5-46E0-BD24-9105019A6FF4} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F738259E-C6E0-414D-A129-E6EE5C8B6C3A} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{50FE4215-80B5-46E0-BD24-9105019A6FF4} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F738259E-C6E0-414D-A129-E6EE5C8B6C3A} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][]) -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[Hj.Shortcut][File] C:\Users\tch\Desktop\TimeStar PUNCH.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe https://www.timestaronline.com/site/clock.php -> Found
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ADATA XM11 256GB-V2 ATA Device +++++
--- User ---
[MBR] b7e62e8b0434274887588696af470fc6
[BSP] 647fd931d64e61570068ccad787e4ddb : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 130 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 270336 | Size: 244061 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-
Hi Scott,
Welcome to Adlice.com Forum.
This detection is indeed a false positive resulting from a conflict with the Windows Defender database. We will fix this as soon as possible.
For the time being, you can safely ignore it.
Regards.
-
Yes, 12.11.28 did get rid of AnyDesk. The last one is Sharks Codecs. Thanks.
-
Hi khuntim,
Thanks for the confirmation.
We will check this out.
Edit : Is Anydesk reported as [PUP.AdInstaller] ?
Regards.
-
Hello!
Technician License holder here.
3 items I see regularly detected when scanning my customers' PCs are:
MetaStream (a graphics plugin used by AOL)
ViewPoint (a media player used by AOL)
Carbonite (a cloud backup service)
Would love to either not see them detected or at least not checked by default?
Thanks!
-
Hi Kylyx,
Welcome to Adlice.com Forum and thanks for your feedback.
Could you please provide us RogueKiller reports showing such false positives ? It will help us in the whitelisting process.
Regards.
-
Sorry for the delay! Here's the pertinent Carbonite log entry and I'll post the others as they occur:
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} -- "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" (/silent $(Arg0)) -> Found
Thanks!
-
Hi Kylyx,
We will whitelist Carbonite.
Waiting for the others.
Regards.
-
Dear Ladies and Gentlemen,
I have scanned my computer with the free version and RogueKiller has found something.
After deleting the file through RogueKiller and restarting the computer, the file shows up again.
Is this a serious problem?
Thank you for your help :-)
RogueKiller V12.12.2.0 (x64) [Jan 29 2018] (Free) von Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Betriebssystem : Windows 10 (10.0.16299) 64 bits version
Gestartet in : Normalmodus
User : MusicMachine [Administrator]
Gestartet von : C:\Program Files\RogueKiller\RogueKiller64.exe
Modus : Scannen -- Datum : 01/29/2018 14:45:12 (Dauer : 00:15:34)
¤¤¤ Prozesse : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Dateien : 1 ¤¤¤
[Hidden.ADS][Stream] C:\ProgramData:3B6E8F68802753B9 -> Gefunden <------ When deleting this it shows up again after restarting the computer
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts-Datei : 0 ¤¤¤
¤¤¤ Anti-Rootkit : 0 (Driver: Geladen) ¤¤¤
¤¤¤ Webbrowser : 0 ¤¤¤
¤¤¤ MBR-Übeprüfung : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 PRO 512GB +++++
--- User ---
[MBR] 6ff527a6d5026731cf00e93795bb1138
[BSP] ee3d88ee0e3639852ed70d721bffed19 : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 488384 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Samsung SSD 960 EVO 500GB +++++
--- User ---
[MBR] 44a4c8065f73c467c78b705ccd731cc3
[BSP] 52d63966f7bdfae97059f61492bf883c : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 475964 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 975802368 | Size: 472 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Unzulässige Funktion. )
-
Hi Peter,
Welcome to Adlice.com Forum.
Such ADS are apparently created by Windows 10 updates. Since it's linked to the system, it's normal that RogueKiller is unable to delete it. You can safely ignore it.
Regards.
-
Thanks! Here's the other AOL related items...
¤¤¤ Registry : 3 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\MetaStream -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Viewpoint -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer -> Found
¤¤¤ Files : 3 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Viewpoint -> Found
[PUP.Gen1][Folder] C:\ProgramData\Viewpoint -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Viewpoint -> Found
-
Hi Kylyx,
Thanks for your feedback again.
I'm sorry, but these won't be whitelisted. Viewpoint Media Player is detected as PUP since it is often installed without user consent and actively collects user data.
However, as a Premium user, you can manually whitelist it using RogueKiller External Scanner (http://www.adlice.com/documentation/roguekiller/external-scanner/).
Regards.
-
No problem, thanks! Will look into whitelisting.
-
Hi Kylyx,
Thanks for your understanding
Regards.
-
Would someone kindly have a look at this text file for me; it's the 3 items beginning Hj.Name that are of some concern but I believe them to be False Positives. The others are generated mostly by my glasswire app. Thank you.
-
Hi Grahampembs,
Welcome to Adlice.com Forum.
Do you run Hyper-V on this computer ?
Regards.
-
Hello! I've not enabled it in program features but it is capable of being run on this pc according to systeminfo32.
-
Hi Grahampembs,
Thanks for your feedback.
These entries are indeed false positives. We will fix this as soon as possible.
Regards.
-
Hello again,
OK, thanks for confirming!
-
Hi Grahampembs,
You are very welcome.
Regards.
-
Hi there, I think I stumbled on a false positive. Latest scan detected the world of warcraft .exe as something seemingly harmful. I add the report.
best regards
-
Hi coldi,
We need to retrieve more information.
Please follow the following process :
- Download Process Explorer (x64) (http://live.sysinternals.com/procexp64.exe) and save it to your desktop.
- Click on the setup file (procexp64.exe) and select Run as Administrator to start the tool.
- Locate the process named Wow.exe, do a right click on it and select Create Dump > Create Full Dump...
- Save the dump on your desktop and compress it.
- Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.
Regards.
-
Sorry took a moment but here https://drive.google.com/file/d/15YH_ZymVP9ohOxTfGGwpVIbrhE77NpLG/view is the file.
regards
-
Hi coldi,
Thanks.
We will fix this as soon as possible.
Regards.
-
Hi,
After analysis with RogueKiller, I received a report reporting "PUP"
files in my Wise Care 365 software. I attach this report to my
message.
Should I take this alert into account?
Best regards.
Jean-Claude Laffitte
---------------------------
RogueKiller V12.13.6.0 (x64) [Oct 22 2018] (Gratuit) par Adlice Software
email : http://www.adlice.com/fr/contact/
Remontées : https://forum.adlice.com
Site web : http://www.adlice.com/fr/download/roguekiller/
Blog : http://www.adlice.com/fr/
Système d'exploitation : Windows 10 (10.0.17763) 64 bits version
Démarré en : Mode normal
Utilisateur : ASUS [Administrateur]
Démarré depuis : C:\Users\ASUS\Documents\RogueKiller_portable64.exe
Mode : Scan -- Date : 10/24/2018 21:59:41 (Durée : 00:21:51)
¤¤¤ Processus : 0 ¤¤¤
¤¤¤ Registre : 0 ¤¤¤
¤¤¤ Tâches : 0 ¤¤¤
¤¤¤ Fichiers : 4 ¤¤¤
[PUP.Wise][Fichier] C:\Users\ASUS\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Wise Care 365.lnk [LNK@] C:\PROGRA~2\Wise\WISECA~1\WISECA~1.EXE -> Trouvé(e)
[PUP.Wise][Fichier] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wise Care 365\Wise Care 365.lnk [LNK@] C:\PROGRA~2\Wise\WISECA~1\WISECA~1.EXE -> Trouvé(e)
[PUP.Wise][Fichier] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wise Data Recovery\Wise Data Recovery.lnk [LNK@] C:\PROGRA~2\Wise\WISEDA~1\WISEDA~1.EXE -> Trouvé(e)
[PUP.Wise][Répertoire] C:\Program Files (x86)\Wise -> Trouvé(e)
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Fichier Hosts : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤
¤¤¤ Navigateurs web : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [chrome://bookmarks/?id=26|http://flybox.home/home/index.html|https://mail.google.com/mail/u/0/h/15djwt4ojuram/?&] -> Trouvé(e)
¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB +++++
--- User ---
[MBR] e1b214c10207dab0acfd8e740c17e1fb
[BSP] 95d306160c073e793ff501013a9f2d28 : Windows Vista/7/8 MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 233536 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 479444992 | Size: 896 MB
5 - Basic data partition | Offset (sectors): 481282048 | Size: 241939 MB
User = LL1 ... OK
User = LL2 ... OK
2018-06-11 7:12 UTC, sales <sales@wisecleaner.com>:
> Dear Jean-Claude Laffitte,
>
> Thank you for your email.
> It is a reminder of renewing wise care 365 sent from Mycommerce system, it
> doesn't know you have renewed wise care 365 manually.
> Sorry for it, I will cancel it soon.
>
> Any further questions, please feel free to contact us.
>
> Have a nice day!
> Best regards,
> Ivan
-
Hi photix,
Welcome to Adlice.com Forum.
Wise products are labelled as PUP (potentially unwanted software), because Wise used shady commercial practices (aggressive marketing, buying bundles to be installed alongside popular software, etc.). Usually, we use the same criteria as MalwareBytes to flag a product as PUP: https://www.malwarebytes.com/pup/
However, if you bought it yourself, you can safely ignore the detections.
Regards.
-
Hi Curson,
I finally understood the reasons for these PUPs. I bought WiseCare myself, so I can safely ignore the detections. Thanks.
Best Regards.
Photix
-
Hi Photix,
You are welcome.
Regards.
-
Hi there, I may have stumbled upon a false positive again or at least an oddity. Version 13.0.6.0 seems to report the wmrprvse.exe as malware.
https://www.virustotal.com/#/file/b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15/detection is the file in question - I add an archive with the report and the file. Strangely enough on a scan shortly afterwards it stopped detecting it.
Best regards
-
Hi coldi,
Thanks for your feedback.
Could you please export the JSON version of the report detecting the process and attach it with your next reply ?
Regards.
-
Sure thing
-
Hi coldi,
Thanks.
After much investigation, we were unfortunately unable to reproduce the issue, so we won't be able to fix it. Please don't hesitate to report it if it occurs again, so we have a chance to fix it.
Regards.
-
The new version of roguekiller keeps detecting windows\system32\consent.exe as proc.hidden and must be removed on windows 10 pro x64 latest build, is this a false positive?
-
Hi bloodfx,
Thanks for your feedback.
Could you please attach RogueKiller JSON report showing this detection with your next reply ?
Regards.
-
This?
-
Not sure if the format was correct so uploaded as .json to
-
Hi bloodfx,
Thanks, that's it.
This is a confirmed false positive. We will whitelist it as soon as possible.
Regards.
-
Wow that was fast great support, thanks :)
-
Hi bloodfx,
You are very welcome.
Regards.
-
I have stumbled upon a possible false positive when scanning with RogueKiller. It picks up two registry items from the tinyBuild Launcher, which is used to launch the PC game "Rapture Rejects". Attached is the TXT file from a RogueKiller report...
-
Hi SilenceEngaged,
Thanks for your feedback.
This is indeed a false positive. We will whitelist it as soon as possible.
Regards.
-
Thanks for the prompt response! Sorry it took so long for me to respond. I was busy with the holidays. (Still am) I believe I have another false positive. This time, it is from AMD graphics card drivers.
Also, a suggestion on it: VirusTotal uploads only come back positive if found to actually be something (Virus, what-have-you...) on VirusTotal.com
-
Hi SilenceEngaged,
Don't worry about that.
The [VT.Detection] entry shows up because this file was not present in the VirusTotal database at the time of the scan. If you allowed the file to be uploaded, it won't appear anymore.
A process reported as unknown to VirusTotal is a hint that it may be part of a polymorphic-code infection; it's a clue that can be really useful sometimes.
Regards.
-
Hello,
I reported a FP on RogueKiller.
But I realise I may not have posted it in the right place.
I posted it here
https://forum.adlice.com/index.php?topic=3550.0
Awaiting your reply
Pierre
-
Hello Pierre,
Thanks for the report.
I replied to you on the thread in question.
Best regards.
-
Lately, RogueKiller seems to occasionally detect RogueKiller's own temporary installation/update files as suspicious, which seems odd. False positive or something else?
Attached details of such an occurrence
-
Hi Trombyl,
Welcome to Adlice.com Forum and thanks for your feedback.
This is indeed a false positive, most likely caused by an issue with RogueKiller latest version installer. We will investigate and fix this as soon as possible.
Regards.
-
Hello everyone and happy new year 2019
I am reporting a false positive from RogueKiller (at least I think it is one)
RogueKiller: https://www.cjoint.com/c/IAev6vF8DWY
For the following lines:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SWDUMon -- (AVG Technologies CZ, s.r.o.) C:\Windows\System32\drivers\SWDUMon.sys -> Found
[PUP.Slimware (Potentially Malicious)] (file) SWDUMon.sys -- (AVG Technologies CZ, s.r.o.) C:\Windows\System32\drivers\SWDUMon.sys -> Found
VirusTotal analysis of
C:\Windows\System32\drivers\SWDUMon.sys ==> https://www.virustotal.com/fr/file/b0746d93a46812608faf84167a178c118fa6318996e15c17df170e7b6b2d69f5/analysis/1546800717/
Signed file, signature verified, owner: AVG Technologies
Can I have confirmation?
-
Hello Pierre,
Happy new year to you too.
SlimWare was bought by AVG Technologies and therefore now has an AVG certificate. However, it is still considered a PUP by many vendors, so strictly speaking it is not a FP.
I advise you to uninstall it.
Best regards.
-
Hello Curson,
thanks for the information
-
Hello Pierre,
You're welcome.
-
I am working topic over at Bleeping Computer where RogueKiller has identified some Intuit 2018 QuickBooks files as malicious. Please see this link (https://www.bleepingcomputer.com/forums/t/689842/usb-drive-threat/page-2#entry4673146). I think that these are false positives.
I purchased a 2-year subscription for RogueKiller Premium today and scanned my computer. It is detecting a legitimate Cyberlink file as malicious and is also going after a Bitdefender uninstaller file, plus some detections that it is reporting as missing. There is also a folder detection (C:\ProgramData\Filter) that I regard as a possible false positive. Scan report attached. See these URLs for analysis of the detections:
https://www.systemlookup.com/Drivers/10335-000_fcl.html (https://www.systemlookup.com/Drivers/10335-000_fcl.html)
https://www.hybrid-analysis.com/sample/401cd6a87b9bec1f027c081ad23320c91d668dc5dc7a11226493e6aa387be6b7?environmentId=100 (https://www.hybrid-analysis.com/sample/401cd6a87b9bec1f027c081ad23320c91d668dc5dc7a11226493e6aa387be6b7?environmentId=100)
I run Bitdefender 2019 Total Security and Malwarebytes Anti-Malware Premium, and neither program has detected any of these files.
I just registered on your Forums today. Thank you and have a great day.
Regards,
-Phil
-
Hi Phil,
Welcome to Adlice.com Forum and thanks for supporting us.
It's always a pleasure to see a fellow malware fighter.
The QuickBooks files were detected with the [VT.Unknown] tag because they were not present in the VirusTotal database at the time of the scan. This should not happen again if the user has allowed the files to be uploaded.
The BitDefender uninstaller is detected since it runs from a temporary folder; RogueKiller flags it as [Suspicious.Path] because a lot of malware runs from there.
What is the content of the Filter folder ?
Could you please upload the 000.fcl file with your next reply ? Please zip it first, otherwise the upload form will reject it.
Regards.
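The [Suspicious.Path] rule Curson describes (a binary executing from a temporary folder) is easy to reproduce for triage. What follows is an added example written for this page, not RogueKiller's own code: it normalises Windows paths from a constructed process list (the %TEMP%-style tokens seen in reports are expanded against an assumed user profile, and the folder list is an assumption), flags anything under a temp or Recycle Bin directory, and annotates the most common benign cause, a 7-Zip self-extracting installer staging its payload under %TEMP%\7zS<hex>.tmp before running it.

```python
import ntpath
import re

# Constructed for the example: an assumed user profile so that the %TEMP%-style
# tokens seen in reports can be expanded to a concrete, comparable path.
ENV_PREFIXES = {
    "%temp%": r"c:\users\alice\appdata\local\temp",
    "%localappdata%": r"c:\users\alice\appdata\local",
    "%programfiles%": r"c:\program files",
    "%systemroot%": r"c:\windows",
}

# Folders that droppers, but also installers, execute from (assumed list,
# not RogueKiller's). Matched against the lower-cased, normalised path.
TEMP_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\"),
    re.compile(r"^[a-z]:\\windows\\temp\\"),
    re.compile(r"^[a-z]:\\\$recycle\.bin\\"),
]

# 7-Zip self-extracting installers unpack into %TEMP%\7zS<hex>.tmp and run the
# payload from there: the usual benign reason for a binary living in temp.
SFX_STAGING = re.compile(r"\\temp\\7zs[0-9a-f]+\.tmp\\")


def normalise(path):
    """Lower-case, expand a leading %VAR% token and collapse the path."""
    p = path.strip().strip('"').lower()
    for token, real in ENV_PREFIXES.items():
        if p.startswith(token):
            p = real + p[len(token):]
            break
    return ntpath.normpath(p)  # ntpath so this also works when run on Linux


def classify(path):
    """Return (tag, note); tag is 'Suspicious.Path' or None."""
    norm = normalise(path)
    if not any(pat.match(norm) for pat in TEMP_DIR_PATTERNS):
        return None, "normal location"
    if SFX_STAGING.search(norm):
        return "Suspicious.Path", "inside a 7-Zip SFX staging folder, probably an installer"
    return "Suspicious.Path", "executing from a temporary folder"


def scan(entries):
    """entries: iterable of (name, path). Returns the flagged (name, tag, note)."""
    flagged = []
    for name, path in entries:
        tag, note = classify(path)
        if tag:
            flagged.append((name, tag, note))
    return flagged


# Constructed sample modelled on the Processes / Process Modules sections.
SAMPLE = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("bdtools.exe", r"%TEMP%\bd_uninstall\bdtools.exe"),
    ("GPCIDrv64.sys", r"%localappdata%\Temp\7zS9460.tmp\FW_Upgrade\GPCIDrv64.sys"),
    ("svchost.exe", r"C:\$Recycle.Bin\S-1-5-21-1\svchost.exe"),
    ("SteamVR.dll", r"%localappdata%\SLR VR Application\SLR_Data\Managed\SteamVR.dll"),
]

if __name__ == "__main__":
    for name, tag, note in scan(SAMPLE):
        print(f"[{tag}] {name}: {note}")
```

The tag is a triage hint rather than a verdict: a signed driver unpacked by an installer and an unsigned dropper look identical to this rule, so the next step is always the publisher signature and the hash, not deletion.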
-
Curson:
Thank you for your explanations, but if a file is tagged as [VT.Unknown], should RogueKiller default to removing it, if the user selects the clean? Many users are going to think that RogueKiller has detected the file(s) as malware and be inclined to accept the default.
The content of the C:\ProgramData\Filter folder is one file: images, 12 bytes. It is marked read-only and hidden. The content of the file in hex is below
03 99 4B D4 20 A6 F1 7D 62 87 46 C4
I am attaching the 000.fcl file in zipped format as requested.
Thank you and have a great day.
Regards,
-Phil
-
Hi Phil,
Thanks for your feedback.
Thank you for your explanations, but if a file is tagged as [VT.Unknown], should RogueKiller default to removing it, if the user selects the clean? Many users are going to think that RogueKiller has detected the file(s) as malware and be inclined to accept the default.
I asked Tigzy's opinion about that and we are probably going to change this behaviour.
Additionally, the "Filter" folder and "000.fcl" file will be whitelisted shortly.
Regards.
-
Curson:
Thank you for your reply. Now that I have purchased RogueKiller Premium, I will be poking around and I will also be monitoring my Malware Removal Log topics even more closely, since, as a part of my standard anti-malware scans, I ask my users to run RogueKiller. You can expect to see me around in your Forums now that I am registered.
Thank you for looking into these issues for me. Have a great weekend.
Regards,
-Phil
-
Hi Phil,
You are very welcome.
Please don't hesitate to report things that RogueKiller did not detect correctly.
Have a great weekend, too.
Regards.
-
Hi
I have 2 False Positives for you
iexplore.exe
https://www.virustotal.com/#/file/8cdc4cd6c75acff9744937efd1e286ad9e6ee9aff6a3049fd482f9a547f3498b/detection
DeepAV.exe
https://www.virustotal.com/#/file/4d20ff0e8ca634f9fa7d6b46e82118690654369e51c6b22e149fae2569d54cfe/detection
And I have some questions for you
1. Why does it say "not scanned" under the VT score? What can I do?
2. And can you check this Crashdump please
https://www.sendspace.com/file/kjuosl
With best Regards
Mops21
-
Hi Mops21,
Welcome to Adlice.com forum.
Thanks for your feedback. We will fix them as soon as possible.
What do you mean by "VT score not scanned" ? Do you have an idea at which point RogueKiller crashed ?
Regards.
-
Hi Curson
Thank you very much for your Infos
Do you need the files? If yes, you can download them here
https://www.sendspace.com/file/xospek
For my second question see my 2 screenshots please
For my other question, about the crash dump: I made it manually for you to check and analyze
Can you add right-click scanning please
With best Regards
Mops21
-
Hi Mops21,
This is not a bug.
RogueKiller only sends specific files to VirusTotal for analysis, and those two processes were not included.
We will add a "Send to VirusTotal" right click option, but only on Adlice Diag (the Expert version of RogueKiller).
RogueKiller is used by beginners, so we intend to keep it simple.
Regards.
-
Hi Curson
Thank you very much for your Infos
"RogueKiller only sends specific files to VirusTotal for analysis and those two processes were not included" - how can I change that so they are scanned with VT? Can you explain this to me please, or what can I do?
I mean right-click scanning to scan files and folders with Rogue Anti-Malware and VirusTotal
With best Regards
Mops21
-
Hi Mops21,
"How can I change that so they are scanned with VT?"
Sorry, but it's not possible to change this behaviour.
"I mean right-click scanning to scan files and folders with Rogue Anti-Malware and VirusTotal"
We will put this suggestion on our roadmap. In the meantime, you can use VirusTotal Windows Uploader (https://www.virustotal.com/de/documentation/desktop-applications/windows-uploader) third-party tool to do this.
Regards.
-
Hi Curson
Thank you very much for your Infos
With best Regards
Mops21
-
Hi Curson
Here are some more FPs from me see my screenshot
APEXlib.dll
https://www.virustotal.com/#/file/28319c93645908987a8fbf7d4c966087650038f254b6afc883ea0b8b28618724/details
APEX.exe
https://www.virustotal.com/#/file/4d20ff0e8ca634f9fa7d6b46e82118690654369e51c6b22e149fae2569d54cfe/details
And here can you download the Files
https://www.sendspace.com/file/dxtyoz
With best Regards
Mops21
-
Hi Mops21,
These should be fixed in the latest signatures database.
Could you please confirm ?
Regards.
-
Hi Curson
That is fixed now
Here is a new FP for you see my screenshot and my scanlog
iexplore.exe
https://www.virustotal.com/#/file/1df7b65df78e96e595def9b98a84cbf695233f9275010d684a65eec9beaf7f15/detection
And here can you download the File
https://www.sendspace.com/file/we822n
With best Regards
Mops21
-
Hi Curson
Here are some new FPs for you see my screenshot
iexplore.exe
https://www.virustotal.com/#/file/8cdc4cd6c75acff9744937efd1e286ad9e6ee9aff6a3049fd482f9a547f3498b/detection
And here can you download the File
https://www.sendspace.com/file/551d7p
With best Regards
Mops21
-
Hi Curson
Here is a new FPs for you see my screenshot
Please check and fix it please
iexplore.exe
https://www.virustotal.com/#/file/8cdc4cd6c75acff9744937efd1e286ad9e6ee9aff6a3049fd482f9a547f3498b/detection
And here can you download the File
https://www.sendspace.com/file/mvhcye
And here can you download some more logs
https://www.sendspace.com/file/aymve8
With best Regards
Mops21
-
Hi Mops21,
There is no need for you to report all [Hj.Shortcut] detections.
For the time being, every URL which is not explicitly whitelisted will be reported as such.
We are in the process to change this behaviour, so only malicious websites will be reported as [Hj.Shortcut] in the future.
Regards.
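To make the two policies concrete, here is an added example (my own code, not RogueKiller's [Hj.Shortcut] implementation; the host lists and the shortcuts are constructed): it extracts any URL passed as an argument to a browser shortcut and reports it either under the current "anything not explicitly whitelisted" policy, which is why a user-set facebook.com start page shows up, or under the planned "only known-bad hosts" policy, which reports just the hijack.

```python
import re
from urllib.parse import urlsplit

# Constructed lists for the example. Under the current policy anything whose
# host is not on ALLOWED_HOSTS is reported; under the planned one only BAD_HOSTS.
ALLOWED_HOSTS = {"google.com", "bing.com", "duckduckgo.com", "microsoft.com"}
BAD_HOSTS = {"search-hijack.example", "cdn.evil-toolbar.example"}

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)


def in_list(host, entries):
    """True if host equals an entry or is a subdomain of it (no public-suffix list)."""
    return any(host == e or host.endswith("." + e) for e in entries)


def check_shortcut(target, arguments, policy="allowlist"):
    """Report URLs passed on the command line of a browser shortcut.

    target: the .lnk target path; arguments: the .lnk argument string.
    policy: 'allowlist' reports any host not explicitly allowed (the thread's
    current behaviour); 'denylist' reports only known-bad hosts.
    Returns a list of (url, tag).
    """
    exe = target.strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in BROWSERS:
        return []  # a URL argument to a non-browser target is not a start-page hijack
    findings = []
    for url in URL_RE.findall(arguments):
        host = (urlsplit(url).hostname or "").lower()
        if policy == "allowlist":
            suspicious = not in_list(host, ALLOWED_HOSTS)
        elif policy == "denylist":
            suspicious = in_list(host, BAD_HOSTS)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if suspicious:
            findings.append((url, "Hj.Shortcut"))
    return findings


def audit(shortcuts, policy):
    """Run check_shortcut over (target, arguments) pairs and flatten the findings."""
    findings = []
    for target, arguments in shortcuts:
        findings.extend(check_shortcut(target, arguments, policy))
    return findings


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Constructed shortcuts: a clean one, a user-set Facebook start page, a classic
# hijack that appends an affiliate search page, and a non-browser target.
SHORTCUTS = [
    (IE, ""),
    (IE, "http://www.facebook.com/"),
    (IE, "http://search-hijack.example/?uid=42"),
    (r"C:\Tools\notepad.exe", "http://search-hijack.example/readme.txt"),
]

if __name__ == "__main__":
    for policy in ("allowlist", "denylist"):
        print(policy, audit(SHORTCUTS, policy))
```

The allowlist policy is the safer default for an unattended cleaner (an unknown host is treated as hostile) at the cost of exactly the reports seen in this thread; the denylist policy is quiet but only as good as its list.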
-
Hi Curson
Thank you very much for your Infos
Here are some Logs for you
https://www.sendspace.com/file/gxrmu9
And here is another folder with a log file; you must enter the password "infected" for it
https://www.sendspace.com/file/ntfgbn
With best Regards
Mops21
-
Hi Curson
Can you check this please
With best Regards
Mops21
-
Hi Mops21,
It's safe.
Regards.
-
Hi Curson
Thank you very much for your Infos
With best Regards
Mops21
-
Hi Mops21,
You are very welcome.
Regards.
-
Hi Curson
Thank you very much for your Infos
Can you check this too
The signatures are from 10.02.2019 but here in Germany it is 15.02.2019, please check and fix
With best Regards
Mops21
-
Hi Mops21,
You are welcome.
We had an issue with the signatures package. This will be fixed as soon as possible.
Regards.
-
Hi Curson
Thank you very much for your Infos
With best Regards
Mops21
-
Hi Curson
Here is a new FP for you see my screenshot
http://www.facebook.com/
https://www.virustotal.com/#/url/114fb86b9b4e868f8bac2249eb5c444b545f0240c3dadd23312a0bc1622b5488/detection
iexplore.exe
https://www.virustotal.com/#/file/8cdc4cd6c75acff9744937efd1e286ad9e6ee9aff6a3049fd482f9a547f3498b/detection
With best Regards
Mops21
-
Hi Mops21,
There is no need for you to report all [Hj.Shortcut] detections.
For the time being, every URL which is not explicitly whitelisted will be reported as such.
We are in the process to change this behaviour, so only malicious websites will be reported as [Hj.Shortcut] in the future.
The issue with the signatures package is now solved.
Regards.
-
Pls fix this false positive. Insync is a legit program
https://www.insynchq.com/
-
Hi randzonen,
Thanks for your feedback.
Insync will be whitelisted in next signatures package.
Regards.
-
Is this a false positive google chrome keeps showing as pum.homepage even after removing and clean installing chrome?
-
any update?
-
Hi Lemonsfluffynoodles,
Welcome to Adlice.com Forum and thanks for your feedback.
Yes, it's a false positive. It should be fixed in latest signatures package release.
Regards.
-
Hello, are these false positives?
RogueKiller Anti-Malware V13.1.6.0 (x64) [Feb 25 2019] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : tbhben [Administrator]
Started from : E:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190204_072850, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/03/02 18:27:21 (Duration : 00:26:59)
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> Firefox Addon
[PUP.Gen2 (Potentially Malicious)] {91c612bf-2a7a-48b8-8c8c-6de28589b7a1} (E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a1}) -- {91c612bf-2a7a-48b8-8c8c-6de28589b7a1} -> Found
[PUP.Gen2 (Potentially Malicious)] {91c612bf-2a7a-48b8-8c8c-6de28589b7a0} (E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a0}) -- {91c612bf-2a7a-48b8-8c8c-6de28589b7a0} -> Found
[PUP.Gen2 (Potentially Malicious)] {d9284e50-81fc-11da-a72b-0800200c9a66} (E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{d9284e50-81fc-11da-a72b-0800200c9a66}) -- {d9284e50-81fc-11da-a72b-0800200c9a66} -> Found
Thanks in advance!
-
Hello,
Rougekiller announces the Firefox homepage as PUP https://www.startpage.com/
Startpage.com is an internet search engine
and https://duckduckgo.com/
Set the entry in Firefox Startpage as start page
I made it myself.
https://www.virustotal.com/#/url/159eb4fb03182f38c25487207b9fb89ad7370f4b1fbf05821f8851c64233123b/detection
browser.startup.homepage Threat: PUM.HomePage Status: Found
C:\Users\dark\AppData\Roaming\Mozilla\Firefox\Profiles\14k8v168.default-1551444125829\prefs.js
Type: Firefox Config
Dates: https://wvwv.startpage.com/
name
Status Recognition
Firefox Config
Browser.startup.homepage Found PUM.HomePage (Potential Malware) C:\Users\dark\AppData\Roaming\Mozilla\Firefox\Profiles\14k8v168.default-1551444125829\prefs.js https://www.startpage.com/ 0/0
With best Regards
-
Hi bentaa, darktwillight,
Welcome to Adlice.com Forum.
bentaa, these are not false positive. I strongly advise you to remove them.
darktwillight, thanks for the feedback. We will fix this as soon as possible.
Regards.
-
previous version was roguekiller_13.0.14.0 … no problem. today, just after scan, d/l roguekiller_13.1.8.0. performed new scan … flagged one detection. i have searched https://forum.adlice.com/ and found nothing has been reported for this detection. also, virus-total gave the file "prefs.js" a clean bill of health. could you tell me is this a false positive?
RogueKiller Anti-Malware V13.1.8.0 (x64) [Mar 12 2019] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.17134) 64 bits
Started in : Normal mode
User : owner [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190304_123840, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/03/16 16:54:22 (Duration : 00:16:03)
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> Firefox Config
[PUM.NewTab (Potentially Malicious)] browser.newtab.url (C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\2bu2d7n5.default\prefs.js) -- 0 -> Found
thanks in advance.
ref: https://www.virustotal.com/#/file/67a7fee7b5891866927c100eacce6bf7365d1d56917f16c552e9cc54cab7a534/detection
edited:
fyi … i chose 'cancel' and then d/l latest signature file (20190316_121712) … successfully imported file from desktop … new scan … same detection results … thanks.
-
Hi pnamajck,
Welcome to Adlice.com Forum.
This is indeed a false positive. We will fix it as soon as possible.
Regards.
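Since the detection came from a prefs.js line whose value is the integer 0 rather than a URL, here is an added example of the check a practitioner would write for [PUM.HomePage]/[PUM.NewTab]-style rules (my own code, not RogueKiller's; the prefs.js fragments and the allowed-host list are constructed): it parses user_pref() lines while keeping each value's type, and only compares real http(s) URLs against the allowlist, so a flag such as 0 or about:home never produces a finding while a genuinely rewritten home page still does.

```python
import re
from urllib.parse import urlsplit

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Preferences that hijackers rewrite, with the tag a finding would carry.
WATCHED = {
    "browser.startup.homepage": "PUM.HomePage",
    "browser.newtab.url": "PUM.NewTab",
}
# Constructed allowlist for the example.
ALLOWED_HOSTS = {"mozilla.org", "google.com", "startpage.com", "duckduckgo.com"}


def parse_prefs(text):
    """Parse user_pref() lines, keeping each value's type (str, bool, int)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"')
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def allowed(host):
    return any(host == e or host.endswith("." + e) for e in ALLOWED_HOSTS)


def check_start_pages(prefs):
    """Return (pref, url, tag) for watched prefs that point at a non-allowed site."""
    findings = []
    for name, tag in WATCHED.items():
        value = prefs.get(name)
        if not isinstance(value, str):
            continue  # 0, true/false or absent: a flag, not a start page
        for url in value.split("|"):  # the homepage pref may list several pages
            url = url.strip()
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https"):
                continue  # about:home, about:blank, chrome://...: nothing to hijack to
            if not allowed((parts.hostname or "").lower()):
                findings.append((name, url, tag))
    return findings


# Constructed prefs.js fragments. The first reproduces the shape of the
# report above: browser.newtab.url set to the integer 0.
CLEAN_PREFS = """\
// Mozilla User Preferences
user_pref("browser.newtab.url", 0);
user_pref("browser.startup.homepage", "https://www.startpage.com/");
user_pref("browser.startup.page", 1);
user_pref("extensions.lastAppVersion", "65.0.1");
"""
HIJACKED_PREFS = """\
user_pref("browser.startup.homepage", "http://search.hijack.example/?aff=42|about:blank");
user_pref("browser.newtab.url", "about:home");
"""

if __name__ == "__main__":
    print(check_start_pages(parse_prefs(CLEAN_PREFS)))
    print(check_start_pages(parse_prefs(HIJACKED_PREFS)))
```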
-
thanks so much for checking … such quick verification … all the best!
-
Hi pnamajck,
You are very welcome.
Regards.
-
d/l latest definitions (20190322_112508) … came back clean … thumbs-up.
-
Hi pnamajck,
You are welcome.
Thanks for your feedback.
Regards.
-
Hello, is this a false positive? This software is from Malwarebytes.
Thanks in advance!
RogueKiller Anti-Malware V13.1.9.0 (x64) [Mar 27 2019] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : tbhben [Administrator]
Started from : E:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190326_132530, Driver : Loaded
Mode : Standard Scan, Delete -- Date : 2019/04/20 18:07:32 (Duration : 00:34:39)
Switches : -minimize
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.Divcom|PUP.AdBlocker|BitMiner.Gen0 (Malicious)] mbar.exe [Malwarebytes Corporation] -- %USERPROFILE%\Desktop\New folder (6)\New folder\mbar\mbar.exe ->
-
Hi bentaa,
This is indeed a false positive.
RogueKiller is detecting the Malwarebytes malware database. This issue has been fixed for MBAM installed in the standard location, but we cannot do much to prevent it when the application is located in a custom location.
Regards.
-
Same error I facing. How to resolve it.
-
Hi adamdevine,
Welcome to Adlice.com Forum.
You need to input the path where you installed the Malwarebytes product in the exclusions settings (https://www.adlice.com/docs/roguekiller/getting-started/settings/#exclusions) of RogueKiller, so it won't be detected anymore.
Regards.
-
Hi all
Here are 2 false positives for you, see my screenshot
With best Regards
Mops21
-
Hi Mops21,
Could you please empty your system Recycle Bin ?
They shouldn't be detected anymore.
Regards.
-
Hi Curson
Yes I will make it
Are These False Positives or what is that
With best Regards
Mops21
-
Hi all
Here are 3 false positives for you, see my screenshot
With best Regards
Mops21
-
Hi Mops21,
The two compressed files in the Recycle Bin are not false positives. These are EICAR test files (https://en.wikipedia.org/wiki/EICAR_test_file) for antivirus.
Could you please make a zip archive of the content of the following folder and attach it with your next reply ?
C:\Users\Alexander Robrecht\AppData\Local\Phrozen
Regards.
-
Hi Curson
Yes here are the Files for you
https://www.sendspace.com/file/xg6rbp
With best Regards
Mops21
-
Hi Mops21,
Thanks.
Is any of these software installed on your computer ?
Winja
Windows File Tools
Windows Privacy Tweaker
RunPE Detector
Shortcut Scanner
ADS Revealer
Regards.
-
Hi Curson
Yes here are the Files for you
Look in this Thread for that
https://malwaretips.com/threads/winja-7-0b.93186/
I have only Winja installed
With best Regards
Mops21
-
Hi Mops21,
Thanks for your feedback.
This directory will be whitelisted in the next malware definition update.
Regards.
-
Hi Curson
Thank you very much for your Infos
See this Link again the answer from Tigzy
https://malwaretips.com/threads/winja-7-0b.93186/
I have deleted my 2 other EICAR test files from my system and it is now clean
With best Regards
Mops21
-
Hi Mops21,
This directory is not detected anymore in current malware definition database.
Could you please check you use the latest version ?
Regards.
-
Yeah really need solution for that
-
need solution for same
-
Hi eurekaa,
Welcome to Adlice.com Forum.
Could you please attach RogueKiller full report with your next reply ?
Regards.
-
Hi
Can you check These Files please see the 2 screenshots
With best Regards
Mops21
-
Hi Mops21,
Thanks for your feedback.
These files are all false positives, currently detected by the MalPE detection engine (still in beta).
Could you please make an archive containing a copy of all of them and attach it with your next reply ?
Analysing them will help us improve the detection accuracy.
Regards.
-
Hi,
Today I updated the program to V13.3.2 with MalPE V2, and it detects 12 elements. Can you please check this? I attach the screenshot and the report.
I tried to make a copy of the files to attach them but it was impossible; it is the first time I see files like that, I'm sorry.
Thanks,
Regards.
PS: Lately I have to start the program in compatibility mode (Windows 8) to get it to run (I have Windows 10 version 1809).
-
Hi Melecoton,
Welcome to Adlice.com Forum.
All these detection are false positives.
Thanks for your feedback.
Regards.
-
Hey,
Just so you all know, MalPE is still in beta. This module works with a predictive AI model, and we are still training it with new samples (good/bad).
So please, while you are seeing the warning message when turning it on, don't rely strictly on the detections it generates.
-
Hi Mops21,
Thanks for your feedback.
These files are all false positives, currently detected by the MalPE detection engine (still in beta).
Could you please make an archive containing a copy of all of them and attach it with your next reply ?
Analysing them will help us improve the detection accuracy.
Regards.
Hi
Thank you very much for your Infos
I will send you the Files part via part to you
https://www.sendspace.com/file/ohf7av
With best Regards
Mops21
-
Hi Mops21,
Thank you very much.
Regards.
-
Hi
Here are 2 more Samples for you
https://www.sendspace.com/file/eyfi17
Can you add a "submit files" button to Rogue Anti-Malware please
And can you add a function to pack all detected files into a zip folder, to send them via email or via the forum
With best Regards
Mops21
-
Hi Mops21,
Thanks for your feedback.
We will add your suggestion to our roadmap.
Regards.
-
Hi
Thank you very much for your Infos
Here is the Scanlog of the Files
And can you add this Option or function to Rogue Anti-Malware please
Can you add a go to the detected Filepath of the File please
With best Regards
Mops21
-
Hi Mops21,
You are welcome.
This will be added to the roadmap as well.
Regards.
-
Hi I just had a detection with google chrome called MalPe.99 somehow I deleted the scan log, but thought I would post anyway, is this a false positive?
-
Hi Lemonsfluffynoodles,
Thanks for your feedback.
Without the scan log, it's not possible to tell, but there is a high probability that was a false positive.
Regards.
-
hey, ran into this yesterday: equilizer.apo is from fileforge, which is legit. MWB and HMP didn't pick this up so not sure if it's a false positive or not.
-
Hi Cdew112,
Welcome to Adlice.com Forum.
This is indeed a false positive. It will be whitelisted as soon as possible.
Regards.
-
Hi Is this a false positive ?
-
Hi Lemonsfluffynoodles,
Yes, these are false positives.
%localappdata%\Temp\7zS9460.tmp\N2080_FW_Upgrade_Tool_V003\GPCIDrv64.sys
%localappdata%\Temp\7zS9460.tmp\N2080_FW_Upgrade_Tool_V003\GPCIDrv64.sys
RogueKiller automatically detects loaded modules located in temporary folders as [Suspicious.Path].
%localappdata%\SLR VR Application\SLR_Data\Managed\SteamVR_Actions.dll
%localappdata%\SLR VR Application\SLR_Data\Managed\SteamVR.dll
%localappdata%\SLR VR Application\SLR_Data\Managed\Assembly-CSharp.dll
You have enabled RogueKiller's MalPE engine, which uses a predictive AI model. The engine is still in beta state and prone to false positive detections, like in your case.
For the time being, it's advised not to use it unless you know what you are doing.
Could you please make an archive of the three files listed above and attach it with your reply ?
Analysing those files will help us improve the MalPE engine.
Regards.
-
%ProgramFiles%\Pulseway\*.ps1
All of my powershell scripts that are running get killed by roguekiller.
roguekillercmd arguments: -scan "-reportformat txt -reportpath $ThisApplicationLogFile -portable-license $roguekillerlicense" -autodelete -no_interact
Thank you for your time!
-
Hi techknowledge,
Welcome to Adlice.com Forum and thanks for your feedback.
Could you please attach a scan report with your next reply ?
Regards.
-
A false positive error, or in short a false positive, commonly called a "false alarm", is a result that indicates a given condition exists, when it does not.
-
Hi
Can you check this please see my screenshot
With best Regards
Mops21
-
Hi Mops21,
This look like false positives.
Could you please make an archive containing these files and attach it with your next reply ?
Regards.
-
Hi
Yes, here are the files, but the first two files I cannot find on my system; the folder does not exist
https://www.sendspace.com/file/8ztbws
With best Regards
Mops21
-
Hi Mops21,
Thank you very much.
The archive contains the most important files, so it's alright.
Regards.
-
Hi
So you don't need the other 2 files anymore, right? Or do you still need them?
With best Regards
Mops21
-
Hi Mops21,
No, the archive contained all the files we need.
However, it may take time until this is fixed. Please ignore these detections for the time being.
Regards.
-
Hi
Okay thank you very much for your Infos
With best Regards
Mops21
-
Hi Mops21,
You are very welcome.
Thanks again for your feedback.
Regards.
-
The powershell script that calls rogue killer via my MSP gets killed by rogue killer. As a result code after the portion that runs roguekiller does not run.
The powershell script in the log will change with each run.
Thank you for your time.
Scan log file:
RogueKillerCMD V2.5.3.0 (x64) [Nov 8 2019] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekillercmd/
Operating System : Windows 10 (10.0.17763) 64 bits
Started in : Normal mode
User : SYSTEM [Admin rights]
Started from : C:\Programdata\TechKnowledgeCleanup\bin\scanners\roguekiller\roguekillercmd.exe
[[SIGNATURES]] : 20191112_105343, [[DRIVER]] : LOADED
Mode : Standard Scan, Remove -- Date : 2019/11/12 11:42:02 (Duration : 00:03:54)
Switches : -reportformat txt -reportpath C:\Programdata\TechKnowledgeCleanup\logs\RogueKillerLog.txt -portable-license C:\Programdata\TechKnowledgeCleanup\bin\scanners\roguekiller\rk.lic
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Remove ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Mal.Powershell ([[MALICIOUS]])] powershell.exe -- %ProgramFiles%\Pulseway\automation_c15ddc4a_4ca5_4033_9985_ae772f03c0cc.ps1 -> ERROR [0]
-
Hi techknowledge,
Thanks for your feedback.
Could you please zip the detected powershell script and attach it with your next reply ?
Regards.
-
Unfortunately I will not be able to provide the script. However the script itself is not important in this situation. There are many scripts that I run through my MSP. They all run from that folder.
I fully understand not being able to white list a folder.
I was thinking more along the lines of providing a whitelist command line argument. If an argument already exists, could I get documentation on how to use it?
As it stands I have been forced to omit RougueKiller from my cleanup process.
Thank you again for your time, I do appreciate it.
-
Hi techknowledge,
There does not exist such a switch at the moment.
Maybe you could share the script with sensitive information removed? Which parameters are passed to the PowerShell binary along with the script?
Regards.
-
I understand now.
# Renamed from $args, which is a PowerShell automatic variable and should not be assigned to.
$rkArgs = @"
-scan "-reportformat txt -reportpath $ThisApplicationLogFile -portable-license $roguekillerlicense" -autodelete -no_interact
"@
# Run RogueKillerCMD synchronously in the same console, capturing stderr to a log file.
Start-Process -FilePath $roguekillerexe -ArgumentList $rkArgs -Wait -RedirectStandardError $stdErrLog -NoNewWindow
Would it be change out -autodelete with something? I get the log sent every time it runs. If there is anything found in the log it goes direct to a tech rather than the general logging email address.
Could we create a follow up script that uses the log file to delete things previous found? That way we would avoid a second scan.
-
Hey, sorry for the delay.
I'll be looking into it very shortly.
-
So indeed, yes, we detect when a PowerShell script is being executed.
However, since it's a process only, it won't be deleted, just stopped.
The easy fix for us would be to whitelist the file with a pattern, is that ok ?
Can you tell me what rule your file name follows ?
Regards,
-
I change the script frequently.
Is the file pattern something I can set on my side?
-
Hey,
We've actually fixed it on our side, it will be in next release.
Regards,
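The fix went into RogueKiller itself, but the pattern-based whitelist Tigzy floated is also something an operator can apply on the report side when driving RogueKillerCMD from automation. The following added example (my own code, not Adlice's; the report lines, the handling of the %ProgramFiles% token and both exclusion lists are constructed) parses detection lines in the plain-text format of the log above and drops the ones an exclusion covers. It contrasts the broad glob the thread suggests with a regex pinned to the GUID-suffixed names the MSP actually generates, which is the least-privilege form: a script with any other name in the same folder is still reported.

```python
import fnmatch
import re

# One detection line in the plain-text report format used in the log above.
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<name>\S+)\s+--\s+(?P<path>.+?)\s+->\s+(?P<status>.+)$"
)

# Broad form: any .ps1 starting with automation_ in the Pulseway folder.
GLOB_EXCLUSIONS = [("glob", r"%programfiles%\pulseway\automation_*.ps1")]

# Strict form: only the GUID-suffixed names the MSP generates. Anything else
# dropped into the same folder is still reported.
STRICT_EXCLUSIONS = [(
    "regex",
    r"^%programfiles%\\pulseway\\automation_[0-9a-f]{8}(?:_[0-9a-f]{4}){3}_[0-9a-f]{12}\.ps1$",
)]


def parse_detection(line):
    """Return the tag/name/path/status of a detection line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_excluded(path, exclusions):
    """Case-insensitive match of a report path against glob or regex exclusions."""
    p = path.strip().strip('"').lower()
    for kind, pattern in exclusions:
        if kind == "glob" and fnmatch.fnmatchcase(p, pattern.lower()):
            return True
        if kind == "regex" and re.match(pattern, p, re.IGNORECASE):
            return True
    return False


def filter_report(lines, exclusions):
    """Keep (tag, path) for detections that no exclusion covers."""
    kept = []
    for line in lines:
        d = parse_detection(line)
        if d is not None and not is_excluded(d["path"], exclusions):
            kept.append((d["tag"], d["path"]))
    return kept


# Constructed report lines modelled on the one posted above: the GUID-style
# name is the legitimate MSP script, the second a look-alike, the third unrelated.
SAMPLE_REPORT = [
    "======================== Remove ========================",
    r"[Mal.Powershell (Malicious)] powershell.exe -- %ProgramFiles%\Pulseway\automation_c15ddc4a_4ca5_4033_9985_ae772f03c0cc.ps1 -> Found",
    r"[Mal.Powershell (Malicious)] powershell.exe -- %ProgramFiles%\Pulseway\automation_payload.ps1 -> Found",
    r"[Mal.Powershell (Malicious)] powershell.exe -- %TEMP%\update.ps1 -> Found",
]

if __name__ == "__main__":
    print("glob  :", filter_report(SAMPLE_REPORT, GLOB_EXCLUSIONS))
    print("strict:", filter_report(SAMPLE_REPORT, STRICT_EXCLUSIONS))
```

Note that an exclusion only filters what is reported; with -autodelete the scanner has already acted, so an operator who needs the script to keep running should drop that switch and act on the filtered list afterwards, as techknowledge proposed.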
-
Hi
Can you check this 1 File please
With best Regards
Mops21
-
Hi Mops21,
Thanks for your feedback.
This file will be investigated as soon as possible.
Regards.
-
Hi
Thank you very much for your Infos
Any new info about this available?
And here is the homepage of the product for you; version 5 is available in beta, for that you must contact them
https://xvirus.net/xvirus-personal-firewall
With best Regards
Mops21
-
Hi Mops21,
This file is detected by MalPE, a heuristic-based detection engine.
It's quite hard to say what triggered the detection, and we are in the process of rewriting the heuristic model used by MalPE, so a fix probably won't be released shortly.
That being said, for the time being, I suggest you exclude the Xvirus Personal Firewall installer and related files using RogueKiller's "Exclusion" module (https://www.adlice.com/docs/roguekiller/getting-started/settings/#exclusions).
Regards.
-
Hi
Thank you very much for your Infos
Any new Infos about the Xvirus File available
And can you check the 2 File from the Xsec Antivirus please too
https://www.sendspace.com/file/5pr7wp
And here is the Homepage of it for you
https://www.xsecantivirus.com/
https://www.xsecantivirus.com/support/contact.aspx
With best Regards
Mops21
-
Hi Mops21,
No fix for this specific detection was released, yet.
The two files you submitted trigger MalPE the same way the installer does. The new model should get rid of these false positives as well.
Regards.
-
Yeah. Don't post the same problem again and again.
-
Hi there. I'm reporting this false positive. This process/service is the Stablebit Scanner for hdd health monitoring.
Here the official site:
https://stablebit.com/Scanner
This is the roguekiller log:
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Cloud.Generic (Malicious)] Scanner.Service.Native.exe (4780) -- C:\Program Files (x86)\StableBit\Scanner\Service\Scanner.Service.Native.exe -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Cloud.Generic (Malicious)] ScannerServiceNative (4780) -- "C:\Program Files (x86)\StableBit\Scanner\Service\Scanner.Service.Native.exe" -> Found
Thank you!
-
Hi graphixillusion,
Thanks for your feedback.
Could you please attach the JSON report with your next reply ?
Regards.
-
Could you please attach the JSON report with your next reply ?
Sure. Here the interesting part in JSON format.
-
Hi graphixillusion,
Thanks for your feedback.
We will whitelist it as soon as possible.
Regards.
-
Hi
Can you check These 2 Files please
https://www.reviversoft.com/de/start-menu-reviver/
With best Regards
Mops21
-
Hi Mops21,
Thanks for your feedback.
ReviverSoft is a company known for distributing many "optimisation" programs. It's not a false positive.
Regards.
-
Hi
Thank you very much for your Infos
And do you have any info on the Xvirus and XSec Antivirus samples that I uploaded here?
With best Regards
Mops21
-
Hi Mops21,
You are very welcome.
No, not yet.
Regards.
-
Hi
Thank you very much for your Infos
With best Regards
Mops21
-
Hey I'm new here and I think I may have gotten a false positive using roguekiller. I hope I'm getting this reporting thing right
RogueKiller Anti-Malware V14.6.3.0 (x64) [Aug 10 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.18363) 64 bits
Started in : Normal mode
User : IVES [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200813_142051, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/08/16 23:19:16 (Duration : 00:29:27)
Switches : -minimize
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Gen (Malicious)] (file) pbsvc.exe -- (Even Balance, Inc.) C:\Windows\SysWOW64\pbsvc.exe -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
So yeah, this may be a false positive I think, the VT score is "not scanned" btw, though I do have the file quarantined rn just in case.
-
Hi kinglan10,
Welcome to Adlice.com Forum and thanks for your feedback.
This detection is indeed a false positive and will be removed in the next signature definitions package.
In the meantime, you can safely restore this file from the quarantine area.
Regards.
-
Hello Curson, thank you for the reply. :)
I'm glad this file was picked up merely as a false positive; I'll be restoring this file back to its location.
Take care sir.
-
Hi kinglan10,
You are very welcome.
Take care, too.
Regards.
-
Just ran a scan and it detected all of my VSTs (virtual instruments for music production, DLLs) and the folder they were in as trojans (tr.ursu), which I assume is a false positive? I can see no reason as to why they would suddenly have become malicious.
-
Hi Trombyl,
This indeed looks like a false positive.
Could you please attach RogueKiller scan report with your next reply ?
Regards.
-
Scanned another machine containing the same files and it seems like it's the folders that RogueKiller has a problem with.
RogueKiller Anti-Malware V14.6.1.0 (x64) [Jun 17 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : Vardagsrum [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20210125_075648, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/01/25 13:00:16 (Duration : 00:16:07)
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Ursu (Malicious)] (folder) VSTPlugins -- C:\Program Files\VSTPlugins -> Found
[Tr.Ursu (Malicious)] (folder) VstPlugins -- C:\Program Files (x86)\VstPlugins -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
-
Hi Trombyl,
Thanks for your feedback.
This is indeed a false positive. It's now fixed in the latest signatures package.
You can safely restore the deleted files and folders from the quarantine (https://www.adlice.com/docs/roguekiller/getting-started/history/#2-%C2%A0quarantine).
Sorry for the inconvenience.
Regards.
-
Here are three false positives on my PC; VirusTotal does not report an infection on any of these files. I believe these files are part of the Absolute Home and Office stolen computer tracker:
RogueKiller Anti-Malware V14.8.4.0 (x64) [Jan 13 2021] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19042) 64 bits
Started in : Normal mode
User : samid [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20210203_130952, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/02/06 23:03:56 (Duration : 00:04:59)
Switches : -minimize
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.DoubleAgent (Malicious)] (file) rpcnetp.exe -- C:\Windows\System32\rpcnetp.exe -> Found
[Tr.DoubleAgent (Malicious)] (file) rpcnetp.exe -- C:\Windows\SysWOW64\rpcnetp.exe -> Found
[Tr.DoubleAgent (Malicious)] (file) rpcnetp.dll -- C:\Windows\SysWOW64\rpcnetp.dll -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
-
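The detection lines quoted in the reports throughout this thread share one layout (`[Category (Verdict)] (file|folder) name -- (signer) path -> status`, with a `name (pid) -- path` variant in the Processes and Services sections). The following is an added example, not Adlice's code or part of any post here: a small parser that turns those lines into records and produces a triage summary a defender would want before deciding whether to restore something from quarantine (whole-folder hits, hits inside the Windows system directories, signed files whose publisher can be checked). The regular expressions are my own reading of the quoted format and may not cover every line type RogueKiller emits; the sample report is constructed from lines quoted in this thread.

```python
"""Parse RogueKiller text-report detection lines into structured records.

Added example for this thread (not Adlice's code). The line formats are
taken from the reports quoted in the thread; the regular expressions below
are an assumption about that format, not a documented RogueKiller grammar.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Section banner, e.g. "¤¤¤¤ Files ¤¤¤¤" or "¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤"
SECTION_RE = re.compile(r"^¤+\s*(?P<name>.+?)\s*¤+$")

# "[Tr.Gen (Malicious)] (file) pbsvc.exe -- (Even Balance, Inc.) C:\...\pbsvc.exe -> Found"
# "[Tr.Ursu (Malicious)] (folder) VSTPlugins -- C:\Program Files\VSTPlugins -> Found"
FS_RE = re.compile(
    r"^\[(?P<category>[^\s\]]+) \((?P<verdict>[^)]+)\)\] "
    r"\((?P<kind>file|folder)\) (?P<name>.+?) -- "
    r"(?:\((?P<signer>[^)]*)\) )?(?P<path>.+?) -> (?P<status>\w+)$"
)

# "[Cloud.Generic (Malicious)] Scanner.Service.Native.exe (4780) -- C:\...\x.exe -> Found"
# Services quote the path: ScannerServiceNative (4780) -- "C:\...\x.exe" -> Found
PROC_RE = re.compile(
    r"^\[(?P<category>[^\s\]]+) \((?P<verdict>[^)]+)\)\] "
    r"(?P<name>.+?) \((?P<pid>\d+)\) -- "
    r'"?(?P<path>[^"]+?)"? -> (?P<status>\w+)$'
)


@dataclass
class Detection:
    section: str
    category: str      # e.g. "Tr.DoubleAgent", "Cloud.Generic"
    verdict: str       # e.g. "Malicious"
    kind: str          # "file", "folder", "process" or "service"
    name: str
    path: str
    status: str
    signer: Optional[str] = None
    pid: Optional[int] = None


def parse_report(text: str) -> List[Detection]:
    """Walk a text report line by line, tracking the current ¤¤¤ section."""
    section = ""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = FS_RE.match(line)
        if m:
            found.append(Detection(section, m["category"], m["verdict"], m["kind"],
                                   m["name"], m["path"], m["status"], m["signer"]))
            continue
        m = PROC_RE.match(line)
        if m:
            kind = "service" if section == "Services" else "process"
            found.append(Detection(section, m["category"], m["verdict"], kind,
                                   m["name"], m["path"], m["status"], None, int(m["pid"])))
    return found


def family(category: str) -> str:
    """'Tr.DoubleAgent' -> 'Tr', 'PUP.Ghokswa' -> 'PUP', 'Cloud.Generic' -> 'Cloud'."""
    return category.split(".", 1)[0]


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage(detections: List[Detection]) -> Dict[str, object]:
    """Group hits the way a reviewer reads them: by family, folder-level hits,
    hits in Windows system directories, and files carrying a publisher name."""
    summary: Dict[str, object] = {"by_family": {}, "folder_hits": [],
                                  "system_dir_hits": [], "signed_hits": []}
    for d in detections:
        fam = family(d.category)
        summary["by_family"][fam] = summary["by_family"].get(fam, 0) + 1
        if d.kind == "folder":
            summary["folder_hits"].append(d.path)
        if d.path.lower().startswith(SYSTEM_DIRS):
            summary["system_dir_hits"].append(d.path)
        if d.signer:
            summary["signed_hits"].append((d.path, d.signer))
    return summary


# Constructed sample report, assembled from detection lines quoted in this thread.
SAMPLE_REPORT = r"""
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Cloud.Generic (Malicious)] Scanner.Service.Native.exe (4780) -- C:\Program Files (x86)\StableBit\Scanner\Service\Scanner.Service.Native.exe -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Cloud.Generic (Malicious)] ScannerServiceNative (4780) -- "C:\Program Files (x86)\StableBit\Scanner\Service\Scanner.Service.Native.exe" -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Gen (Malicious)] (file) pbsvc.exe -- (Even Balance, Inc.) C:\Windows\SysWOW64\pbsvc.exe -> Found
[Tr.Ursu (Malicious)] (folder) VSTPlugins -- C:\Program Files\VSTPlugins -> Found
[Tr.DoubleAgent (Malicious)] (file) rpcnetp.exe -- C:\Windows\System32\rpcnetp.exe -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
"""

if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT):
        print(f"{d.section:16} {d.category:16} {d.kind:8} {d.path}")
    print(triage(parse_report(SAMPLE_REPORT)))
```

The summary is deliberately not a verdict: a folder-level Trojan hit or a signed file in SysWOW64 is a prompt to pull the JSON report, check the hash on VirusTotal and verify the publisher signature, which is exactly the routine the moderators follow in this thread before whitelisting.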
Hi Toomuch_,
Thanks for your feedback and welcome to Adlice.com Forum.
Could you please make an archive of these three files and attach it with your next reply ?
They are indeed part of Absolute Computrace, which can be used with malicious intent: Absolute Computrace Revisited (https://securelist.com/absolute-computrace-revisited/58278/)
Is a Computrace module displayed in your computer BIOS/EFI ?
Regards.
-
Here are the three files attached and compressed. Absolute was offered by my OEM manufacturer, HP (Spectre X360), at the time of purchase. I installed it myself, so I assume it will show up in the UEFI; however, I haven't checked. I can say that my laptop is still active and being tracked on the Absolute web portal.
-
Hi Toomuch_,
Thanks for your feedback again.
These files are indeed part of the legit Absolute software. However, since these files can be present on computers where the user has not installed the software (Kaspersky's article) or were even used maliciously (bootkit Lojax, see Lojack Becomes a Double-Agent (https://www.netscout.com/blog/asert/lojack-becomes-double-agent)), we decided not to remove the detections.
However, it will now be classified as PUP (Potentially Unwanted Software) in lieu of Trojan since, like in your case, it can have legitimate purposes.
Thanks for your understanding.
Regards.
-
Actually, I was busy with something completely different and came across this article...
https://www.adlice.com/google-chrome-secure-preferences/
...which in turn made me curious about RogueKiller.
I used it on my main system (Win10x64 Pro) and found a single piece of malware (see also attached report): in the file folder C:\Program Files\Firefox is supposedly the "potential malware" PUP.Ghokswa. I uninstalled Firefox completely and reinstalled it. Result: PUP.Ghokswa is still (or again) in the file folder C:\Program Files\Firefox.
I then ran RogueKiller in three VMs: Win7x64, Win8.1x64 and Win10x64. In all three VMs, RogueKiller found the "potential malware" PUP.Ghokswa in the file folder C:\Program Files\Firefox (see attached reports*).
Can I assume that these reports are false positives?
Regards,
Ransom
* Although RogueKiller offers to export a report as a text file, this does not work. It only works as a *.json file. The text files here were converted with the following online converter:
https://products.aspose.app/cells/de/conversion/json-to-text