Adlice forum
Software feedback => RogueKiller => Topic started by: xoth on November 16, 2014, 06:41:54 AM
-
I think that I found a possible false positive.
Computer apparently clean (Win XP SP3, Avira Free + Comodo FW + CryptoPrevent policy). I downloaded (latest version) and launched RogueKiller to try it.
The scan found these 4 entries in the Registry section:
[Hj.Name] HKEY_USERS\RK_Administrator_ON_I_D453\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
[Hj.Name] HKEY_USERS\RK_Default User_ON_I_EAC0\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
[Hj.Name] HKEY_USERS\RK_LocalService_ON_I_0629\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
[Hj.Name] HKEY_USERS\RK_NetworkService_ON_I_CD40\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
but this CTFMON.EXE seems to be the legit one. I made a local scan of the file with Avira, Malwarebytes and ClamWin and they found it OK. I also uploaded it to virustotal.com and it seems to be OK: https://www.virustotal.com/it/file/935db29473bec2edb91035bcd94633d87e18017898c65269e2376bc311043753/analysis/1416112462/
-
It's because of this:
RK_Administrator_ON_I == Means hard drive is I:/
And file is on F:/ == F:\WINDOWS\System32\CTFMON.EXE
What's that I drive? Is it a system drive?
-
I did not notice the drive letter, but I don't know why the report says F: ... I have an F: volume, but F:\WINDOWS doesn't exist.
I: also exists; it has a windows\system32 directory, oddments from a very old installation, and at the time it actually was F: (dual boot Win98/WinXP, respectively on C: and F:), but now it's without any files in it, it's only an empty dir.
The only CTFMON.EXE files on the drives (Explorer set to also show hidden and system files) are in
* C:\WINDOWS\system32
* C:\WINDOWS\system32\dllcache
* C:\WINDOWS\ServicePackFiles\i386
and they are all the same file (I ran fc from the command prompt).
In the registry all the references to CTFMON.EXE point to C:\WINDOWS\system32\ctfmon.exe or %windir%\system32\ctfmon.exe with %windir% = C:\WINDOWS.
For "historical reasons" (repeated upgrades, adding new hard disks and not reinstalling Windows every time) I have a strange drive configuration (see the attached image of my Computer Management -> Disk Management), with some drive letters changed from the default ones; maybe this could have deceived RogueKiller?
-
Actually F: is what is read from the I: registry hives; so I'm pretty sure if you boot on I:, it will become F:.
-
Well, actually at the time it was a system disk, it was F:.
The problem now is that the file
F:\WINDOWS\System32\CTFMON.EXE
or
I:\WINDOWS\System32\CTFMON.EXE
doesn't exist and both volumes are used only for data (and paging file), so I don't understand how RogueKiller can find it (and detect it as bad).
Where are the reg hives? In the hidden directory "System Volume Information" with the restore point data?
Today I booted with a Linux live CD and I saw that in "System Volume Information" of I: there are also files whose date attribute shows some years before the last clean install on C:; maybe they come from the old installation and RogueKiller read them as the current one (is it possible?).
-
This is maybe a bug; the drive letter should be redirected and in that case there's no detection.
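The mechanism the thread converges on (Run values read from an offline hive on I: still carry the drive letter that volume had when it was bootable, so the path has to be redirected to the hive's own volume before anyone decides the entry is suspicious) can be written down as a small triage script. The following is an added example, not RogueKiller's code or anything from Adlice: it assumes the `RK_<user>_ON_<drive>_<id>` naming seen in the quoted report lines is stable, parses the four lines from the thread (embedded as constructed sample input), remaps the reported drive letter to the hive's source volume, and checks whether the file actually exists there. The `exists` parameter is an injectable stand-in for `os.path.exists` so the logic can be exercised without the original disks.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample input: the four report lines quoted in the thread.
SAMPLE_REPORT = r"""
[Hj.Name] HKEY_USERS\RK_Administrator_ON_I_D453\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
[Hj.Name] HKEY_USERS\RK_Default User_ON_I_EAC0\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
[Hj.Name] HKEY_USERS\RK_LocalService_ON_I_0629\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
[Hj.Name] HKEY_USERS\RK_NetworkService_ON_I_CD40\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE -> Found
"""

# Assumed line layout, inferred from the lines above:
#   [Tag] HKEY_USERS\RK_<user>_ON_<drive>_<id>\<subkey> | <value> : <path> -> <status>
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] HKEY_USERS\\RK_(?P<user>.+?)_ON_(?P<hive_drive>[A-Z])_"
    r"(?P<id>[0-9A-F]+)\\(?P<subkey>.+?) \| (?P<value>.+?) : (?P<path>.+?) -> (?P<status>\w+)$"
)


@dataclass
class Finding:
    user: str
    hive_drive: str            # volume the offline hive was loaded from
    subkey: str
    value_name: str
    reported_path: str         # path exactly as stored in the hive
    redirected_path: str       # same path with the drive letter remapped
    present_on_hive_volume: bool

    @property
    def verdict(self) -> str:
        if self.present_on_hive_volume:
            return "file exists on the hive's volume: inspect it"
        return "stale entry: target absent from the hive's volume (likely false positive)"


def parse_line(line: str) -> Optional[dict]:
    """Split one report line into its fields, or None if it is not a hive-backed Run entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def redirect_drive(path: str, hive_drive: str) -> str:
    """Remap the drive letter of a path read from an offline hive.

    A Run value stored in a hive on volume X names drives as they were lettered
    when that installation was booted; the letter only makes sense relative to
    the volume the hive now lives on, so rewrite it to that volume.
    """
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return f"{hive_drive.upper()}:{path[2:]}"
    return path  # relative path or environment-variable based; leave untouched


def triage(line: str, exists: Callable[[str], bool] = os.path.exists) -> Optional[Finding]:
    """Redirect the path of one finding and check whether it exists on the hive's volume."""
    d = parse_line(line)
    if d is None:
        return None
    redirected = redirect_drive(d["path"], d["hive_drive"])
    return Finding(
        user=d["user"],
        hive_drive=d["hive_drive"],
        subkey=d["subkey"],
        value_name=d["value"],
        reported_path=d["path"],
        redirected_path=redirected,
        present_on_hive_volume=exists(redirected),
    )


def triage_report(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Run triage over every line of a report, skipping lines that do not parse."""
    return [f for f in (triage(ln, exists) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    # Stand-in for the poster's situation: neither F:\WINDOWS\... nor I:\WINDOWS\... exists.
    for finding in triage_report(SAMPLE_REPORT, exists=lambda p: False):
        print(f"{finding.user:15} hive={finding.hive_drive}: "
              f"{finding.reported_path} -> {finding.redirected_path}: {finding.verdict}")
```

Run against a real machine, drop the `exists=` argument so `os.path.exists` is consulted; the point of the redirect step is that the decision is made about `I:\WINDOWS\System32\CTFMON.EXE` (the hive's own volume), not about `F:\...`, which has nothing to do with that hive on the current letter layout.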