Adlice forum
Software feedback => RogueKiller => Topic started by: Mclaughlin on April 17, 2016, 05:42:18 AM
-
Hi,
Wanted to alert you to several False-Positives, some of which have been previously noted, but which unfortunately still hit. Particularly strange is a (new) FP – in the C:\ProgramData\RogueKillerPE folder (!) [copyright info written to “CopyrightAdlice Software©2015”]… I’ll add the 2 complete logs at the very end.
In sum, the FPs are as follows:
Today’s Scan Results:
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] RogueKillerPE.shell.dll(5860) -- C:\ProgramData\RogueKillerPE\RogueKillerPE.shell.dll -> Found
[Comment - RogueKillerPE?!]
¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found
[Comment - HP Support Assistant installer package (previously mentioned)]
¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_READ[3] : C:\Windows\System32\drivers\hmpalert.sys @ 0xfffff800b4b1fa20
[Comment - HitmanPro.Alert (has returned a hit for some time now, but haven’t posted yet)]
Earlier Scan Results:
¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] a2emergencykit.exe(8148) -- C:\EEK\bin64\a2emergencykit.exe -> Found
[Comment - Emsisoft Emergency Kit Scanner (FP previously posted)]
Note:
The Emsisoft Emergency Kit (C:\EEK\bin64\a2emergencykit.exe) was not detected this time, as I simply got tired of the FP appearing on every scan and deleted the .exe file… That did the job (!). It would still be nice if you’d make sure this is addressed…
Note also that scans with Bitdefender TS 2016, HitmanPro, MBAM, MBAR, TDSS, adwcleaner, JRT, ESET Online Scanner and Emsisoft all came out clean, both earlier and today, and the PC is behaving normally.
Best regards
=========================================================
Today’s Scan:
=========================================================
RogueKiller V12.1.2.0 (x64) [Apr 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : [Name] [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/16/2016 18:27:35
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] RogueKillerPE.shell.dll(5860) -- C:\ProgramData\RogueKillerPE\RogueKillerPE.shell.dll
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_READ[3] : C:\Windows\System32\drivers\hmpalert.sys @ 0xfffff800b4b1fa20
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] anrq3nwj.default-1425684543997 : user_pref("browser.startup.homepage", "https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2"); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
--- User ---
[MBR] 5563ee86216a1c21e78cfa8297c1cea8
[BSP] 6a3125a7f090a24988d63ba5cae1a61d : Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 686234 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1407023104 | Size: 28375 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: JetFlash Transcend 32GB USB Device +++++
--- User ---
[MBR] 7b1455697ab04b3a0bfb25a783aecb26
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 96 | Size: 30719 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
=========================================================
Earlier Scan:
=========================================================
RogueKiller V11.0.14.0 (x64) [Feb 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : [Name] [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/02/2016 13:04:39
¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] a2emergencykit.exe(8148) -- C:\EEK\bin64\a2emergencykit.exe
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x0]) ¤¤¤
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] anrq3nwj.default-1425684543997 : user_pref("browser.startup.homepage", "https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2"); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
--- User ---
[MBR] 5563ee86216a1c21e78cfa8297c1cea8
[BSP] 6a3125a7f090a24988d63ba5cae1a61d : Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 686234 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1407023104 | Size: 28375 MB
User = LL1 ... OK
User = LL2 ... OK
-
Hi Mclaughlin,
Thanks for your feedback.
[Suspicious.Path] RogueKillerPE.shell.dll(5860) -- C:\ProgramData\RogueKillerPE\RogueKillerPE.shell.dll -> Found
[Comment - RogueKillerPE?!]
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_READ[3] : C:\Windows\System32\drivers\hmpalert.sys @ 0xfffff800b4b1fa20
[Comment - HitmanPro.Alert (has returned a hit for some time now, but haven’t posted yet)]
The RogueKillerPE process is safe (obviously); it is quite strange that it was detected.
We will whitelist this as soon as possible.
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found
[Comment - HP Support Assistant installer package (previously mentioned)]
[Proc.Injected] a2emergencykit.exe(8148) -- C:\EEK\bin64\a2emergencykit.exe -> Found
[Comment - Emsisoft Emergency Kit Scanner (FP previously posted)]
I'm really sorry those FPs were not fixed earlier.
I will make sure they are taken care of.
The Emsisoft Emergency Kit (C:\EEK\bin64\a2emergencykit.exe) was not detected this time, as I simply got tired of the FP appearing on every scan and deleted the .exe file… That did the job (!)
For the record, you can use RogueKiller External Scanner to disable a detection.
For more information, please read : RogueKiller External Scanner (http://www.adlice.com/software/roguekiller/external-scanner/).
Regards.
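Before accepting a detection like the ones in this thread as a false positive (or deleting the flagged file, as the poster did), a useful check is to confirm who actually signed the flagged binaries and to keep a hash for later lookup. The script below is an added example and is not part of the thread, of RogueKiller, or of any of the vendors named; the file paths are copied from the logs above, and it assumes a PowerShell 5.1 or later session on the scanned machine with enough rights to read C:\Windows\System32\drivers. The driver lookup via Win32_SystemDriver is an extra check added here to confirm that hmpalert.sys is a registered driver service rather than a stray file.

```powershell
# Added example (not from the Adlice post or RogueKiller): triage the files
# flagged in the thread's logs by checking their Authenticode signature and
# recording a SHA-256 hash. Paths are taken from the RogueKiller log entries.

$flagged = @(
    'C:\ProgramData\RogueKillerPE\RogueKillerPE.shell.dll',   # [Suspicious.Path]
    'C:\Windows\System32\drivers\hmpalert.sys',               # [IRP:Addr(Hook.IRP)]
    'C:\EEK\bin64\a2emergencykit.exe'                         # [Proc.Injected]
)

# The [PUP][Folder] hit is a directory; collect its executable content too.
$pupFolder = 'C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4}'
if (Test-Path -LiteralPath $pupFolder) {
    $flagged += Get-ChildItem -LiteralPath $pupFolder -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.msi', '.sys' } |
        Select-Object -ExpandProperty FullName
}

function Get-FlaggedFileReport {
    param([string[]] $Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # The poster deleted a2emergencykit.exe, so a missing file is expected here.
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Publisher = ''; SHA256 = '' }
            continue
        }
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Path      = $path
            Status    = $sig.Status
            Publisher = $publisher
            SHA256    = $hash
        }
    }
}

Get-FlaggedFileReport -Paths $flagged | Format-Table -AutoSize -Wrap

# For the kbdclass IRP hook: confirm hmpalert.sys is a registered kernel driver
# service (a hook from a registered, signed driver is very different from one
# by an unregistered file dropped into the drivers directory).
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*hmpalert.sys*' } |
    Select-Object Name, State, StartMode, PathName
```

Read the output as follows: a Status of Valid with the publisher you expect (Adlice, SurfRight/Sophos for HitmanPro.Alert, Emsisoft, HP) supports the false-positive conclusion and gives you a hash to quote in the report; NotSigned or HashMismatch on a file that claims to belong to a security vendor is the case worth escalating instead of whitelisting. Note that a valid signature says the file is genuine, not that the behaviour RogueKiller saw (an IRP hook, an injected process) is absent; for these security products that behaviour is how they work, which is why the vendor is whitelisting rather than changing the detection logic.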