

Messages - MadDemon64

1
RogueKiller / Stinger32 is ZeroAccess: False Positive?
« on: June 24, 2016, 05:03:44 AM »
Roguekiller thinks that Stinger32 from McAfee is ZeroAccess.

¤¤¤ Processes : 1 ¤¤¤
[ZeroAccess] stinger32.exe(12880) -- C:\Users\Aaron\Downloads\stinger32.exe
  • -> Found


Is this something I should be worried about?  Has McAfee's Stinger32 been altered or is Roguekiller just having a bad case of mistaken identity?

2
RogueKiller / Re: Hidden.ADS
« on: April 12, 2016, 04:58:13 PM »
Hi MadDemon64,

You are welcome.
RogueKiller is using generic detections (heuristics) to find unknown malware and sometimes, like in your case, a legit file, process, ADS, etc. is detected by mistake.
An example of malicious ADS is those used by some variants of the ZeroAccess rootkit.

Regards.

Thank you.

3
RogueKiller / Re: Hidden.ADS
« on: April 11, 2016, 05:56:01 PM »
Hi MadDemon64,

This ADS is harmless.
We will whitelist it as soon as possible.

Regards.

Thank you.  But I am curious why RogueKiller thinks it is malicious.  Is there another Hidden.ADS out there that is a virus and it just mistakes this for it, or is there something else?

4
RogueKiller / Hidden.ADS
« on: April 11, 2016, 03:58:41 PM »
So I just used Roguekiller and it found Hidden.ADS in C:\Windows\System32:Win32App_1

What is it?  Is it a false positive?  Would deleting it screw up my computer since it's in System32?

Here is the log:

RogueKiller V12.1.2.0 [Apr 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : Aaron [Administrator]
Started from : C:\Users\Aaron\Downloads\RogueKiller.exe
Mode : Scan -- Date : 04/11/2016 10:48:25

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2750566662-3117591305-1405036124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://msi13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2750566662-3117591305-1405036124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://msi13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2750566662-3117591305-1405036124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://msi13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2750566662-3117591305-1405036124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://msi13.msn.com  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hidden.ADS][Stream] C:\Windows\System32:Win32App_1 -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] a7d486b2a5fbf930d7348c8eec809c82
[BSP] c24e351d0eb11b093b54d6803ccdf5f9 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1845248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2107392 | Size: 597703 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1226205184 | Size: 791 MB
5 - Basic data partition | Offset (sectors): 1227825152 | Size: 336134 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1916227584 | Size: 18211 MB
User = LL1 ... OK
User = LL2 ... OK

It isn't showing up on anything else I use.  Malwarebytes, Norton, TDSSKiller, ADWCleaner, Hitmanpro, etc. all have no record of Hidden.ADS existing.  Is this a false positive or is RogueKiller the only thing capable of detecting this problem?
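Added example, not RogueKiller's code or anything posted in the thread: a small Python parser for the log layout quoted above that splits a `[Hidden.ADS][Stream]` hit into its host file and stream name and checks it against an assumed allow-list seeded with the one stream the Adlice reply called harmless, so known-benign streams can be separated from hits that still need review. The log text and the allow-list are constructed for the example.

```python
import re

# Constructed, condensed excerpt in the RogueKiller log layout quoted above
# (section headers "¤¤¤ Name : N ¤¤¤", one "[Detection] ... -> Status" line per hit).
SAMPLE_LOG = r"""
¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2750566662-3117591305-1405036124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://msi13.msn.com  -> Found

¤¤¤ Files : 1 ¤¤¤
[Hidden.ADS][Stream] C:\Windows\System32:Win32App_1 -> Found

¤¤¤ Hosts File : 0 ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d+)")
ENTRY_RE = re.compile(
    r"^\[(?P<detection>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?\s+(?P<body>.*?)\s+->\s+(?P<status>\w+)\s*$"
)

# Assumed allow-list (not RogueKiller's own): the host:stream pair the vendor reply called harmless.
KNOWN_BENIGN_ADS = {(r"C:\Windows\System32", "Win32App_1")}


def split_ads(path):
    """Split 'C:\\dir\\file:stream' into (host, stream). The drive-letter colon
    at index 1 is not a stream separator, so only a later colon counts."""
    idx = path.rfind(":")
    if idx <= 1:
        return path, None
    return path[:idx], path[idx + 1:]


def parse_log(text):
    """Return one dict per detection line, tagged with the section it appeared in."""
    findings, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        item = {"section": section, **m.groupdict()}
        if item["kind"] == "Stream":
            item["host"], item["stream"] = split_ads(item["body"])
        findings.append(item)
    return findings


def triage(findings, benign_ads=KNOWN_BENIGN_ADS):
    """Drop ADS hits already on the allow-list; everything else still needs review."""
    return [f for f in findings
            if not (f["kind"] == "Stream" and (f["host"], f["stream"]) in benign_ads)]
```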
