Author Topic: ===> False Positives <===  (Read 351435 times)

0 Members and 1 Guest are viewing this topic.

Reply #135October 21, 2015, 11:34:25 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #135 on: October 21, 2015, 11:34:25 PM »
Hi oscarxp,

The following entry is indeed a false positive. Thanks for reporting it.
Code: [Select]
[Proc.Svchost] svchost.exe(6920) -- [x] -> Killed [TermThr]We will make our best to fix it as soon as possible.

Regards.

Reply #136December 01, 2015, 06:40:03 AM

coldi

  • Newbie

  • Offline
  • *

  • 20
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #136 on: December 01, 2015, 06:40:03 AM »
Hi there I happened to stumble onto something again and I kinda think it's a false positive - a check with the latest rk11 found
¤¤¤ Registry : 1 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Partner -> Found
The registry folder looks like this http://i.imgur.com/lHLwnzQ.png (not my screenshot)
best regards

Reply #137December 01, 2015, 02:07:23 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #137 on: December 01, 2015, 02:07:23 PM »
Hi coldi,

This entry is not a false positive. It is linked to adware DealPly.
I advice you to remove it.

Regards.

Reply #138December 01, 2015, 05:06:47 PM

coldi

  • Newbie

  • Offline
  • *

  • 20
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #138 on: December 01, 2015, 05:06:47 PM »
Mhh ok I'll remove the key but it's a bit odd I can't observe any strange behaviour related to the description of the adware. Funnily I asked around a bit and that particular key seems to exist on a couple of windows10 systems without showing symptoms. Anyways interesting thanks for the information.

Reply #139December 01, 2015, 11:27:13 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #139 on: December 01, 2015, 11:27:13 PM »
Hi coldi,

You are welcome.
This entry seems to be a leftover, so it presents no threat. ;)

Regards.

Reply #140December 02, 2015, 01:04:26 PM

trooper

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #140 on: December 02, 2015, 01:04:26 PM »
this cant be right, no other prog. (tdsskiller, aswmbr, mbam,...) finds anything  :-\

(files section)

also: i use patched tcpip.sys to remove half-open limit, i uploaded the file to virustotal and nothing was found

Reply #141December 02, 2015, 02:28:58 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #141 on: December 02, 2015, 02:28:58 PM »
Hi trooper,

Welcome to Adlice.com Forum.

Thanks for your feedback.
These entries are indeed false positives. It will be fixed in RogueKiller next release.

Regards.

Reply #142December 11, 2015, 01:03:19 AM

oscarxp

  • Newbie

  • Offline
  • *

  • 10
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #142 on: December 11, 2015, 01:03:19 AM »
Hey admins

just installed new version and did a scan on my system but there seems to be lots of false positives. Can you please have a look and clarify.

Attached files.

Thank you

Reply #143December 11, 2015, 01:27:20 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #143 on: December 11, 2015, 01:27:20 PM »
Hi oscarxp,
Quote
[VT.Unknown] IDMan.exe(8964) -- C:\Program Files\Internet Download Manager\IDMan.exe[-] -> Killed [TermProc]
[VT.Unknown] egui.exe(7280) -- C:\Program Files\ESET\ESET Smart Security\egui.exe[7] -> Killed [TermProc]
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.

For the others entries, we will make whitelist them as soon as possible.
Thanks for your feedback.

Regards.

Reply #144January 06, 2016, 10:22:01 PM

oscarxp

  • Newbie

  • Offline
  • *

  • 10
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #144 on: January 06, 2016, 10:22:01 PM »
Hey Guys

Happy New Year, today downloaded new version and did a scan

And i get some Hidden ADS as a malware plus also the registry shows some entries.

Can you check if this is not a false positive please thanks.

files attached

Reply #145January 06, 2016, 11:28:57 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #145 on: January 06, 2016, 11:28:57 PM »
Hi oscarxp,

Happy New Years !
This ADS detection is a known false positive. It will be fixed in RogueKiller next release.

Regards.

Reply #146January 08, 2016, 01:27:29 AM

laclac

  • Newbie

  • Offline
  • *

  • 4
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #146 on: January 08, 2016, 01:27:29 AM »
Pydio is a software for synchronize your cloud pydio (like dropbox)
[VT.Unknown] pydio-ui.exe(5060) -- D:\Program Files\PydioSync\bin\pydio-ui.exe[7] -> Tué(e) [TermProc]
[VT.Unknown] pydio-agent.exe(4400) -- D:\Program Files\PydioSync\bin\pydio-agent.exe[7] -> Tué(e) [TermProc]

Reply #147January 08, 2016, 12:56:59 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #147 on: January 08, 2016, 12:56:59 PM »
Hi laclac,

These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.

Regards.

Reply #148January 13, 2016, 04:07:37 PM

SlabBacon

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #148 on: January 13, 2016, 04:07:37 PM »
Are these IAT hook detections false positives? Thanks.

RogueKiller V11.0.7.0 (x64) [Jan 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Doug [Administrator]
Started from : C:\Users\Doug\Desktop\Security\RogueKillerX64.exe
Mode : Scan -- Date : 01/13/2016 10:03:19

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtProtectVirtualMemory : Unknown @ 0x77b90040 (jmp 0xfffffffffffa2190)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtFreeVirtualMemory : Unknown @ 0x77b90028 (jmp 0xfffffffffffa2498)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAllocateVirtualMemory : Unknown @ 0x77b90010 (jmp 0xfffffffffffa24e0)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5002AALX-00J37A0 ATA Device +++++
--- User ---
[MBR] 9debdbc5daad6cceb51027dde86ff823
[BSP] 79bcbb79a1dc3c4533ed9e69a5766432 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Reply #149January 13, 2016, 08:02:13 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #149 on: January 13, 2016, 08:02:13 PM »
Hi SlabBacon,

These hooks are likely legit.
Which security softwares are you using ?

In order to help us whitelisting them, please follow the following process :
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • When RogueKiller goes in a loop, locate the process named explorer.exe, do a right click on it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.
Thanks for your help.

Regards.