Author Topic: ===> False Positives <=== (Read 333186 times)

Curson · « **Reply #135 on:** October 21, 2015, 11:34:25 PM »

Hi oscarxp,

The following entry is indeed a false positive. Thanks for reporting it.

[Proc.Svchost] svchost.exe(6920) -- [x] -> Killed [TermThr]We will make our best to fix it as soon as possible.

Regards.

coldi · « **Reply #136 on:** December 01, 2015, 06:40:03 AM »

Hi there I happened to stumble onto something again and I kinda think it's a false positive - a check with the latest rk11 found
¤¤¤ Registry : 1 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Partner -> Found
The registry folder looks like this http://i.imgur.com/lHLwnzQ.png (not my screenshot)
best regards

Curson · « **Reply #137 on:** December 01, 2015, 02:07:23 PM »

Hi coldi,

This entry is not a false positive. It is linked to adware DealPly.
I advice you to remove it.

Regards.

coldi · « **Reply #138 on:** December 01, 2015, 05:06:47 PM »

Mhh ok I'll remove the key but it's a bit odd I can't observe any strange behaviour related to the description of the adware. Funnily I asked around a bit and that particular key seems to exist on a couple of windows10 systems without showing symptoms. Anyways interesting thanks for the information.

Curson · « **Reply #139 on:** December 01, 2015, 11:27:13 PM »

Hi coldi,

You are welcome.
This entry seems to be a leftover, so it presents no threat.

Regards.

trooper · « **Reply #140 on:** December 02, 2015, 01:04:26 PM »

this cant be right, no other prog. (tdsskiller, aswmbr, mbam,...) finds anything $:-\$

(files section)

also: i use patched tcpip.sys to remove half-open limit, i uploaded the file to virustotal and nothing was found

Curson · « **Reply #141 on:** December 02, 2015, 02:28:58 PM »

Hi trooper,

Welcome to Adlice.com Forum.

Thanks for your feedback.
These entries are indeed false positives. It will be fixed in RogueKiller next release.

Regards.

oscarxp · « **Reply #142 on:** December 11, 2015, 01:03:19 AM »

Hey admins

just installed new version and did a scan on my system but there seems to be lots of false positives. Can you please have a look and clarify.

Attached files.

Thank you

Curson · « **Reply #143 on:** December 11, 2015, 01:27:20 PM »

Hi oscarxp,

Quote

[VT.Unknown] IDMan.exe(8964) -- C:\Program Files\Internet Download Manager\IDMan.exe[-] -> Killed [TermProc]
[VT.Unknown] egui.exe(7280) -- C:\Program Files\ESET\ESET Smart Security\egui.exe[7] -> Killed [TermProc]

These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.

For the others entries, we will make whitelist them as soon as possible.
Thanks for your feedback.

Regards.

oscarxp · « **Reply #144 on:** January 06, 2016, 10:22:01 PM »

Hey Guys

Happy New Year, today downloaded new version and did a scan

And i get some Hidden ADS as a malware plus also the registry shows some entries.

Can you check if this is not a false positive please thanks.

files attached

Curson · « **Reply #145 on:** January 06, 2016, 11:28:57 PM »

Hi oscarxp,

Happy New Years !
This ADS detection is a known false positive. It will be fixed in RogueKiller next release.

Regards.

laclac · « **Reply #146 on:** January 08, 2016, 01:27:29 AM »

Pydio is a software for synchronize your cloud pydio (like dropbox)
[VT.Unknown] pydio-ui.exe(5060) -- D:\Program Files\PydioSync\bin\pydio-ui.exe[7] -> Tué(e) [TermProc]
[VT.Unknown] pydio-agent.exe(4400) -- D:\Program Files\PydioSync\bin\pydio-agent.exe[7] -> Tué(e) [TermProc]

Curson · « **Reply #147 on:** January 08, 2016, 12:56:59 PM »

Hi laclac,

These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.

Regards.

SlabBacon · « **Reply #148 on:** January 13, 2016, 04:07:37 PM »

Are these IAT hook detections false positives? Thanks.

RogueKiller V11.0.7.0 (x64) [Jan 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Doug [Administrator]
Started from : C:\Users\Doug\Desktop\Security\RogueKillerX64.exe
Mode : Scan -- Date : 01/13/2016 10:03:19

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3423139568-2959105372-4068864383-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtProtectVirtualMemory : Unknown @ 0x77b90040 (jmp 0xfffffffffffa2190)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtFreeVirtualMemory : Unknown @ 0x77b90028 (jmp 0xfffffffffffa2498)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAllocateVirtualMemory : Unknown @ 0x77b90010 (jmp 0xfffffffffffa24e0)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5002AALX-00J37A0 ATA Device +++++
--- User ---
[MBR] 9debdbc5daad6cceb51027dde86ff823
[BSP] 79bcbb79a1dc3c4533ed9e69a5766432 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Curson · « **Reply #149 on:** January 13, 2016, 08:02:13 PM »

Hi SlabBacon,

These hooks are likely legit.
Which security softwares are you using ?

In order to help us whitelisting them, please follow the following process :

Download Process Explorer and save it to your desktop.
Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
When RogueKiller goes in a loop, locate the process named explorer.exe, do a right click on it and select Create Dump > Create Full Dump...
Save the dump on your desktop and compress it.
Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.

Thanks for your help.

Regards.

Author Topic: ===> False Positives <=== (Read 333186 times)

Curson

Re: ===> False Positives <===

coldi

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

coldi

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

trooper

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

oscarxp

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

oscarxp

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

laclac

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

SlabBacon

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===