Author Topic: ===> False Positives <=== (Read 351388 times)

Curson · « **Reply #60 on:** March 12, 2015, 04:35:08 PM »

Hi mist63,

Thanks for bringing this up.
This entry will be whitelisted in the next version of RogueKiller.

Regards.

signal.vol@gmail.com · « **Reply #61 on:** March 13, 2015, 07:12:05 PM »

[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[17] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451109c
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511c66
[SSDT:Addr(Hook.SSDT)] NtClose[25] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514b6a
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45133f6
[SSDT:Addr(Hook.SSDT)] unknown[37] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451293a
[SSDT:Addr(Hook.SSDT)] NtCreateKey[41] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513aee
[SSDT:Addr(Hook.SSDT)] NtCreateProcess[47] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511ebc
[SSDT:Addr(Hook.SSDT)] NtCreateProcessEx[48] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511f72
[SSDT:Addr(Hook.SSDT)] NtCreateSection[50] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451225c
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510a0c
[SSDT:Addr(Hook.SSDT)] NtDeviceIoControlFile[66] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513c5e
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45180f8
[SSDT:Addr(Hook.SSDT)] NtFsControlFile[84] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513f16
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511572
[SSDT:Addr(Hook.SSDT)] NtMakeTemporaryObject[105] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514912
[SSDT:Addr(Hook.SSDT)] NtOpenFile[116] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451272c
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517b50
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451202c
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517e00
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[137] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510f20
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511d8e
[SSDT:Addr(Hook.SSDT)] NtReplaceKey[193] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4514760
[SSDT:Addr(Hook.SSDT)] NtRequestPort[199] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4513564
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[200] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4512ef8
[SSDT:Addr(Hook.SSDT)] NtRestoreKey[204] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45147ea
[SSDT:Addr(Hook.SSDT)] NtSecureConnectPort[210] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451397e
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510b7c
[SSDT:Addr(Hook.SSDT)] NtSetSecurityObject[237] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45146ba
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451176c
[SSDT:Addr(Hook.SSDT)] NtShutdownSystem[249] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451487c
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510df8
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510cd2
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[255] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4511b98
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[257] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4517a48
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45182ea
[SSDT:Addr(Hook.SSDT)] NtUnloadDriver[262] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45149a8
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510890
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510478
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallNoParam[322] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb4510680
[ShwSSDT:Addr(Hook.Shadow)] NtUserCallOneParam[323] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45105d2
[ShwSSDT:Addr(Hook.Shadow)] NtUserDdeSetQualityOfService[347] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45103de
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451037a
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb451020c
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb45101a8
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450feb2
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : C:\Program Files\Bitdefender\Antivirus Free

The following should not be considered as suspicious as they are marked as part of Bitdefender Antivirus. However, it probably should be verified by Bitdefender.

Edition\bdselfpr.sys @ 0xb450fcb8
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fd38
[ShwSSDT:Addr(Hook.Shadow)] NtUserRegisterRawInputDevices[491] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450ff3a
[ShwSSDT:Addr(Hook.Shadow)] NtUserSendInput[502] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450fc66
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450f2b8
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys @ 0xb450f746

ryderjj89 · « **Reply #62 on:** March 14, 2015, 05:19:15 AM »

I dont know if you support Windows XP but here's another for ya with LogMeIn Rescue.

[Suspicious.Path] lmi_rescue.exe(4232) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(4360) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermProc]
[Suspicious.Path] LMI_Rescue_srv.exe(4580) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe[7] -> Killed [TermThr]
[Suspicious.Path] lmi_rescue.exe(4820) -- C:\Documents and Settings\username\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe[7] -> Killed [TermProc]

Curson · « **Reply #63 on:** March 16, 2015, 11:05:00 AM »

Hi signal.vol,

Welcome to Adlice.com Forum!

Thanks for your contribution.
BitDefender's driver will be whitelisted in the next version of RogueKiller.

Regards.

Curson · « **Reply #64 on:** March 16, 2015, 11:13:55 AM »

Hi ryderjj89,

Quote from: ryderjj89

I dont know if you support Windows XP but here's another for ya with LogMeIn Rescue.

Windows XP is still fully supported and theses processes should be whitelisted in RogueKiller current version.
Which version did you run ?

Regards.

roushi · « **Reply #65 on:** March 19, 2015, 01:49:51 AM »

hello,
recently I use RK and found that my cloud security program, tresorit (tresorit.exe) is suspected malicious program. I download it from their offcial website (https://tresorit.com/). For security concern, I have uninstalled tresorit. But I still want to know whether false positive or rogue application. thanks

Curson · « **Reply #66 on:** March 19, 2015, 08:30:06 AM »

Hi roushi,

This is likely a false positive.
Could you please post the full path of the detected process ?

Regards.

roushi · « **Reply #67 on:** March 19, 2015, 05:33:45 PM »

sorry curson, I uninstalled it as soon as detected by RK and I forgot to record full path of the detected process.

Curson · « **Reply #68 on:** March 19, 2015, 10:32:09 PM »

Hi roushi,

That's no big deal.
I think I managed to discover the location of the executable by myself.

Regards.

roushi · « **Reply #69 on:** March 24, 2015, 04:25:18 PM »

Hi curson,
I scan with newer version of rogue killer

however, i got warning about userland rootkit, IAT hook

here is my log:
RogueKiller V10.5.7.0 (x64) [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : fajar [Administrator]
Started from : F:\New folder\Softwares\RogueKillerX64.exe
Mode : Scan -- Date : 03/24/2015 22:14:42

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) SLEE_18_DRIVER -- \??\C:\WINDOWS\Sleen1864.sys[7] -> Stopped

¤¤¤ Registry : 13 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Partizan (system32\drivers\Partizan.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SLEE_18_DRIVER (\??\C:\WINDOWS\Sleen1864.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLEE_18_DRIVER (\??\C:\WINDOWS\Sleen1864.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8EF8906D-A45A-4663-8558-C4D00C3B3B13} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8EF8906D-A45A-4663-8558-C4D00C3B3B13} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)] -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4056015360-625216753-3323311208-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 61 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53f40 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54230 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - PeekMessageA : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d54180 (ret )
[IAT:Inl(Hook.IEAT)] (chrome.exe) USER32.dll - IsDialogMessageW : C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL @ 0x74d53fc0 (ret )

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 35d34ea0725b15bfc5585d344d1a1ee4
[BSP] 9bc2edaef5de5c63af0852ed1c97e416 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381096 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 782796800 | Size: 450 MB
5 - Basic data partition | Offset (sectors): 783718400 | Size: 150704 MB
6 - Basic data partition | Offset (sectors): 1092360192 | Size: 399999 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_03182015_223955.log - RKreport_SCN_03092015_115351.log - RKreport_SCN_03102015_143536.log - RKreport_SCN_03182015_213128.log
RKreport_SCN_03182015_223747.log

I use bitdefender, malwarebytes anti malware and anti exploit, zemana anti logger.

can you give clues whether false positive or rootkit?

thanks a lot

Curson · « **Reply #70 on:** March 25, 2015, 08:11:31 PM »

Hi roushi,

They are probably false positives.
Could you please give me the full path and name of the following dll ?

Quote

C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL

Regards.

roushi · « **Reply #71 on:** March 26, 2015, 10:13:51 AM »

Hi curson,
I don't know how to find full path. I'm not advanced user. However, I search and found that this .dll file belongs to zemana anti logger (I use anti keylogger)
and located in :
C:\Program Files (x86)\KeyCryptSDK
thanks

Curson · « **Reply #72 on:** March 26, 2015, 02:24:11 PM »

Hi roushi,

Thanks for the information.
At first sight, it will be enough to whitelist the dll.

Regards.

laclac · « **Reply #73 on:** May 25, 2015, 05:34:47 PM »

Hi,

Thank you very much for this very good tool.
I think my computer is safe but when I scanned with RogueKiller I had 720 suspects elements.
I think it's false positives with the applis:
- SandBoxie (95% of the alert)
- GData (antivirus)
- Free download Manager (Lite Edition)
- OneDrive (on the Register)
- SyncCenter (

by defaut in windows I think but not sure (scan ok by virusTotal)

I attached the report

Thank you

Curson · « **Reply #74 on:** May 25, 2015, 06:32:15 PM »

Hi laclac,

Theses detections are indeed false positives and will be fixed as soon as possible.
Thanks for bringing this to your attention.

Regards.

Author Topic: ===> False Positives <=== (Read 351388 times)

Curson

Re: ===> False Positives <===

signal.vol@gmail.com

Re: ===> False Positives <===

ryderjj89

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

roushi

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

roushi

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

roushi

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

roushi

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===

laclac

Re: ===> False Positives <===

Curson

Re: ===> False Positives <===