Topic: ===> False Positives <===

mist63
Re: ===> False Positives <===
« Reply #45 on: March 03, 2015, 02:51:52 PM »
Hi Curson,

Same issue with RK v10.5.0 and Symantec:

RogueKiller V10.5.0.0 [Mar  2 2015] par Adlice Software
¤¤¤ Processus : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys[7] -> [NoKill]

¤¤¤ Registre : 25 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.019\NAVEX15.SYS) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.019\NAVEX15.SYS) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150228.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.002\NAVEX15.SYS) -> Trouvé(e)

Regards

Curson
Re: ===> False Positives <===
« Reply #46 on: March 03, 2015, 03:46:28 PM »
Hi mist63,

Thanks for your contribution.
These entries will be whitelisted in the next version of RogueKiller.

Regards.

laclac
Fail detection
« Reply #47 on: March 05, 2015, 12:12:41 AM »
For your information, RogueKiller detects "Sandboxie" and "Unlocker" as malware.
But they are trusted, very good software.

http://www.sandboxie.com/
http://www.emptyloop.com/unlocker/

Curson
Re: Fail detection
« Reply #48 on: March 05, 2015, 06:26:06 PM »
Hi laclac,

Welcome to Adlice.com Forum!
Could you please post RogueKiller's report showing the detections of these two programs?

Regards.

Note: Your thread has been merged with the "===> False Positives <===" thread for clarity.

ryderjj89
Re: ===> False Positives <===
« Reply #49 on: March 05, 2015, 09:26:05 PM »
Hi ryderjj89,

RogueKiller 10.5.0 is out.
Could you please retry with this version?

Regards.

Tried with 10.5.1, still killing LogMeIn Rescue during pre-scan.

Here's the log entry:

[Suspicious.Path] (SVC) LMIRescue_9c5cee35-34cc-4e1a-a350-ef13abfc5d98 -- "C:\Users\Violet\AppData\Local\LOGMEI~1\LMIR0002.tmp\LMI_Rescue_srv.exe" -service -sid 9c5cee35-34cc-4e1a-a350-ef13abfc5d98[7] -> Stopped
« Last Edit: March 05, 2015, 10:03:07 PM by ryderjj89 »

Curson
Re: ===> False Positives <===
« Reply #50 on: March 05, 2015, 10:46:26 PM »
Hi ryderjj89,

That's strange.
Could you please give me the full path of the service, especially the part which appeared as LOGMEI~1?

Regards.

ryderjj89
Re: ===> False Positives <===
« Reply #51 on: March 06, 2015, 07:44:19 PM »
Someone posted the full path for you guys last month on page 3. Here they are again.

C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_src.exe
C:\Users\username\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe

Curson
Re: ===> False Positives <===
« Reply #52 on: March 09, 2015, 03:06:20 PM »
Hi ryderjj89,

We are unable to reproduce the issue.
Could you please tell me which version of LogMeIn is installed on your system?

Regards.

ryderjj89
Re: ===> False Positives <===
« Reply #53 on: March 09, 2015, 07:35:47 PM »
It's the Rescue Applet, not the technician console. I'm not sure how you can't reproduce the issue. It's happened for multiple people as of 10.5.1...

roushi
Re: ===> False Positives <===
« Reply #54 on: March 10, 2015, 08:49:54 AM »
Hello,
this is my log:

RogueKiller V10.5.2.0 (x64) [Mar  9 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : fajar [Administrator]
Started from : C:\Users\fajar\Downloads\RogueKillerX64 (1).exe
Mode : Scan -- Date : 03/10/2015  14:35:36

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9626352A-45DB-4514-A4E4-F37C1C798476} | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7491737-1EF7-4C2E-8F23-E2631A37F61E} | DhcpNameServer : 192.13.128.24  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9626352A-45DB-4514-A4E4-F37C1C798476} | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2 [INDONESIA (ID)][INDONESIA (ID)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C7491737-1EF7-4C2E-8F23-E2631A37F61E} | DhcpNameServer : 192.13.128.24 [UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 35d34ea0725b15bfc5585d344d1a1ee4
[BSP] 9bc2edaef5de5c63af0852ed1c97e416 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381096 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 782796800 | Size: 450 MB
5 - Basic data partition | Offset (sectors): 783718400 | Size: 150704 MB
6 - Basic data partition | Offset (sectors): 1092360192 | Size: 399999 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Kingston DT 101 G2 USB Device +++++
--- User ---
[MBR] 0d8a95f0177a129bfb88face59b8bdbb
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_03092015_115351.log

Is this a false positive, or has my computer been infected?

thanks

Curson
Re: ===> False Positives <===
« Reply #55 on: March 10, 2015, 11:16:47 PM »
Hi roushi,

Welcome to Adlice.com Forum!
Your report is clean.

Regards.

roushi
Re: ===> False Positives <===
« Reply #56 on: March 11, 2015, 04:52:10 AM »
Thanks a lot Curson :D

Vtech
Re: ===> False Positives <===
« Reply #57 on: March 11, 2015, 07:16:48 AM »
Hi,

VIPRE Antivirus / Internet Security is getting detected as ZeroAccess.


Logs from RogueKiller below:

RogueKiller V10.5.3.0 [Mar 10 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : homeuser [Administrator]
Started from : C:\Users\homeuser\Desktop\RogueKiller.exe
Mode : Scan -- Date : 03/11/2015  13:45:34

¤¤¤ Processes : 1 ¤¤¤
[ZeroAccess] SBAMSvc.exe(1840) -- C:\Program Files (x86)\VIPRE\SBAMSvc.exe[-] -> ERROR [12]

¤¤¤ Registry : 12 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FF6B266C-A68E-4703-AABD-3CD8908DD5EB} | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF6B266C-A68E-4703-AABD-3CD8908DD5EB} | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{FF6B266C-A68E-4703-AABD-3CD8908DD5EB} | DhcpNameServer : 10.134.0.2 8.8.8.8 [(Private Address) (XX)]  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3519769749-2856167998-2871467416-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3519769749-2856167998-2871467416-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] a96e3be04bff67e29b1dcdbca25ab636
[BSP] 5821089cd6275c700f6874710cdeda40 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03072015_195806.log

Curson
Re: ===> False Positives <===
« Reply #58 on: March 11, 2015, 11:08:21 PM »
Hi Vtech,

Welcome to Adlice.com Forum!

Thanks for bringing this to our attention.
This will be fixed in the next version of RogueKiller.

Regards.

mist63
Re: ===> False Positives <===
« Reply #59 on: March 12, 2015, 02:12:06 PM »
Hello,

ESET File Security process detected:

RogueKiller V10.5.3.0 (x64) [Mar 10 2015] par Adlice Software

Système d'exploitation : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : root [Administrateur]
Démarré depuis : C:\Archives Système\anti-spyware\RogueKillerX64.exe
Mode : Scan -- Date : 03/12/2015  10:16:01

¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] ekrn.exe(37200) -- C:\Program Files\ESET\ESET File Security\x86\ekrn.exe[7] -> Tué(e) [DrvNtTerm]

Best regards
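The reports posted in this thread (mist63's Symantec and ESET entries, roushi's PUM.Dns report that Curson called clean, Vtech's VIPRE hit, ryderjj89's LogMeIn service) all use the same detection line format, and the question each poster asks is a triage question: is this a policy change, a known-good security product, or something to look at? The Python script below is an added example written for this page; it is not RogueKiller's code and does not come from Adlice or any poster. It parses lines of the shape "[Category.Sub] (Scope) body -> verdict" as they appear in the posted logs, treats PUM.* entries as modifications to review rather than malware, and labels hits whose path lies under a vendor directory reported in this thread as a false positive (Symantec Endpoint Protection, VIPRE, ESET File Security). The triage labels, the whitelist and the sample excerpt are assumptions constructed from lines in this thread; the LogMeIn entry is deliberately left out of the whitelist to show what an unknown path looks like.

```python
"""Triage of RogueKiller-style report lines.

Added example for this thread; not RogueKiller's own code and not from
Adlice Software.  Detection lines in the posted reports share the shape

    [Category.Sub] (Scope) <body> -> <verdict>

where the parenthesised scope (SVC, X64, X86) is optional.  The triage
policy, the vendor whitelist and the sample excerpt below are assumptions
built from lines that appear in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DETECTION_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+"        # [PUM.Dns], [Suspicious.Path], [ZeroAccess]
    r"(?:\((?P<scope>[^)]+)\)\s+)?"        # optional (SVC) / (X64) / (X86)
    r"(?P<body>.*?)\s+->\s+"               # "key | value" or "process -- path"
    r"(?P<verdict>.+?)\s*$"                # Found, [NoKill], Stopped, ERROR [12], ...
)

# Constructed whitelist: directories of the security products reported as
# false positives in this thread (lower-cased substrings of the posted paths).
KNOWN_SECURITY_DIRS = (
    "\\symantec\\symantec endpoint protection\\",
    "\\program files (x86)\\vipre\\",
    "\\eset\\eset file security\\",
)


@dataclass
class Detection:
    category: str
    scope: Optional[str]
    body: str
    verdict: str

    @property
    def family(self) -> str:
        """'PUM.Dns' -> 'PUM'; 'ZeroAccess' -> 'ZeroAccess'."""
        return self.category.split(".", 1)[0]


def parse_report(text: str) -> List[Detection]:
    """Return the detection lines of a report.  Section banners, MBR/BSP
    hashes and partition tables contain no ' -> ' and are skipped."""
    found = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:
            found.append(Detection(m["category"], m["scope"], m["body"], m["verdict"]))
    return found


def triage(det: Detection) -> str:
    """Coarse label (assumed policy): PUM.* entries are configuration changes
    to review, hits inside a known security-product directory are likely
    false positives, anything else needs a human look."""
    if det.family == "PUM":
        return "review"
    if any(d in det.body.lower() for d in KNOWN_SECURITY_DIRS):
        return "likely-false-positive"
    return "investigate"


def summarize(text: str) -> Dict[str, int]:
    """Count detections per triage label for a whole report."""
    counts = {"review": 0, "likely-false-positive": 0, "investigate": 0}
    for det in parse_report(text):
        counts[triage(det)] += 1
    return counts


# Constructed excerpt assembled from lines posted in this thread.
SAMPLE_REPORT = r"""
¤¤¤ Processus : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys[7] -> [NoKill]
¤¤¤ Registry : 10 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.250.1 203.161.30.1 203.161.30.2  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[ZeroAccess] SBAMSvc.exe(1840) -- C:\Program Files (x86)\VIPRE\SBAMSvc.exe[-] -> ERROR [12]
[Suspicious.Path] (SVC) LMIRescue_9c5cee35-34cc-4e1a-a350-ef13abfc5d98 -- "C:\Users\Violet\AppData\Local\LOGMEI~1\LMIR0002.tmp\LMI_Rescue_srv.exe" -service -sid 9c5cee35-34cc-4e1a-a350-ef13abfc5d98[7] -> Stopped
[Proc.Injected] ekrn.exe(37200) -- C:\Program Files\ESET\ESET File Security\x86\ekrn.exe[7] -> Tué(e) [DrvNtTerm]
[MBR] 35d34ea0725b15bfc5585d344d1a1ee4
[BSP] 9bc2edaef5de5c63af0852ed1c97e416 : Empty MBR Code
"""

if __name__ == "__main__":
    for det in parse_report(SAMPLE_REPORT):
        print(f"{triage(det):22} {det.category:18} {det.body[:60]}")
    print(summarize(SAMPLE_REPORT))
```

Run as a script it prints one labelled line per detection and the per-label counts; for the excerpt above that is two PUM entries to review, three hits under whitelisted vendor directories, and the LogMeIn service left to investigate. The point of keeping the whitelist as explicit path substrings is that a new false-positive report from the thread can be added as one line without touching the parser, and a hit that merely names a vendor in its process name but lives elsewhere on disk is still flagged.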