Author Topic: ===> False Positives <===  (Read 351726 times)



Porthos

Re: ===> False Positives <===
« Reply #75 on: June 18, 2015, 03:10:41 AM »
RogueKiller V10.8.4.0 (x64) [Jun 15 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Administrator]
Started from : G:\1a Malware removal\A-Rouge Killer Tech\RogueKillerX64.exe
Mode : Scan -- Date : 06/17/2015  20:03:05

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] explorer.exe(1612) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll[7] -> Unloaded

¤¤¤ Registry : 2 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3159029859-3327715070-1988989244-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3159029859-3327715070-1988989244-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 36 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1       localhost
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1003FZEX-00MK2 SCSI Disk Device +++++
--- User ---
[MBR] 34259e1b6e4cb47f9b754ce648c27c5f
[BSP] f6b5837cc939bcb42bb962bb25ef3332 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953766 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST315005 41AS SCSI Disk Device +++++
--- User ---
[MBR] 8419b53418a44a8df2ae728761506c81
[BSP] 067f6f979de26751f61eeba52c8e72aa : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 1430796 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: SanDisk Extreme USB Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 30532 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_05202015_071126.log - RKreport_DEL_05202015_071233.log - RKreport_SCN_06022015_085035.log - RKreport_SCN_06092015_


laclac

Re: ===> False Positives <===
« Reply #76 on: June 19, 2015, 10:07:26 AM »
Hi,

A new false positive, the ESET antivirus:

RogueKiller V10.8.4.0 (x64) [Jun 15 2015] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : stephane.chadeyron [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 06/19/2015  10:04:43

¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] ekrn.exe(1908) -- C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[7] -> Tué(e) [DrvNtTerm]

¤¤¤ Registre : 2 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1618730201-3606924439-1700900945-13376\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1618730201-3606924439-1700900945-13376\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 4 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: ST320LT007-9ZV142 +++++
--- User ---
[MBR] 67cdd999a773c0f41e4ba3a8f11c844d
[BSP] 2dc1c207c6c27aac80441500ced12459 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Curson

  • Global Moderator
Re: ===> False Positives <===
« Reply #77 on: June 19, 2015, 11:31:27 AM »
Hi laclac,

Thanks for bringing this false positive to our attention.
It will be fixed as soon as possible.

Regards.


o_ryry

Re: ===> False Positives <===
« Reply #78 on: June 19, 2015, 09:47:30 PM »
Greetings! I registered just to make this post, so I'll use this first line to say "Hey!" and to commend the Adlice Software team for their contributions to the security community. That being said, I'm here to report a false positive.

What?
BOMGAR end-user client

RogueKiller detects the process that this applet creates as malicious and attempts to terminate it. Although RogueKiller is not actually able to terminate the process (thankfully), it highlights the row YELLOW and lists the status as "Killed".

STATUS: Killed [TermProc]
DETECTION: VT.Unknown
NAME: bomgar-scc.exe
PATH: C:\ProgramData\bomgar-scc-0x55846070\bomgar-scc.exe

Thanks for your help. Please let me know if any additional information is required. My company is a RogueKiller Premium licensee.


Curson

  • Global Moderator
Re: ===> False Positives <===
« Reply #79 on: June 21, 2015, 06:00:17 PM »
Hi o_ryry,

Welcome to Adlice.com Forum.
Thanks for supporting our product.

This process will be whitelisted in RogueKiller's next release.  :)

Regards.


coldi

Re: ===> False Positives <===
« Reply #80 on: June 24, 2015, 03:31:35 PM »
¤¤¤ Prozesse : 1 ¤¤¤
[AV.Killer] avp.exe(1656) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe[7] -> beendet [DrvNtTerm]

No idea what happened there, but suddenly it showed Kaspersky as a threat. I'd presume it's just a false positive.
Seems like there was a patch (http://forum.kaspersky.com/index.php?showtopic=325739); maybe that caused the issue.
« Last Edit: June 24, 2015, 03:54:36 PM by coldi »


Jim1108

Re: ===> False Positives <===
« Reply #81 on: June 24, 2015, 08:08:17 PM »
I'm getting the following error:

¤¤¤ Processes : 1 ¤¤¤
[AV.Killer] LogMeIn.exe(3112) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe[7] -> Killed [TermProc]

I use the paid LogMeIn service all the time. Is there something wrong with this executable or is this just a "false positive"?

Jim


Curson

  • Global Moderator
Re: ===> False Positives <===
« Reply #82 on: June 24, 2015, 10:46:54 PM »
Hi coldi, hi Jim1108

Welcome to Adlice.com Forum.

These entries are indeed false positives. Thanks for bringing them to our attention.
This will be fixed as soon as possible.

Regards.


cinder

Re: ===> False Positives <===
« Reply #83 on: June 25, 2015, 09:04:22 AM »
I think this one has already been reported, but here it is:

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus|AV.Killer] mbamservice.exe(3092) -- D:\Programs\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]

Can this be ignored? I'm confused because I have 2 PCs running Malwarebytes and this one reports this process and my other PC does not - both same version of RogueKiller.


Curson

  • Global Moderator
Re: ===> False Positives <===
« Reply #84 on: June 25, 2015, 10:26:22 PM »
Hi Nathalie,

You are running mbamservice.exe from an unusual location. This is the reason why RogueKiller detects it as a threat.
You can totally ignore it. :)

Regards.
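An added example, not RogueKiller's own code: a small parser for the process lines posted in this thread, plus a check in the spirit of Curson's "unusual location" explanation above. The set of standard install roots is my assumption, not RogueKiller's whitelist, and the sample lines are copied from the reports in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Process lines copied from RogueKiller reports posted earlier in this thread.
SAMPLE_LINES = [
    r"[Tr.Zeus|AV.Killer] mbamservice.exe(3092) -- D:\Programs\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]",
    r"[AV.Killer] LogMeIn.exe(3112) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe[7] -> Killed [TermProc]",
    r"[VT.Generic.317] Panda_URL_Filteringb.exe(7964) -- C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe[7] VT(6) -> Killed [TermProc]",
    r"[VT.Unknown] IRTracker.exe(1012) -- C:\Program Files\Inner Range\Insight\IRTracker.EXE[-] -> Zastaveno [TermProc]",
]

# Shape of one line: [tag|tag] name(pid) -- path[n] [VT(k)] -> status [method]
LINE_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]\s+(?P<name>\S+)\((?P<pid>\d+)\)\s+--\s+"
    r"(?P<path>.+?)\[(?P<score>[^\]]*)\](?:\s+VT\((?P<vt>\d+)\))?\s+->\s+"
    r"(?P<status>\S+)\s+\[(?P<method>[^\]]+)\]$"
)

@dataclass
class ProcEntry:
    tags: List[str]         # detection labels, e.g. ["Tr.Zeus", "AV.Killer"]
    name: str
    pid: int
    path: str
    vt_hits: Optional[int]  # the VT(k) count when present, else None
    status: str             # localized by RogueKiller: "Killed", "Zastaveno", ...
    method: str             # e.g. "TermProc", "DrvNtTerm"

def parse_line(line: str) -> ProcEntry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised process line: {line!r}")
    return ProcEntry(tags=m["tags"].split("|"), name=m["name"], pid=int(m["pid"]),
                     path=m["path"], vt_hits=int(m["vt"]) if m["vt"] else None,
                     status=m["status"], method=m["method"])

# Assumed install roots; a path outside them is an "unusual location" in the sense
# of Curson's reply. This list is my assumption, not RogueKiller's whitelist.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                  "c:\\windows\\", "c:\\programdata\\")

def unusual_location(entry: ProcEntry) -> bool:
    path = entry.path.lower()
    return not any(path.startswith(root) for root in STANDARD_ROOTS)

if __name__ == "__main__":
    for e in map(parse_line, SAMPLE_LINES):
        where = "unusual location" if unusual_location(e) else "standard location"
        print(f"{e.name} (pid {e.pid}) {'|'.join(e.tags)} -> {e.status}: {where}")
```

Only the Malwarebytes entry running from D:\Programs is reported as an unusual location; the other three sit under standard roots, which is consistent with the moderator's replies that those were plain whitelist misses rather than location-based hits.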


cinder

Re: ===> False Positives <===
« Reply #85 on: June 26, 2015, 02:59:09 AM »
Hi Curson,

Yes, I have an SSD so I keep most programs on the D:\ drive instead. Ok thanks for clarifying.

- Natalie.


Curson

  • Global Moderator
Re: ===> False Positives <===
« Reply #86 on: July 03, 2015, 03:37:54 PM »
Hi Natalie,

You are very welcome. ;)

Regards.


cinder

Re: ===> False Positives <===
« Reply #87 on: July 06, 2015, 07:40:56 AM »
Hi Curson,

One more for you:

¤¤¤ Processes : 1 ¤¤¤
[VT.Generic.317] Panda_URL_Filteringb.exe(7964) -- C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe[7] VT(6) -> Killed [TermProc]

Safe to ignore?

Using Panda AV on my Media PC.

Thanks.


vyosek

Re: ===> False Positives <===
« Reply #88 on: July 06, 2015, 09:41:22 AM »
Hi Tigzy,

I would like to report FP:
Quote
[Proc.RunPE] hasplms.exe(1728) -- C:\Windows\System32\hasplms.exe[7] -> Zastaveno [TermProc]
[VT.Unknown] IRPnlServer.exe(368) -- C:\Program Files\Inner Range\Insight\IRPnlServer.EXE[-] -> Zastaveno [TermProc]
[VT.Unknown] IRLaunchPad.exe(3428) -- C:\Program Files\Inner Range\Insight\IRLaunchPad.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] IRDBTaskbar.exe(3452) -- C:\Program Files\Inner Range\Insight\IRDBTaskbar.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] Graphics.exe(3964) -- C:\Program Files\Inner Range\Insight\Graphics.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] IRDBService.exe(3496) -- C:\Program Files\Inner Range\Insight\IRDBService.EXE[-] -> Zastaveno [TermProc]
[VT.Unknown] IRTracker.exe(1012) -- C:\Program Files\Inner Range\Insight\IRTracker.EXE[-] -> Zastaveno [TermProc]


hasplms.exe
http://www.file.net/process/hasplms.exe.html

Inner Range\Insight
It is the software used by security guards (anti-burglar SW).


Regards,
vyosek

Member of since 02/2011


LarrySabo

Re: ===> False Positives <===
« Reply #89 on: July 07, 2015, 04:45:20 AM »
Greetings from a new Technician license user.  As a tech, I use all kinds of tools that are likely to be flagged as malware.  Having just started using the program, I'm reluctant to do a scan on my main system for fear of quarantining my tools. In the pre-scan, I see it killed AmmyyAdmin (my remote support program, renamed to "Sabo Remote Support.exe") and TrayIt! (a utility I depend upon). 

I'm going to hold off on doing the actual scan until I've made a fresh drive image, but am asking for assurance that the scan will offer the option to whitelist whatever it considers malicious and not remove the items until I approve. That option is not in the pre-scan, and it killed off processes I need.
« Last Edit: July 07, 2015, 01:36:48 PM by LarrySabo »