Author Topic: ===> False Positives <===  (Read 351629 times)

0 Members and 2 Guests are viewing this topic.

Reply #90July 08, 2015, 04:28:48 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #90 on: July 08, 2015, 04:28:48 PM »
Hi Natalie,

Hi Curson,

One more for you:

¤¤¤ Processes : 1 ¤¤¤
[VT.Generic.317] Panda_URL_Filteringb.exe(7964) -- C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe[7] VT(6) -> Killed [TermProc]

Safe to ignore?

Using Panda AV on my Media PC.

Thanks.

Yes, it's safe.
Thanks for reporting it. :)

Regards.

Reply #91July 08, 2015, 04:30:23 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #91 on: July 08, 2015, 04:30:23 PM »
Hi vyosek,

Hi Tigzy,

I would like to report FP:
Quote
[Proc.RunPE] hasplms.exe(1728) -- C:\Windows\System32\hasplms.exe[7] -> Zastaveno [TermProc]
[VT.Unknown] IRPnlServer.exe(368) -- C:\Program Files\Inner Range\Insight\IRPnlServer.EXE[-] -> Zastaveno [TermProc]
[VT.Unknown] IRLaunchPad.exe(3428) -- C:\Program Files\Inner Range\Insight\IRLaunchPad.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] IRDBTaskbar.exe(3452) -- C:\Program Files\Inner Range\Insight\IRDBTaskbar.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] Graphics.exe(3964) -- C:\Program Files\Inner Range\Insight\Graphics.exe[-] -> Zastaveno [TermProc]
[VT.Unknown] IRDBService.exe(3496) -- C:\Program Files\Inner Range\Insight\IRDBService.EXE[-] -> Zastaveno [TermProc]
[VT.Unknown] IRTracker.exe(1012) -- C:\Program Files\Inner Range\Insight\IRTracker.EXE[-] -> Zastaveno [TermProc]


hasplms.exe
http://www.file.net/process/hasplms.exe.html

Inner Range\Insight
It is the software used by security guards (anti bulgar SW)


Regards,
vyosek

Thanks for reporting this false positive.
It will be whitelisted as soon as possible.

Regards.

Reply #92July 08, 2015, 04:40:56 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #92 on: July 08, 2015, 04:40:56 PM »
Hi LarrySabo,

Welcome to Adlice.com Forum.

Greetings from a new Technician license user.  As a tech, I use all kinds of tools that are likely to be flagged as malware.  Having just started using the program, I'm reluctant to do a scan on my main system for fear of quarantining my tools. In the pre-scan, I see it killed AmmyyAdmin (my remote support program, renamed to "Sabo Remote Support.exe") and TrayIt! (a utility I depend upon). 

I'm going to hold off on doing the actual scan until I've made a fresh drive image, but am asking for assurance that the scan will offer the option to whitelist whatever if considers malicious and not remove the items until I approve. That option is not in the pre-scan, and it killed off processes I need.

Thanks for supporting our product. :)
RogueKiller won't quarantine any files during the pre-scan and the scan itself. You are able to select the files to be deleted/quarantined after the scan is complete.

Thats being said, could you please provide a sample of a RogueKiller scan log showing the detections in order for us to whiteliste the legit items ?

Regards.

Reply #93July 10, 2015, 02:50:43 PM

LarrySabo

  • Newbie

  • Offline
  • *

  • 8
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #93 on: July 10, 2015, 02:50:43 PM »
Thanks, Curson.  I'll do a scan sometime today or tomorrow and post the log.

Cheers, Larry

Reply #94July 12, 2015, 06:41:26 PM

LarrySabo

  • Newbie

  • Offline
  • *

  • 8
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #94 on: July 12, 2015, 06:41:26 PM »
Hi again.  Just did a scan (after imaging my system drive as a precaution). Scan log is attached. Not sure the JSON file format is what you prefer, so I attached both and the Text format.

Reply #95July 14, 2015, 10:29:40 PM

offchopx

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #95 on: July 14, 2015, 10:29:40 PM »
Hi everyone, I'm new member please mistake me if i'm wrong on this:


¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E673EA29-A1AA-4851-8940-0922B5D15F24} | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E673EA29-A1AA-4851-8940-0922B5D15F24} | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][AUSTRALIA (AU)][AUSTRALIA (AU)][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E673EA29-A1AA-4851-8940-0922B5D15F24} | DhcpNameServer : [IP of DNS 1] [IP of DNS 2] [IP of DNS 3] 192.168.1.1 ([AUSTRALIA (AU)][X][AUSTRALIA (AU)][-])  -> Found


I replace actual IP Address with square bracket [IP of DNS 1, 2, 3].

I think this is a false positive, as these are the IP addresses assigned by my ISP (Optus Cable, double checked router status settings and with a ping -a on all the IP's). I've never had this before, but now with a cable modem, which im not sure why exactly, it must reconfigure my dhcpnameservers.

Can anyone else confirm? Or do I have malware lol. Also I love this product, must have in a suite of tools.

Reply #96July 16, 2015, 12:08:51 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #96 on: July 16, 2015, 12:08:51 AM »
Hi LarrySabo,

Thanks for the feedback.

You are running AMMYY Admin Remote Control from an unusual location. This is the reason why RogueKiller detect it as a thread.
ESET SysInspector, Copy and Lightshot will be whitelisted in the next version of RogueKiller. TrayIt! was not present in the report.

Regards.

Reply #97July 16, 2015, 12:10:56 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #97 on: July 16, 2015, 12:10:56 AM »
Hi offchopx,

Welcome to Adlice.com Forum.
Such entries are indeed perfectly legit.

Regards.

Reply #98July 22, 2015, 04:43:07 PM

AAVmech2141

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #98 on: July 22, 2015, 04:43:07 PM »
I am wondering if someone could explain if these results are legitimate rootkits or not:

 ¤¤¤ Antirootkit : 45 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e11fee0f000000
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e11fee22000000
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x41e11200ca000000
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x41e108c571000000
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x41e11ff1f2000000
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x41e11ff070000000
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x41e11ff1b1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x41e11201e1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x41e11ff1c6000000
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x41e11ff00d000000

Reply #99July 22, 2015, 05:20:24 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #99 on: July 22, 2015, 05:20:24 PM »
Hi AAVmech2141,

Welcome to Adlice.com Forum.
Could you please copy/paste RogueKiller full report in your next post ?

Regards.

Reply #100July 22, 2015, 05:35:45 PM

AAVmech2141

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #100 on: July 22, 2015, 05:35:45 PM »
Sorry, here is the complete log:

RogueKiller V10.9.3.0 [Jul 21 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Users\User\Downloads\RogueKiller.exe
Mode : Scan -- Date : 07/21/2015 16:08:39

¤¤¤ Processes : 30 ¤¤¤
[Proc.Injected] ccSvcHst.exe(3748) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe[7] -> Killed [TermProc]
[Proc.Injected] dwm.exe(3900) -- C:\Windows\System32\dwm.exe
  • -> [NoKill]
[Proc.Injected] taskhost.exe(3944) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] explorer.exe(3996) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxtray.exe(3240) -- C:\Windows\System32\igfxtray.exe[7] -> Killed [TermProc]
[Proc.Injected] hkcmd.exe(3528) -- C:\Windows\System32\hkcmd.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxpers.exe(3224) -- C:\Windows\System32\igfxpers.exe[7] -> Killed [TermProc]
[Proc.Injected] SPEnroll.exe(3984) -- C:\Windows\System32\SPEnroll.exe[7] -> Killed [TermProc]
[Proc.Injected] lync.exe(3740) -- C:\Program Files\Microsoft Office 15\root\office15\lync.exe[7] -> Killed [TermProc]
[Proc.Injected] AeXAgentUIHost.exe(5456) -- C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe[7] -> Killed [TermProc]
[Proc.Injected] OUTLOOK.EXE(4384) -- C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[7] -> Killed [TermProc]
[Proc.Injected] taskhost.exe(7844) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] hpqtra08.exe(760) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[7] -> Killed [TermProc]
[Proc.Injected] taskeng.exe(7420) -- C:\Windows\System32\taskeng.exe[7] -> Killed [TermProc]
[Proc.Injected] hpwuschd2.exe(6424) -- C:\Program Files\HP\HP Software Update\hpwuschd2.exe[7] -> Killed [TermProc]
[Proc.Injected] ScanToPCActivationApp.exe(2764) -- C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\ScanToPCActivationApp.exe[7] -> Killed [TermProc]
[Proc.Injected] rundll32.exe(3776) -- C:\Windows\System32\rundll32.exe[7] -> Killed [TermProc]
[Proc.Injected] iexplore.exe(6600) -- C:\Program Files\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Proc.Injected] EXCEL.EXE(7952) -- C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE[7] -> Killed [TermProc]
[Proc.Injected] AeXAgentUIHost.exe(6668) -- C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe[7] -> Killed [TermProc]
[Proc.Injected] ccSvcHst.exe(7960) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe[7] -> Killed [TermProc]
[Proc.Injected] dwm.exe(7776) -- C:\Windows\System32\dwm.exe
  • -> [NoKill]
[Proc.Injected] taskhost.exe(6096) -- C:\Windows\System32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] explorer.exe(6976) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] hkcmd.exe(484) -- C:\Windows\System32\hkcmd.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxpers.exe(7056) -- C:\Windows\System32\igfxpers.exe[7] -> Killed [TermProc]
[Proc.Injected] SPEnroll.exe(5628) -- C:\Windows\System32\SPEnroll.exe[7] -> Killed [TermProc]
[Proc.Injected] mswinext.exe(5728) -- C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe[7] -> Killed [TermProc]
[Proc.Injected] hpwuschd2.exe(5508) -- C:\Program Files\HP\HP Software Update\hpwuschd2.exe[7] -> Killed [TermProc]
[Proc.Injected] hpqtra08.exe(1968) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 12 ¤¤¤
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : andeconnect.andent.andersonsinc.com  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-51550\Software\Microsoft\Internet Explorer\Main | Start Page : http://andeconnect.andent.andersonsinc.com/wps/portal/Andeconnect/andehome  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : andeconnect.andent.andersonsinc.com  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C004DD39-8A7C-4F4E-96CB-88F009CD6DC8} | DhcpNameServer : 10.0.0.200 10.0.0.201 10.6.11.1 ([(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-51550\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1781805705-461526871-837300805-78429\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 45 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e11fee0f000000
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e11fee22000000
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x41e11200ca000000
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x41e108c571000000
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x41e11ff1f2000000
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x41e11ff070000000
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x41e11ff1b1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x41e11201e1000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x41e11ff1c6000000
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x41e11ff00d000000
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x41e11200ea000000
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x41e11212b1000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x41e11ff085000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x41e11ff094000000
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x41e108eb4f000000
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x41e112129e000000
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x41e11ff05d000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x41e11201d0000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x41e11200db000000
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x41e11ff037000000
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x41e11201bf000000
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x41e11ff1dd000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x41e11ff19c000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x41e11ff187000000
[SSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[277] : Unknown @ 0x41e11ff172000000
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x41e11fee35000000
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x41e11fee6e000000
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x41e11fee81000000
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x41e11ff020000000
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x41e11ff04a000000
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x41e11fee48000000
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x41e1121598000000
[SSDT:Addr(Hook.SSDT)] unknown[371] : Unknown @ 0x41e11fee5b000000
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x41e112128b000000
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x41e11212c2000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x41e1564064000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x41e1550977000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x41e1561f69000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x41e1550885000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x41e1556f17000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x41e1504ce7000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x41e1563d98000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x41e0b5a2ff000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x41e1508cc5000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x41e0b58222000000

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST250DM000-1BD141 +++++
--- User ---
[MBR] aef303c4bef24d2153d8a81fad4f5016
[BSP] 000d6524b2f3e7099403d0f2ac284232 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 612 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1255424 | Size: 237861 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Reply #101July 22, 2015, 05:54:11 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #101 on: July 22, 2015, 05:54:11 PM »
Hi AAVmech2141,

Thoses hooks and [Proc.Injected] detections seems linked to Symantec Endpoint Protection.
Please follow the following process.
  • Restart your computer.
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named taskeng.exe, right click select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
  • Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.

Regards.

Reply #102July 22, 2015, 11:12:20 PM

AAVmech2141

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #102 on: July 22, 2015, 11:12:20 PM »
Here is the link for the taskeng.exe compressed file:

https://drive.google.com/open?id=0B-odu-iO-tYIa2VTa0tuRHFWNVU

Thank you!


Reply #103July 23, 2015, 11:53:23 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #103 on: July 23, 2015, 11:53:23 AM »
Hi AAVmech2141,

I don't have access to the file.
Could you please make it public access ?

Regards.

Reply #104July 23, 2015, 02:50:00 PM

AAVmech2141

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #104 on: July 23, 2015, 02:50:00 PM »
Sorry I didn't catch that and thanks for working with me. It should be good now.

https://drive.google.com/file/d/0B-odu-iO-tYIa2VTa0tuRHFWNVU/view?usp=sharing