Author Topic: ===> False Positives <===  (Read 351493 times)

0 Members and 6 Guests are viewing this topic.

Reply #105July 23, 2015, 06:20:56 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #105 on: July 23, 2015, 06:20:56 PM »
Hi AAVmech2141,

Symantec Endpoint Protection is indeed the culprit.
Theses false positives will be fixed in the next version of RogueKiller. Thanks for reporting them.

Regards.

Reply #106July 23, 2015, 07:20:28 PM

AAVmech2141

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #106 on: July 23, 2015, 07:20:28 PM »
Curson,

Awesome thank you so much for your help.


Reply #107July 23, 2015, 07:26:24 PM

AAVmech2141

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #107 on: July 23, 2015, 07:26:24 PM »
Curson,

FYI rouge killer only acted like that to Symantec Endpoint Protection on 32 bit OS and not 64 bit

Reply #108July 24, 2015, 12:14:17 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #108 on: July 24, 2015, 12:14:17 AM »
Hi AAVmech2141,

You are very welcome.
Symantec Endpoint Protection was already whitelisted for 64 bits OSs but, for some reasons, not on 32 bits ones. ;)

Regards.

Reply #109July 24, 2015, 03:18:04 PM

LarrySabo

  • Newbie

  • Offline
  • *

  • 8
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #109 on: July 24, 2015, 03:18:04 PM »
RogueKiller won't quarantine any files during the pre-scan and the scan itself. You are able to select the files to be deleted/quarantined after the scan is complete.
Hi again,

RogueKiller terminates any AmmyAdin processes during the pre-scan, which makes it impossible to use the product remotely for me, since Ammyy is my remoye support app.  Is there a way to tell RogueKiller to exempt this or other specified processes?

Larry

Reply #110July 25, 2015, 09:49:17 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #110 on: July 25, 2015, 09:49:17 PM »
Hi LarrySabo,

Yes, you can achieve this using RogueKiller External Scanner.
For more information, please read : RogueKiller External Scanner.

Regards.

Reply #111July 26, 2015, 02:51:41 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 956
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: ===> False Positives <===
« Reply #111 on: July 26, 2015, 02:51:41 PM »
Hey all,
@LarrySabo you can also give us a scan report and we will whitelist it.
Thanks.

Reply #112August 13, 2015, 08:17:43 AM

ATUONA

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #112 on: August 13, 2015, 08:17:43 AM »
Hello, are these false positives or is my computer infected ?
¤¤¤ Registre : 3 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VBoxAswDrv (\??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys) -> Trouvé(e)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2406841604-1318200101-2111424369-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2406841604-1318200101-2111424369-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
Thanks

Reply #113August 13, 2015, 09:41:04 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #113 on: August 13, 2015, 09:41:04 PM »
Hi ATUONA,

Welcome to Adlice.com Forum.
The following entry is a false positive. Thanks for bringing it to our attention.
Quote
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VBoxAswDrv (\??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys) -> Trouvé(e)
It will be whitelisted as soon as possible.

The others entries are Potentially Unwanted Modification (PUM). In your case, they are perfectly legit.

Regards.

Reply #114August 15, 2015, 11:31:18 PM

oscarxp

  • Newbie

  • Offline
  • *

  • 10
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #114 on: August 15, 2015, 11:31:18 PM »
Hey Guys

im new to this forum but i been using Roguekiller for some time, i downloaded latest version and scanned my labtop. Only problem is i get the below results attached showing up not sure if they are false positives or i been infected.

I have scanned the system using ESET, Malwarebytes Anti Malware latest versions and nothing comes up as infected.

Please can you verify this.. Thanks

Below is my attached Log file of RogueKiller
« Last Edit: August 15, 2015, 11:42:02 PM by oscarxp »

Reply #115August 17, 2015, 02:06:30 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #115 on: August 17, 2015, 02:06:30 PM »
Hi oscarxp,

Welcome to Adlice.com Forum.
These hooks seems legit.

Regards.

Reply #116August 21, 2015, 05:36:23 AM

Nickerbocker

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #116 on: August 21, 2015, 05:36:23 AM »
Hello All,

Updated to 10.10.1.0 ran a scan and noticed IAT hooks in the 'AntiRootKit' tab. Just wondering if these are false positives, or if I am still infected. I use the word "still" because I recently dealt with the conduit virus.

I have ran MWB Anti-Malware, adwcleaner, Hitman Pro and find no remaning traces. I also ran MWB Anti-Rootkit, Bootkit Removal (BitDefender) , TDSS Killer (Kaspersky) and of course RogueKiller. RogueKiller is the only scan to detect these IAT hooks. Log attached.

Thanks in advance,

Reply #117August 21, 2015, 03:29:02 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #117 on: August 21, 2015, 03:29:02 PM »
Hi Nickerbocker,

Welcome to Adlice.com Forum.
These hooks are legit.

Regards.

Reply #118August 25, 2015, 03:10:17 PM

oscarxp

  • Newbie

  • Offline
  • *

  • 10
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #118 on: August 25, 2015, 03:10:17 PM »
Hi oscarxp,

Welcome to Adlice.com Forum.
These hooks seems legit.

Regards.

Thanks but i did a new scan and now show my svchost.exe(4616) was terminated as its infected.

I have scanned with ESET, and Malwarebytes Anti Malware and shows nonthing infected. Is this another false positive i have attached new scan log

Reply #119August 25, 2015, 08:36:44 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #119 on: August 25, 2015, 08:36:44 PM »
Hi oscarxp,

Could you please attach RogueKiller JSON report in your next post ?

Regards.