Author Topic: ===> False Positives <===  (Read 163540 times)


oscarxp
« Reply #120 on: August 27, 2015, 03:19:01 am »
Quote
Hi oscarxp,

Could you please attach the RogueKiller JSON report in your next post?

Regards.

Here I have done a new scan with the new RogueKiller and attached both the txt and JSON files.

WaterBourne
« Reply #121 on: August 27, 2015, 08:32:21 am »
Processes : 3
[VT.Trojan/Win32.BTSGeneric] Service_KMS.exe(2664) -- C:\Program Files\KMSpico\Service_KMS.exe[-] -> Killed [TermProc]
[VT.Unknown] EpicGamesLauncher.exe(7504) -- F:\Program Files\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe[7] -> Killed [TermProc]
[VT.Unknown] UnrealCEFSubProcess.exe(4892) -- F:\Program Files\Epic Games\Launcher\Engine\Binaries\Win64\UnrealCEFSubProcess.exe[7] -> Killed [TermThr]

Registry : 3
[VT.Unknown] (X64) HKEY_USERS\S-1-5-21-2703859281-3180650423-3785014512-1001\Software\Microsoft\Windows\CurrentVersion\Run | EADM : "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart [7] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

Curson (Global Moderator)
« Reply #122 on: August 27, 2015, 04:49:05 pm »
Hi oscarxp,

There is probably a bug with such detection. We are working on it.
Thanks for bringing this to our attention.

Regards.

Curson (Global Moderator)
« Reply #123 on: August 27, 2015, 04:59:55 pm »
Hi WaterBourne,

Quote
[VT.Trojan/Win32.BTSGeneric] Service_KMS.exe(2664) -- C:\Program Files\KMSpico\Service_KMS.exe[-] -> Killed [TermProc]
This program is used to trick the Windows activation scheme and is flagged by VirusTotal. It won't be whitelisted.

Quote
[VT.Unknown] EpicGamesLauncher.exe(7504) -- F:\Program Files\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe[7] -> Killed [TermProc]
[VT.Unknown] UnrealCEFSubProcess.exe(4892) -- F:\Program Files\Epic Games\Launcher\Engine\Binaries\Win64\UnrealCEFSubProcess.exe[7] -> Killed [TermThr]

Registry : 3
[VT.Unknown] (X64) HKEY_USERS\S-1-5-21-2703859281-3180650423-3785014512-1001\Software\Microsoft\Windows\CurrentVersion\Run | EADM : "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart [7] -> Found
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.

Quote
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit and necessary to access the Internet.
For more information, please read RogueKiller Documentation.

Regards.
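
As an added example (not RogueKiller's code and not part of any post in this thread), here is a small Python triage script for the three Registry lines quoted in the reply above. It parses the "[Category] (Arch) Hive\Key | Name : Data [score] -> Status" line shape as it appears in this thread, decodes the documented meanings of ConsentPromptBehaviorAdmin (0 means administrators are elevated without any UAC prompt), and, for a VT.* hit on a Run key, hashes the launched executable locally so its SHA-256 can be looked up on VirusTotal before deciding whether to allow an upload. The function names and note texts are this example's own; the VirusTotal URL shape is copied from the link posted further down the thread.

```python
"""Triage helper for RogueKiller "Registry" detection lines (added example).

Not RogueKiller code. The sample lines are the three quoted in the post above;
the ConsentPromptBehaviorAdmin meanings are Microsoft's documented values;
the VirusTotal URL shape is the one that appears later in this thread.
Function and field names are this example's own choices.
"""
import hashlib
import os
import re

# Constructed input: copied from the Registry section quoted above.
SAMPLE_REGISTRY_LINES = r'''
[VT.Unknown] (X64) HKEY_USERS\S-1-5-21-2703859281-3180650423-3785014512-1001\Software\Microsoft\Windows\CurrentVersion\Run | EADM : "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart [7] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
'''

# Line shape as seen in this thread: [Category] (Arch) Hive\Key | Name : Data [score] -> Status
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>.+?)\s+\|\s+"
    r"(?P<name>[^:]+?)\s+:\s+(?P<data>.*?)(?:\s+\[(?P<score>[^\]]*)\])?\s+->\s+(?P<status>\w+)\s*$"
)

# Documented values of HKLM\...\Policies\System\ConsentPromptBehaviorAdmin.
CONSENT_PROMPT_BEHAVIOR_ADMIN = {
    0: "elevate without prompting (administrators never see a UAC prompt)",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (Windows default)",
}


def executable_from_command(command):
    """Return the program path from a Run-key command line, honouring quotes."""
    m = re.match(r'^"([^"]+)"', command)
    return m.group(1) if m else command.split(" ", 1)[0]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_url(sha256_hex):
    # URL shape copied from the VirusTotal link posted further down this thread.
    return "https://www.virustotal.com/en/file/%s/analysis/" % sha256_hex


def triage_registry(text):
    """Parse Registry detection lines and attach a plain-language reading to each."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, section headers, other line types
        rec = m.groupdict()
        rec["notes"] = []
        if rec["category"].startswith("VT.") and rec["key"].endswith("\\Run"):
            # VT.* on an autorun: the verdict depends on the launched file, so hash it.
            exe = executable_from_command(rec["data"])
            rec["executable"] = exe
            if os.path.isfile(exe):
                rec["sha256"] = sha256_file(exe)
                rec["notes"].append("look the hash up before allowing an upload: " + vt_url(rec["sha256"]))
            else:
                rec["notes"].append("launched file is not present on this machine, nothing to hash")
        elif rec["category"] == "PUM.Policies" and rec["name"] == "ConsentPromptBehaviorAdmin":
            value = int(rec["data"]) if rec["data"].isdigit() else None
            rec["uac_meaning"] = CONSENT_PROMPT_BEHAVIOR_ADMIN.get(value, "undocumented value")
            if value == 0:
                rec["notes"].append("admins are elevated silently; expected only if UAC prompting was turned off on purpose")
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in triage_registry(SAMPLE_REGISTRY_LINES):
        print(rec["category"], rec["arch"], rec["name"], "=", rec["data"])
        for note in (rec.get("uac_meaning", ""), *rec["notes"]):
            if note:
                print("   ", note)
```

Run it on a saved RogueKiller txt report (feed the file contents to triage_registry) on the machine that produced the report; on any other host the Run-key executable will simply be reported as absent. The regex is deliberately anchored on the " | " and " -> " separators so a path containing spaces, parentheses or a colon, as in the Origin line, does not confuse the field split.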

oscarxp
« Reply #124 on: August 30, 2015, 01:48:42 am »
Quote
Hi oscarxp,

There is probably a bug with such detection. We are working on it.
Thanks for bringing this to our attention.

Regards.

Thanks for the reply, so do I need to do anything?

Curson (Global Moderator)
« Reply #125 on: August 31, 2015, 01:36:18 pm »
Hi oscarxp,

No, you don't need to do anything at all.

Regards.
« Last Edit: August 31, 2015, 01:38:21 pm by Curson »

1PW
« Reply #126 on: September 21, 2015, 09:19:10 pm »
Hello All:

While running version 10.10.6.0, the following was reported, in part, regarding Malwarebytes Anti-Exploit (MBAE) version 1.08.1.1025 Beta Preview:

Code:
Processes : 1
[VT.Unknown] mbae64.exe(3972) -- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[7] -> Killed [DrvNtTerm]

Manually submitting the identical mbae64.exe file to VirusTotal.com yielded https://www.virustotal.com/en/file/abc0a4e0ae2485862b54f92fa7c90e39959730dab6b441e3603f6bdff270e0b0/analysis/1442859057/

The version of MBAE in question may be downloaded from https://malwarebytes.box.com/s/2nhlislxnicldrtfs6qx073pa2rrk0zz

Please examine these reports and reply with your theory as to what is happening.

Thank you.
« Last Edit: September 21, 2015, 09:21:09 pm by 1PW »

Curson (Global Moderator)
« Reply #127 on: September 24, 2015, 12:21:11 am »
Hi 1PW,

Welcome to Adlice.com Forum.

This entry shows up because the file was not present in the VirusTotal database at the time of the scan. If you allowed the file to be uploaded, it won't appear anymore.

Regards.

1PW
« Reply #128 on: September 24, 2015, 08:55:23 am »
The above FP is gone now.

Thank you.

Curson (Global Moderator)
« Reply #129 on: September 24, 2015, 03:21:19 pm »
Hi 1PW,

You are welcome.

Regards.

Kaitengiri
« Reply #130 on: October 07, 2015, 11:07:41 am »
Are these legit... code... whatever... Or is it just a false alert? I'm confused because RogueKiller suddenly found these IAT hooks on my PC... Copy-pasting the log...
Please help a confused fellah ;__;

RogueKiller V10.10.9.0 (x64) [Oct  5 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Niko [Administrator]
Started from : C:\Users\Niko\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 10/07/2015 11:40:24

Processes : 0

Registry : 3
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\Niko\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\Niko\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\Niko\AppData\Local\Temp\ALSysIO64.sys) -> Found

Tasks : 0

Files : 0

Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 30 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x772201e0 (jmp 0x161140|jmp 0xfffffffffffffe19|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x772203a0 (jmp 0x162650|jmp 0xfffffffffffffc59|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x77220380 (jmp 0x162610|jmp 0xfffffffffffffc79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x772202c0 (jmp 0x162490|jmp 0xfffffffffffffd39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtNotifyChangeKey : Unknown @ 0x77220480 (jmp 0x161bf0|jmp 0xfffffffffffffb79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x772203d0 (jmp 0x162760|jmp 0xfffffffffffffc29|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x772202d0 (jmp 0x162520|jmp 0xfffffffffffffd29|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtAssignProcessToJobObject : Unknown @ 0x77220390 (jmp 0x162160|jmp 0xfffffffffffffc69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtSetContextThread : Unknown @ 0x772203f0 (jmp 0x161510|jmp 0xfffffffffffffc09|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77220300 (jmp 0x1624b0|jmp 0xfffffffffffffcf9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77220360 (jmp 0x162750|jmp 0xfffffffffffffc99|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtNotifyChangeMultipleKeys : Unknown @ 0x77220490 (jmp 0x161bf0|jmp 0xfffffffffffffb69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77220440 (jmp 0x162990|jmp 0xfffffffffffffbb9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateIoCompletion : Unknown @ 0x77220340 (jmp 0x162020|jmp 0xfffffffffffffcb9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSection : Unknown @ 0x77220310 (jmp 0x1625f0|jmp 0xfffffffffffffce9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSemaphore : Unknown @ 0x772202a0 (jmp 0x161e90|jmp 0xfffffffffffffd59|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSemaphore : Unknown @ 0x772202b0 (jmp 0x161920|jmp 0xfffffffffffffd49|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateMutant : Unknown @ 0x77220280 (jmp 0x161f00|jmp 0xfffffffffffffd79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenMutant : Unknown @ 0x77220290 (jmp 0x161950|jmp 0xfffffffffffffd69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateTimer : Unknown @ 0x77220320 (jmp 0x161ee0|jmp 0xfffffffffffffcd9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenTimer : Unknown @ 0x77220330 (jmp 0x161960|jmp 0xfffffffffffffcc9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateThreadEx : Unknown @ 0x772203c0 (jmp 0x161f90|jmp 0xfffffffffffffc39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x772203e0 (jmp 0x162500|jmp 0xfffffffffffffc19|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenThread : Unknown @ 0x77220370 (jmp 0x1619b0|jmp 0xfffffffffffffc89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSuspendThread : Unknown @ 0x77220420 (jmp 0x161290|jmp 0xfffffffffffffbd9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x77220470 (jmp 0x162270|jmp 0xfffffffffffffb89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtQueueApcThreadEx : Unknown @ 0x77220430 (jmp 0x161770|jmp 0xfffffffffffffbc9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ GDI32.dll) ntdll.dll - NtVdmControl : Unknown @ 0x77220270 (jmp 0x160ff0|jmp 0xfffffffffffffd89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenEventPair : Unknown @ 0x772202f0 (jmp 0x161a20|jmp 0xfffffffffffffd09|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ WS2_32.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x772201d0 (jmp 0x161a30|jmp 0xfffffffffffffe29|call 0x5)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: WDC WD10EZEX-75M2NA0 ATA Device +++++
--- User ---
[MBR] 6bff5770c03e7cd9ad8c283232419a35
[BSP] 073100360ba840d05d0fb98b809d619c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Curson (Global Moderator)
« Reply #131 on: October 07, 2015, 07:39:44 pm »
Hi Kaitengiri,

Welcome to Adlice.com Forum.
Those hooks are legit.

Regards.
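
As an added example (not RogueKiller's code and not part of any post in this thread), the Python script below parses the two kinds of lines that worried the poster above: the "[IAT:Inl(Hook.IEAT)]" entries from the Antirootkit section and the "[Suspicious.Path]" service entries. It summarises, per process, which ntdll functions are hooked, what those functions control (process and thread manipulation, memory writes, driver loading, synchronisation objects), whether every hook uses the same stub shape ("jmp|jmp|call" here) and how tightly the hooked addresses cluster; one stub shape across one small address window is what a single user-mode hooking engine, such as an anti-exploit or antivirus product, leaves behind, and is the kind of check a practitioner would make before accepting "those hooks are legit". It also flags any service whose driver image is loaded from a location an unprivileged user can write to, like the Temp directory in the report, since that is worth identifying regardless of whether it is unwanted. Assumptions of this example, not facts from the thread: the address after "@" is read as the hooked stub inside ntdll (the entries are 0x10 apart, like ntdll's syscall stubs), "Unknown" as the module RogueKiller could not attribute the hook to, and the function grouping and path markers are this example's own. The sample input is a subset of the report's 30 hook lines plus one of its Suspicious.Path lines.

```python
"""Triage helper for RogueKiller "Antirootkit" hook lines and "Suspicious.Path"
service entries (added example, not RogueKiller code).

Sample lines are copied from the report in the post above (a subset of its 30
hook lines). Assumptions of this example: the address after "@" is the hooked
stub inside the target module, "Unknown" is the module RogueKiller could not
attribute the hook to, and the groups and path markers are this example's own.
"""
import re
from collections import Counter

# Constructed input, copied from the report above.
SAMPLE_REPORT = r'''
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\Niko\AppData\Local\Temp\ALSysIO64.sys) -> Found
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x772201e0 (jmp 0x161140|jmp 0xfffffffffffffe19|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x772203a0 (jmp 0x162650|jmp 0xfffffffffffffc59|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x772203d0 (jmp 0x162760|jmp 0xfffffffffffffc29|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x772202c0 (jmp 0x162490|jmp 0xfffffffffffffd39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateThreadEx : Unknown @ 0x772203c0 (jmp 0x161f90|jmp 0xfffffffffffffc39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtQueueApcThreadEx : Unknown @ 0x77220430 (jmp 0x161770|jmp 0xfffffffffffffbc9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ WS2_32.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x772201d0 (jmp 0x161a30|jmp 0xfffffffffffffe29|call 0x5)
'''

# [Kind] (process[ @ importing module]) target - Function : owner @ 0xaddr (disasm)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+\((?P<process>[^\s@)]+)(?:\s+@\s+(?P<importer>[^)]+))?\)\s+"
    r"(?P<target>\S+)\s+-\s+(?P<func>\S+)\s+:\s+(?P<owner>\S+)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)"
    r"\s+\((?P<disasm>[^)]*)\)\s*$"
)
# [Category] (Arch) HKLM\...\Services\Name (\??\image path) -> Status
SERVICE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>\S+)\s+\((?P<image>[^)]+)\)\s+->\s+(?P<status>\w+)\s*$"
)

# What a hook on each native function lets the hooking module see or block (example's own grouping).
HOOK_GROUPS = {
    "process/thread control": {"NtOpenProcess", "NtTerminateProcess", "NtOpenThread", "NtTerminateThread",
                               "NtSuspendThread", "NtCreateThreadEx", "NtSetContextThread",
                               "NtQueueApcThreadEx", "NtAssignProcessToJobObject"},
    "memory/sections": {"NtWriteVirtualMemory", "NtCreateSection", "NtOpenSection"},
    "drivers/system": {"NtLoadDriver", "NtSetSystemInformation", "NtVdmControl"},
    "sync objects": {"NtCreateEvent", "NtOpenEvent", "NtCreateMutant", "NtOpenMutant", "NtCreateSemaphore",
                     "NtOpenSemaphore", "NtCreateTimer", "NtOpenTimer", "NtOpenEventPair", "NtCreateIoCompletion"},
}
# Path fragments an unprivileged user can normally write to (heuristic, example's own).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def hook_group(func):
    for group, names in HOOK_GROUPS.items():
        if func in names:
            return group
    return "other"


def parse_report(text):
    """Split a report into hook records and service records; other lines are ignored."""
    hooks, services = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["addr"] = int(h["addr"], 16)
            h["group"] = hook_group(h["func"])
            # "jmp 0x161140|jmp 0x...|call 0x5" -> "jmp|jmp|call": the shape of the hook stub
            h["stub"] = "|".join(part.split()[0] for part in h["disasm"].split("|"))
            hooks.append(h)
            continue
        m = SERVICE_RE.match(line)
        if m:
            s = m.groupdict()
            s["service"] = s["key"].rsplit("\\", 1)[-1]
            s["image"] = s["image"][4:] if s["image"].startswith("\\??\\") else s["image"]
            services.append(s)
    return hooks, services


def summarize_hooks(hooks):
    """Per process: what is hooked, where it sits, and whether one stub shape was used throughout."""
    out = {}
    for h in hooks:
        s = out.setdefault(h["process"], {"count": 0, "targets": set(), "importers": set(), "owners": set(),
                                          "functions": [], "groups": Counter(), "stub_patterns": set(),
                                          "address_span": None})
        s["count"] += 1
        s["targets"].add(h["target"])
        s["importers"].add(h["importer"] or "(direct)")
        s["owners"].add(h["owner"])
        s["functions"].append(h["func"])
        s["groups"][h["group"]] += 1
        s["stub_patterns"].add(h["stub"])
        lo, hi = s["address_span"] or (h["addr"], h["addr"])
        s["address_span"] = (min(lo, h["addr"]), max(hi, h["addr"]))
    return out


def flag_drivers(services):
    """Services whose image lives somewhere an unprivileged user can write."""
    flagged = []
    for s in services:
        low = s["image"].lower()
        hits = [mk.strip("\\") for mk in USER_WRITABLE_MARKERS if mk in low]
        if hits:
            flagged.append({"service": s["service"], "image": s["image"],
                            "reason": "driver image under user-writable location (%s)" % ", ".join(hits)})
    return flagged


if __name__ == "__main__":
    hooks, services = parse_report(SAMPLE_REPORT)
    for proc, s in summarize_hooks(hooks).items():
        print("%s: %d hooks on %s, owner %s, stubs %s, addresses 0x%x-0x%x" % (
            proc, s["count"], ",".join(s["targets"]), ",".join(s["owners"]),
            ",".join(s["stub_patterns"]), *s["address_span"]))
        for group, n in s["groups"].most_common():
            print("   %-24s %d" % (group, n))
    for f in flag_drivers(services):
        print("%s -> %s: %s" % (f["service"], f["image"], f["reason"]))
```

Fed the full 30-line Antirootkit section, the summary shows one process, one target module, one owner ("Unknown"), one stub pattern and a window of a few hundred bytes inside ntdll; that uniformity is the supporting evidence for treating the set as one product's hooks rather than 30 independent findings. The Suspicious.Path flag does not say the driver is malicious, only that a kernel driver registered from a per-user Temp directory should be tied back to the program that installed it (and its signature checked) before the service entry is left in place.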

malware1
« Reply #132 on: October 19, 2015, 03:16:28 pm »
[Hj.Name] (X64) HKEY_USERS\RK_Default_ON_G_5317\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [7]
[Hj.Name] (X86) HKEY_USERS\RK_Default_ON_G_5317\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [7]

Curson (Global Moderator)
« Reply #133 on: October 20, 2015, 02:27:21 pm »
Hi malware1,

Thanks for the report.
We will do our best to whitelist it in the next RogueKiller release.

Regards.

oscarxp
« Reply #134 on: October 21, 2015, 11:21:48 pm »
Hey Admins

It's been a while, so I decided to do some checks on my PC. I downloaded the latest version of RogueKiller and there seems to be some stuff detected again. Now I'm not sure if they are false positives, as I have also scanned the system using ESET and Malwarebytes Anti-Malware (latest versions) and nothing comes up as infected.

I have attached the files; please do check and let me know.