Author Topic: ===> False Positives <===  (Read 351541 times)

0 Members and 2 Guests are viewing this topic.

Reply #150February 03, 2016, 12:37:15 AM

oscarxp

  • Newbie

  • Offline
  • *

  • 10
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #150 on: February 03, 2016, 12:37:15 AM »
Hey Guys

was Scanning a friends Labtop and found the following IAT hooks. Now not sure if they are malware but those to ask and check if there is any false positives.

I have attached the files.

Please check and let me know.

Reply #151February 03, 2016, 04:43:28 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #151 on: February 03, 2016, 04:43:28 PM »
Hi oscarxp,

These hooks are indeed false positives.
We will fix this as soon as possible.

Regards.

Reply #152February 07, 2016, 06:02:35 AM

blackcastro

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #152 on: February 07, 2016, 06:02:35 AM »
Possible false positives, see text attached.

Reply #153February 08, 2016, 12:03:11 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #153 on: February 08, 2016, 12:03:11 AM »
Hi blackcastro,
Quote
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-185662957-2699151515-3144002599-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=120.138.97.225:8080  -> Found
[PUM.Proxy][FIREFX:Config] iurx8nq0.default : user_pref("network.proxy.http", "115.111.7.246"); -> Found
[PUM.Proxy][FIREFX:Config] iurx8nq0.default : user_pref("network.proxy.http_port", 3128); -> Found
Do you connect to proxy servers on purpose ?

Regards.

Reply #154February 08, 2016, 03:50:23 AM

Raiken347

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #154 on: February 08, 2016, 03:50:23 AM »
Hey guys
can you help me check if these are false positives, please?

Scan logfile attached below
« Last Edit: February 08, 2016, 04:05:14 AM by Raiken347 »

Reply #155February 08, 2016, 01:32:54 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #155 on: February 08, 2016, 01:32:54 PM »
Hi Raiken347,

Welcome to Adlice.com Forum.
Your report is clean.

Regards.

Reply #156February 08, 2016, 03:30:06 PM

Raiken347

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #156 on: February 08, 2016, 03:30:06 PM »
So the hooks in the log were false positives then?
Sry im tech-illiterate

Reply #157February 08, 2016, 04:20:28 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #157 on: February 08, 2016, 04:20:28 PM »
Hi Raiken347,

Yes, they are. :)

Regards.

Reply #158February 12, 2016, 01:15:10 PM

JRottef

  • Newbie

  • Offline
  • *

  • 8
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #158 on: February 12, 2016, 01:15:10 PM »
Hi guys,

can U help me check if IAT hooks on attached .txt are false positives, please?

Thx

Reply #159February 12, 2016, 04:13:05 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #159 on: February 12, 2016, 04:13:05 PM »
Hi JRottef,

Theses IAT hooks are known false positives. We will fix this as soon as possible.

Regards.

Reply #160February 12, 2016, 07:36:38 PM

Atomic

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #160 on: February 12, 2016, 07:36:38 PM »
Bomgar
False-Positive

The Bomgar client and rep console are getting terminated while running Rogue
bomgar is a server or VM that techs use to get remote access to computers/servers/phones etcetera.
We use Bomgar everyday, all-day, everyone of my employees. 
When we run a scan Rogue Kills our remote connection, then we have to wait for the service start again, if at all, and reconnect to the machine.

Killed [TermProc] - Detection: VT.Unknown - Name: bomgar-scc.exe - Path: C:\ProgramData\bomgar-scc-\bomgar-scc.exe
Killed [termproc] - Detection: VT.Unknown - Name: Bomgar-rep.exe - Path\program files\bomgar\bomgar representative console\domain name\bomgar-rep.exe

You can verify them: bomgar.com

Reply #161February 14, 2016, 03:30:23 PM

JRottef

  • Newbie

  • Offline
  • *

  • 8
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #161 on: February 14, 2016, 03:30:23 PM »
Hi Curson,

sorry for delayed answer. Tyvm for your help and good news. :)

Regards

Reply #162February 14, 2016, 09:43:58 PM

baapdamper

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #162 on: February 14, 2016, 09:43:58 PM »
Hi,

I was scanning my laptop with Rogue Killer, and got this results.

Can you help me out? By reporting of they are true or false?

Thanks in advance.

Regards.

baap


Reply #163February 15, 2016, 02:02:24 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ===> False Positives <===
« Reply #163 on: February 15, 2016, 02:02:24 AM »
Hi,

@Atomic
Quote
Killed [TermProc] - Detection: VT.Unknown - Name: bomgar-scc.exe - Path: C:\ProgramData\bomgar-scc-\bomgar-scc.exe
Killed [termproc] - Detection: VT.Unknown - Name: Bomgar-rep.exe - Path\program files\bomgar\bomgar representative console\domain name\bomgar-rep.exe
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.

@JRottef
You are very welcome. :)

@baapdamper,
Welcome to Adlice.com Forum.
Theses IAT hooks are known false positives. We will fix this as soon as possible.

Regards.

Reply #164February 15, 2016, 02:24:38 AM

baapdamper

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: ===> False Positives <===
« Reply #164 on: February 15, 2016, 02:24:38 AM »
Hi,

@Atomic
Quote
Killed [TermProc] - Detection: VT.Unknown - Name: bomgar-scc.exe - Path: C:\ProgramData\bomgar-scc-\bomgar-scc.exe
Killed [termproc] - Detection: VT.Unknown - Name: Bomgar-rep.exe - Path\program files\bomgar\bomgar representative console\domain name\bomgar-rep.exe
These entries show up because they were not present in VirusTotal database at the time of the scan. If you allowed the files to be uploaded, they won't appear anymore.

@JRottef
You are very welcome. :)

@baapdamper,
Welcome to Adlice.com Forum.
Theses IAT hooks are known false positives. We will fix this as soon as possible.

Regards.

Thanks for the answer and help Curson. Really appreciate that. But ive got still one question for you. How come that RogueKiller didn't see the IAT hooks as false positives in the begin on a relatively new fresh Installed Windows? Because a week ago, i formatted and reinstalled Windows and 2 days later i scanned with Roguekiller, and there was nothing wrong. But a friend of mine, downloaded a file on my pc from a sketchy website yesterday. And Roguekiller identified a process and some registry errors. I fixed the problem by repairing, and was scanning after that with my virusscanner (Avast) and Malwarebytes and they found nothing. I started RogueKiller again, and than i saw all the IAT hooks.

So there is nothing to worry about? And i dont have to format again? Thanks for the help again, and in March i will buy the premium version. Im a poor student so cant buy it right now ; ) Really like the program!

Regards,

baapdamper