Author Topic: ===> False Positives <===  (Read 351589 times)

Curson
Re: ===> False Positives <===
« Reply #165 on: February 15, 2016, 08:57:59 PM »
Hi baapdamper,

These hooks were certainly added by a Windows KB on Windows 10. You are not the only user reporting them, but it's quite difficult for us to whitelist them for technical reasons.
So, you don't have to format your system again.

Quote from: baapdamper
Thanks for the help again, and in March I will buy the premium version. I'm a poor student so I can't buy it right now ; ) Really like the program!
Thanks for your support and the kind words. :)

Regards.

shawnkhall
« Reply #166 on: March 03, 2016, 06:54:03 AM »
The current version of Chrome (49.0.2623.75, released today) is detected as Proc.RunPE.

Curson
« Reply #167 on: March 03, 2016, 06:30:06 PM »
Hi shawnkhall,

Could you please post the full RogueKiller report in your next reply?

Regards.

Yaakov A. Sternberg
« Reply #168 on: March 11, 2016, 02:53:11 AM »
Are all of these false positives?

RogueKiller V12.0.1.0 (x64) [Mar  7 2016] (Free) by Adlice Software

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/10/2016 19:56:01

¤¤¤ Processes : 3 ¤¤¤
[Proc.RunPE] igfxtray.exe(5208) -- C:\Windows\System32\igfxTray.exe -> Found
[Tr.Zeus] mbar.exe(4336) -- C:\Users\Ima\Desktop\YAX\Antimalware\mbar\mbar.exe -> Found
[Suspicious.Path] {2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe(3344) -- C:\Users\Ima\AppData\Local\Temp\{B5B979C1-C8E7-4616-B6AC-9CDD0F2D9BF0}\{2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe -> Found


¤¤¤ Registry : 12 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-679388669-3697153169-3940493748-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] C:\Users\Ima\AppData\Local\Temp\44645a3\winlogon.exe -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x0]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LT012-1DG142 +++++
--- User ---
[MBR] beb9253c14cd2e84d0c7c51fca657a43
[BSP] b3fc247e62bdab1f7acf574a70a921f8 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 190776 MB
4 - Basic data partition | Offset (sectors): 393021440 | Size: 264545 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 934809600 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

Curson
« Reply #169 on: March 11, 2016, 02:39:58 PM »
Hi Yaakov A. Sternberg,
Quote
[Proc.RunPE] igfxtray.exe(5208) -- C:\Windows\System32\igfxTray.exe
[Tr.Zeus] mbar.exe(4336) -- C:\Users\Ima\Desktop\YAX\Antimalware\mbar\mbar.exe
These ones are false positives. This will be fixed as soon as possible.

Quote
[Suspicious.Path] {2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe(3344) -- C:\Users\Ima\AppData\Local\Temp\{B5B979C1-C8E7-4616-B6AC-9CDD0F2D9BF0}\{2016FF4C-9F2D-449D-9795-26CCF5FF66CC}.exe
[Hj.Name][File] C:\Users\Ima\AppData\Local\Temp\44645a3\winlogon.exe
These ones are detected as suspicious because of the path and name but are perfectly legit.

PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit.
For more information, please read RogueKiller Documentation.

Regards.

oscarxp
« Reply #170 on: March 14, 2016, 05:06:57 PM »
Hey Guys

Did a new scan with the new version; there seem to be some false positives.

Files attached.

Curson
« Reply #171 on: March 14, 2016, 08:30:56 PM »
Hi oscarxp,

These entries are PUMs (Potentially Unwanted Modification). In your case, they are perfectly legit and necessary to access the Internet.
For more information, please read RogueKiller Documentation.

Regards.

JukkaG
« Reply #172 on: March 23, 2016, 03:12:06 PM »
F-Secure Antivirus component is getting tagged as Zeus again.

Curson
« Reply #173 on: March 23, 2016, 03:31:36 PM »
Hi JukkaG,

Thanks for your feedback.
This false positive will be fixed as soon as possible.

Regards.

oscarxp
« Reply #174 on: April 17, 2016, 07:50:38 PM »
Hey Admins

Please can you check, as there are some files flagged as malware and I'm not sure if it's true or not.

Also, PUMs were detected.

Attached files

Curson
« Reply #175 on: April 18, 2016, 03:06:50 PM »
Hi oscarxp,

Thanks for your feedback.
Quote from: oscarxp
[VT.Unknown] IDMan.exe(7984) -- C:\Program Files\Internet Download Manager\IDMan.exe ->Found
This entry shows up because it was not present in the VirusTotal database at the time of the scan. If you allowed the file to be uploaded, it won't appear anymore.

Quote from: oscarxp
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{08737A4B-C649-4A48-B690-5089E5F1FAC5} | NameServer : 10.4.0.1 ([])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{08737A4B-C649-4A48-B690-5089E5F1FAC5} | NameServer : 10.4.0.1 ([])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{08737A4B-C649-4A48-B690-5089E5F1FAC5} | NameServer : 10.4.0.1 ([])  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3866417636-918505807-1518629057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
These entries are PUMs (Potentially Unwanted Modification). In your case, they are perfectly legit.
For more information, please read RogueKiller Documentation.

Quote from: oscarxp
[Hidden.ADS][Stream] C:\Windows\System32\rpcss.dll:$CmdTcID -> Found
This is a legit Comodo ADS.
It will be whitelisted as soon as possible.

Regards.
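As an added example (not code from this thread or from Adlice), the following Python helper parses report lines in the format quoted in replies #169 and #175 above and attaches the kind of triage hint Curson gives: PUM entries are settings to verify, VT.Unknown means the hash was absent from VirusTotal at scan time, and path or name detections such as a winlogon.exe under Temp call for a publisher-signature check. The sample lines are constructed and modelled on the ones quoted in the thread; the SYSTEM_BINARIES set and the hint wording are the example's own assumptions.

```python
import re
# Constructed sample modelled on the report lines quoted in this thread; it is not a real scan.
SAMPLE_REPORT = r"""
[Proc.RunPE] igfxtray.exe(5208) -- C:\Windows\System32\igfxTray.exe -> Found
[Hj.Name][File] C:\Users\Ima\AppData\Local\Temp\44645a3\winlogon.exe -> Found
[VT.Unknown] IDMan.exe(7984) -- C:\Program Files\Internet Download Manager\IDMan.exe ->Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | NameServer : 10.4.0.1 ([])  -> Found
[Hidden.ADS][Stream] C:\Windows\System32\rpcss.dll:$CmdTcID -> Found
"""

LINE_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<body>.*?)\s*->\s*Found\s*$")
TAG_RE = re.compile(r"\[([^\]]+)\]")
PROC_RE = re.compile(r"^(?P<name>.+?)\((?P<pid>\d+)\) -- (?P<path>.+)$")
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}  # assumed: expected only in System32

def parse_line(line: str) -> dict:
    """Split one detection line into category, subtype and its process, registry or file fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised report line: {line!r}")
    tags = TAG_RE.findall(m.group("tags"))
    entry = {"category": tags[0], "subtype": tags[1] if len(tags) > 1 else "", "raw": line}
    body = re.sub(r"^\((?:X64|X86)\) ", "", m.group("body"))  # drop the registry view marker
    proc = PROC_RE.match(body)
    if proc:                        # "[Cat] name(pid) -- path"
        entry.update(name=proc["name"], pid=proc["pid"], path=proc["path"])
    elif " | " in body:             # "[Cat] key | value : data"
        entry["key"], _, entry["value"] = body.partition(" | ")
    else:                           # "[Cat][Sub] path" for files and streams
        entry["path"] = body
    return entry

def triage(entry: dict) -> list:
    """Defender-side hints that mirror the moderator's explanations in this thread."""
    hints = []
    cat, path = entry["category"], entry.get("path", "")
    if cat.startswith("PUM."):
        hints.append("potentially unwanted modification: confirm the setting is one you expect")
    if cat == "VT.Unknown":
        hints.append("hash absent from VirusTotal at scan time, not a verdict: re-check after upload")
    if re.search(r"\\Temp\\", path, re.IGNORECASE):
        hints.append("flagged for its temp-directory path: identify the installer that owns it")
    if path.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
        hints.append("system binary name outside System32: verify the publisher signature")
    if entry["subtype"] == "Stream":
        hints.append("alternate data stream: identify the product that owns the stream name")
    return hints

def triage_report(report: str) -> list:
    return [dict(parse_line(l), hints=triage(parse_line(l))) for l in report.splitlines() if l.strip()]
```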

1PW
« Reply #176 on: April 23, 2016, 10:17:27 PM »
Hello All:

False Positive Check Request.  RogueKiller (Free) 12.1.3.0 64-bit

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] mbae64.exe(4016) -- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe-> Found

The above file is a part of Malwarebytes Anti-Exploit (MBAE) Free/Trial/Premium v1.08.1.1195

Reference: https://www.virustotal.com/en/file/e663232a48ffb3d730a1728ef72ab305517c2059d6d59db999a178e8ae726b6a/analysis/1461437900/ Digitally signed.

Thank you for your consideration,

1PW
« Last Edit: April 23, 2016, 10:22:54 PM by 1PW »

Curson
« Reply #177 on: April 24, 2016, 11:27:06 PM »
Hi 1PW,

This entry shows up because it was not present in the VirusTotal database at the time of the scan.
If you allowed the file to be uploaded, it won't appear anymore.

Regards.
« Last Edit: April 24, 2016, 11:41:20 PM by Curson »

Germán Pc
« Reply #178 on: April 27, 2016, 07:51:42 AM »
Hi guys,

I just created my profile here and I just wanted to know if I should be worried about the log that RK created this time:

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
correo : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Sitio web : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Sistema Operativo : Windows 10 (10.0.10586) 64 bits version
Iniciado en : Modo Normal
Usuario : gpc98_000 [Administrador]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Modo : Escanear -- Fecha : 04/27/2016 00:10:04

¤¤¤ Procesos : 1 ¤¤¤
[Proc.RunPE] NvStreamService.exe(2448) -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe -> Encontrado


¤¤¤ Registro : 10 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.unal.edu.co:8080  -> Encontrado
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.unal.edu.co:8080  -> Encontrado
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/  -> Encontrado
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/  -> Encontrado
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com  -> Encontrado
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3070503474-1825489414-2760614103-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53d8aaec-47b2-470f-b616-d2696171eb68} | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{53d8aaec-47b2-470f-b616-d2696171eb68} | DhcpNameServer : 10.2.9.116 10.3.9.116 ([][])  -> Encontrado

¤¤¤ Tareas : 0 ¤¤¤

¤¤¤ Archivos : 1 ¤¤¤
[PUP][Carpeta] C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} -> Encontrado

¤¤¤ Archivo de hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Cargado) ¤¤¤

¤¤¤ Navegadores Web : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] 6t8gr3ik.default-1432495202606 : user_pref("network.proxy.type", 2); -> Encontrado

¤¤¤ Chequeo MBR : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 27e1843659451c18b582d4bcf7e5786c
[BSP] 9cb9bd99896f179553067dcea5b1f913 : Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381097 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 782798848 | Size: 450 MB
5 - Basic data partition | Offset (sectors): 783720448 | Size: 550703 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

NOTE: the unal.edu.co proxy is the proxy that I have to use in order to access the internet from my university.

I launched RK because I am actually having an issue updating my Nvidia GeForce 720m's drivers for a few months. I have tried downloading the drivers directly from Nvidia's website and it always stops the installation with a message that says that I already have the most recent drivers. But when I go to check that in the devices administrator (I don't know which is the real name in English because I am Colombian...) it says that it is not updated. So I have tried a lot of times updating it through the window that allows you to update it from this "devices administrator" page, and it shows me error code 28.

Thanks for taking the time for reading this,

Regards :)

Curson
« Reply #179 on: April 27, 2016, 07:26:59 PM »
Hi Germán Pc,

Welcome to Adlice.com Forum.
Quote
[Proc.RunPE] NvStreamService.exe(2448) -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe ->  Encontrado
This entry is a false positive. You can safely ignore it.

Quote
[PUP][Carpeta] C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} -> Encontrado
This folder is malware-related. I advise you to delete it.

The rest of your report is clean.
For the issue you are encountering with updating the Nvidia drivers, you could try to completely uninstall them using the Windows Control Panel, then do a full reinstall with the ones you downloaded from Nvidia's website.

Regards.