===> False Positives <===

[Germán Pc]

Thanks a lot for your help . I'm going to uninstall it and a will write here how is it going.

Regards

[Curson]

Hi Germán Pc,

You are very welcome.

Regards.

[JukkaG]

F-Secure Antivirus is again coming up as Zeus, as you can see in log attached.

[Curson]

Hi JukkaG,

Thanks for letting us known. It seems the path of the process has changed.
We will whitelist it again as soon as possible.

Regards.

[gamefan]

Hello

I am here to report false positives.

A scan of rougekiller found 2 potential files

[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\RemoveTresoritTemp.exe -> Found
[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\UninstallTresoritCompletely.exe -> Found

these are leftover uninstall exe's from Tresorit, which is a legit alternative to Dropbox, they've never been detected before on any of my scans.

I uploaded both to virus total

https://www.virustotal.com/en/file/619f1109e826eb98fee8573ee325033d6f6afa37fd94b49817826613cb79dda4/analysis/1473056903/
https://www.virustotal.com/en/file/8c85f3cc07e342cfd7e38870e3af676981c6b0f80d039969a68f7f41c002b369/analysis/1473056917/

what should I do? Are these both legit files? I believe DrWeb ended up labeling the second file as safe a few minutes after I uploaded it.

[gamefan]

Update:

both detections have diasappeared after running a scan in safe mode after updating RK. Has it alreadybeen whitelisted?

If they still doont show up after running itnagain in normal mode, doesnthat mean im fine?

also they didnt show up on the adwcleaner, JRT, Kaspersky anti root kit, mcaffe anti rootkit, malwarebytes, or hotman scans. none of them found anything malicious

[Curson]

Hi gamefan,

Thanks for your feedback.
These entries were indeed false positives but this if fixed in RogueKiller latest version released today.

Regards.

[Punit Srivastava]

 
Hi Team,
 
I would like to introduce our product “ReSOLV” , We provide predictive device management software for Tech Support Providers, SMBs, IT Helpdesks, and anyone who wants to manage end-user devices.
We are associated with the well known names of IT sector i.e. HP, DELL, IBM, TOSHIBA & and many more. My concern of writing this email to you is related with the white listing of our product. I am attaching here the exe & dll files of our product which have a 2762 version number. Please verify accordingly. I would request you to white list our product in your database.
 
Your favor in white listing process would be highly appreciable.

Regards,
Punit Srivastava
Sr. Software Engineer-Testing&Support
HFN Inc|Support Automation Delivered

 

[Curson]

Hi Punit,

Welcome to Adlice.com Forum.
Could you please provide a report of RogueKiller detecting your product ?

Regards.

[firefoxthebomb]

Think I have some false positives here, see log below, The items I feel are false positive are in RED

1. hasplms.exe file is part of the ScanSnap software that comes with my fi-6130Z scanner the virustotal results here: https://www.virustotal.com/en/file/22c58e4bf558420fee5b2d6a8f15531c768f5814a18d5f5b20cdbc8479090319/analysis/1476191969/

2. The 3 reg keys are part of my Symantec Endpoint Protection version 12.1.6 (12.1 RU6 MP5) build 7004 (12.1.7004.6500) (AntiVirus)

3. The slack ones are part of the slack messenger v2.2.1

RogueKiller V12.7.1.0 (x64) [Oct 10 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : firefox [Administrator]
Started from : L:\Flash Drives\128GB Flash Drive Backup 5-26-2016\Tech CD\Utils\Ad Aware\Bleeping Computer Stuff\RogueKiller by tigzy\RogueKillerX64 V12.7.1.exe
Mode : Scan -- Date : 10/11/2016 08:13:03 (Duration : 00:38:04)

¤¤¤ Processes : 1 ¤¤¤
[Proc.RunPE] hasplms.exe(5536) -- C:\Windows\System32\hasplms.exe[7] -> Found

¤¤¤ Registry : 11 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\BASHDefs\20160922.001\BHDrvx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs\20161003.002\EX64.SYS) -> Found

[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1957994488-1563985344-1417001333-1107\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[Suspicious.Path][File] C:\Users\firefox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk [LNK@] C:\Users\firefox\AppData\Local\slack\Update.exe --processStart "slack.exe" -a "--startup" -> Found
[PUP][Folder] C:\Users\firefox\AppData\Roaming\Download Manager -> Found
[PUP][Folder] C:\Users\firefox\AppData\Local\PackageAware -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][FIREFX:Config] hcdjlx88.default : user_pref("browser.startup.homepage", "https://forums.malwarebytes.org/"); -> Found


¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] 9a58401060fd78b7ced0042be99fe3e8
[BSP] a4478fcfe5b4c86f09d53598ed58a5e2 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 750 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1617920 | Size: 367112 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 753463296 | Size: 1539826 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: ATA TOSHIBA DT01ACA2 SCSI Disk Device +++++
--- User ---
[MBR] d4ecfbd1a1d3c4917af6d6d28c8c95d7
[BSP] 6f5fe8da57fa68252ca31cc6e5d209fd : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- M.S./M.S.Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Kanguru SS3 USB Device +++++
--- User ---
[MBR] 94f9443d96441ecfcdafb5853a2e8a7e
[BSP] 39eaafe8c7c2f2a60c9df4ab5a671e21 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 120348 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

[Curson]

Hi firefoxthebomb,

Thanks for your feedback. These entries are indeed false positives.
Could you please follow the following process in order to help us whitelisting the [Proc.RunPE] one ?

• Download Process Explorer and save it to your desktop.
  
• Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  
• Locate the process hasplms.exe, right click select Create Dump > Create Full Dump...
  
• Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
• Share the link in your next reply.

Could you also please attach the file hasplms.exe with your next reply.

Regards.

[firefoxthebomb]

Followed the instructions however the file size is 0, but I have included a copy of the exe file.

You can download it from here: https://we.tl/oJrPirkfXr (its the WeTransfer site)

[coldi]

Hi there,
I have a potential false positive. A scan with the latest version showed 15 hidden.ads detections and I think all of them are related to drivers of an older asus xonar audio card and the cmi chip on it I still have.
Obviously not sure if that's the case so I added the detected files and the report.
regards

[Curson]

Hi firefoxthebomb,

Thanks.
We will analyse the file.

Regards.

[Curson]

Hi coldi,

Thanks for your feedback.
These ADS are indeed false positives. We will fix this as soon as possible.

Regards.