Author Topic: ===> False Positives <===  (Read 331357 times)


randzonen
  • Guest
« Reply #195 on: October 14, 2016, 03:44:00 PM »
Seems like RogueKiller 12.7.1.0 thinks everything from Intel is malware and marked it for instant deletion...

[Hidden.ADS][Stream] C:\Windows\System32\common_clang64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\difx64.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\DPTopologyApp.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\DPTopologyAppv2_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\GfxResources.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\GfxUIEx.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Gfxv2_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Gfxv4_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\ig75icd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igc64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd10idpp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd10iumd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd11dxva64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd12umd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdail64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdbcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdde64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdfcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdmcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdmd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdrcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdumdim64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdusc64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfx11cmrt64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxcmjit64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxcmrt64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCoIn_v4463.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCUIService.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCUIServicePS.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDH.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDHLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDHLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDI.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDILib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDILibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDTCM.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEM.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEMLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEMLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxexps.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxext.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxHK.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHM.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHMLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHMLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxOSP.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDK.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDKLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDKLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxTray.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\iglhcp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\iglhsip64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelCpHDCPSvc.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelOpenCL64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelWiDiMCComp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelWiDiUMS64.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Intel_OpenCL_ICD64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\MetroIntelGenericUIFramework.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\OpenCL.DLL:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\common_clang32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\ig75icd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igc32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd10idpp32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd10iumd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd11dxva32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd12umd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdail32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdbcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdde32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdfcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdmcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdmd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdrcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdumdim32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdusc32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfx11cmrt32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxcmjit32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxcmrt32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxexps32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\iglhcp32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\iglhsip32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\IntelCpHeciSvc.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\IntelOpenCL32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\Intel_OpenCL_ICD32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\OpenCL.DLL:Zone.Identifier -> Gefunden

Curson
  • Global Moderator
« Reply #196 on: October 16, 2016, 11:13:51 PM »
Hi randzonen,

Thanks for your feedback.
An emergency fix has been issued for this false positive.

Regards.

coldi
  • Newbie
« Reply #197 on: November 14, 2016, 03:56:21 AM »
Hi there,
not sure if it's the case, but I might have stumbled upon something again.
The latest version shows [PUM.HomePage][Chrome:Config] Default : homepage [] -> Found, but no additional information is given, and as far as I can tell the browser is functioning as it should. I'll add the report, but there doesn't seem to be anything more about it. The previous version doesn't detect it.
Regards

Curson
  • Global Moderator
« Reply #198 on: November 14, 2016, 03:13:42 PM »
Hi coldi,

Thanks for your feedback. It seems like a bug on our end.
We will investigate this issue.

Regards.

pparent516
  • Guest
« Reply #199 on: December 18, 2016, 06:19:32 PM »
Please, fix this false positive. WeatherEye.exe is not a PUP nor a virus. WeatherEye is a weather application and it's not dangerous. Here is the link for downloading it: https://www.theweathernetwork.com/weather-apps

Here is the RogueKiller report:

RogueKiller V12.8.5.0 (x64) [Dec 12 2016] (Premium) par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/download/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 10 (10.0.14393) 64 bits version
Démarré en  : Mode normal
Utilisateur : Paulo [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 12/18/2016 11:25:34 (Durée : 00:19:52)

¤¤¤ Processus : 0 ¤¤¤

¤¤¤ Registre : 6 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12182016110228673\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12182016110228673\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-12182016110029563\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\XAdmin\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-12182016110029563\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\XAdmin\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Fichier Hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: INTEL SSDSC2BW240H6 +++++
--- User ---
[MBR] ab29a7e42e94628b34d1970a7578900b
[BSP] 05c1135502c1387ca20f9f871e6b4971 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 184320 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 377491456 | Size: 44614 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Curson
  • Global Moderator
« Reply #200 on: December 19, 2016, 02:47:24 PM »
Hi pparent516,

Welcome to Adlice.com Forum and thanks for your feedback.
This false positive will be fixed as soon as possible.

Regards.

Suario
  • Newbie
« Reply #201 on: February 03, 2017, 09:13:16 AM »
Hello, I recently did a scan with RogueKiller and it shows MBAMService.exe as Adw.Elex|PUP.Divcom, so I was wondering if this is a false positive?

Here I add the report:

RogueKiller V12.9.6.0 (x64) [Jan 30 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Junito [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/03/2017 01:22:55 (Duration : 00:14:14)

¤¤¤ Processes : 2 ¤¤¤
[Adw.Elex|PUP.Divcom] MBAMService.exe(2696) -- Q:\Pgramas\Anti-Malware\mbamservice.exe[7] -> Found
[Suspicious.Path] (SVC) ALSysIO -- \??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys -> Found


¤¤¤ Registry : 3 ¤¤¤
[PUP.HackTool] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetCut_is1 -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[PUP.Gen1][Folder] C:\Users\Junito\AppData\Roaming\Easeware -> Found
[PUP.Gen1][File] C:\Users\Junito\AppData\Roaming\Microsoft\Windows\Recent\client-stats.log.lnk [LNK@] C:\Users\JUNITO~1\AppData\Roaming\Easeware\DRIVER~1\CLIENT~1.LOG -> Found
[PUP.Gen1][File] C:\Users\Junito\AppData\Roaming\Microsoft\Windows\Recent\DriverEasy.lnk [LNK@] C:\Users\JUNITO~1\AppData\Roaming\Easeware\DRIVER~1 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS545050A7E380 ATA Device +++++
--- User ---
[MBR] d8c3edb4bed2a3984bc767cd235ebc5e
[BSP] 403de67ba0e2f219f2b79355739651fe : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Maxtor 6L120M0 ATA Device +++++
--- User ---
[MBR] aa7415b7c5c1f25a0031f6eb43396297
[BSP] 8f89bcf184ff96be07bf6cdb6134749f : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 117244 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: KINGSTON SV300S37A240G ATA Device +++++
--- User ---
[MBR] c664ba19eded6725426e299ee13da4d1
[BSP] a27144b8b980601f0ab2ec1d08dde42b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Curson
  • Global Moderator
« Reply #202 on: February 03, 2017, 01:25:22 PM »
Hi Suario,

Welcome to Adlice.com Forum and thanks for your feedback.
Yes, it's a false positive. RogueKiller is detecting the Malwarebytes malware database. This issue has been fixed when MBAM is installed in the standard location.

Regards.

counselorgene
  • Newbie
« Reply #203 on: February 07, 2017, 06:29:42 AM »
Hi there,

First I want to tell you I love your program.
I analyzed my system with RogueKiller. Please see my output below. I've got Dr. Web Security Space as well as Malwarebytes on the machine. I also have Sophos Virus Removal Tool installed on the system. I used to have Advanced System Care on this machine but recently removed it because it was likely helping to compromise my system. I received several Proc.Injected, Root.Necurs, and PUM.HomePage entries. I ran in Safe Mode.
Please let me know if this is a true infection or false positive, based on what you see:

----------------------------------------------------------------------------------------------------

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Safe mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/06/2017 21:36:42 (Duration : 00:18:59)

¤¤¤ Processes : 12 ¤¤¤
[Proc.Injected] wininit.exe(456) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(520) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(572) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(680) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(772) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(808) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(840) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(880) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(348) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(468) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1224) -- C:\Windows\System32\dllhost.exe[7] -> Found

¤¤¤ Registry : 9 ¤¤¤
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97855176CB095D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F9785531D1ACAC5 -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978556B1AA1B1D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978557637EA65F -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97856826CFAA11 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK
-------------------------------------------------------------------------------------------------------

Thank you!

Curson
  • Global Moderator
« Reply #204 on: February 07, 2017, 11:54:34 AM »
Hi counselorgene,

Welcome to Adlice.com Forum and thanks for your feedback.
This is really suspicious. Could you please follow this process:
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp64.exe) and select Run as Administrator to start the tool.
  • Locate the process named wininit.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
  • Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.

Regards.

counselorgene
  • Newbie
« Reply #205 on: February 07, 2017, 07:08:18 PM »
Hi Curson,

Thanks for getting back to me. I've done all this and here are links to the files on my google drive. I created a .ZIP and a .RAR just in case:

https://drive.google.com/file/d/0B5U9vVVDQn6iazYxa1V2anYyUGc/view (ZIP)
https://drive.google.com/file/d/0B5U9vVVDQn6idGRLMXA0a3VJWm8/view (RAR).

Let me know if you have any issues accessing or reading them.

Thanks for your help!

Curson
  • Global Moderator
« Reply #206 on: February 07, 2017, 09:46:00 PM »
Hi counselorgene,

The injection is caused by Dr. Web. We will whitelist it as soon as possible.
However, I advise you to remove the [Root.Necurs] entries.
Could you please redo a scan in normal mode and attach the RogueKiller report to your next reply?

Regards.

counselorgene
  • Newbie
« Reply #207 on: February 08, 2017, 07:27:26 AM »
Hi Curson,

Thanks for that info. I deleted the [Root.Necurs] entries. Here is what populates now. I believe this is all related to Dr. Web, but maybe not. I ran the program in both normal Windows operating conditions and Safe Mode. See the output below for both:

--------------------------------------------------------------------------------------------------------

Normal WIN Operating Conditions:

¤¤¤ Processes : 63 ¤¤¤
[Proc.Injected] wininit.exe(576) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(636) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(688) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(760) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(804) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(896) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(932) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(976) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(1000) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] igfxCUIService.exe(504) -- C:\Windows\System32\igfxCUIService.exe[7] -> Found
[Proc.Injected] svchost.exe(652) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(884) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] spoolsv.exe(1228) -- C:\Windows\System32\spoolsv.exe[-] -> Found
[Proc.Injected] svchost.exe(1252) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] armsvc.exe(1456) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[7] -> Found
[Proc.Injected] taskhostex.exe(1480) -- C:\Windows\System32\taskhostex.exe[7] -> Found
[Proc.Injected] explorer.exe(1584) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] AdminService.exe(1636) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe[-] -> Found
[Proc.Injected] officeclicktorun.exe(1656) -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[7] -> Found
[Proc.Injected] svchost.exe(1692) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dasHost.exe(1708) -- C:\Windows\System32\dasHost.exe[-] -> Found
[Proc.Injected] dwservice.exe(1744) -- C:\Program Files\DrWeb\dwservice.exe[7] -> Found
[Proc.Injected] svchost.exe(1772) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] HeciServer.exe(1860) -- C:\Program Files\Intel\iCLS Client\HeciServer.exe[7] -> Found
[Proc.Injected] Jhi_service.exe(1940) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[7] -> Found
[Proc.Injected] HotkeyUtility.exe(1532) -- C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe[7] -> Found
[Proc.Injected] RosettaStoneDaemon.exe(2164) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[7] -> Found
[Proc.Injected] svchost.exe(2272) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwengine.exe(2960) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[7] -> Found
[Proc.Injected] dwantispam.exe(2344) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwantispam.exe[7] -> Found
[Proc.Injected] dwarkdaemon.exe(2436) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[7] -> Found
[Proc.Injected] PresentationFontCache.exe(2520) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[7] -> Found
[Proc.Injected] svchost.exe(3232) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] SearchIndexer.exe(3304) -- C:\Windows\System32\SearchIndexer.exe[-] -> Found
[Proc.Injected] igfxHK.exe(3496) -- C:\Windows\System32\igfxHK.exe[7] -> Found
[Proc.Injected] igfxTray.exe(3504) -- C:\Windows\System32\igfxTray.exe[7] -> Found
[Proc.Injected] igfxEM.exe(3676) -- C:\Windows\System32\igfxEM.exe[7] -> Found
[Proc.Injected] BtvStack.exe(3928) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[-] -> Found
[Proc.Injected] RAVCpl64.exe(3960) -- C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[7] -> Found
[Proc.Injected] ActivateDesktop.exe(3976) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe[-] -> Found
[Proc.Injected] dwwatcher.exe(4008) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwwatcher.exe[7] -> Found
[Proc.Injected] frwl_svc.exe(3936) -- C:\Program Files\DrWeb\frwl_svc.exe[7] -> Found
[Proc.Injected] dwnetfilter.exe(4128) -- C:\Program Files\DrWeb\dwnetfilter.exe[7] -> Found
[Proc.Injected] spideragent.exe(4136) -- C:\Program Files\DrWeb\spideragent.exe[7] -> Found
[Proc.Injected] ClassicStartMenu.exe(4336) -- C:\Program Files\Classic Shell\ClassicStartMenu.exe[-] -> Found
[Proc.Injected] netsession_win.exe(4360) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] netsession_win.exe(4456) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] CCleaner64.exe(4492) -- C:\Program Files\CCleaner\CCleaner64.exe[7] -> Found
[Proc.Injected] ArcServer.exe(4516) -- C:\Program Files (x86)\Acer Remote\ArcServer.exe[-] -> Found
[Proc.Injected] hpwuschd2.exe(4540) -- C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[7] -> Found
[Proc.Injected] wmplayer.exe(4636) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe[-] -> Found
[Proc.Injected] frwl_notify.exe(4648) -- C:\Program Files\DrWeb\frwl_notify.exe[7] -> Found
[Proc.Injected] firefox.exe(4444) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] firefox.exe(4832) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] DeviceDetector.exe(5368) -- C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe[-] -> Found
[Proc.Injected] RIconMan.exe(588) -- C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[-] -> Found
[Proc.Injected] IntuitUpdateService.exe(5496) -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe[7] -> Found
[Proc.Injected] LMS.exe(3792) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[7] -> Found
[Proc.Injected] NASvc.exe(5648) -- c:\Program Files (x86)\Nero\Update\NASvc.exe[7] -> Found
[Proc.Injected] UNS.exe(5624) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7] -> Found
[Proc.Injected] wmpnetwk.exe(2688) -- C:\Program Files\Windows Media Player\wmpnetwk.exe[-] -> Found
[Proc.Injected] drwupsrv.exe(6140) -- C:\Program Files\Common Files\Doctor Web\Updater\drwupsrv.exe[7] -> Found
[Proc.Injected] conhost.exe(2292) -- C:\Windows\System32\conhost.exe[-] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK



SAFE MODE:

¤¤¤ Processes : 14 ¤¤¤
[Proc.Injected] wininit.exe(464) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(516) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(576) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(688) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(784) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(832) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(908) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(948) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(384) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(376) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1220) -- C:\Windows\System32\dllhost.exe[7] -> Found
[Proc.Injected] WmiPrvSE.exe(1320) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found
[Proc.Injected] WmiPrvSE.exe(1800) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK



--------------------------------------------------------------------------------------------------------

Let me know what you think. Thank you!
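The reports quoted in this thread (randzonen's [Hidden.ADS] list, pparent516's Run-key hits, counselorgene's [Proc.Injected] lists) share one line format. As an added example that is not Adlice's code, here is a small Python parser for that format plus a triage summary that groups the hits the way the answers above did; the sample report lines are constructed, and the triage notes are the editor's reading of the thread, not RogueKiller output.

```python
"""Parse RogueKiller report lines into records and summarise them for triage.

Added example for this thread, not Adlice code. The line shapes handled are the
ones visible in the reports above: [Hidden.ADS][Stream] path:stream,
[Suspicious.Path] (X64) key | name : data [7], and [Proc.Injected] image(pid) -- path[flag].
The verdict word is localized (Found / Trouvé(e) / Gefunden), so it is kept as text.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the thread's reports (SID and user names are made up).
SAMPLE_REPORT = r"""
¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] lsass.exe(572) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] dwengine.exe(2960) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[7] -> Found

¤¤¤ Registry : 1 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)

¤¤¤ Files : 2 ¤¤¤
[Hidden.ADS][Stream] C:\Windows\System32\igfxTray.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEM.exe:Zone.Identifier -> Gefunden
"""

LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]"              # [Category]
    r"(?:\[(?P<subtype>[^\]]+)\])?"           # optional [Subtype], e.g. [Stream]
    r"\s*(?:\((?P<arch>X64|X86|SVC)\)\s*)?"   # optional hive/arch tag
    r"(?P<body>.*?)\s*->\s*(?P<verdict>.+?)\s*$"
)
PROC_RE = re.compile(r"^(?P<image>.+?)\((?P<pid>\d+)\) -- (?P<path>.+?)\[(?P<flag>[^\]]*)\]$")
REG_RE = re.compile(r"^(?P<key>.+?) \| (?P<value>.+?) : (?P<data>.+?)(?: \[(?P<flag>[^\]]*)\])?$")


@dataclass
class Detection:
    category: str            # e.g. "Proc.Injected", "Hidden.ADS", "Suspicious.Path"
    subtype: Optional[str]   # e.g. "Stream", "File", "Folder"
    arch: Optional[str]      # "X64", "X86", "SVC" or None
    body: str                # raw text between the tags and "-> verdict"
    verdict: str             # localized verdict word, kept verbatim
    fields: dict = field(default_factory=dict)  # parsed body; keys depend on category


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a detection line, None for headers, blanks and MBR lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    det = Detection(m["category"], m["subtype"], m["arch"], m["body"], m["verdict"])
    pm = PROC_RE.match(det.body) if det.category == "Proc.Injected" else None
    rm = REG_RE.match(det.body) if " | " in det.body else None
    if pm:
        det.fields = {"image": pm["image"], "pid": int(pm["pid"]), "path": pm["path"], "flag": pm["flag"]}
    elif det.category == "Hidden.ADS" and det.subtype == "Stream":
        path, stream = det.body.rsplit(":", 1)   # the last ':' separates file from stream name
        det.fields = {"path": path, "stream": stream}
    elif rm:
        det.fields = {"key": rm["key"], "value": rm["value"], "data": rm["data"], "flag": rm["flag"]}
    return det


def parse_report(text: str) -> List[Detection]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def triage(dets: List[Detection]) -> dict:
    """Group detections the way the thread's answers did, with one note per pattern."""
    out = {"by_category": Counter(d.category for d in dets), "notes": []}
    ads = [d for d in dets if d.category == "Hidden.ADS"]
    if ads:
        motw = [d for d in ads if d.fields.get("stream", "").lower() == "zone.identifier"]
        out["ads_motw_only"] = len(motw) == len(ads)
        if out["ads_motw_only"]:
            out["notes"].append("All Hidden.ADS hits are Zone.Identifier streams (mark-of-the-web left "
                                "by a download); verify the host file's signature before deleting anything.")
    injected = [d for d in dets if d.category == "Proc.Injected"]
    if injected:
        sys_hits = [d for d in injected if d.fields.get("path", "").lower().startswith("c:\\windows\\")]
        out["injected_system"] = len(sys_hits)
        out["injected_third_party"] = len(injected) - len(sys_hits)
        if sys_hits and out["injected_third_party"]:
            out["notes"].append("Proc.Injected in system and third-party processes alike is the pattern a "
                                "product hooking every process leaves (Dr. Web in this thread); identify "
                                "the injected module's publisher before treating it as malware.")
    out["run_key_targets"] = sorted({d.fields["data"] for d in dets
                                     if d.fields.get("key", "").lower().endswith("\\currentversion\\run")})
    for target in out["run_key_targets"]:
        if "\\appdata\\local\\" in target.lower():
            out["notes"].append(f"Run entry starts a binary from a per-user folder: {target}; "
                                "check its publisher and install path before removing it.")
    return out


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(dict(summary["by_category"]))
    for note in summary["notes"]:
        print("-", note)
```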

Curson
  • Global Moderator
« Reply #208 on: February 08, 2017, 01:18:32 PM »
Hi counselorgene,

Thanks for your feedback.
All these injections are made by Dr. Web software, so no need to worry about them.

Regards.

counselorgene
  • Newbie
« Reply #209 on: February 08, 2017, 08:11:02 PM »
Thank you, Curson!

I will strongly consider buying the premium version of your software. While some entries were false positives, I appreciate that it did find some entries that were viral.

Thanks again!