Author Topic: False positive?  (Read 8921 times)

November 16, 2014, 06:41:54 AM

xoth

I think that I found a possible false positive.
Computer apparently clean (Win XP SP3, Avira Free + Comodo FW + CryptoPrevent policy). I downloaded (latest version) and launched RogueKiller to try it.

The scan found these 4 entries in the Registry section

[Hj.Name] HKEY_USERS\RK_Administrator_ON_I_D453\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE  -> Found
[Hj.Name] HKEY_USERS\RK_Default User_ON_I_EAC0\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE  -> Found
[Hj.Name] HKEY_USERS\RK_LocalService_ON_I_0629\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE  -> Found
[Hj.Name] HKEY_USERS\RK_NetworkService_ON_I_CD40\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE : F:\WINDOWS\System32\CTFMON.EXE  -> Found

but this CTFMON.EXE seems to be the legit one. I made a local scan of the file with Avira, Malwarebytes and ClamWin and they found it OK. I also uploaded it to virustotal.com and it seems to be OK https://www.virustotal.com/it/file/935db29473bec2edb91035bcd94633d87e18017898c65269e2376bc311043753/analysis/1416112462/
« Last Edit: November 16, 2014, 06:47:04 AM by xoth »

Reply #1, November 16, 2014, 11:36:47 PM

Tigzy

It's because of this:

RK_Administrator_ON_I == means the hard drive is I:/

And the file is on F:/ == F:\WINDOWS\System32\CTFMON.EXE
What's that I drive? Is it a system drive?

Reply #2, November 17, 2014, 09:54:05 PM

xoth

I did not notice the drive letter, but I don't know why the report says F: .... I have an F: volume, but F:\WINDOWS doesn't exist.

I: also exists; it has a windows\system32 directory, oddments from a very old installation, and at the time it actually was F: (dual boot Win98/WinXP, respectively on C: and F:), but now it's without any files on it, it's only an empty dir.

The only CTFMON.EXE files on the drives (Explorer set to also show hidden and system files) are in

* C:\WINDOWS\system32
* C:\WINDOWS\system32\dllcache
* C:\WINDOWS\ServicePackFiles\i386

and they are all the same file (I did an fc from the command prompt).

In the registry all the references to CTFMON.EXE link to C:\WINDOWS\system32\ctfmon.exe or %windir%\system32\ctfmon.exe with %windir% = C:\WINDOWS

For "historical reasons" (repeated upgrades, adding new hard disks and not reinstalling Windows every time) I have a strange drive configuration (see the attached image of my Computer Management -> Disk Management), with some drive letters changed from the default ones; maybe this could have deceived RogueKiller?
« Last Edit: November 17, 2014, 09:56:48 PM by xoth »

Reply #3, November 18, 2014, 09:27:35 AM

Tigzy

Actually F: is what is read from the I: registry hives, so I'm pretty sure if you boot on I:, it will become F:

Reply #4, November 20, 2014, 03:37:45 AM

xoth

Well, actually at the time it was a system disk, it was F:.

The problem now is that the file

F:\WINDOWS\System32\CTFMON.EXE

or

I:\WINDOWS\System32\CTFMON.EXE

doesn't exist and both volumes are used only for data (and paging file), so I don't understand how RogueKiller can find it (and detect it as bad).

Where are the reg hives? In the hidden directory "System Volume Information" with the restore point data?

Today I booted with a Linux live CD and I saw that in "System Volume Information" of I: there are also files with the date attribute showing some years before the last clean install on C:; maybe they come from the old installation and RogueKiller reads it as the current one (is it possible?).
« Last Edit: November 20, 2014, 03:40:26 AM by xoth »

Reply #5, November 20, 2014, 11:18:23 AM

Tigzy

This is maybe a bug; the drive letter should be redirected, and in that case there's no detection.
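The redirection Tigzy describes in replies #3 and #5, as an added example (not RogueKiller's own code): it parses the report lines quoted in the first post, reads the hive's live drive letter from the RK_<user>_ON_<letter> key name, rewrites the path's drive letter from the one the offline installation recorded for itself (assumed here to be supplied by the caller, F: in this thread) to the live letter, and only then applies the "known name outside its System32" check. The report line format, the loaded-hive naming scheme and the \WINDOWS\System32 location come from the thread; everything else is assumed.

```python
import re
from typing import NamedTuple, Optional

# Regexes built from the report lines quoted in the thread (the format of other
# RogueKiller versions is not known here and is an assumption).
RK_LINE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>.+?)\s+\|\s+(?P<name>.+?)\s*:\s*(?P<path>.+?)\s+->\s+(?P<verdict>\w+)\s*$"
)
# RK_<user>_ON_<letter>_<id>: hive loaded from the volume mounted as <letter> (reply #1).
RK_HIVE = re.compile(r"^HKEY_USERS\\RK_(?P<user>.+)_ON_(?P<drive>[A-Za-z])_[0-9A-Fa-f]+\\")

class RunEntry(NamedTuple):
    tag: str
    user: str
    hive_drive: str   # letter the hive's volume has on the live system
    name: str
    path: str         # path exactly as recorded inside the offline hive

def parse_line(line: str) -> Optional[RunEntry]:
    """Parse one report line; return None if it is not a Run entry from an RK_ hive."""
    m = RK_LINE.match(line.strip())
    if not m:
        return None
    h = RK_HIVE.match(m["key"])
    if not h:
        return None
    return RunEntry(m["tag"], h["user"], h["drive"].upper(), m["name"].strip(), m["path"].strip())

def redirect_path(path: str, hive_system_drive: str, live_drive: str) -> str:
    """Rewrite a path the offline installation recorded with its own system letter
    (hive_system_drive, assumed known to the caller) to the letter it has now."""
    if len(path) >= 2 and path[1] == ":" and path[0].upper() == hive_system_drive.upper():
        return live_drive.upper() + path[1:]
    return path

def is_name_hijack(entry: RunEntry, hive_system_drive: Optional[str]) -> bool:
    """True if a system-binary name is launched from outside the owning installation's
    System32. With hive_system_drive given, the letter is redirected first (reply #5)."""
    path = entry.path
    if hive_system_drive:
        path = redirect_path(path, hive_system_drive, entry.hive_drive)
    expected_dir = f"{entry.hive_drive}:\\WINDOWS\\SYSTEM32\\"
    return not path.upper().startswith(expected_dir)

# Constructed sample: the first of the four lines quoted in the thread.
SAMPLE = ("[Hj.Name] HKEY_USERS\\RK_Administrator_ON_I_D453\\Software\\Microsoft\\Windows"
          "\\CurrentVersion\\Run | CTFMON.EXE : F:\\WINDOWS\\System32\\CTFMON.EXE  -> Found")
```

Without redirection the entry is flagged exactly as in the report; after mapping F: to the live I: it lands in that installation's own System32 and is not flagged.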