Author Topic: False positive?  (Read 9750 times)

0 Members and 1 Guest are viewing this topic.

November 21, 2018, 04:24:05 PM

calamityjane

  • Newbie

  • Offline
  • *

  • 29
  • Reputation:
    0
  • Personal Text
    Not in Kansas
    • View Profile
False positive?
« on: November 21, 2018, 04:24:05 PM »
Hello there,

I am using your V13.0.11.0 anti-malware.

Starting with RogueKiller V13, last month, I have been getting the following detected item:

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> O83 - Svchost Services
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|LocalServiceNoNetwork -- PLA DPS BFE mpssvc ehstart -> Found


Prior to V13, this has never shown up.
Can you shed any light on this?

I'm using Vista, SP2.

Also,

1. This detection appears whether the MalPE is enabled or not.

2. (unrelated to above detection)
During the scanning process, you have incorporated a real-time notification (in the orange band), regarding what UCheck is detecting as outdated software, when I move the cursor over the area.
.
However, it is including RogueKiller, TWICE, as outdated.
It is listing V13.0.3.0 and also 13.0.11.0 (updated this past Monday).

I have not purchased the UCheck, just to be clear.
I am only referring to what is shown during the RogueKiller scan.

Many thanks!
cj




 

Reply #1November 21, 2018, 04:28:58 PM

calamityjane

  • Newbie

  • Offline
  • *

  • 29
  • Reputation:
    0
  • Personal Text
    Not in Kansas
    • View Profile
Re: False positive?
« Reply #1 on: November 21, 2018, 04:28:58 PM »
Addendum:

I did not mean to say, "I have not purchased the UCheck".

I meant to say that I have not downloaded UCheck.

Reply #2November 21, 2018, 08:57:43 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: False positive?
« Reply #2 on: November 21, 2018, 08:57:43 PM »
Hi calamityjane,

Thanks for your feedback.
This is indeed a false positive. In order to help us whitelist it, could you please do the following process :

1) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :
Code: [Select]
REG EXPORT "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" "%USERPROFILE%\Desktop\RegExport.log"
2) A new file named RegExport.log should has been created on your desktop. Please attach it with your next reply.

Regarding to the issue with the outdated version of RogueKiller displayed twice, could you please check if RogueKiller V13.0.3.0 is still present in the "Add/Remove Programs" of your operating system ? If that's the case, could you please uninstall it, then check if the issue is still present when you do a scan with the latest version of RogueKiller ?

Regards.

Reply #3November 21, 2018, 11:36:22 PM

calamityjane

  • Newbie

  • Offline
  • *

  • 29
  • Reputation:
    0
  • Personal Text
    Not in Kansas
    • View Profile
Re: False positive?
« Reply #3 on: November 21, 2018, 11:36:22 PM »
Thanks Curson,

Per your request for the RegExport.log, I've included it in attachment.

Regarding the RogueKiller`"outdated versions", you are correct insofar as V13.0.3.0 and 13.0.11.0 showing separately in "Add/Remove Programs".

It never occurred to me to check that!
I suppose this might have happened when I had to manually download an update.

At any rate, prior to the old version uninstall, I got a pop-up message that both versions were located in the same folder and that removal of the old might impact the latest version. (my words, I can't remember exactly what the message was).

Unfortunately, post-uninstall, the latest V13.0.11.0 was  deleted along with V13.0.3.0
I have not, as of yet, reinstalled RogueKiller, but I'll do it in the morning.

Again, and as always, I'm grateful for your kind support.
cj




Reply #4November 21, 2018, 11:58:19 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: False positive?
« Reply #4 on: November 21, 2018, 11:58:19 PM »
Hi calamityjane,

Thanks for the attachement.
There was likely an issue with the uninstallation of RogueKiller V13.0.3.0, leading to this situation.

Please don't hesitate to ask, if you need any help with the reinstallation or activation of RogueKiller latest version.

Regard.

Reply #5November 22, 2018, 05:49:31 PM

calamityjane

  • Newbie

  • Offline
  • *

  • 29
  • Reputation:
    0
  • Personal Text
    Not in Kansas
    • View Profile
Re: False positive?
« Reply #5 on: November 22, 2018, 05:49:31 PM »
I uninstalled the remaining (non-functional) remnants of V13.0.11.0 that were left after the intentional uninstall of V13.0.3.0.
I was able to successfully keep my log history  and Premium license key by using the selective RevoUninstaller software.

I downloaded V13 and re-ran a scan.
The UCheck mini-scan no longer shows RogueKiller and I have the latest V13.0.12.0

All is good!
cj


Reply #6November 22, 2018, 07:07:55 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: False positive?
« Reply #6 on: November 22, 2018, 07:07:55 PM »
Hi calamityjane,

You are welcome.
Thanks for your feedback.

Regards.