BleepingComputer.com: False Positives in antivirus-programs

False Positives in antivirus-programs

#1 Grinler (Admin)

Posted 18 November 2009 - 01:18 PM

This topic will be used to post false positives in Anti-virus/Anti-malware programs so that end-users know not to fix the particular entries that may be shown.

#2 Grinler (Admin)

Posted 18 November 2009 - 01:19 PM

Week of 11/16: MalwareBytes' Anti-Malware had the following false positives:

C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll (Virus.Mariofev)
C:\WINDOWS\$NtServicePackUninstall$\user32.dll (Virus.Mariofev)
C:\WINDOWS\ServicePackFiles\i386\user32.dll (Virus.Mariofev)

These false positives have already been resolved in a past definitions update. Please make sure you update your MBAM definitions.

#3 boopme (Global Moderator)

Posted 18 November 2009 - 08:52 PM

MalwareBytes' Anti-malware

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys


Had this one yesterday, 11/17.

This post has been edited by Grinler: 19 November 2009 - 01:22 PM
Reason for edit: Resolved via definitions update

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 elise025 (Malware Study Hall Admin)

Posted 19 November 2009 - 06:01 AM

@Grinler, delete this post if you want, it's just a note...

@Boopme, this can be part of a very 'legit' rootkit. Maybe you can include a link.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Follow BleepingComputer on: Facebook | Twitter | Google+

#5 elise025 (Malware Study Hall Admin)

Posted 19 November 2009 - 06:40 AM

You want false positives? Here ya go, have fun :thumbsup:

I kept all files in a folder on my desktop and will be able to rescan them to check if they are still detected whenever you like. I included all tools I am using on a regular basis.

Combofix.exe
dds.scr
Flash_Disinfector.exe
Inherit.exe
OTL.exe
OTM.exe
RootRepeal.exe
RSIT.exe
Win32kDiag.exe
OTS.exe
TFC.exe

Note - I included Junction.zip, GooredFix.exe, SystemLook.exe and GMER (<random>.exe) as well, but those came out clean. Apart from that, kudos to McAfee!
regards, Elise


#6 boopme (Global Moderator)

Posted 19 November 2009 - 02:36 PM

elise025, on Nov 19 2009, 06:01 AM, said:

@Grinler, delete this post if you want, its just a note...

@Boopme, this can be part of a very 'legit' rootkit. Maybe you can include a link.


Hi Elise, as I didn't trust it 100% I had them post in HJT here. But while looking it up, the MBAM site had it as an FP.

http://www.bleepingcomputer.com/forums/ind...p;#entry1504844

#7 extremeboy (Malware Response Instructor)

Posted 19 November 2009 - 06:14 PM

@boopme

Yes, you were right, there was a FP regarding that which was posted in the MBAM forum topic over here:
http://www.malwarebytes.org/forums/index.p...=30371&st=0

This FP should have been resolved now with the latest updates.

Cheers.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 chromebuster (Member)

Posted 06 May 2010 - 11:23 PM

Oh yeah.
Don't forget the FP Malwarebytes gives for Night of Parasite. That is an accessible game for the visually impaired I like to play, and these were the files MBAM flagged as infected: C:\program files\Night Of Parasite\NOP(3.1) (trojan.FlyStudio), and then there was a file with a .fnr extension that I can't remember the name of. And I've tried talking to them about it, but they don't care. But for all those who love it, it's a fine game to play, and security programs should know the difference between real trojans and programs that have installation characteristics of trojans. I'm thinking it could be that the installer is in the original Chinese that causes the issue.

Regards,
Your tech geek Chromebuster
Raeder24. We're for community, accessibility for the blind, and technology support. Founded in 2008. join our community at raeder24.org

#9 chromebuster (Member)

Posted 11 May 2010 - 08:11 PM

Hey folks,
It's just me with another one LOL. All folks belonging to the blind and visually impaired community, keep an eye out for Super Antispyware for it accidentally detected two of the files for the accessible game judgment day as being infected with trojan.agent/gen-cryptor. I reported it immediately, so they should update their defs so that it doesn't happen again. Just keep a close eye.

Regards,
Chromebuster

#10 Sefket (Member)

Posted 22 May 2010 - 08:42 PM

I can't stand False Positives - it always frustrates me wondering if my computer is still safe or if it's infected. Thanks for keeping us updated.

#11 Terry Turn (Member)

Posted 28 June 2010 - 10:06 AM

boopme, on Nov 19 2009, 07:22 AM, said:

MalwareBytes' Anti-malware

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys


Had this one yesterday, 11/17.



Hi

C:\WINDOWS\system32\drivers\atapi.sys is an infected file. Check the file size.
The size of atapi.sys should be 94kb. If the file size is 95kb or 93kb, the file is infected. This infection can cause Google and other search engine redirection.
Terry Turn

#12 Terry Turn (Member)

Posted 28 June 2010 - 10:10 AM

The antivirus software which I am using detected a few genuine system files as infected:
C:\windows\system32\services.exe
C:\windows\system32\winlogon.exe
Terry Turn

#13 elise025 (Malware Study Hall Admin)

Posted 30 June 2010 - 05:05 AM

Quote:

Please click HERE and follow the instructions in STEP 2 to download and run the norton removal tool.

Maybe you should make sure they are not infected with a file infector virus. You can double-check those files at www.virustotal.com

Quote:

C:\WINDOWS\system32\drivers\atapi.sys is an infected file. Check the file size.
The size of atapi.sys should be 94kb. If the file size is 95kb or 93kb, the file is infected. This infection can cause Google and other search engine redirection.

Maybe you should check the date this was reported :thumbsup:

This post has been edited by elise025: 30 June 2010 - 05:06 AM

regards, Elise


#14 Jayson201 (Member)

Posted 11 July 2010 - 09:14 AM

Terry Turn, on Jun 28 2010, 11:06 AM, said:

Hi

C:\WINDOWS\system32\drivers\atapi.sys is an infected file. Check the file size.
The size of atapi.sys should be 94kb. If the file size is 95kb or 93kb, the file is infected. This infection can cause Google and other search engine redirection.


My atapi.sys is 24kb O.o Then again, I have Win7.....
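A small triage helper for entries in the scan-log layout quoted in this thread, added here as an example (it is not code from the thread, from Malwarebytes or from any poster). It parses a "Registry Keys Infected: / Files Infected:" excerpt, labels the entries this thread reports as known false positives, and for everything else returns a SHA-256 to look up on virustotal.com as elise025 suggests, rather than trusting a file size that differs by Windows version. The sample log, the setup.exe entry and the note strings are constructed from the posts above.

```python
import hashlib
import re
from pathlib import Path, PureWindowsPath

# Constructed sample in the "Registry Keys Infected: / Files Infected:" layout quoted in this
# thread; the atapi and user32.dll entries come from the posts above, setup.exe is made up.
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\atapi

Files Infected:
C:\\WINDOWS\\system32\\drivers\\atapi.sys
C:\\WINDOWS\\ServicePackFiles\\i386\\user32.dll (Virus.Mariofev)
C:\\Users\\me\\Downloads\\setup.exe (Trojan.Agent)
"""

# False positives reported in this thread: (matching names, detection name or None for any, note).
KNOWN_FPS = [
    ({"user32.dll"}, "Virus.Mariofev", "MBAM FP, resolved in definitions (week of 2009-11-16)"),
    ({"atapi.sys", "atapi"}, None, "MBAM FP reported 2009-11-17, resolved by definitions update"),
]
ENTRY_RE = re.compile(r"^(?P<path>.+?)(?: \((?P<detection>[^()]+)\))?$")

def parse_scan_log(text):
    """Return (section, path, detection) tuples; detection is None when the log gives none."""
    section, entries = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")].lower()  # "registry keys" or "files"
            continue
        match = ENTRY_RE.match(line)
        entries.append((section, match.group("path"), match.group("detection")))
    return entries

def triage(entry):
    """'known-fp' with the thread's note, or 'verify' with the check the thread recommends."""
    _section, path, detection = entry
    name = PureWindowsPath(path).name.lower()  # last component, for registry paths too
    for names, fp_detection, note in KNOWN_FPS:
        if name in names and fp_detection in (None, detection):
            # A stale FP report is not proof of innocence: atapi.sys was also a real rootkit target.
            return "known-fp", note + "; still confirm the hash before ignoring it"
    return "verify", "hash the file and look it up on virustotal.com; file size alone proves nothing"

def sha256_of(path):
    """SHA-256 of a local file: the value to search on VirusTotal instead of comparing sizes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()
```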

#15 chromebuster (Member)

Posted 13 July 2010 - 05:25 PM

Just another one. USB Guardian is tagged by MBAM. The main executable is tagged as Trojan.FakeAlert.
