Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

False Positives in antivirus-programs


  • Please log in to reply
98 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:06 AM

Posted 18 November 2009 - 01:18 PM

This topic will be used to post false positives in Anti-virus/Anti-malware programs so that end-users know not to fix the particular entries that may be shown.


Note: A separate reporting area specifically dedicated for AdwCleaner can be found in this topic...AdwCleaner False Positive Reporting Topic



BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:06 AM

Posted 18 November 2009 - 01:19 PM

Week of 11/16 MalwareBytes' Anti-malware had the following false positives:

C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll (Virus.Mariofev)
C:\WINDOWS\$NtServicePackUninstall$\user32.dll (Virus.Mariofev)
C:\WINDOWS\ServicePackFiles\i386\user32.dll (Virus.Mariofev)

These false positives have already been resolved in a past definitions update. Please make sure you update your MBAM definitions.

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 70,522 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:06 AM

Posted 18 November 2009 - 08:52 PM

MalwareBytes' Anti-malware

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys


Had this one yesterday 11/17

Edited by Grinler, 19 November 2009 - 01:22 PM.
Resolved via definitons update

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,317 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:06 PM

Posted 19 November 2009 - 06:01 AM

@Grinler, delete this post if you want, its just a note...

@Boopme, this can be part of a very 'legit' rootkit. Maybe you can include a link.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,317 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:06 PM

Posted 19 November 2009 - 06:40 AM

You want false positives? Here ya go, have fun :thumbsup:

I kept all files in a folder on my desktop and will be able to rescan them to check if they are still detected whenever you like. I included all tools I am using on a regular basis.

Combofix.exe
dds.scr
Flash_Disinfector.exe
Inherit.exe
OTL.exe
OTM.exe
RootRepeal.exe
RSIT.exe
Win32kDiag.exe
OTS.exe
TFC.exe

Note - I included Junction.zip, GooredFix.exe, SystemLook.exe and GMER (<random>.exe) as well, but those came out clean. apart from that, kudo's to McAfee!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 70,522 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:06 AM

Posted 19 November 2009 - 02:36 PM

@Grinler, delete this post if you want, its just a note...

@Boopme, this can be part of a very 'legit' rootkit. Maybe you can include a link.


Hi Elise as I didn't trust it 100% I had them post in HJT here. But while looking it up MBAM site had it as an FP.

http://www.bleepingcomputer.com/forums/ind...p;#entry1504844
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 19 November 2009 - 06:14 PM

@boopme

Yes, you were right, there was a FP regarding that which was posted in the MBAM forum topic over here:
http://www.malwarebytes.org/forums/index.p...=30371&st=0

This FP should of been resolved now with the latest updates.

Cheers.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:11:06 AM

Posted 06 May 2010 - 11:23 PM

Oh yeah.
Don't forget the FP malwarebytes gives for Night of Parasite. That is an accessible game for the visually impaired I like to play, and these were the files MBAM flagged as infected: C:\program files\Night Of Parasite\NOP(3.1) (trojan.FlyStudio), and then there was a file with a .fnr extension that I can't remember the name of. And I've tried talking to them about it, but they don't care. But for all those who love it, it's a fine game to play, and security programs should know the difference between real trojans, and programs that have installation characteristics of trojans. I'm thinking that it could be that the installer is in the original chinese that causes the issue.

Regards,
Your tech geek Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#9 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:11:06 AM

Posted 11 May 2010 - 08:11 PM

Hey folks,
It's just me with another one LOL. All folks belonging to the blind and visually impaired community, keep an eye out for Super Antispyware for it accidentally detected two of the files for the accessible game judgment day as being infected with trojan.agent/gen-cryptor. I reported it immediately, so they should update their defs so that it doesn't happen again. Just keep a close eye.

Regards,
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#10 Sefket

Sefket

  • Members
  • 155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:06 AM

Posted 22 May 2010 - 08:42 PM

I can't stand False Positives - always frustrates me if my computer is still safe or if its infected. Thanks for keeping us updated.

#11 Terry Turn

Terry Turn

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:India
  • Local time:08:36 PM

Posted 28 June 2010 - 10:06 AM

MalwareBytes' Anti-malware

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys


Had this one yesterday 11/17



HI

C:\WINDOWS\system32\drivers\atapi.sys is an infected file. Check for the file size.
The size of atapi.sys should be 94kb. If the file size is 95kb or 93kb , the file is infected . This infected can cause Google and other search engines redirection.
Terry Turn

#12 Terry Turn

Terry Turn

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:India
  • Local time:08:36 PM

Posted 28 June 2010 - 10:10 AM

The Antivirus software which I am using detected few genuine system files as infected files
C:\windows\system32\services.exe
C:\windows\system32\winlogon.exe
Terry Turn

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,317 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:06 PM

Posted 30 June 2010 - 05:05 AM

Please click HERE and follow the instructions in STEP 2 to download and run the norton removal tool.

Maybe you should make sure they are not infected with a file infector virus. You can doublecheck those files at www.virustotal.com

C:\WINDOWS\system32\drivers\atapi.sys is an infected file. Check for the file size.
The size of atapi.sys should be 94kb. If the file size is 95kb or 93kb , the file is infected . This infected can cause Google and other search engines redirection.

Maybe you should check the date this was reported :thumbsup:

Edited by elise025, 30 June 2010 - 05:06 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 Jayson201

Jayson201

  • Members
  • 208 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 11 July 2010 - 09:14 AM

HI

C:\WINDOWS\system32\drivers\atapi.sys is an infected file. Check for the file size.
The size of atapi.sys should be 94kb. If the file size is 95kb or 93kb , the file is infected . This infected can cause Google and other search engines redirection.


My atapi.sys is 24kb O.o Then again, I have Win7.....

#15 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:11:06 AM

Posted 13 July 2010 - 05:25 PM

just another one. USB Guardian is tagged by MBAM. The main executable is tagged as Trojan.FakeAlert.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users