
Possible Fp with Adwcleaner 3.020


16 replies to this topic

#1 shadowk8

Posted 28 February 2014 - 11:10 PM

Hey guys, looks like I found a false positive with AdwCleaner 3.020 regarding C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk

Seems to be thinking that the Windows 8.1 search function is infected; I don't believe that to be true. Wanted to send the log to him on his main site but was having trouble logging in, so I was wondering if you guys could possibly contact him. Also wanted to make sure it was a false positive.

 

Appreciate it

Colin

 

# AdwCleaner v3.020 - Report created 28/02/2014 at 22:46:31
# Updated 27/02/2014 by Xplode
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : ColinR - COLIN
# Running from : D:\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16518
 
 
-\\ Google Chrome v33.0.1750.117
 
[ File : C:\Users\ColinR\AppData\Local\Google\Chrome\User Data\Default\preferences ]



 


#2 cryptodan (Bleepin Madman)

Posted 01 March 2014 - 12:03 AM

Can you go to that location, and right click on the file and select properties and take a screenshot of it and post it here?

#3 Didier Stevens (BC Advisor)

Posted 01 March 2014 - 06:06 AM

Can you submit that file to VirusTotal and post the report link here?

 

Thanks


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 shadowk8 (Topic Starter)

Posted 01 March 2014 - 03:45 PM

Yeah, sure, sorry for the late replies:

 

cryptodan, here's a screenshot uploaded to imgur with the AdwCleaner log/file location etc.: http://i.imgur.com/bIopraD.jpg

Also the target of the shortcut: %windir%\system32\rundll32.exe -sta {C90FB8CA-3295-4462-A721-2935E83694BA}

 

And Didier Stevens, here's the VirusTotal link: https://www.virustotal.com/en/file/889a5b65315613b8d29ef66efec7198c5ef13a698fc0b237948a5443bd27c9da/analysis/1393706650/

 

What do you guys think?


Edited by shadowk8, 01 March 2014 - 03:46 PM.


#5 noknojon

Posted 01 March 2014 - 06:45 PM

Hi -

Many systems are not the same, and this is why the program starts like this -

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.

 

At this stage you can choose to remove or Not remove (untick) any program found.

Always submit an AdwCleaner[R0].txt if you think you have any suspect programs, and highlight the program.

 

All of these cleaner programs are varied and you must read the pre-check list (R0 txt)

The programs put up by AdwCleaner are to give you or your helper an idea of what to remove.
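The AdwCleaner[R0].txt that the steps above produce is plain text with "***** [ Section ] *****" headers and one "Found"/"Deleted" line per item, so it is easy to keep and compare between runs. The following is my own parser for that format, added here as an example; it is not AdwCleaner's code and not something posted in the thread. The sample report is the second one posted further down in this thread, embedded so the script runs without the file; the "earlier run" used for the diff is derived from that sample by stripping the Registry findings, which is what the first report in the thread looked like.

```powershell
# Added example: my own parser for the AdwCleaner v3 report format, not AdwCleaner's code and
# not from the thread. Sample text is the report posted in this thread, embedded inline.
$sample = @'
# AdwCleaner v3.020 - Report created 08/03/2014 at 00:16:54
# Updated 27/02/2014 by Xplode
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : ColinR - COLIN
# Running from : C:\Users\ColinR\Documents\anti-Malware programs\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\caphyon
Key Found : [x64] HKCU\Software\caphyon

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16518

-\\ Google Chrome v33.0.1750.146

[ File : C:\Users\ColinR\AppData\Local\Google\Chrome\User Data\Default\preferences ]
'@

function ConvertFrom-AdwCleanerReport {
    param([Parameter(Mandatory)][string]$Text)
    $meta     = [ordered]@{}
    $section  = $null
    $browser  = $null
    $findings = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^# AdwCleaner (v\S+) - Report created (.+)$') {
            $meta['Version'] = $Matches[1]; $meta['Created'] = $Matches[2]; continue
        }
        if ($line -match '^# (.+?) : (.+)$')              { $meta[$Matches[1]] = $Matches[2]; continue }
        if ($line -match '^\*{5} \[ (.+?) \] \*{5}$')     { $section = $Matches[1]; $browser = $null; continue }
        if ($line -match '^-\\\\ (.+?) (v[\d.]+)$')       { $browser = $Matches[1]; continue }
        # Finding lines look like "<Type> <Found|Deleted> : [x64] <item>"; the [x64] tag is optional.
        if ($line -match '^(\w+) (Found|Deleted) : (?:\[(x64)\] )?(.+)$') {
            $view = if ($Matches[3]) { 'x64' } else { 'x86' }
            $findings += [pscustomobject]@{
                Section = $section; Browser = $browser; Type = $Matches[1]
                Action  = $Matches[2]; View = $view; Item = $Matches[4]
            }
        }
    }
    [pscustomobject]@{ Meta = [pscustomobject]$meta; Findings = $findings }
}

$report = ConvertFrom-AdwCleanerReport -Text $sample
$report.Meta
$report.Findings | Format-Table Section, Type, Action, View, Item -AutoSize

# Diff against an earlier run. The earlier text is constructed from the sample by removing the
# Registry findings; '=>' marks findings that are new in the latest report.
$earlier = ConvertFrom-AdwCleanerReport -Text ($sample -replace '(?m)^Key Found : [^\r\n]*\r?\n', '')
Compare-Object -ReferenceObject $earlier.Findings -DifferenceObject $report.Findings -Property Section, View, Item
```

Run against a real report with `ConvertFrom-AdwCleanerReport -Text (Get-Content AdwCleaner[R0].txt -Raw)`. Keeping the objects from each run and diffing them is what tells you whether an item "popped back up" after a particular install, which is the question asked later in this thread about the Caphyon keys.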



#6 shadowk8 (Topic Starter)

Posted 01 March 2014 - 07:11 PM

Hi noknojon, I'm aware no program is perfect and FPs happen, and in this case it seemed like AdwCleaner was detecting a Windows process, so I figured that would be an important one to inform the creator about. As far as I can tell it's an FP; I may be wrong, which is why I posted to this forum sub, just to double check with you guys more or less.



#7 cryptodan (Bleepin Madman)

Posted 01 March 2014 - 09:11 PM

I would consider this a false positive. The shortcut link refers to a legit software process.

#8 shadowk8 (Topic Starter)

Posted 02 March 2014 - 01:23 PM

Good to hear. I don't know if you guys talk to the AdwCleaner creator, but it would be great if someone could report it as an FP :P

 

thank you guys 



#9 Didier Stevens (BC Advisor)

Posted 02 March 2014 - 02:03 PM

The file you submitted to VirusTotal is rundll32.exe and it is fine, its digital signature is valid.




#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 02 March 2014 - 04:25 PM

I have advised the developer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 shadowk8 (Topic Starter)

Posted 08 March 2014 - 12:25 AM

I meant to also mention that the past version 3.19 detected HKCU\Software\caphyon and [x64] HKCU\Software\caphyon; I never noticed it in previous versions. Haven't found anything really bad about them, nor have I noticed anything strange going on in my browsers, so I think it might be another FP, not sure; what did you guys think about them? I ended up just removing them in AdwCleaner 3.19; seems it popped back up, might be from tonight after installing the Curse Voice beta client. I guess I'm asking: should I just leave it alone like the Search.lnk as an FP, or remove them? Sorry for the 20 questions :/

 

scan from today:

 

# AdwCleaner v3.020 - Report created 08/03/2014 at 00:16:54
# Updated 27/02/2014 by Xplode
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : ColinR - COLIN
# Running from : C:\Users\ColinR\Documents\anti-Malware programs\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\caphyon
Key Found : [x64] HKCU\Software\caphyon
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16518
 
 
-\\ Google Chrome v33.0.1750.146
 
[ File : C:\Users\ColinR\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Edited by shadowk8, 08 March 2014 - 12:36 AM.


#12 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 08 March 2014 - 07:48 AM

Caphyon is a software company that develops Windows Installer authoring software (i.e. Advanced Installer), search engine software, and optimization software, all of which are notorious for being part of bundled packages.


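Because the same vendor's installer framework ships inside both wanted and bundled software, the useful question about HKCU\Software\caphyon is not "is the key bad" but "which installed product owns it". The script below is my own triage for that, added as an example; it is not code from the thread and not AdwCleaner's detection logic. The Uninstall key paths are the standard ones. The Wow6432Node path (my reading of the log's [x64] tag), the idea that subkey names under a vendor key identify the product that wrote them, and the verdict rule at the end are my assumptions and are marked as such in the code.

```powershell
# Added example: my own triage for the Caphyon keys in the AdwCleaner log. Not from the thread,
# not AdwCleaner's logic. Assumptions are flagged inline.
$vendor = 'caphyon'
# The log lists the key once plain and once tagged [x64]. I read the tag as the 64-bit view and
# add the Wow6432Node path as a guess at the 32-bit one; a path that does not exist is skipped.
$vendorKeys = @("HKCU:\Software\$vendor", "HKCU:\Software\Wow6432Node\$vendor")

function Show-RegistryTree {
    param([string]$Path)
    if (-not (Test-Path $Path)) { "  (absent) $Path"; return }
    foreach ($k in @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)) {
        $k.Name
        foreach ($v in $k.GetValueNames()) {
            $label = if ($v) { $v } else { '(default)' }
            '    {0} = {1}' -f $label, $k.GetValue($v)
        }
    }
}

'== Keys reported by AdwCleaner =='
$vendorKeys | ForEach-Object { Show-RegistryTree $_ }

# Assumption: subkeys under a vendor key are usually named after the product (or its MSI
# ProductCode) that wrote them, so their names are usable hints for finding the owning install.
$hints = foreach ($p in $vendorKeys) {
    if (Test-Path $p) { Get-ChildItem $p -Recurse | ForEach-Object { $_.PSChildName } }
}
$hints = @($hints | Where-Object { $_ -and $_ -ne 'Advanced Installer' } | Sort-Object -Unique)

'== Installed products matching the vendor name or those hints =='
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = foreach ($e in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    $related = ($e.Publisher -match $vendor) -or ($hints -contains $e.PSChildName)
    foreach ($h in $hints) {
        if ($e.DisplayName -and $e.DisplayName -match [regex]::Escape($h)) { $related = $true }
    }
    if ($related) { $e | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, PSChildName }
}
if ($products) { $products | Format-Table -AutoSize } else { '  none' }

'== Folders named after the vendor in the usual install and data locations =='
$roots   = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
           Where-Object { $_ }
$folders = @(Get-ChildItem -Path $roots -Directory -Filter "*$vendor*" -ErrorAction SilentlyContinue)
if ($folders) { $folders | Select-Object FullName, LastWriteTime | Format-Table -AutoSize } else { '  none' }

# Verdict rule (mine): a key with no owning product and no folders is orphaned residue and safe
# to delete; a key that an installed product keeps recreating belongs to that product, and
# deleting the key only hides the finding until the next scan.
if (-not $products -and -not $folders) {
    'Verdict: nothing owns this key; it looks like orphaned residue.'
} else {
    'Verdict: an installed product or folder is associated with this key; decide about the product, not the key.'
}
```

If the key reappears right after a particular setup ran, as the poster reports after the Curse Voice client, the product list and folder timestamps above are what tie it to that setup; removing the key again is pointless while the program stays installed.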

#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 08 March 2014 - 08:15 AM

In regards to your previous report for...

***** [ Files / Folders ] *****
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk


M-K-D-B, BC Malware Response Team advised...

If I remember correctly, there are PUPs like snap.do which modify this file. This may be the reason why AdwCleaner reports it. I'm going to add it to my next feedback for Xplode.

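If the detection exists because PUPs rewrite this shortcut, the check that settles a given case is to look at what Search.lnk actually launches, not at whether rundll32.exe is genuine (the file submitted to VirusTotal earlier was rundll32.exe, the shortcut's target, which of course is fine). The script below is my own triage, added as an example; it is not code from the thread and not AdwCleaner's rule. It does in one go what cryptodan and Didier Stevens asked for: shows the target and arguments as the Properties dialog would, hashes both the .lnk and its target so the right file goes to VirusTotal, verifies the target's Authenticode signature, and resolves the CLSID passed to "rundll32 -sta" to its COM server and checks that binary too. It assumes Windows 8.1 or later with PowerShell 4 (for Get-FileHash); the expected target path and the "a tampered shortcut carries a URL or a second executable in its arguments" pattern are my assumptions about what a PUP-modified shortcut looks like.

```powershell
# Added triage script: my own example, not code from the thread and not AdwCleaner's detection
# logic. Assumes Windows 8.1 or later with PowerShell 4 (Get-FileHash) and a normal user console.
param(
    [string]$LnkPath = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk'
)

if (-not (Test-Path -LiteralPath $LnkPath)) { throw "Shortcut not found: $LnkPath" }

# Read the same fields the Properties dialog shows, through the shell COM object.
$shell     = New-Object -ComObject WScript.Shell
$lnk       = $shell.CreateShortcut($LnkPath)
$target    = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
$arguments = $lnk.Arguments

# Hash the .lnk and the target separately: VirusTotal needs the .lnk if the question is
# "was the shortcut tampered with", and the target if the question is "is rundll32 genuine".
"Shortcut : $LnkPath"
"  SHA256 : $((Get-FileHash -LiteralPath $LnkPath -Algorithm SHA256).Hash)"
"Target   : $target"
"  SHA256 : $((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash)"
"Arguments: $arguments"

# Check 1: the target must be the real rundll32.exe under %windir% with a valid signature.
# Windows system binaries are mostly catalog-signed; Get-AuthenticodeSignature reports those as
# Valid on Windows 8 and later.
$expected = Join-Path $env:windir 'System32\rundll32.exe'
$sig = Get-AuthenticodeSignature -FilePath $target
"Signature: $($sig.Status) - $($sig.SignerCertificate.Subject)"
if ($target -ne $expected)   { Write-Warning "Target is '$target', expected '$expected'" }
if ($sig.Status -ne 'Valid') { Write-Warning "Target signature status is $($sig.Status)" }

# Check 2 (my assumption about shortcut-hijacking PUPs): they append a URL or a second
# executable/script to the arguments so that a legitimate target launches their payload.
if ($arguments -match 'https?://|\.(exe|dll|vbs|js|bat|cmd)\b') {
    Write-Warning "Arguments carry a URL or an extra executable/script: $arguments"
}

# Check 3: 'rundll32 -sta {CLSID}' creates the COM object with that CLSID, so the code that
# actually runs is the class's server, not rundll32. Resolve it and verify its signature too.
if ($arguments -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
    $clsid = $Matches[0]
    $key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if (-not (Test-Path $key)) {
        Write-Warning "CLSID $clsid is not registered under HKCR\CLSID"
    } else {
        $name   = (Get-ItemProperty -Path $key).'(default)'
        $server = $null
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $p = Get-ItemProperty -Path "$key\$sub" -ErrorAction SilentlyContinue
            if ($p -and $p.'(default)') {
                $server = [Environment]::ExpandEnvironmentVariables($p.'(default)'); break
            }
        }
        # A LocalServer32 value may be quoted and carry arguments; keep only the path.
        if ($server -match '^"([^"]+)"') { $server = $Matches[1] }
        "CLSID    : $clsid = $name"
        "Server   : $server"
        if ($server -and (Test-Path -LiteralPath $server)) {
            $ssig = Get-AuthenticodeSignature -FilePath $server
            "  Signature: $($ssig.Status) - $($ssig.SignerCertificate.Subject)"
            if ($ssig.Status -ne 'Valid') { Write-Warning "COM server signature status is $($ssig.Status)" }
        } else {
            Write-Warning "COM server for $clsid was not found on disk"
        }
    }
}
```

For the shortcut in this thread the clean outcome is: target equals C:\Windows\System32\rundll32.exe with a valid Microsoft signature, arguments of just "-sta {CLSID}", and a CLSID that resolves to a signed system DLL. A target elsewhere (especially under the user profile), a URL or extra executable in the arguments, or an unregistered or unsigned COM server is what the snap.do-style modification mentioned above would look like, and in that case the .lnk itself, not rundll32.exe, is the file to submit.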

#14 shadowk8 (Topic Starter)

Posted 08 March 2014 - 01:47 PM

Yeah, looking through the registry last time I saw Advanced Installer, but of course never saw anything using it. I'll remove them in a second; figured they were more of a nuisance than damaging. And regarding the Search.lnk file, sounds like it's a 50/50, so sensitive to detection. I might just remove it out of curiosity and see if anything happens; can always /scannow on the command prompt if it's causing issues. Anyways, I appreciate you responding to my paranoia, quietman7, lol. I guess keep me up to date if you don't mind.

 

Thanks guys,

Colin



#15 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 08 March 2014 - 03:43 PM

Not a problem...that's what we are here for.



