AdwCleaner False Positive Reporting Topic


135 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin

Posted 25 March 2015 - 05:33 PM

If you run into any false positives where AdwCleaner is deleting legitimate applications, please use this topic to report them to the developer. When reporting them, please post a copy of the log that is produced when you run AdwCleaner.

Thank you.


 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team

Posted 25 March 2015 - 05:45 PM

Looks like you just gave me something to do tonight in a VM. Is he aware of legitimate applications that are deleted because they are running from the AppData folders? If so, will he exclude them or not?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin

Posted 25 March 2015 - 05:47 PM

Unknown... post whatever you find and I will make sure it's relayed on. I created this as I routinely get PMs about false positives and felt it was better to have a single place to report them.

#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team

Posted 25 March 2015 - 06:26 PM

Hotspot Shield and Lightshot still being flagged by AdwCleaner. Brand new Windows 7 64-bit VM with Hotspot Shield, OpenVPN, Gyazo, Lightshot and Greenshot installed.

# AdwCleaner v4.113 - Logfile created 25/03/2015 at 14:20:23
# Updated 22/03/2015 by Xplode
# Database : 2015-03-23.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Test - TEST-PC
# Running from : C:\Users\Test\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : hshld

***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****

Task Found : update-sys
Task Found : update-S-1-5-21-595279432-3498618734-902360539-1001
Task Found : update-sys

***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>127.0.0.1;localhost;10.*;192.168.*;127.0.0.1:895;127.0.0.1:896
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=127.0.0.1:8555;hxxps=127.0.0.1:8555
Key Found : HKCU\Software\anchorfree
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hotspotshield.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hotspotshield.com
Key Found : [x64] HKCU\Software\anchorfree
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Lightshot]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

*************************

AdwCleaner[R0].txt - [299 bytes] - [25/03/2015 14:16:32]
AdwCleaner[R1].txt - [1629 bytes] - [25/03/2015 14:20:23]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [1688 bytes] ##########



#5 estreia

estreia

  • Members

Posted 26 March 2015 - 05:05 PM

Would this count as a false positive? I think I read somewhere the internet setting proxy override was false but what about the other one? I wasn't sure if I should be asking in this thread either...Sorry for text wall. 

 

 

# AdwCleaner v4.113 - Logfile created 26/03/2015 at 17:59:11
# Updated 22/03/2015 by Xplode
# Database : 2015-03-26.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : xweet_000 - RONNIE
# Running from : C:\Users\xweet_000\Desktop\adwcleaner_4.113.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v38.0.2125.104
 
 
-\\ Chrome Canary v
 
*************************
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[R27].txt - [3210 bytes] ##########


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team

Posted 27 March 2015 - 07:19 AM

For the uninstall CLSID present, I guess it's a good detection since it's also flagged by McAfee under a PUP.

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=8338014#none

Also I guess that [ProxyOverride] keys cannot really constantly be flagged as a FP since a lot of malware will modify these settings and there's just way too many possibilities.



#7 M-K-D-B

M-K-D-B

  • Malware Response Team

Posted 27 March 2015 - 08:42 AM

> Hotspot Shield and Lightshot still being flagged by AdwCleaner. Brand new Windows 7 64-bit VM with Hotspot Shield, OpenVPN, Gyazo, Lightshot and Greenshot installed.

Reported as a FP to Xplode.


Regards,
M-K-D-B

#8 JKAraya

JKAraya

  • Members

Posted 20 April 2015 - 09:19 AM

tific.exe
tificchild.exe
bomgar-scc.exe

These processes are used by tech support software / remote desktop software to provide tech support. AdwCleaner kills them when used and disconnects the support agent.



#9 M-K-D-B

M-K-D-B

  • Malware Response Team

Posted 21 April 2015 - 02:46 PM

> tific.exe
> tificchild.exe
> bomgar-scc.exe
>
> These processes are used by tech support software / remote desktop software to provide tech support. AdwCleaner kills them when used and disconnects the support agent.

Reported to Xplode.


Regards,
M-K-D-B

#10 Digiti

Digiti

  • Members

Posted 23 April 2015 - 05:47 AM

AdwCleaner latest version is showing these three registry entries in Windows 7 64bit: https://app.box.com/s/35hosdgpi11iprfcbtu66lbbfzdg53yd

None of my other antimalware programs are picking this up, like Emsisoft AntiMalware, Malwarebytes free or HitmanPro.

I did not delete these because I am afraid I will lose my internet connection. Please advise. Thank you.



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team

Posted 23 April 2015 - 07:01 AM

Are you using a proxy or VPN of some sort in your browsers or on your connection? Check your Internet Options, under the Connection tab and click on the Settings button. What do you see?



#12 M-K-D-B

M-K-D-B

  • Malware Response Team

Posted 23 April 2015 - 02:43 PM

Hi,

> AdwCleaner latest version is showing these three registry entries in Windows 7 64bit: https://app.box.com/s/35hosdgpi11iprfcbtu66lbbfzdg53yd
>
> None of my other antimalware programs are picking this up, like Emsisoft AntiMalware, Malwarebytes free or HitmanPro.
>
> I did not delete these because I am afraid I will lose my internet connection. Please advise. Thank you.

Can you please run a new scan with version 4.202 and post the logfile here (just press the logfile button after the scan has finished and Notepad will open with the scan results)?

 

Thank you in advance.


Regards,
M-K-D-B

#13 Digiti

Digiti

  • Members

Posted 23 April 2015 - 05:13 PM

> Are you using a proxy or VPN of some sort in your browsers or on your connection? Check your Internet Options, under the Connection tab and click on the Settings button. What do you see?

No VPN or Proxy setup here.



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team

Posted 23 April 2015 - 05:14 PM

Proceed with the instructions given by M-K-D-B just above please, they take priority over mine :)



#15 Digiti

Digiti

  • Members

Posted 23 April 2015 - 05:23 PM

# AdwCleaner v4.202 - Logfile created 23/04/2015 at 18:16:18
# Updated 23/04/2015 by Xplode
# Database : 2015-04-23.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Bob1 - BOB1-PC
# Running from : C:\Users\Bob1\Desktop\adwcleaner_4.202.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:8080
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [DefaultConnectionSettings]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [SavedLegacySettings]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17728

-\\ Mozilla Firefox v37.0.2 (x86 en-US)

-\\ Pale Moon v25.3.1 (en-US)

-\\ Google Chrome v42.0.2311.90

-\\ Opera v28.0.1750.51

*************************

########## EOF - C:\AdwCleaner\AdwCleaner[R40].txt - [4921 bytes] ##########

This is my latest scan today.
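
Added example, not part of the original posts and not AdwCleaner's own code: a small Python parser for the scan-log layout posted in this thread. It pulls out the proxy-related Internet Settings entries so they can be compared with what the user says is configured. The sample log is constructed from that layout, and `ExampleVendor` is a placeholder key name.

```python
import re
from collections import defaultdict

# Constructed sample in the scan-log layout shown in this thread.
SAMPLE_LOG = r"""# AdwCleaner v4.202 - Logfile created 23/04/2015 at 18:16:18
# Option : Scan

***** [ Services ] *****

***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:8080
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [SavedLegacySettings]
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>
Key Found : [x64] HKCU\Software\ExampleVendor

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17728
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")             # ***** [ Registry ] *****
ENTRY = re.compile(r"^(\w+) Found : (?:\[x64\] )?(.+)$")       # Key/Value/Data/Task Found : ...
REG_VALUE = re.compile(r"^(.*?) \[([^\]]+)\](?: - (.*))?$")    # path [ValueName] - data
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride"}
# Loopback host in either "host:port" or "proto=host:port;..." form.
LOOPBACK = re.compile(r"(?:^|[=;])(?:localhost|127\.\d+\.\d+\.\d+)(?::\d+)?(?=;|$)", re.I)

def parse_log(text):
    """Return {section: [entry dict, ...]} for every 'X Found :' line."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = m.group(1)
        elif current and (m := ENTRY.match(line)):
            kind, target = m.groups()
            entry = {"kind": kind, "path": target, "value": None, "data": None}
            if current == "Registry" and (r := REG_VALUE.match(target)):
                entry.update(path=r.group(1), value=r.group(2), data=r.group(3))
            sections[current].append(entry)
    return dict(sections)

def proxy_findings(sections):
    """Proxy-related registry entries, noting when ProxyServer points at loopback."""
    out = []
    for e in sections.get("Registry", []):
        if e["value"] in PROXY_VALUES:
            loop = e["value"] == "ProxyServer" and bool(LOOPBACK.search(e["data"] or ""))
            out.append((e["value"], e["data"], "loopback proxy" if loop else "review"))
    return out
```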





