adw-cleaner detection: possibly false/positive?

#1 LASERzzzzzz
Posted 22 June 2016 - 02:02 PM

Hi,

I have a (gaming) laptop "msi GT72-2QD" (GTX970M, i7, W8.1 preinstalled). I'm using it only for gaming (games only from Steam/EA); therefore
there are only a few other/"normal" applications installed on this machine. Security software that I'm frequently using ("real time" and "on demand")
on this laptop:
1) "F-Secure Internet Security 2016"
2) "Malwarebytes Anti-Malware Free"
3) "Zemana AntiMalware Premium"
4) "AdwCleaner"

I installed the latest version of "AdwCleaner" (v5.200) and ran a scan. The software detected two entries in the registry: see report below.
After that I also ran the other AV software, but there were no detections; everything was OK. In the past 5-6 months I already had several
false positive detections from AdwCleaner, so I think/hope this time it's also "only" a false positive detection.....
The log file is in German, so I hope it's not too difficult for you guys to find a solution....

thanks a lot !

LASERzzzzzz .......................live from Europe/Germany..........................................................................................................

# AdwCleaner v5.200 - Bericht erstellt am 22/06/2016 um 20:33:21
# Aktualisiert am 14/06/2016 von ToolsLib
# Datenbank : 2016-06-22.1 [Server]
# Betriebssystem : Windows 8.1  (X64)
# Benutzername : NRG1 - NRG1GT72
# Gestartet von : C:\liveSTOR\adw_cleaner\AdwCleaner.exe
# Option : Suchlauf
# Unterstützung : https://toolslib.net/forum

***** [ Dienste ] *****


***** [ Ordner ] *****


***** [ Dateien ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Verknüpfungen ] *****


***** [ Aufgabenplanung ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel gefunden : HKLM\SOFTWARE\Classes\AppID\WMHelper.DLL
Schlüssel gefunden : HKLM\SOFTWARE\Classes\AppID\{A7DDCBDE-5C86-415C-8A37-763AE183E7E4}

***** [ Internetbrowser ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [971 Bytes] - [15/06/2016 15:16:45]
C:\AdwCleaner\AdwCleaner[S2].txt - [1043 Bytes] - [18/06/2016 20:59:11]
C:\AdwCleaner\AdwCleaner[S3].txt - [966 Bytes] - [22/06/2016 20:33:21]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1038 Bytes] ##########
#2 Viper_Security
Posted 22 June 2016 - 02:15 PM

wmhelper.dll is a MusicNet file belonging to the MusicNet Client SDK (iMesh release build) from MusicNet, Inc.

It most likely doesn't like it because it's an oddity; you should be fine. (It's just a P2P (peer-to-peer sharing network).)

The software is designed to connect to the Internet and adds a Windows Firewall exception in order to do so without being interfered with.
#3 Aura
Posted 22 June 2016 - 02:40 PM

Actually, it isn't a false positive if you ask me. iMesh is known to be a PUP and therefore, AdwCleaner is right in targeting it.

http://www.nicolascoolman.com/fr/pup-bearshare/
https://www.mywot.com/en/scorecard/imesh.com?utm_source=addon&utm_content=warn-viewsc
#4 Viper_Security
Posted 22 June 2016 - 02:46 PM

> Actually, it isn't a false positive if you ask me. iMesh is known to be a PUP and therefore, AdwCleaner is right in targeting it.
>
> http://www.nicolascoolman.com/fr/pup-bearshare/
> https://www.mywot.com/en/scorecard/imesh.com?utm_source=addon&utm_content=warn-viewsc

PUP = Potentially Unwanted Program

Key word is "Potentially": 76% of people who use it kept it; see for yourself.

http://www.shouldiremoveit.com/iMesh-6582-program.aspx
#5 Aura
Posted 22 June 2016 - 02:48 PM

iMesh also changes your web browser settings (browser hijacker) during the install, which is considered malicious behavior.
#6 Viper_Security
Posted 22 June 2016 - 02:52 PM

> iMesh also changes your web browser settings (browser hijacker) during the install, which is considered malicious behavior.

I see, the EXACT reason I stopped using CNET: they bundled other "software" with it. When installing a program, ALWAYS click "Advanced" to double-check you're only installing the program; that possibly could have been what happened. If still worrisome, try running Rkill: http://www.bleepingcomputer.com/download/rkill/

If Rkill stops it, remove iMesh. And thank you Aura for informing me about the browser redirection.
#7 LASERzzzzzz
Posted 22 June 2016 - 04:25 PM

ok, thanks for your hints/suggestions!

I know that some software contains PUPs, so I've always been using the advanced installation....
...but of course it's possible that I simply forgot to choose the right option ("advanced installation") while installing a program...
But the problem is:

I don't have iMesh on my system... should I run "Rkill" anyway on this laptop?
And I've never been using torrents or any other P2P software...

Here is a list of programs that I installed in the last 4 months... maybe one of them "infected" the laptop....?

[screenshot: list of programs installed in the last 4 months]
#8 Viper_Security
Posted 22 June 2016 - 04:29 PM

> ok, thanks for your hints/suggestions!
>
> I know that some software contains PUPs, so I've always been using the advanced installation....
> ...but of course it's possible that I simply forgot to choose the right option ("advanced installation") while installing a program...
> But the problem is:
>
> I don't have iMesh on my system... should I run "Rkill" anyway on this laptop?
> And I've never been using torrents or any other P2P software...
>
> Here is a list of programs that I installed in the last 4 months... maybe one of them "infected" the laptop....?
>
> [screenshot: list of programs installed in the last 4 months]

The "FreeFileSync" looks suspicious; some versions of that include OpenCandy bundles (PUPs).
#9 quietman7
Posted 22 June 2016 - 06:08 PM

A Potentially Unwanted Program (PUP) is a very broad threat category which can encompass any number of different programs to include those which are benign as well as problematic. Thus, this type of detection does not always necessarily mean the file is malicious or a bad program. PUPs in and of themselves are not always bad...many are generally known, non-malicious but unwanted software usually containing adware or bundled with other free third-party software as a common practice by legitimate vendors to include toolbars, add-ons/plug-ins and browser extensions. PUPs are considered unwanted because they can cause undesirable system performance or other problems and are sometimes installed without the user's consent since they are often included when downloading legitimate programs. However, some users may intentionally install programs with PUP characteristics because they are willing to trade-off the undesirable effects for the benefits provided by using them.

PUPs may also be defined somewhat differently by various security vendors and may or may not be detected/removed based on that definition. That fact adds to confusion and a lot of complaints from end users asking why a detection was not made on a particular file (program) they are having issues with.

Some programs falling into the PUP category have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Since PUP detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive". Anti-virus/Anti-Malware scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Usually, if you installed or recognize the program and it is not causing any issues, you can ignore the detection or add it to its exclusion list. If not, or you downloaded it from an untrusted site, then you need to investigate further.

To learn more about PUPs and how you get them, please read: About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)
#10 LASERzzzzzz
Posted 25 June 2016 - 04:42 AM

> Usually, if you installed or recognize the program and it is not causing any issues, you can ignore the detection or add it to its exclusion list. If not, or you downloaded it from an untrusted site, then you need to investigate further.

Hi

I want to ask you again for your opinion:

I found the suspicious file ("WMHelper.DLL", see post #1) in the installation directory of JRiver Media Center (see screenshot below). I wanted to buy the software,
so I downloaded the trial version from their homepage. It's well-known software and I didn't hear/read anything about security problems with this manufacturer
or their software. I also had no issues on this laptop (after installing JRiver) .....so I think it's safe to ignore this detection....

I also scanned the file. Here are the results: it's clean.

https://www.virustotal.com/de/file/e7d06c07ebf1a26056221276b4b3fdc66826e21358014f8560fe963c1d621080/analysis/1466774203/

[screenshot: JRiver Media Center installation directory containing WMHelper.DLL]

thanks a lot !

LASERzzzzzzzzzzzz......................live from EUROPE/GERMANY.............live from EUROPE/GERMANY............live from EUROPE/GERMANY..............
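A defender's way to check a hit like this one, as an added example that is not code from the thread, from AdwCleaner or from JRiver: the PowerShell script below takes the AppID GUID from the log in post #1, finds the CLSID registration that references it, resolves the registered DLL path, and hashes and signature-checks that file so the SHA256 can be compared with the one in the VirusTotal URL above. It assumes the standard COM registry layout (a CLSID key carrying an `AppID` value and an `InprocServer32` subkey) and should be run in an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): map an AdwCleaner AppID registry hit
# back to the DLL on disk, then hash and signature-check that file.
# The GUID is the one reported in the AdwCleaner log in post #1.
$AppId = '{A7DDCBDE-5C86-415C-8A37-763AE183E7E4}'

# CLSID hives for 64-bit and 32-bit (WOW64) COM registrations
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
)

# Every CLSID whose 'AppID' value points at the flagged AppID
$hits = foreach ($root in $ClsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).AppID -eq $AppId
    }
}

if (-not $hits) {
    Write-Output "No CLSID references $AppId; the key may be an orphan left behind by an uninstall."
    return
}

foreach ($clsid in $hits) {
    $server = Get-ItemProperty (Join-Path $clsid.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
    $dll = $server.'(default)'
    if (-not $dll) { Write-Output "$($clsid.PSChildName): no InprocServer32 path"; continue }
    # REG_EXPAND_SZ values may carry %ProgramFiles%: strip quotes, expand variables
    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))

    if (-not (Test-Path $dll)) {
        Write-Output "$($clsid.PSChildName) -> $dll (file missing: stale registration)"
        continue
    }
    $sig = Get-AuthenticodeSignature $dll
    [pscustomobject]@{
        CLSID     = $clsid.PSChildName
        Path      = $dll
        SHA256    = (Get-FileHash $dll -Algorithm SHA256).Hash.ToLower()  # compare with the VirusTotal URL
        Signer    = $sig.SignerCertificate.Subject   # the vendor that signed the file, if any
        SigStatus = $sig.Status                      # 'Valid' means a trusted, unbroken signature
    }
}
```

If the hash differs from the one that was submitted to VirusTotal, or the file is unsigned, the earlier scan result does not cover the bytes actually installed and the file itself should be submitted for assessment.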
#11 quietman7
Posted 26 June 2016 - 04:08 PM

You can report the detection here and get an official assessment from the developers: AdwCleaner False Positive Reporting Topic...and include the log file.
#12 LASERzzzzzz
Posted 27 June 2016 - 07:12 AM

ok, thanks! ...here is the new POST #122

LASER...................live from EUROPE/GERMANY.............live from EUROPE/GERMANY............live from EUROPE/GERMANY..............
#13 quietman7
Posted 27 June 2016 - 06:24 PM

You're welcome.