Author Topic: False Positive alarm?


Offline Yezinki

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 810
False Positive alarm?
« on: March 17, 2010, 09:12:38 AM »
Hi there. Avast 5 Free Ed on a fresh install of Vista 32 bit displayed "Rootkit Found" while I was trying to figure out the Nero BackUp service. It said "Rootkit hidden in service" and offered Ignore/Delete. I really didn't know what to do. My questions are: why didn't it detect it on a boot scan? The service is still there; when I open it I don't get the message again. If there was a rootkit that got deleted, would there be any log of it? Strange. Hoping to hear your views. Thanks!
OS: W7 Pro 32bit.

Protection:  Avast 12.3 Free, MBAM.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85156
  • No support PMs thanks
Re: False Positive alarm?
« Reply #1 on: March 17, 2010, 04:15:04 PM »
Without information, how can we comment???

What was the file name and location of the detection?

This, I believe, is considered Suspect rather than Infected, is it not (and Ignore is the suggested action)?

- "A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis."
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.5.2470 (build 21.5.6354.675) UI 1.0.646/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Yezinki
Re: False Positive alarm?
« Reply #2 on: March 17, 2010, 05:24:54 PM »
It said "Rootkit hidden in Nero BackUp Service"... that was the location.

Offline Yezinki
Re: False Positive alarm?
« Reply #3 on: March 17, 2010, 05:33:16 PM »
NB Service: C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37033
Re: False Positive alarm?
« Reply #4 on: March 17, 2010, 05:45:12 PM »
Upload the file to VirusTotal (www.virustotal.com). When you have the result, copy the URL in the address bar and post it HERE.

Offline DavidR
Re: False Positive alarm?
« Reply #5 on: March 17, 2010, 06:54:07 PM »
@ Pondus
I don't believe VT will find anything, as it doesn't use anti-rootkit scanning, just bog-standard signature scanning.

@ Yezinki
Presumably this has been on your system for some time?
See http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=NBService.exe which indicates that it is a legit location, but that is no confirmation the file and its use are clean.

I don't know why Nero would require a hidden service to run the Nero BackItUp though.
What happens if in Nero you disable this BackItUp function (what exactly does it do)?

Just click the Ignore button and critically allow it to be sent for analysis.
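Pondus suggests uploading the file to VirusTotal, and DavidR questions why a backup tool would need a service that the scanner reports as hidden. The script below is an added example written for this thread, not code from the forum or from Avast, showing the check a defender can run before deciding between Ignore and Delete: it compares the services the Service Control Manager enumerates with the services defined in the registry (a user-mode service present in the registry but missing from the SCM list is the kind of discrepancy a "hidden service" alert points at), then resolves the binary of one named service, hashes it and reads its Authenticode signature, so the file can be looked up on VirusTotal by SHA-256 without uploading it. It assumes Windows, an elevated PowerShell session, and a saved .ps1 file (the `param` block needs that); the default service name `NBService` is taken from the path Yezinki posted.

```powershell
# Added example for this thread, not from the forum or from Avast.
# Cross-check SCM vs. registry service lists, then hash and inspect one service binary.
# Save as a .ps1 and run from an elevated PowerShell prompt.
param(
    [string]$ServiceName = 'NBService'   # name from the thread, used as the default
)

# 1. Services the Service Control Manager reports (what services.msc shows).
$scmNames = Get-Service | Select-Object -ExpandProperty Name

# 2. Services defined under the registry. Type 0x10 (own process) and 0x20
#    (shared process) are user-mode services; drivers carry other Type values.
$regServices = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p -and ($p.Type -band 0x30)) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                ImagePath = $p.ImagePath
            }
        }
    }

# 3. A user-mode service in the registry that the SCM does not enumerate deserves
#    a closer look. A rootkit hooking enumeration is one explanation; a stale key
#    left behind by an uninstaller is another, so this is a lead, not a verdict.
$notEnumerated = $regServices | Where-Object { $scmNames -notcontains $_.Name }
if ($notEnumerated) {
    Write-Host 'Services defined in the registry but not reported by the SCM:'
    $notEnumerated | Format-Table -AutoSize
} else {
    Write-Host 'Registry and SCM service lists agree.'
}

# 4. Resolve the requested service's executable, hash it and read its signature.
$svc = $regServices | Where-Object { $_.Name -eq $ServiceName }
if (-not $svc) {
    Write-Host "No registry entry for service '$ServiceName'."
    return
}

# ImagePath may be quoted and may carry arguments; keep only the .exe path.
$exe = $svc.ImagePath -replace '^"([^"]+)".*$', '$1' -replace '^(.*?\.exe)(\s.*)?$', '$1'
$exe = [System.Environment]::ExpandEnvironmentVariables($exe)

if (Test-Path -LiteralPath $exe) {
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        Service   = $svc.Name
        Path      = $exe
        SHA256    = $hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    } | Format-List
    Write-Host 'Search VirusTotal for the SHA256 above before uploading the file.'
} else {
    Write-Host "Binary for '$ServiceName' not found at '$exe' (already deleted?)."
}
```

Two caveats on reading the output. First, this is a cross-view check made from inside the running system: a rootkit that hooks both the SCM and registry APIs can present a consistent picture to both, which is why the offline or boot-time scan Yezinki asked about is the stronger test, and why an agreeing result here does not clear the machine. Second, a valid signature from the expected vendor plus a clean hash lookup is good evidence that the alert was heuristic noise, which is what DavidR's quoted "suspicious file" wording describes; an unsigned binary in a vendor directory, or a registry entry the SCM does not show, is the case where keeping the file quarantined and submitting it for analysis is the safer choice.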

Offline bong2x

  • Poster
  • *
  • Posts: 474
  • My system Protector is avast
Re: False Positive alarm?
« Reply #6 on: March 17, 2010, 07:02:00 PM »
Maybe for the reason that it hides itself to protect itself from direct deletion. Users are very curious; if there is something they see that they don't understand, they delete it. So what happens if that file is not hidden? ::)
Hardware
Intel Core 2 Duo @ 2.20GHz,3GB RAM.
Software
OS->WinXp-pro Sp3.
Protection->avast Free 6.0.1091,MBAM,SAS
Browser->Firefox 4.0,IE8,G-chrome
Emergency Interface->unlocker 1.8.9

Life is a continue process of learning

Offline DavidR
Re: False Positive alarm?
« Reply #7 on: March 17, 2010, 07:14:31 PM »
But why, in an application that has nothing to do with security, which can be reinstalled, etc.? It shouldn't need to run as a hidden service.

Offline Yezinki
Re: False Positive alarm?
« Reply #8 on: March 18, 2010, 03:27:03 AM »
I must have deleted it, because I don't see the NBService.exe file in the location. When it was detected I got the option of Delete & Ignore. Would I need to uninstall & reinstall Nero?

Thanks!

Offline DavidR
Re: False Positive alarm?
« Reply #9 on: March 18, 2010, 03:59:33 AM »
Well I don't know what the Nero BackItUp function does and the NBService.exe file in particular, so I can't really say. But if you don't use the Nero BackItUp function then I wouldn't have thought it necessary to reinstall Nero.

If you use Nero regularly and a function reports the missing file, then you may have to reinstall to recover the file if it doesn't allow what it is you are trying to do to run.

Offline Yezinki
Re: False Positive alarm?
« Reply #10 on: March 18, 2010, 04:01:09 AM »
Thanks DavidR for expressing your expert views.

Offline DavidR
Re: False Positive alarm?
« Reply #11 on: March 18, 2010, 04:06:36 AM »
You're welcome, hardly expert views in this case as I don't use Nero on this system (haven't used it for a few years) and am not familiar with it.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 70698
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: False Positive alarm?
« Reply #12 on: March 18, 2010, 10:07:28 AM »
Quote from: DavidR on March 17, 2010, 07:14:31 PM
But why, in an application that has nothing to do with security, which can be reinstalled, etc.? It shouldn't need to run as a hidden service.

Some notebook companies do integrate their software also in root, like some progs from Asus. I had an FP from Avast with that. Why they do it, I don't know...
Win 8.1 [x64] - Avast PremSec 21.5.6354.BCi [UI.646] - EEK - Firefox ESR 78.11 [NS/uBO/PB] - TB 78.11
Avast-Tools: Secure Browser 91.0 - Cleanup 21.1 - SecureLine 5.12 - Driver Updater 21.1 - CCleaner 5.82
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR
Re: False Positive alarm?
« Reply #13 on: March 18, 2010, 02:46:18 PM »
But Nero has nothing to do with notebook companies. When you install the software 'it' and not the notebook company determines how its services run. This is still true even if Nero is installed by the manufacturer rather than the user installing it.

Offline Asyn
Re: False Positive alarm?
« Reply #14 on: March 18, 2010, 02:57:22 PM »
Quote from: DavidR on March 18, 2010, 02:46:18 PM
But Nero has nothing to do with notebook companies. When you install the software 'it' and not the notebook company determines how its services run. This is still true even if Nero is installed by the manufacturer rather than the user installing it.

True.
But I had some root DVD-related things on my C: even without any CD/DVD drive in my notebook.
Funny, isn't it... ;)