Topic: False positive?

tarmac

  • Guest
False positive?
« on: September 19, 2010, 03:48:36 AM »
My wife is a bit concerned that she may be infected. She ran Rootkit Buster with the following results:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
[HIDDEN_FILE]:
   FullPath      : C:\Users\Kat\AppData\Roaming\systemfl.$dk
   FullPathLength: 41
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x2026
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Windows\System32\sys_drv.dat
   FullPathLength: 31
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x26
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Windows\System32\sys_drv_2.dat
   FullPathLength: 33
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x26
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Windows\System32\WinFLdrv.sys
   FullPathLength: 32
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x20
   ShareAccess   : 0x0
   Type          : 0x0
 4 hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

Avast only reported the last entry above (C:\Windows\System32\WinFLdrv.sys).
Personally I suspect it isn't anything to worry about. Any opinions?

Thanks, Tim
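The RootkitBuster dump above is a fixed-format text record whose "Attributes" field is the raw Windows FILE_ATTRIBUTE_* bitmask. As an added example (not code from the thread or from any Trend Micro tool), this Python parses such a dump and decodes each bitmask, so the entries marked HIDDEN|SYSTEM can be told apart from the one that only carries ARCHIVE; the two-record sample is copied from the dump quoted above.

```python
from dataclasses import dataclass

# Windows FILE_ATTRIBUTE_* bit values, which RootkitBuster prints raw in hex
# under "Attributes" for each [HIDDEN_FILE] record.
FILE_ATTRIBUTES = {
    0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY",
    0x20: "ARCHIVE", 0x80: "NORMAL", 0x100: "TEMPORARY", 0x200: "SPARSE_FILE",
    0x400: "REPARSE_POINT", 0x800: "COMPRESSED", 0x1000: "OFFLINE",
    0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
}

@dataclass
class HiddenFile:
    path: str
    attributes: int

    def flags(self):
        """Names of the attribute bits that are set, lowest bit first."""
        return [n for bit, n in sorted(FILE_ATTRIBUTES.items()) if self.attributes & bit]

def parse_rootkitbuster(text):
    """Collect FullPath/Attributes from each [HIDDEN_FILE] record in a dump."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[HIDDEN_FILE]"):
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only; paths contain "C:"
            current[key.strip()] = value.strip()
    return [HiddenFile(r["FullPath"], int(r["Attributes"], 16))
            for r in records if "FullPath" in r and "Attributes" in r]

def triage(text):
    """Map each hidden path to its decoded flag names, for side-by-side review."""
    return {hf.path: hf.flags() for hf in parse_rootkitbuster(text)}

# Constructed sample: two records copied from the RootkitBuster dump quoted in this thread.
SAMPLE = """\
[HIDDEN_FILE]:
   FullPath      : C:\\Users\\Kat\\AppData\\Roaming\\systemfl.$dk
   Attributes    : 0x2026
[HIDDEN_FILE]:
   FullPath      : C:\\Windows\\System32\\WinFLdrv.sys
   Attributes    : 0x20
 2 hidden files found.
"""

if __name__ == "__main__":
    for path, flags in triage(SAMPLE).items():
        print(f"{path}: {' | '.join(flags)}")
```

Decoded this way, 0x2026 is HIDDEN|SYSTEM|ARCHIVE|NOT_CONTENT_INDEXED and 0x20 is ARCHIVE alone, which is a useful detail to record before submitting any of the files for a second opinion.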

Offline Pondus

  • Probably Bot
  • Posts: 37536
  • Not a avast user
Re: False positive?
« Reply #1 on: September 19, 2010, 09:41:56 AM »
Have you tried Malwarebytes for a second opinion?


Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run an update before you scan so you have the latest database.
Click on the Remove Selected button to quarantine anything found.
You may post the scan log here.

antonpaco

  • Guest
Re: False positive?
« Reply #2 on: September 19, 2010, 12:53:57 PM »
Go to the site www.virustotal.com and check all the files; they will be scanned by 40 antivirus engines.

tarmac

  • Guest
Re: False positive?
« Reply #3 on: September 20, 2010, 04:54:12 AM »
Still just as perplexed as before. Malwarebytes reports clean.
So the tally results are:
AVG: the aforementioned 4 entries, with no ability to quarantine or delete;
RootkitBuster: same as AVG;
Avast: reported only the last entry (C:\Windows\System32\WinFLdrv.sys), also with no ability to quarantine or delete;
Malwarebytes: says all clear.

_________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4653

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/19/2010 10:34:11 PM
mbam-log-2010-09-19 (22-34-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 217280
Time elapsed: 52 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline Pondus

  • Probably Bot
  • Posts: 37536
  • Not a avast user
Re: False positive?
« Reply #4 on: September 20, 2010, 07:55:51 AM »
Quote
AVG- the aforementioned 4 entries with no ability to quarantine or delete;
Does this mean that you have AVG and avast! installed?



If you want Essexboy to have a look inside, then follow this guide and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt).
« Last Edit: September 20, 2010, 07:59:02 AM by Pondus »

tarmac

  • Guest
Re: False positive?
« Reply #5 on: September 20, 2010, 02:32:45 PM »
Not anymore, she only briefly installed AVG to triple check on the anomaly first reported by Rootkit Buster and Avast. I had her go back to a restore point prior to onset, just for the heck of it, and yet it still remains. I suppose we'll probably have to do a reformat by the time this is all done, but it would be nice to know what is going on and why and how it occurred in the first place. But more than likely we'll never find out for sure. Thanks anyway, Pondus.

Offline Pondus

  • Probably Bot
  • Posts: 37536
  • Not a avast user
Re: False positive?
« Reply #6 on: September 20, 2010, 03:32:38 PM »
Quote
Not anymore, she only briefly installed AVG to triple check on the anomaly first reported by Rootkit Buster and Avast. I had her go back to a restore point prior to onset, just for the heck of it, and yet it still remains.
You can find a removal tool for AVG here; it is #2: http://uninstallers.blogspot.com/
Note: there are different versions for 32-bit and 64-bit.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: False positive?
« Reply #7 on: September 20, 2010, 09:04:42 PM »
Do you have folder locker on your system? These are hidden files belonging to that programme and are not a threat ;D

tarmac

  • Guest
Re: False positive?
« Reply #8 on: September 21, 2010, 08:52:11 AM »
Essexboy, you may have nailed it. Yes, she does have Folder Lock installed. I'll let her know she's OK.
Great, now we don't have to go through all that reformatting, reinstalling and everything else. If we had, she no doubt would have reinstalled Folder Lock and we'd be right back where we started.
Thanks. You the man!

ignacio19833

  • Guest
Re: False positive?
« Reply #9 on: October 11, 2010, 01:15:05 AM »
This file, which Explorer does not show, is a false positive generated by Folder Lock. I have avast 5 Internet Security; it alerted when I scanned, the file is eliminated and then comes back, and that is normal. I have had this for one year and it has not harmed my operating system ;)