Q: False Positive Scan Result?

I just ran a full system scan with Avast 5.0. I got the result "Threat Detected". Avast found the following:


The file was moved to the Avast Virus Chest (quarantine) with the following information:

Threat: Win32: Malware-Gen
Location: C:\Windows

I ran a general web search and also searched several Virus Libraries with no results found. Since it's in quarantine I can restore it if needed. Has anyone heard of this file or infection?

Thanks for your help and input.

Read other answers

My friend has a Toshiba NB-500 netbook:

CPU: x86_64 Intel(R) Atom(TM) CPU N455   @ 1.66GHz
HDD: 5400rpm - 320 GB
OS: Windows 10 (upgraded from pre-installed windows 7 starter)

The problem is the slowness: the system is really not usable.
So after cleaning up autorun boot applications and services from msconfig, I tried to scan it with various adware scanners (RKill, TDSSKiller, AdwCleaner, Malwarebytes AM, and so on...): nothing found.
I've also performed a scan with the installed antivirus, Avast: nothing found. Then I removed it and activated the default MS Windows Defender, launched a scan, but nothing was found that time either.
Finally, I scanned it with ClamAV working from a USB-booted Linux live system and obtained the following results:

/mnt/sda2/Program Files/Adobe/Reader 9.0/Reader/reader_sl.exe: Win.Trojan.Decay-453 FOUND
/mnt/sda2/Program Files/Mobile Partner/AutoRun/AutoRunSetup.exe: Win.Trojan.Katusha-600 FOUND
/mnt/sda2/Program Files/Mobile Partner/SkinMagicU.dll: Win.Trojan.Ramnit-7199 FOUND
/mnt/sda2/ProgramData/DatacardService/DCService.exe: Win.Trojan.Katusha-600 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4824952
Engine version: 0.99.2
Scanned directories: 26173
Scanned files: 147551
Infected files: 4
Total errors: 8
Data scanned: 22485.68 MB
Data read: 27043.46 MB (ratio 0.83:1)
Time: 14972.820 sec (249 m 32 s)

I doubt that they are false positives. How can I verify it?
Maybe by md5sum? Could you ... Read more

Read other answers

My email program is Thunderbird, and it's fully up to date. OS is XP

A day or two ago, AVG Free started reporting I-worm/Netsky.Q in C:\Documents and Settings\[userid]\Local Settings\temp\newmsg (and newmsg-1, -2, etc). I did some research on this virus/worm, looked for the files and the registry entries it's supposed to create (I searched both i-worm and netsky separate as well) and came up empty. I used Eraser to delete everything in the temp folder, and the file comes back and gets reported as infected, apparently whenever I receive new email, even from this forum.

I'm told by a Mozilla forum moderator that T-bird does not use this folder path.

I ran a full scan using Malwarebytes and that came up clean. Symantec's netsky fix tool is still running, but I expect that'll come up empty too. I'm running an AVG scan, but can't really trust what it comes up with, I think.

I'm wondering if this snuck in from an email from my mom - her spouse reported that Mom'd had a virus infection, and he had cleaned it. She hadn't sent me any attachments, but just to be safe I deleted all emails from Mom and her spouse to the beginning of the year. That didn't work though, about 5 minutes later the AVG message popped up again.

I don't know what to do now, aside from uninstall AVG and install a better antivirus app.

Appreciate any assistance!

Here's my HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at... Read more

Read other answers

My name is Michal and I’m a data administrator, London UK.
I have a problem with the scan results using RogueKiller, it shows this hook and directs me to the website that says only " check on the internet whether your machine is infected or not".
Problem is that at work I deal with a lot of sensitive data and I need to know for sure.
My request is can someone please help me identify if this is a virus or just as suggested it is one of the actual genuine software's doings?
Based on this thread ( http://www.bleepingcomputer.com/forums/t/601924/rootkit-ssdtinl-zwdeleteatom/ ) I could assume that it is only a false positive, but I can’t be sure as to whether my case is exactly the same. I would supply the logs requested there but I don’t want to use those tools without someone telling me to do so.
There is so little on the internet about this issue that I have no way to find out for myself even by comparison. I understand that I could simply format everything but it is the data leaks that I’m worrying about.
This is what I know:
Malwarebytes AntiRootkit didn’t find anything
Microsoft Security Essentials found nothing
Also I would like to ask if someone could advise me as to what software specialises in stopping the rootkits from being installed or even better is there a software that would let me know each time an IRP Hook is trying to be established?
Please get back to me and thanks to anyone who would show the interest in assisting me with this... Read more

A:ZwDeleteAtom[99] RogueKiller scan, false positive?

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/615169 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

Read other 0 answers

Having read at another forum about the fact that "Stopsign" was able to detect a virus which no other application was able to, I thought of giving it a try. I therefore started the scan.

2. Within the first 2 seconds, the scan showed that there was a trojan in my Documents and setting\Log-in name\ Application Data\Temp. I opened the folder and it was empty, no hidden file even.

3. Then it showed a trojan in Firefox Cache. I deleted the file it had indicated.

4. Now see what happened.

5. When I wanted the scan to go on now, I get a message that "stopsign\...blah blah...\...exe cannot be found. If you know the location ............" and words to that effect.

6. I rebooted the machine and the exact sequence of para 2, 3, 4, 5 repeated.

7. What is happening ??

A:Online scan giving false positive ??

Hi techno12

Do you mean eAcceleration Stop-Sign?

That program is well known for occasional problems with false positives.

Have a look here: http://www.spywarewarrior.com/rogue_anti-spyware.htm#ss_note

Read other 3 answers


In running my AVG Anti-Rootkit Scan today, it gave me a list of files, but did not register them as "infected." It reported that the items were "white-listed" and should not be removed or were "hidden" files. As I've said, AVG didn't list them as "infected," but as "0/28 files infected." My computer has not been running irregularly, so this strikes me as very peculiar. I run scans religiously (weekly) and back them up with a good sweep of Advanced System Care, which have not reported anything up until now.

I called Best Buy and asked what their opinion was, and they reported it could be a false positive. They recommended that I download and run TDSS Killer to see if the results would be mirrored, but they were not.

So, would it be safe to say that I'm clean? What else could I do to make sure?

A:AVG false positive? TDSS Killer scan picks up nothing?

Generally the term "white-list" is used to describe items that are considered safe.

Read other 4 answers

Win 10 Home 10586.164

Did a Sfc /scannow.
Result : found corrupted files but unable to repair some of them.

Did a dism..../restorehealth.
Result : Restore operation successful.

Did a sfc /scannow right after dism.
Result : found corrupted files but unable to repair some of them.

I tried to do a chkdsk /f/r, but scanning and repair stayed at 10% for over 45 minutes.
I aborted it. No patience for that.

Do I have a false negative from sfc, or false positive from dism ?

A:False negative or false positive ?

Update :
Did another sfc, same negative result.

Read other 1 answers

Hi all,

I just ran the Sophos antivirus package and it detected a "Virus fragment 'Micro-12' in C:\WINDOWS\system32\ActiveScan\pskavs.dll".
In http://forum.avast.com/index.php?topic=18413.msg156599 , this issue is already known to avast and it looks like a false positive since pskavs.dll belongs to Panda Active scan and the virus signature may not be encrypted.
In http://virusscan.jotti.org/ Avast detects it as Win32:CTX and ClamAV as Sirius.Annihilator.272.
Can you confirm that this is a false positive?



A:False positive?

Yes, you're OK!

Read other 1 answers

I'm pretty sure my computer is clean (but one never knows); however, Malwarebytes found a PUP today. CenturyLink is my internet provider (PUP has centurylink in it). I'm running Windows 10 64-bit on a desktop.
So is this a false positive or do I need to post to the removal area?
I tried to copy and paste but it's not showing up on the post, is there a way to attach the picture of the log from Malwarebytes?

A:Is this a false positive?

Hi Tierra93, are you able to upload the file Malwarebytes detected on VirusTotal.com, and copy/paste the report URL here? It'll be easier that way. What was the detection name? PUP.CenturyLink?

Read other 1 answers

AVG is now reporting some versions of zip.sfx that come as part of the Winrar package as a threat.

See attached for details.

Read other answers

This morning, two computers in house suddenly decided that the wkcalrem.exe file in Microsoft Works 2000 was infected. I can think of no way that particular file is likely to be infected and it's too much coincidence that two un-networked computers just happened to pick it up at the same time. Anybody else got it?

A:Avg False Positive?

I have always known the file that you mention to be part of works, the startup database here lists it as clean, however I always like to scan files like that at Jotti or virustotal before I tell the Antivirus to ignore it. I think that you have a false positive, I just like to be safe.

Read other 2 answers

Hi, yesterday I downloaded a virus. The antivirus popped up but I couldn't do anything because my PC started running really slow. But that's not my point. When I start my PC in normal mode the mouse is moving and everything seems to be working, but when I click on something Windows force stops or whatever, so I can't run antivirus there. I booted it into safe mode and downloaded like every antivirus. Superantispyware showed about 400 tracking cookies - deleted them, other antiviruses found viruses - deleted them, but that didn't solve the problem. Roguekiller is showing this:
BTW I already deleted the "terra.im" one, but right after I deleted it, it showed that it had already been replaced. THE MAIN QUESTION IS: am I supposed to delete the HKEY... files? I have a feeling that it might be the "zeroaccess virus" hidden in there. PLEASE HELP ME

A:False or positive

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Log... Read more

Read other 2 answers

Hi, I just recently scanned my computer with AVG Free 8.0 and it found a trojan horse generic10.BHES. But it was listed as a C:\documents and settings\vincent lee\application data\adobe\acrobat\7.0\updater\adberdr709_en_US.exe. I think it may be a false positive? Can a normal file be infected? It was cleaned and quarantined, but should I post a hijack log as well? I am using Windows XP. Thanks

If I were to upload it to a website that checks files, do I restore the file from my virus vault? Would it be safe? How do I go about restoring it and sending it? Thanks!

A:Is This A False Positive?

It probably is a false positive. If you still have access to the file you can upload it at Jotti for analysis.

Read other 4 answers

Scanned with Malwarebytes and Avira after...system seems to be clean. I just turned on the computer and this popped up after like 5 minutes or so just browsing reddit. Didn't download or click any links or any ads. I don't know how I could've gotten this. So please someone help me determine if this is a false positive or something bigger.

A:False positive or....?

I would consider it a false positive, because it is located in the ATI Directory. Do you have any ATI Products?
Please download TDSSKiller exe version to your desktop.
Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
Click on Change Parameters and click Detect TDLFS File System.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A TDSSKiller text file would be saved in Local Disk C.
Copy and paste the contents of that file in your next reply.

ADW Cleaner
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.... Read more

Read other 5 answers

My Nod32 Smart Security keeps finding the same thing, but it is a different driver each time. Oddly enough, a similar thing happened before I rebooted this computer 2 days ago. I don't know where this is coming from, because the software on this computer are programs such as iTunes.
P.S. I'm running Windows Vista SP1

A:False Positive?

Also, my website has this on some parts of it. On where it says connected to, and transferring data from and such.

Read other 1 answers

After reformatting both computers that had same exact ransomware. Microsoft Security Essentials was installed. After an AVG scan it detected MSE as having the Small Trojan.
I know this topic was previously done before and closed and I read it thoroughly, but after the pain of having to wipe drives clean, reinstall programs (some I paid a lot of money for and might have to repurchase possibly) just want to be sure, cautious and informed fully.
How common is this issue of possible false positives? Best ways of dealing with them? And is it simply just not using the programs that causes the conflict? For example if I uninstall MSE (a program never used before nor really feel like need or want) should AVG then not detect anything?
Any informed opinion or further information on topic is greatly appreciated.

A:AVG false positive?

Hello SonyStereo,
You should choose only one antivirus program to use. You can uninstall MSE and use AVG. My personal recommendation is vice versa, but that is your choice.
If you uninstall MSE, AVG will not detect it.
Please read this quote from quietman7, if you have not already:

IMPORTANT NOTE: Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are init... Read more

Read other 3 answers

I have ZAM installed for on-demand scans and it's within its 15-day trial license.
It keeps detecting Amazon Spain as an infection in my search bar. I have added it there with "Add to search bar" on Firefox.

Is there a real problem or is it a false positive?

A:False Positive or not?

Can you link the search engine add-on? The only Amazon search engine add-on that I can find on Firefox is "Amazon.com Quick Search with Suggestions" made by "Justin". This is not an official Amazon search.

Alternatively, there is an official extension called Amazon Assistant for Firefox that does not get flagged by ZAM.

Read other 5 answers

How do I add an exception in Norton 2011 Internet Security?

A:False positive

You can configure exclusions in NIS to ignore certain files and/or directories. From the NIS main window, click on Settings, then under Computer Settings you will find a section for AntiVirus and SONAR exclusions. Add your exclusions to both the Items to Exclude from Scans and Items to Exclude from Auto-Protect and SONAR Detection.

If you want to exclude everything in a directory, be sure to have the "Include subfolders" box checked.

If it's false positives that's troubling you, submit them to Symantec.


Read other 2 answers

Hi Folks,

Just wondering if anyone else has had this particular situation....I've attached two "bad boys" MSE detected...so here's the interesting scenario (at least for me!)...it was caught by MSE while or just after (literally minutes after) I did a full scan using Malwarebytes....and the Mbytes scan came all clear!!....I must say I don't have much experience dealing with bad boys (which is a good thing I like to think) but is this what you call false positive? (must confess reading up on the two named rascals they seem to be anything but false!). Just wanna get some feedback, in the least to improve my knowledge.

Many thanks for stopping by

A:Is this a false positive?

I wouldn't call it a false positive. Read about your issue here.

MSE alert on Java

Read other 3 answers

Okay, so ever since I put System Shock Portable (a modified version of SystemShock 1 with mouselook among other mods) I've been getting this detection message from AVG whenever it runs a scan. All it says is to report the result though. So here I am, reporting the result.

"";"Multiple runtime compression aspack,nupx, C:\Users\Shade the Wolf\Documents\My Games\SYSTEMSHOCK-Portable-v1.2.2\RES\gulikoza\3dfxSpl2.dll";"Report message"


A:False positive?

Hi -
I think the best place to report / question this would be to the AVG forum.
Do you get a report from any other security program ??

Read other 4 answers

I ran a malwarebytes full scan, and it marked the following file as a trojan: C:/Program Files/Synaptics/SynTP/SynZMetr.exe.

Is this a false positive, or is this legit malware? The file date is marked as before I even got this computer from the manufacturer.

A:Is this a false positive?

It's a false positive.. https://www.virustotal.com/en/file/c...6733/analysis/

Read other 2 answers


I am just curious about this with false positives and such as that many people talk about.
Let's say for example this file. (I am not gonna link to it since it can be harmful, but here are
the results from using Jotti on it):

2010-02-10 Trojan.Agent.Cuff
[F-Secure Anti-Virus]
2010-02-14 Trojan.Win32.Agent.cuff
2010-02-14 Trojan.Win32.Agent!IK
2010-02-14 Trojan.Generic.2716132
[Avast! antivirus]
2010-02-14 Found nothing
2010-02-14 Trojan.Win32.Agent
[Grisoft AVG Anti-Virus]
2010-02-14 Generic_c.AELX
[Kaspersky Anti-Virus]
2010-02-14 Trojan.Win32.Agent.cuff
[Avira AntiVir]
2010-02-12 TR/Spy.1458176.1
2010-02-13 Found nothing
[Softwin BitDefender]
2010-02-14 Trojan.Generic.2716132
[Panda Antivirus]
2010-02-12 Generic
2010-02-13 Trojan.Packed-158
[Quick Heal]
2010-02-13 Trojan.Agent.cuff
2010-02-14 BackDoor.W32.VB.bax
2010-02-14 Mal/Generic-A
2010-02-14 Trojan.Siggen.5009
[VirusBlokAda VBA32]
2010-02-13 Trojan.Win32.Agent.cuff
[Frisk F-Prot Antivirus]
2010-02-13 W32/Themida_Packed!Eldorado
2010-02-13 Trojan.Agent.NTRQ

Read other answers

I have been using AVG for some time. Recently, I have been getting a notification that I have the RORON i-net worm in one of my temporary internet files. It usually occurs when browsing this or some other forum. However, a scan with AVG, with Housecall, with Antivir, and with EZ Etrust does not show any infection. I can only conclude that this is a false positive. I just wondered if anyone else has experienced this.

A:False positive in AVG?

Read other 6 answers

All season long I've gone to hdstreams.net to watch the Seahawks games online & no problem. Today I go there & suddenly Avast says threat has been detected & this pop up


A:Is this a false/positive?

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by Thomas Paine at 17:10:19 on 2014-12-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.4882 [GMT -8:00]
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Window... Read more

Read other 13 answers

During my AVG scan it shows AdbeRdr708_en_US.exe as a danger. Is this a false positive? I did a search and it shows as a valid component of the Adobe Reader.

A:AVG False Positive?

Read other 16 answers

A while ago, before the servers shut down, I used to play the MMO Need for Speed World. Turns out that it can still be played in singleplayer by forcing the client into an offline server.
According to my virus total scan here: https://www.virustotal.com/en/file/0dceea1fe89bb8080918df8931f1c477a081937dc82bbafc4b39aeb2392a583f/analysis/1453461307/
the modified client to force it into such server from here: http://www.elitepvpers.com/forum/need-speed-world/3767890-nfs-world-offline-server.html
is a virus, and three people agree with it. My antivirus, Avast finds nothing wrong with it.
Elitepvpers seems to be a disreputable site. I downloaded it from the PC gaming wiki from here instead: https://drive.google.com/folderview?id=0Bwbb_Yiw_IWNfkZCQ3dJUkRsU2hvd3R2Q2hZWjN2VElvS3lQRWN6VWdMeUExVFpJa2p6WGs&usp=sharing&tid=0Bwbb_Yiw_IWNfmplMnN1cXZZWkNpZEljdkJmeFF3eGY5b3EwNFNMSkRFalV5V2FoQi1fTVE#list
In your opinion, is this a false positive?

A:False positive?

A Virustotal analysis of elitepvpers indicates it is a clean site...see here.

The first six detections are more generic detections for unknown or suspicious files. For example...Artemis technology is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology. Artemis is not the name of an actual virus, but an alert displayed by McAfee when it thinks it may have found a new virus. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Thus, Artemis detections may or may not be malicious.

In general, heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, sea... Read more

Read other 10 answers

Prevx v3.0.5.220 on my unit shows ADWcleaner as malware. Infected with Community.OuterEdge.ADWcleaner.exe. Downloaded it 3 times. Same each time. Anyone had this happen to them? Thnxs
Edit: Moved topic from Windows 8 to the more appropriate forum. ~ Animal


You can try uploading the file to VirusTotal.com for scanning. If the file is being detected by most of the antivirus vendors, then it probably contains malware.

Read other 5 answers

For some reason my Kaspersky Endpoint Security 10 flagged a Bleeping Computer thread as "phishing website"... that boggles me.
Or maybe I'm just paranoid with all the security settings cranked up to High.

A:False positive?

Yes it appears to be a FP. The detection is on the url for this topic: Trojan dllhost.exe *32 COM virus
It is a heuristic detection. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list.

Read other 3 answers

I started down this road with a friend's computer known to have malware on it.
That had also had major software stuffup with updating.
(it attempts to contact a known malware indicative Domain name.)
Personal firewall blocked it, but only because I'm paranoid enough to make iexplore
ask every time it wants to use the net.

That's not the problem.

OK, I started at Major Geeks, using a procedure they outlined.
To initially verify that my system is still clean, as I rebuilt friend's computer here.
Part of that Major Geeks procedure was to run Combofix.
Up to that point nothing had found any malware, or any leftover bits, nor anything suspicious.
(I run a very tight ship (real FWs, OpenBSD, the whole nine yards): no viruses, trojans, et al. 10+ yrs and counting)

Combofix found two files in my system32 directory, named tmp67.tmp and tmp68.tmp.
FileAlyzer identifies them as identical (MD5). I don't like them because a hex dump shows
they have a standard-looking DLL front end. Makes me suspicious as they have .tmp file extensions.

FileAlyzer further identifies them as claiming to be
Company name CreativeLabs Inc. version 2,0,6,0 Product name OpenAL installer.

That would be fine. (I don't like that I can't find any way they could have got themselves run.)
But my system works fine with them removed.
(paranoid mode on) hmmm thinks I, perhaps the dangerous bit is still there hiding, and so I looks.

My system works fine with them removed because something else put them back!... Read more

A:Is this a false positive?

The silence prompted yet more reading and I found.

"The use of Combofix or any other high level removal tool is not for this area. If your log shows indications of the use of these tools,
there is a high probability your post will be ignored. "

If this is the problem, where ought I post my problem? The guide does not say.

If there is nowhere, am I forever condemned not to get help identifying the file tmp67.tmp, because I once ran Combofix?

Read other 4 answers

I scanned an infected computer with MBAM, MSE and Kaspersky. All found trojans and removed them.
Then ran scan with Superantispyware and it found new trojans:

Trojan.Agent/Gen-IExplorer[Fake](2 items)
Trojen.Agent/Gen-PEC (2 items)

I then scanned the folders where the files were kept with Kaspersky and MBAM and they came up clear.
Are these real trojans or are they false positives?


A:SAS False Positive?

Anytime you suspect a file detection may be a false positive, get a second opinion by submitting it to one of the following online services that analyze suspicious files:

Jotti's virusscan
VirusTotal
VirSCAN

In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

You can submit the file(s) directly to SUPERAntispyware by downloading and using the SUPERSampleSubmit Utility. The direct download link for this utility can also be found here.

Alternatively you can report the results at the False Positives Forum but they will probably ask you to submit a sample. Once a file is received, a technician can examine it in more detail and provide a report letting you know the results.

Read other 1 answers

Hi all,

I scanned my system yesterday with Superantispyware. It came up with 44 security issues called: 'Security.HiJack[ImageFileExecutionOptions]'.

I've done a bit of searching, and some people have said that this is a false positive. However, I want to make sure that this is the case.

I sent off a 'false positive' report to Superantispyware, and as yet I have not received feedback. I have also done a scan with BullGuard's scanner, and it reported nothing. I am also currently running scans with Malwarebytes and Windows Defender, and I will let you all know when the scans finish.

I am slightly confused as to how a virus(es) got onto my system in the first place, if they are not false positives. I use Sandboxie which seems to have helped in the past with any potential threats. My only other concern is that a few days ago, I accidentally went on a site which left a virus on my parents' laptop. Unfortunately at the time I hadn't got Sandboxie installed, and the system was infected. I did however manage to remove everything via safe mode and using Superantispyware. Later on I looked at the log, and it seems that there was indeed a 'real' virus, however, the same 'Security.HiJack[ImageFileExecutionOptions]' 'virus' was also there, but at the time I thought nothing of it, as I believed it to be part of the 'real' virus (which if I remember rightly was a trojan). Hence, I am slightly confused as to whether or not this in... Read more

A:False positive?

IFEOs can be used for both legitimate and nefarious purposes.

Usually you won't have IFEOs on common apps such as iTunes though unless you've messed with them yourself. Not an absolute. . . just a generality.

Since you mention being infected before I'd go ahead and have SAS remove those.

Hope that helps.


Read other 5 answers
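
A read-only way to review the IFEO entries discussed in the answer above, as an added example that is not part of the original thread: it lists every Image File Execution Options subkey that carries a `Debugger` value and reports what that value would launch and whether the target is signed. The function names are hypothetical; it is meant to be run from an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example (not from the thread): list IFEO entries that define a
# Debugger value and show what each one would launch. Read-only.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerTarget {
    # Pull the executable out of a Debugger command line: a quoted path, or the
    # first whitespace-delimited token (an unquoted path with spaces is cut short).
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Get-IfeoDebugger {
    param([string[]]$Root = $IfeoRoots)
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue) {
            $debugger = $key.GetValue('Debugger', $null)
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # Resolve the target to a file on disk (full path or a name on PATH).
            $target   = Get-DebuggerTarget -CommandLine ([string]$debugger)
            $resolved = $null
            if ($target) {
                $expanded = [Environment]::ExpandEnvironmentVariables($target)
                $cmd = Get-Command -Name $expanded -CommandType Application -ErrorAction SilentlyContinue |
                       Select-Object -First 1
                if ($cmd) { $resolved = $cmd.Path }
            }
            $sig = if ($resolved) { Get-AuthenticodeSignature -LiteralPath $resolved } else { $null }

            [pscustomobject]@{
                Image     = $key.PSChildName   # program whose launch is intercepted
                Debugger  = $debugger          # command that runs instead of it
                Target    = $resolved          # $null: target not found on disk or PATH
                SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                RegPath   = $key.Name
            }
        }
    }
}

Get-IfeoDebugger | Sort-Object Image | Format-List
```

An entry is expected when you can tie it to something you installed or configured, for example Process Explorer's "Replace Task Manager" option, which sets a Debugger for taskmgr.exe; an entry on a common application or security tool whose target is missing, unsigned, or unfamiliar is the one to look into before deciding the detection is a false positive.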

Is it a false positive or what?

Read other answers

Hello. To begin with, here are some details of the system that I'm working with: It's running Windows 7 Professional, Protected by NOD32 v4 antivirus, with Windows Defender running realtime. Weekly I scan with Malwarebytes Antimalware. I use Opera 10.1 for webbrowsing, and typically keep javascript off. I haven't manually downloaded or installed any software in weeks. Only automatic updates have run for various programs. One of those programs I run is Steam.

Yesterday, when Steam self-updated, something very peculiar happened. While Steam was in the process of Patching itself, it spawns a process called SteamServiceTmp.exe. I've seen this happen in the past (I was watching in Process Explorer), so I didn't think much of it at all. However, a popup balloon from Windows Defender cropped up at this point, and said that it wanted to send SteamServiceTmp.exe to Microsoft. I was a little freaked out, because I didn't know what was going on. NOD didn't see anything, and Defender was acting like SteamServiceTmp was a piece of malware. I was in such a panic, I don't remember the exact message, but Defender didn't really say anything explicit. I checked the logfiles for defender, and the quarantine, but found nothing there. I only was able to find evidence that anything happened when I checked the System Event Viewer. I included the entry from that below, followed by a hidden log file that I eventually uncovered from this information.

I've been ab... Read more

A:Was this a false positive? Or something Serious?

Maybe it is something on Windows Defender's end?

Read other 2 answers

I did a scan with Norton Internet Security 2011 and received a report that no security risks were detected. But number of items scanned was only 235,000; the number in the past has always been around 750,000. Something must be truncating the scan. I repeated the scan; same result. I downloaded & ran Norton PowerEraser; no risks found. I've tried to get into the Norton Forum, but while my registration was confirmed on the registration page, confirming email was never received. Next step?

Ed

Edit: Moved topic from Win 7 to the more appropriate forum. ~ Animal

A:False positive report

Check your scan settings. It's possible you inadvertently changed something whereby the scanning engine is not scanning everything it did in the past.

Read other 1 answers


I've had a virus detection in a3-free and AVG, and I'm slightly concerned about it. I'd appreciate some advice from someone a bit more adept with computers than myself.

The virus is detected in A3 as "Exploit.Win32.MS04!k" and is on six files in the temp folder, eg: C:\Users\A---\Appdata\Local\Temp\~PI1187.tmp. All the files have a similar name, starting with "~PI". In AVG, I just get a message that the same six files "May be infected by unknown virus Exploit.JPEG". There's no other information than that in AVG.

Malwarebytes, Ad-aware and Avira Antivir all show the files as clean. I did a jotti.org scan and about half the scanners show the files as infected.

After googling I found that the MS04 virus sometimes shows on images that have been resized by the user. Also, the "PI" extension seems to be some kind of high-quality or encrypted image format. In my case, I'm assuming these are temp files left/created after I resized or edited some images (though I've never knowingly used or downloaded files in the format).

I've scanned all the .jpg images on the PC and my portable HD, and AVG/A3 shows them as clean. I've also submitted the files for analysis to ikarus and grisoft, but this can take days or weeks. I'm using Vista 32-bit on a Dell laptop.

I don't have any recurring virus issues at this point, the files have been successfully quarantine... Read more

A:Possible false positive but cannot confirm this

Hi akjunke,

I can see your frustration. The messages on the internet are mixed. However, what seems to be consistent is that the information following the MS04 in the name Exploit.Win32.MS04 gives more information about what this is. In one case, I believe it is Exploit.Win32.MS04 011 this refers to a file called explor.exe which is definitely malware. Your particular filename, ending with !k doesn't appear anywhere in the internet except in this thread we're in now.

There is another thread about this that I can refer you to: http://www.bleepingcomputer.com/forums/t/159591/avg-8-detects-exploitjpeg-only-in-the-resized-file/

Also, how are you resizing your photos? I'm sorry this is not more substantial. I hope the files you submitted to ikarus and grisoft will return some kind of result that can clarify this and that you can post those results back here. Sorry for the long wait.

Thanks for bringing this up.

Zllio

Read other 3 answers

I've been using Malwarebytes Anti-malware on Windows 8 CP and got no detections. I have since installed the new Release Preview and ran Malwarebytes and got 2 trojan detections. Are these false positives? I've also run Spybot Search & Destroy and Windows Defender and got no detections. Anyone else using Malwarebytes?

A:False positive with Malwarebytes?

Me. I installed and ran it very soon after the installation of Windows 8 Release. It found nothing?

Read other 3 answers

After today's updates I ran a full scan of my system with AVG. It reported "aaw2007.exe trojan downloader generic5.PIO" as an infection. This is the installer I got for Ad-Aware 2007 directly from the Lavasoft site. Would I be right in assuming this is a false positive or do any of the more knowledgeable out there know different?

A:Solved: AVG false positive?

Read other 6 answers

I started up my computer and Dell Backup and Recovery started by itself as usual and all of a sudden AVAST moved a file associated with Dell Backup and Recovery that was in the folder for it. Is this a false positive or is it actually malware? The reason why I am keeping this software that could be bloating the PC is for the DELL Factory Reinstall disk. The file is called "DBRFactorySetupUpdate.exe" and it is thought to be "Win32:Evo-gen [Susp]."

A:AVAST False Positive?

If you think it's a false positive you can let them know,

Avast Contact us

Explain why you think it is to them and it should get removed.

Read other 5 answers

Latest Spybot Search & Destroy found:
Redirected host
Redirected host

Isn't this a false positive?

I have reported it to the developers, a while ago, but so far I suppose they do not agree with me. I even reported the source which is the Hosts file (1.2MB) from http://remember.mine.nu/

Is the website www.ZeroSpyWare.com a valid website which does not belong in the Hosts file as a redirection (i.e. for malware or adware websites) or is it a valid entry in the Hosts file and thus a false positive from the Spybot S&D tool?

-- Tom

P.S. I have not visited the www.ZeroSpyWare.com website. Until I find out otherwise, I will associate it with some kind of malware website and just ignore the Spybot S&D findings as a false positive regardless of what Spybot continues to inform me from a scan.

A:Solved: False positive or not?

Read other 7 answers

On several browsers, Avast is alerting with this message when I use my browser to check my juno email. There is nothing in my inbox or other folders at the time. AV says it has blocked a possible virus.

A:False positive or real

Hi there .. That has been going on for years .. I thought Avast had that fixed long ago ..

Read other 1 answers

Hi, I sent my brother a photo as an attachment in email. He called me up and told me I had a virus because his Norton's 2004 warned him not to open the attachment because it had an "incurable virus". I ran AVG and went to trendmicro and did an online scan. Both were clean. Was this just a fluke in Norton's? My brother is afraid to open my emails now.


A:Norton false positive???

Perhaps it is, I haven't heard of a problem like this. But if you have checked and double checked it, there might not be a problem.
But to be sure, your brother might want to open it and check with Norton after he downloaded if there actually is a virus.
And always make sure your anti-virus programs are up to date.

Read other 3 answers

First, I've been reviewing your posts for days, and you rock!

I am running Windows XP SP2, with Trend Micro Internet Security Pro. I also use SpyBot S&D, Spyware Blaster, Windows Defender, and Spyware Doctor on demand. I have TrendMicro and Windows Defender on real-time protection. I began to notice three spyware files in Trend Micro that weren't showing up on the other scans, though Spybot S&D did also notice one of them. Now it shows clean, but after every reboot, Trend Micro shows the same three: TYSPY_SMALL, TSPY_MOSUCKER, and Adware_BHOT_IEHELPER, and sometimes I get Adware_MemWatcher. I turned off Windows Defender membership option, but that didn't change anything.

After an online chat with Trend Micro, I did all the clearing of everything temporary, and ran House Call in safe mode. It crashed my computer, but eventually got it to run, and deleted the files, as I have 100 times over. On normal reboot, Trend Micro wouldn't load, so I ended up removing it and reinstalling it. In doing so, I had to delete all the anti-virus programs and un-immunize Spybot. At that time I also had Ad-Aware as another on demand scan option. (It never detected any of the above either.) In any case, I slowly added the anti-virus programs back one by one, and Trend Micro was clean until Spyware Doctor was added, at which time the Adware_BHOT_IEHELPER began to show up. After a couple of days, I then added Spybot Search and Destroy, and then the other three showed up and won't go away. I... Read more

A:Spyware Or False Positive?

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A HijackThis Log

Thanks,
Charles

Read other 2 answers

Hi, I have had this problem now on two computers. It is the same problem that was confirmed on this thread http://www.bleepingcomputer.com/forums/ind...howtopic=240232 , however, it was locked. I care not about the false positive, what I am looking for is a way to revert the files back to normal. I used the recovery console today and was unsuccessful. BTW, today's computer was over 400 files, the original computer this happened on was almost 1000 files.

Is there another way, be it software, or a script for a batch file to remove the .vir from the file extension? So far the best I have come up with is a keyboard macro, but it isn't the most trustworthy process.

Thanks
Billy

A:Act! Software False Positive.

Have you also run ComboFix as they had?

Read other 5 answers

I have just done a scan with Kaspersky AV, I changed all the scan settings to their highest and it found these 5 infections:

deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\1edecfd398679471b89bb28b61fc583a1a19f244//PE_Patch/common\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\30aee677e35c6a0669ba22afb9b63923e7c5d226//PE_Patch//CAB-file.cab/update\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\3e4a91bc1328a49b3e4cb88c71ec696b9e147936//PE_Patch//CAB-file.cab/common\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\525c6b6ee42e7a3ac28f488b00c6289a7281a71d//PE_Patch/update\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\9c5b7af77a669a7388262248a95f9616b80d787e//PE_Patch//CAB-file.cab/common\update.exe

I have had no problems with my computer and my HijackThis log is clean, I have also done scans with MBAM, Spybot, Dr Web
and Ad-Aware which found nothing. I can't find any information on this Trojan so is it a false positive? and should I restore them if

A:Malware Or False Positive?

Hello, try submitting them to Jotti's malware scan and/or VirusTotal; the results will help a lot in determining that.

Read other 2 answers

This computer I am using rarely goes online and I always try to keep it patched and virus scan before using. During my last scan a2 (a squared) seems to have found a number of viruses (I have submitted these files to a2 for verification). I have also run scans using Kaspersky, Mbam & SuperAntispyware which have come back clean (please see the logs below).

Could someone advise me what to do next?

Thank you
Chr!s

a-squared Free - Version 4.0
Last update: 03/04/2009 13:16:01
Scan settings:
Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On
Scan start: 04/04/2009 11:57:33
c:\program files\scansoft\paperport\visioneer.exe detected: Trace.File.ClipGenie!A2
C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe detected: Virus.Win32.Patched.B!IK
C:\WINDOWS\$NtServicePackUninstall$\eventtriggers.exe detected: Virus.Win32.Virut.ar!IK
C:\WINDOWS\$NtServicePackUninstall$\evtrig.exe detected: Virus.Win32.Virut.ar!IK
C:\WINDOWS\$NtServicePackUninstall$\kernel32.dll detected: Trojan.Win32.Agent!IK
C:\WINDOWS\$NtServicePackUninstall$\sysinfo.exe detected: Virus.Win32.Virut.ar!IK
C:\WINDOWS\$NtServicePackUninstall$\systeminfo.exe detected: Virus.Win32.Virut.ar!IK
C:\WINDOWS\$NtServicePackUninstall$\taskkill.exe detected: Win32... Read more

A:Infection or False Positive Please Help

Hello.

Quote: I have also run scans using Kaspersky

Are you referring to the online scan? If you still have the log it would be great if I can see it.

Those may be a false-positive. If Kaspersky didn't find anything it's probably a false-positive. Those files seem to be infected by VIRUT according to a2...

Please run the following scan.

Download and Run DrWebCureIt in Safe Mode

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
Double-click on launch.exe to start the program. Cancel any prompts to download the latest CureIt version and click Start.
At the prompt to "Start scan now", click OK. Allow the setup.exe/driver to load if asked by any of your security programs.
The Express scan will automatically begin.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, t... Read more

Read other 11 answers

So yesterday I scanned my whole system with my McAfee Total Protection and found this:

Shall I send it to McAfee to confirm it as a false positive?

A:McAfee false positive?

Quote: Originally Posted by alwinwinjoe

So yesterday I scanned my whole system with my McAfee Total Protection and found this:

Shall I send it to McAfee to confirm it as a false positive?

Yup, I would send it to McAfee to make sure it's clean.

Good Luck,

Read other 3 answers