
False Positive Scan Result?

Q: False Positive Scan Result?

I just ran a full system scan with Avast 5.0. I got the result "Threat Detected". Avast found the following:


The file was moved to the Avast Virus Chest (quarantine) with the following information:

Threat: Win32: Malware-Gen Location: C:\Windows

I ran a general web search and also searched several Virus Libraries with no results found. Since it's in quarantine I can restore it if needed. Has anyone heard of this file or infection?

Thanks for your help and input.



My friend has a Toshiba NB-500 netbook:

CPU: x86_64 Intel(R) Atom(TM) CPU N455   @ 1.66GHz
HDD: 5400rpm - 320 GB
OS: Windows 10 (upgraded from pre-installed windows 7 starter)

The problem is the slowness: the system is really not usable.
So after cleaning auto run boot applications, and services from msconfig, I've tried to scan it with various adware scanners (RKill, TDSSkiller, adwcleaner, malware bytes am, and so on...): nothing found.
I've also performed a scan with the installed antivirus, Avast: nothing found. Then I removed it and activated the default MS Win Defender, launched a scan, but nothing found that time too.
Finally, I scanned it with ClamAV working from a USB booted Linux live system and obtained the following results:

/mnt/sda2/Program Files/Adobe/Reader 9.0/Reader/reader_sl.exe: Win.Trojan.Decay-453 FOUND
/mnt/sda2/Program Files/Mobile Partner/AutoRun/AutoRunSetup.exe: Win.Trojan.Katusha-600 FOUND
/mnt/sda2/Program Files/Mobile Partner/SkinMagicU.dll: Win.Trojan.Ramnit-7199 FOUND
/mnt/sda2/ProgramData/DatacardService/DCService.exe: Win.Trojan.Katusha-600 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4824952
Engine version: 0.99.2
Scanned directories: 26173
Scanned files: 147551
Infected files: 4
Total errors: 8
Data scanned: 22485.68 MB
Data read: 27043.46 MB (ratio 0.83:1)
Time: 14972.820 sec (249 m 32 s)

I doubt that they are false positives. How can I verify it?
Maybe by md5sum? Could you ...

My email program is Thunderbird, and it's fully up to date. OS is XP

A day or two ago, AVG Free started reporting I-worm/Netsky.Q in C:\Documents and Settings\[userid]\Local Settings\temp\newmsg (and newmsg-1, -2, etc). I did some research on this virus/worm, looked for the files and the registry entries it's supposed to create (I searched both i-worm and netsky separate as well) and came up empty. I used Eraser to delete everything in the temp folder, and the file comes back and gets reported as infected, apparently whenever I receive new email, even from this forum.

I'm told by a Mozilla forum moderator that T-bird does not use this folder path.

I ran a full scan using Malwarebytes and that came up clean. Symantec's netsky fix tool is still running, but I expect that'll come up empty too. I'm running an AVG scan, but can't really trust what it comes up with, I think.

I'm wondering if this snuck in from an email from my mom - her spouse reported that Mom'd had a virus infection, and he had cleaned it. She hadn't sent me any attachments, but just to be safe I deleted all emails from Mom and her spouse to the beginning of the year. That didn't work though, about 5 minutes later the AVG message popped up again.

I don't know what to do now, aside from uninstall AVG and install a better antivirus app.

Appreciate any assistance!

Here's my HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at...

Having read at another forum about the fact that "Stopsign" was able to detect a virus which no other application was able to, I thought of giving it a try. I therefore started the scan.

2. Within the first 2 seconds, the scan showed that there was a trojan in my Documents and setting\Log-in name\ Application Data\Temp. I opened the folder and it was empty, no hidden file even.

3. Then it showed a trojan in Firefox Cache. I deleted the file it had indicated.

4. Now see what happened.

5. When I wanted the scan to go on now, I get a message that "stopsign\...blah blah...\...exe cannot be found. If you know the location ............" and words to that effect.

6. I rebooted the machine and the exact sequence of para 2, 3, 4, 5 repeated.

7. What is happening ??

A:Online scan giving false positive ??

Hi techno12

Do you mean eAcceleration Stop-Sign?

That program is well known for occasional problems with false positives.

Have a look here: http://www.spywarewarrior.com/rogue_anti-spyware.htm#ss_note


My name is Michal and I’m a data administrator, London UK.
I have a problem with the scan results using RogueKiller, it shows this hook and directs me to the website that says only " check on the internet whether your machine is infected or not".
Problem is that at work I deal with a lot of sensitive data and I need to know for sure.
My request is can someone please help me identify if this is a virus or just as suggested it is one of the actual genuine software's doings?
Based on this thread ( http://www.bleepingcomputer.com/forums/t/601924/rootkit-ssdtinl-zwdeleteatom/ ) I could assume that it is only a false positive but I can’t be sure as to whether my case is exactly the same. I would supply the logs requested there but I don’t want to use those tools without someone telling me to do so.
There is so little on the internet about this issue that I have no way to find out for myself even by comparison. I understand that I could simply format everything but it is the data leaks that I’m worrying about.
This is what I know:
Malwarebytes AntiRootkit didn’t find anything
Microsoft Security Essentials found nothing
Also I would like to ask if someone could advise me as to what software specialises in stopping the rootkits from being installed or even better is there a software that would let me know each time an IRP Hook is trying to be established?
Please get back to me and thanks to anyone who would show the interest in assisting me with this...

A:ZwDeleteAtom[99] RogueKiller scan, false positive?

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there. CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/615169 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t...


In running my AVG Anti-Rootkit Scan today, it gave me a list of files, but did not register them as "infected." It reported that the items were "white-listed" and should not be removed or were "hidden" files. As I've said, AVG didn't list them as "infected," but as "0/28 files infected." My computer has not been running irregularly, so this strikes me as very peculiar. I run scans religiously (weekly) and back them up with a good sweep of Advanced System Care, which have not reported anything up until now.

I called Best Buy and asked what their opinion was, and they reported it could be a false positive. They recommended that I download and run TDSS Killer to see if the results would be mirrored, but they were not.

So, would it be safe to say that I'm clean? What else could I do to make sure?

A:AVG false positive? TDSS Killer scan picks up nothing?

Generally the term "white-list" is used to describe items that are considered safe.


Win 10 Home 10586.164

Did a Sfc /scannow.
Result : found corrupted files but unable to repair some of them.

Did a dism..../restorehealth.
Result : Restore operation successful.

Did a sfc /scannow right after dism.
Result : found corrupted files but unable to repair some of them.

I tried to do a chkdsk /f/r, but scanning and repair stayed at 10% for over 45 minutes.
I aborted it. No patience for that.

Do I have a false negative from sfc, or false positive from dism ?

A:False negative or false positive ?

Update :
Did another sfc, same negative result.


Hello. To begin with, here are some details of the system that I'm working with: It's running Windows 7 Professional, protected by NOD32 v4 antivirus, with Windows Defender running realtime. Weekly I scan with Malwarebytes Antimalware. I use Opera 10.1 for web browsing, and typically keep javascript off. I haven't manually downloaded or installed any software in weeks. Only automatic updates have run for various programs. One of those programs I run is Steam.

Yesterday, when Steam self-updated, something very peculiar happened. While Steam was in the process of patching itself, it spawned a process called SteamServiceTmp.exe. I've seen this happen in the past (I was watching in Process Explorer), so I didn't think much of it at all. However, a popup balloon from Windows Defender cropped up at this point, and said that it wanted to send SteamServiceTmp.exe to Microsoft. I was a little freaked out, because I didn't know what was going on. NOD didn't see anything, and Defender was acting like SteamServiceTmp was a piece of malware. I was in such a panic, I don't remember the exact message, but Defender didn't really say anything explicit.

I checked the logfiles for Defender, and the quarantine, but found nothing there. I was only able to find evidence that anything happened when I checked the System Event Viewer. I included the entry from that below, followed by a hidden log file that I eventually uncovered from this information.

I've been ab...

A:Was this a false positive? Or something Serious?

Maybe it is something on Windows Defender's end?


I started down this road with a friend's computer known to have malware on it.
That had also had a major software stuff-up with updating.
(It attempts to contact a known malware-indicative domain name.)
Personal firewall blocked it, but only because I'm paranoid enough to make iexplore
ask every time it wants to use the net.

That's not the problem.

OK, I started at Major Geeks, using a procedure they outlined,
to initially verify that my system is still clean, as I rebuilt friend's computer here.
Part of that Major Geeks procedure was to run Combofix.
Up to that point nothing had found any malware, or any leftover bits, nor anything suspicious.
(I run a very tight ship (real FWs, OpenBSD, the whole nine yards), no viruses, trojans, et al. 10+ yrs and counting.)

Combofix found two files in my system32 directory, named tmp67.tmp and tmp68.tmp.
FileAlyser identifies them as identical (MD5). I don't like them because a hex dump shows
they have a standard-looking DLL front end. Makes me suspicious as they have .tmp file extensions.

FileAlyser further identifies them as claiming to be
Company name CreativeLabs Inc. version 2,0,6,0 Product name OpenAL installer.

That would be fine. (I don't like that I can't find any way they could have got themselves run.)
But my system works fine with them removed.
(paranoid mode on) Hmmm, thinks I, perhaps the dangerous bit is still there hiding, and so I looks.

My system works fine with them removed because something else put them back!...

A:Is this a false positive?

The silence prompted yet more reading and I found:

"The use of Combofix or any other high level removal tool is not for this area. If your log shows indications of the use of these tools,
there is a high probability your post will be ignored. "

If this is the problem, where ought I post my problem? The guide does not say.

If there is nowhere, am I forever condemned not to get help identifying the file tmp67.tmp, because I once ran Combofix?


Hi, yesterday I downloaded a virus. Antivirus popped up but I couldn't do anything because my PC started running really slow. But that's not my point. When I start my PC in normal mode the mouse is moving and everything seems to be working, but when I click on something Windows force stops or whatever, so I can't run antivirus there. I booted it into safe mode and downloaded like every antivirus. Superantispyware showed about 400 tracking cookies - deleted them; other antiviruses found viruses - deleted them, but that didn't solve the problem. Roguekiller is showing this:
BTW I already deleted the "terra.im" one, but right after I deleted it, it showed that it had already been replaced. THE MAIN QUESTION IS: am I supposed to delete the HKEY... files? I have a feeling that it might be "zeroaccess virus" hidden in there. PLEASE HELP ME

A:False or positive

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Log...


AVG is now reporting some versions of zip.sfx that come as part of the Winrar package as a threat.

See attached for details.

Prevx v3.0.5.220 on my unit shows ADWcleaner as malware. Infected with Community.OuterEdge.ADWcleaner.exe. Downloaded it 3 times. Same each time. Anyone had this to happen to them? Thnxs

Edit: Moved topic from Windows 8 to the more appropriate forum. ~ Animal


You can try uploading the file to VirusTotal.com for scanning. If the file is being detected by most of the antivirus vendors, then it probably contains malware.


I ran a malwarebytes full scan, and it marked the following file as a trojan: C:/Program Files/Synaptics/SynTP/SynZMetr.exe.

Is this a false positive, or is this legit malware? The file date is marked as before I even got this computer from the manufacturer.

A:Is this a false positive?

It's a false positive.. https://www.virustotal.com/en/file/c...6733/analysis/


I have ZAM installed for on-demand scans and it's within its 15-day trial license.
It keeps detecting Amazon Spain as an infection in my search bar. I have added it there with "Add to search bar" on Firefox.

Is there a real problem or is it a false positive?

A:False Positive or not?

Can you link the search engine add-on? The only Amazon search engine add-on that I can find on Firefox is "Amazon.com Quick Search with Suggestions" made by "Justin". This is not an official Amazon search.

Alternatively, there is an official extension called Amazon Assistant for Firefox that does not get flagged by ZAM.


After reformatting both computers that had same exact ransomware, Microsoft Security Essentials was installed. After an AVG scan it detected MSE as having the Small Trojan.
I know this topic was previously done before and closed and I read it thoroughly, but after the pain of having to wipe drives clean, reinstall programs (some I paid a lot of money for and might have to repurchase possibly) just want to be sure, cautious and informed fully.
How common is this issue of possible false positives? Best ways of dealing with them? And is it simply just not using the programs that causes the conflict? For example if I uninstall MSE (a program never used before nor really feel like need or want) should AVG then not detect anything?
Any informed opinion or further information on topic is greatly appreciated.

A:AVG false positive?

Hello SonyStereo,
You should choose only one antivirus program to use. You can uninstall MSE and use AVG. My personal recommendation is vice versa, but that is your choice.
If you uninstall MSE, AVG will not detect it.
Please read this quote from quietman7, if you have not already:

IMPORTANT NOTE: Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are init...

I have been using AVG for some time. Recently, I have been getting a notification that I have the RORON i-net worm in one of my temporary internet files. It usually occurs when browsing this or some other forum. However, a scan with AVG, with Housecall, with Antivir, and with EZ Etrust does not show any infection. I can only conclude that this is a false positive. I just wondered if anyone else has experienced this.

A:False positive in AVG?


My Nod32 Smart Security keeps finding the same thing, but it is a different driver each time. Oddly enough, a similar thing happened before I rebooted this computer 2 days ago. I don't know where this is coming from, because the software on this computer are programs such as iTunes.

P.S. I'm running Windows Vista SP1

A:False Positive?

Also, my website has this on some parts of it. On where it says connected to, and transferring data from and such.


Okay, so ever since I put System Shock Portable (a modified version of SystemShock 1 with mouselook among other mods) I've been getting this detection message from AVG whenever it runs a scan. All it says is to report the result though. So here I am, reporting the result.

"";"Multiple runtime compression aspack,nupx, C:\Users\Shade the Wolf\Documents\My Games\SYSTEMSHOCK-Portable-v1.2.2\RES\gulikoza\3dfxSpl2.dll";"Report message"


A:False positive?

Hi -
I think the best place to report / question this would be to the AVG forum.
Do you get a report from any other security program ??


Scanned with malwarebytes and avira after...system seems to be clean. I just turned on the computer and this popped up after like 5 minutes or so just browsing reddit. Didn't download or click any links or any ads. I don't know how I could've gotten this. So please someone help me determine if this is a false positive or something bigger.

A:False positive or....?

I would consider it a false positive, because it is located in the ATI Directory. Do you have any ATI Products?

Please download TDSSKiller exe version to your desktop.
Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
Click on Change Parameters and click Detect TDLFS File System.
Click the Start Scan button.
Do not use the computer during the scan.
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A TDSSKiller text file would be saved in Local Disk C.
Copy and paste the contents of that file in your next reply.

ADW Cleaner
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well....



I am just curious about this with false positives and such as that many people talk about.
Let say for example this file. (I am not gonna link to it since it can be harmful, but here is
the results from using jotti on it:

2010-02-10 Trojan.Agent.Cuff
[F-Secure Anti-Virus]
2010-02-14 Trojan.Win32.Agent.cuff
2010-02-14 Trojan.Win32.Agent!IK
2010-02-14 Trojan.Generic.2716132
[Avast! antivirus]
2010-02-14 Found nothing
2010-02-14 Trojan.Win32.Agent
[Grisoft AVG Anti-Virus]
2010-02-14 Generic_c.AELX
[Kaspersky Anti-Virus]
2010-02-14 Trojan.Win32.Agent.cuff
[Avira AntiVir]
2010-02-12 TR/Spy.1458176.1
2010-02-13 Found nothing
[Softwin BitDefender]
2010-02-14 Trojan.Generic.2716132
[Panda Antivirus]
2010-02-12 Generic
2010-02-13 Trojan.Packed-158
[Quick Heal]
2010-02-13 Trojan.Agent.cuff
2010-02-14 BackDoor.W32.VB.bax
2010-02-14 Mal/Generic-A
2010-02-14 Trojan.Siggen.5009
[VirusBlokAda VBA32]
2010-02-13 Trojan.Win32.Agent.cuff
[Frisk F-Prot Antivirus]
2010-02-13 W32/Themida_Packed!Eldorado
2010-02-13 Trojan.Agent.NTRQ


I'm pretty sure my computer is clean (but one never knows); however, Malwarebytes found a PUP today. CenturyLink is my internet provider (PUP has centurylink in it). I'm running Windows 10 64-bit on a desktop.
So is this a false positive or do I need to post to the removal area?
I tried to copy and paste but it's not showing up on the post, is there a way to attach the picture of the log from Malwarebytes?

A:Is this a false positive?

Hi Tierra93. Are you able to upload the file Malwarebytes detected on VirusTotal.com, and copy/paste the report URL here? It'll be easier that way. What was the detection name? PUP.CenturyLink?


A while ago, before the servers shut down, I used to play the MMO Need for Speed World. Turns out that it can still be played in singleplayer by forcing the client into an offline server.
According to my virus total scan here: https://www.virustotal.com/en/file/0dceea1fe89bb8080918df8931f1c477a081937dc82bbafc4b39aeb2392a583f/analysis/1453461307/
the modified client to force it into such server from here: http://www.elitepvpers.com/forum/need-speed-world/3767890-nfs-world-offline-server.html
is a virus, and three people agree with it. My antivirus, Avast finds nothing wrong with it.
Elitepvpers seems to be a disreputable site. I downloaded it from the PC gaming wiki from here instead: https://drive.google.com/folderview?id=0Bwbb_Yiw_IWNfkZCQ3dJUkRsU2hvd3R2Q2hZWjN2VElvS3lQRWN6VWdMeUExVFpJa2p6WGs&usp=sharing&tid=0Bwbb_Yiw_IWNfmplMnN1cXZZWkNpZEljdkJmeFF3eGY5b3EwNFNMSkRFalV5V2FoQi1fTVE#list
In your opinion, is this a false positive?

A:False positive?

A Virustotal analysis of elitepvpers indicates it is a clean site...see here.

The first six detections are more generic detections for unknown or suspicious files. For example...

Artemis technology is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology. Artemis is not the name of an actual virus, but an alert displayed by McAfee when it thinks it may have found a new virus. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Thus, Artemis detections may or may not be malicious.

In general, heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, sea...


For some reason my Kaspersky Endpoint Security 10 flagged a Bleeping Computer thread as "phishing website"... that boggles me.
Or maybe I'm just paranoid with all the security settings cranked up to High.

A:False positive?

Yes it appears to be a FP. The detection is on the url for this topic: Trojan dllhost.exe *32 COM virus

It is a heuristic detection. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list.


How do I add an exception in Norton 2011 Internet Security?

A:False positive

You can configure exclusions in NIS to ignore certain files and/or directories. From the NIS main window, click on Settings, then under Computer Settings you will find a section for AntiVirus and SONAR exclusions. Add your exclusions to both the Items to Exclude from Scans and Items to Exclude from Auto-Protect and SONAR Detection.

If you want to exclude everything in a directory, be sure to have the "Include subfolders" box checked.

If it's false positives that's troubling you, submit them to Symantec.

Hi Folks,

Just wondering if anyone else has had this particular situation.... I've attached two "bad boys" MSE detected... so here's the interesting scenario (at least for me!)... it was caught by MSE while or just after (literally minutes after) I did a full scan using Malwarebytes.... and the Mbytes scan came all clear!!.... I must say I don't have much experience dealing with bad boys (which is a good thing I like to think) but is this what you call false positive? (must confess reading up on the two named rascals they seem to be anything but false!). Just wanna get some feedback, in the least to improve my knowledge.

Many thanks for stopping by

A:Is this a false positive?

I wouldn't call it a false positive. Read about your issue here.

MSE alert on Java


Hi all,

I just ran the Sophos antivirus package and it detected a "Virus fragment 'Micro-12' in C:\WINDOWS\system32\ActiveScan\pskavs.dll".
In http://forum.avast.com/index.php?topic=18413.msg156599 , this issue is already known to avast and it looks like a false positive since pskavs.dll belongs to Panda Active scan and the virus signature may not be encrypted.
In http://virusscan.jotti.org/ Avast detects it as Win32:CTX and ClamAV as Sirius.Annihilator.272.
Can you confirm that this is a false positive?



A:False positive?

Yes, you're ok!


I scanned an infected computer with MBAM, MSE and Kaspersky. All found trojans and removed them.
Then ran scan with Superantispyware and it found new trojans:

Trojan.Agent/Gen-IExplorer[Fake](2 items)
Trojen.Agent/Gen-PEC (2 items)

I then scanned the folders where the files were kept with Kaspersky and MBAM and they came up clear.
Are these real trojans or are they false positives?


A:SAS False Positive?

Anytime you suspect a file detection may be a false positive, get a second opinion by submitting it to one of the following online services that analyzes suspicious files:
Jotti's virusscan
VirusTotal
VirSCAN
In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
You can submit the file(s) directly to SUPERAntispyware by downloading and using the SUPERSampleSubmit Utility. The direct download link for this utility can also be found here.
Alternatively you can report the results at the False Positives Forum but they will probably ask you to submit a sample. Once a file is received, a technician can examine it in more detail and provide a report letting you know the results.


Hi all,

I scanned my system yesterday with Superantispyware. It came up with 44 security issues called: 'Security.HiJack[ImageFileExecutionOptions]'.

I've done a bit of searching, and some people have said that this is a false positive. However, I want to make sure that this is the case.

I sent off a 'false positive' report to Superantispyware, and as yet I have not received feedback. I have also done a scan with BullGuard's scanner, and it reported nothing. I am also currently running scans with Malwarebytes and Windows Defender, and I will let you all know when the scans finish.

I am slightly confused as to how a virus(es) got onto my system in the first place, if they are not false positives. I use Sandboxie which seems to have helped in the past with any potential threats. My only other concern is that a few days ago, I accidentally went on a site which left a virus on my parents' laptop. Unfortunately at the time I hadn't got Sandboxie installed, and the system was infected. I did however manage to remove everything via safe mode and using Superantispyware. Later on I looked at the log, and it seems that there was indeed a 'real' virus, however, the same 'Security.HiJack[ImageFileExecutionOptions]' 'virus' was also there, but at the time I thought nothing of it, as I believed it to be part of the 'real' virus (which if I remember rightly was a trojan). Hence, I am slightly confused as to whether or not this in...

A:False positive?

IFEOs can be used for both legitimate and nefarious purposes.

Usually you won't have IFEOs on common apps such as iTunes though unless you've messed with them yourself. Not an absolute. . . just a generality.

Since you mention being infected before I'd go ahead and have SAS remove those.

Hope that helps.



Hi, I just recently scanned my computer with AVG Free 8.0 and it found a trojan horse generic10.BHES. But it was listed as a C:\documents and settings\vincent lee\application data\adobe\acrobat\7.0\updater\adberdr709_en_US.exe. I think it may be a false positive? Can a normal file be infected? It was cleaned and quarantined but should I post a hijack log as well? I am using Windows XP. Thanks

If I were to upload it to a website that checks files, do I restore the file from my virus vault? Would it be safe? How do I go about restoring it and sending it? Thanks!

A:Is This A False Positive?

It probably is a false positive. If you still have access to the file you can upload it at Jotti for analysis.


All season long I've gone to hdstreams.net to watch the Seahawks games online & no problem. Today I go there & suddenly Avast says threat has been detected & this pop up


A:Is this a false/positive?

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by Thomas Paine at 17:10:19 on 2014-12-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.4882 [GMT -8:00]
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Window...


This morning, two computers in house suddenly decided that the wkcalrem.exe file in Microsoft Works 2000 was infected. I can think of no way that particular file is likely to be infected and it's too much coincidence that two un-networked computers just happened to pick it up at the same time. Anybody else got it?

A:Avg False Positive?

I have always known the file that you mention to be part of works, the startup database here lists it as clean, however I always like to scan files like that at Jotti or virustotal before I tell the Antivirus to ignore it. I think that you have a false positive, I just like to be safe.


During my AVG scan it shows AdbeRdr708_en_US.exe as a danger. Is this a false positive? I did a search and it shows as a valid component of the Adobe Reader.

A:AVG False Positive?


Is it a false positive or what?


Hi and thanks for your help in advance.  After running, RogueKiller orange flags the following two items in the "antirootkit" section/tab:
shwSSDT:Addr (Hook.Shadow) 585 NtUserSetWindowsHookEx unknown unknown \0x89d288c6
shwSSDT:Addr (Hook.Shadow) 588 NtUserSetWinEventHook unknown unknown 0x89d288cb
I have no idea what these entries mean and wonder if I can ignore.
I did post on forum.adlice.com but with no success.

A:RogueKiller False Positive?

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

What is the issue that led you to run the RogueKiller tool.

==

If you have a CD emulator disable it before running the TDSSKiller tool.

Disable the CD emulators....
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

HOW TO: Enable the CD Emulators... < restore only when we are finished.
To re-enable your Emulation drivers, double click DeFogger to run the tool.
The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.

===

We will check your BIOS and Master boot record.
R...


I had a run-in several weeks ago with Rovnix.D on my machine that I ended up not even knowing about until it was already blue screening my x64 Win7 machine.  I ended up having to reformat my machine and reinstall after a blue screen trashed my boot sector completely (as well as my registry) when I attempted to do a roll-back/restore, and even ended up losing access to my PC's restore partition.  Long story short, I ended up doing things the old-fashioned way, getting a copy of Win7 x64, inputting my key from the sticker on my machine, and then hunting down drivers (I kept putting off making those restore DVDs for my machine, so I still don't have access).  It was a pain in the rear.  I had been running AVG antivirus at the time, and it never detected it.
Since the reinstall, things have worked wonderfully of course, but suddenly, about two weeks ago, MSE detected a Rovnix.D infection in my boot sector again.  >.<;;;  I've tried everything I can think of, short of reformatting again (please God, NO!) to remove it.  Nothing else detects it except their Security suite, which states that it partially removes the infection.  MSE tries to remove it, says it cannot due to security issues, and suggests quarantining, however the button to do so is grayed out and unclickable, and my only option is to close the window.  RIGHT NOW, everything runs properly, though there have been a few recent issues with slowdown that I can't acco...

A:Rovnix.D - False Positive with MSE?

Hello, having run ComboFix please post that log with a DDS log if possible in a new topic. Please follow this Preparation Guide and post in a new topic. Let me know if all went well.


HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Trojan.Agent)

Got this alert on both my systems after Malwarebytes updated to database v2012.06.14.01.
In just a few minutes Malwarebytes had two updates. The latest is v2012.06.14.03 and the alert is gone. I guess they got their definition file messed up.


A:Malwarebytes False Positive

Just goes to show ya, nobody's perfect. Just waiting for the BSOD update


Combofix was great for me, because it solved my problem.
Nevertheless, in order to improve the tool, I'd notify the following false positive.
The file "XLoader.sys" was deleted and, after renaming as "XLoader.sys.vir", placed in the "Quarantine" folder.
But this file is not a virus: it is a part of the drivers of my videoconverter named "ConvertX".
Without this file, the "ConvertX" peripheral doesn't work anymore.
I had to restore the original name and newly put the file in the appropriate folder (in my case, "C:\Windows\System32\Drivers\").
Then I'd kindly ask you to consider this problem in the future releases of Combofix.

A:Combofix false positive

I have informed the developer.


Hi

Just done a online scan with Trend Micro's "Housecall" and its picked up ADWARE_MEMWATCHER here: C:\WINDOWS\system32\drivers\etc\host\ think it may be a false positive and have something to do with Spybot S&D?

Am I infected?

Thanks in advance.

__________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:24:17, on 24/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Zone Labs\ZoneAlarm...

A:Adware_memwatcher - False Positive?

to BleepingComputer.com

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:

While a HJT Team member is working with you, please refrain from making any changes to your computer.

Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.

If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.

Please reply using the button in the lower left hand corner of your screen.

Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished".

If you would still like help, please follow the instructions below:

We need to create an OTViewIt Report
Please download OTViewIt by OldTimer.
Save it to your d...


I have just done a scan with Kaspersky AV, I changed all the scan settings to their highest and it found these 5 infections:

deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\1edecfd398679471b89bb28b61fc583a1a19f244//PE_Patch/common\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\30aee677e35c6a0669ba22afb9b63923e7c5d226//PE_Patch//CAB-file.cab/update\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\3e4a91bc1328a49b3e4cb88c71ec696b9e147936//PE_Patch//CAB-file.cab/common\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\525c6b6ee42e7a3ac28f488b00c6289a7281a71d//PE_Patch/update\update.exe
deleted: Trojan program Trojan-Downloader.Win32.CWS.fp File: C:\WINDOWS\SoftwareDistribution\Download\9c5b7af77a669a7388262248a95f9616b80d787e//PE_Patch//CAB-file.cab/common\update.exe

I have had no problems with my computer and my HijackThis log is clean, I have also done scans with MBAM, Spybot, Dr Web
and Ad-Aware which found nothing. I can't find any information on this Trojan so is it a false positive? And should I restore them if

A:Malware Or False Positive?

Hello, try submitting them to Jotti's malware scan and/or Virustotal; the results will help a lot in determining that.


Latest Spybot Search & Destroy found:
Redirected host
Redirected host

Isn't this a false positive?

I have reported it to the developers, a while ago, but so far I suppose they do not agree with me. I even reported the source which is the Hosts file (1.2MB) from http://remember.mine.nu/

Is the website www.ZeroSpyWare.com a valid website which does not belong in the Hosts file as a redirection (i.e. for malware or adware websites) or is it a valid entry in the Hosts file and thus a false positive from the Spybot S&D tool?

-- Tom

P.S. I have not visited the www.ZeroSpyWare.com website. Until I find out otherwise, I will associate it with some kind of malware website and just ignore the Spybot S&D findings as a false positive regardless of what Spybot continues to inform me from a scan.

A:Solved: False positive or not?


AVG False Positive with mIRC v. 5.91
AVG tech support confirmed that their latest update (Virus Database 250 dated January 21, 2003) reports that mIRC v. 5.91 is infected with the trojan BackDoor.mar. They say it will be fixed in the next release.

A:AVG False Positive with mIRC v. 5.91

OK thanks, Will have to post this in another thread-3 people report it saying they had the virus.


Hi, this is my first time posting, so I hope I am posting in the correct forum! I have an Acer Aspire One, 64-bit OS Windows 7 Home Premium version. I have IOLO System Mechanic as my main anti-virus program, and run MBAM Premium alongside it. Lately I have to repair the system 3-4 times a day with the System Mechanic program. System Shield says it's blocking and quarantining infections with real time monitoring, but nothing is ever in the quarantine section, and my settings don't let it purge automatically. MBAM is not reporting anything, but another scan I ran says I'm infected with the WIN32:adw-gen virus, but it never shows up anywhere else. I've even scanned the implicated infected folder with MBAM and it says no malware detected. Please help! My computer has slowed down greatly; it takes about 10 min for it to load at start-up. Please help me get my computer back!

A:possible virus? or false positive?

Hello asl, also do these now.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

...

ADW Cleaner
Please download AdwCleaner by Xplode and save to your Desktop.
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and ...


The 0000XXX and XXXXXXXXX are random numbers. There's 22 of these. They're false positives I'm guessing?

A:SAS NVIDIA False Positive?

Hello Cas. Let's get a second opinion.

To get a second opinion, submit it to one of the following online services that analyze suspicious files: Jotti's virusscan, VirusTotal.

In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.


I'm running Windows XP, SP 3.

Ok, so a couple of weeks ago I upgraded to AVG 9.0. I updated it and scanned and it found a Trojan Horse Vundo.jw in my system32 folder, on the csrss.exe file, and csrss.exe\00270000 (or something). AVG said it removed it, then a day later, it was back, same files. Removed it again, same thing next day, and the next, etc.

Since then I've downloaded, installed, scanned and tried removing it using at least 6-7 other programs, one of which is BitDefender. Now here's where it gets confusing... to install and use BitDefender, I had to remove AVG. After installing BitDefender and finding out it didn't find the possible trojan, I looked for the next program to use, none of which have found it. The trouble here is that I'm not actually sure if it's still on my system since none of the programs detected it, but it was there when I uninstalled AVG for BitDefender... so I really need some help

(As a note; on the day I uninstalled AVG, AVG detected the trojan in the same files, but said it was now a trojan horse vundo.je, no longer a .jw)

HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:32 p.m., on 29/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WI...

A:Trojan or false positive...?


Is this file (private server game client) a false positive or a real malware?
VirusTotal Link
As far as I'm concerned, a lot of people are accessing this file and it does not seem to be a malware. I just want to be sure.

A:Is This File a False Positive?

It's a Malware..

Trojan Dropper
A type of trojan that drops one or more malware onto a system. A typical trojan-dropper is a file that contains other files (its payload) compressed inside its body. In many cases, trojan-droppers also contain innocent files or multimedia files to disguise malicious activities.


Okay, this is how my computer started to lose its mind.

AVG detected a virus named Trojan Horse VB.AIEF
I thought it's just a normal virus to heal, but when I searched for it in the virus directory of AVG, it's not there...
Then, that virus infected files inside my local disks like Programs, Documents, etc. (My Computer > Local Disk (e.g. C:\) > Any folder) and it says they can't be opened and they have extensions of ".exe"
Weird again~
Also, I discovered that if I turn off the AVG, I can open folders in my local disks.
I searched the net and it says that AVG 2012 had false positive issues, malwares, etc.
I'm just an amateur with computers but not noob. I can understand some terms and fix some issues but not this kind of problem.
So there, I tried to use other anti-virus. My friends suggested it. I downloaded avast! and found malware. I downloaded Spyware Doctor and found the same.
I thought I'm in relief. So there I fixed the problems...
Hmmm... it actually deleted my files inside local disks...
Here's another weird part.
First C:\
All my folders turned into files with extensions ".000"
My programs are still working with ease.
Next, D:\
My files are deleted T_T and I'm too sad because my Warcraft 3 and Red Alert 2 are there
So I found on the net that PC Tools had file recovery and found pandorabox to recover files but I didn't try yet.
Also I asked AVG and they said that I need to do the AVG Rescue CD.
Well I can do it but i...

A:AVG False Positive or Malware?

I really need your help... Thanks!
