
combofix & ashampoo false positive ?

Q: combofix & ashampoo false positive ?

Have the latest beta combofix called kittyfix.
Running it, it warns in the beginning that Ashampoo antivirus is active
runtime-scanning, etc, etc, continue at own risk.
Although I have previously had some Ashampoo utils installed, they are
now all removed via control panel add/remove programs. No trace now using explorer, no trace using regedit and search for "ashampoo".
No errors using malwarebytes. No errors running Registry booster from
Uniblue.
So is this a false positive from combofix, or what ??

regards
snofte

A: combofix & ashampoo false positive ?

Ashampoo AV is likely still registered with WMI. Many applications have terrible uninstall routines.

A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'

Quote:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed. I currently have as many open topics as I can effectively handle; this will have you back in queue with the proper logs so an available helper would be able to assist.


If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
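
The "still registered with WMI" point in the answer above can be checked directly rather than guessed at. What follows is an added example, not part of the thread and not ComboFix's own code: it lists every product Windows Security Center still has registered, flags registrations whose signed executable is no longer on disk (the usual leftover of a broken uninstall), and shows how to remove one. It assumes Windows Vista or later (namespace root/SecurityCenter2) and PowerShell 3 or later; Windows XP used root\SecurityCenter with different property names. The productState decoding is the widely used community interpretation, since Microsoft does not document that value, and the '*Ashampoo*' filter is simply the product name from the question.

```powershell
# Added example (not from the thread, not ComboFix code): inspect and clean Security Center's
# WMI registrations. Assumes Vista+ (root/SecurityCenter2) and PowerShell 3+. Run elevated.

$ns      = 'root/SecurityCenter2'
$classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'

function ConvertFrom-ProductState {
    # productState is undocumented; this is the common community decoding:
    # bit 0x10 of the middle byte = real-time protection on,
    # bit 0x10 of the low byte    = definitions out of date.
    param([uint32]$State)
    $hex = '{0:X6}' -f $State
    $mid = [Convert]::ToInt32($hex.Substring(2, 2), 16)
    $low = [Convert]::ToInt32($hex.Substring(4, 2), 16)
    $rt  = if ($mid -band 0x10) { 'on' } else { 'off' }
    $upd = if ($low -band 0x10) { 'out of date' } else { 'current' }
    "realtime=$rt; definitions=$upd"
}

function Test-ProductExe {
    # Defender registers a URI (windowsdefender://...) rather than a path, so only
    # absolute file paths are checked; anything else is reported as 'n/a'.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'missing' }
    if ($Path -notmatch '^[A-Za-z]:\\') { return 'n/a' }
    if (Test-Path -LiteralPath $Path -PathType Leaf) { 'present' } else { 'missing' }
}

function Get-SecurityCenterProducts {
    foreach ($class in $classes) {
        Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Class  = $class
                    Name   = $_.displayName
                    State  = ConvertFrom-ProductState $_.productState
                    Exe    = $_.pathToSignedProductExe
                    OnDisk = Test-ProductExe $_.pathToSignedProductExe
                    Guid   = $_.instanceGuid
                }
            }
    }
}

Get-SecurityCenterProducts | Format-Table -AutoSize

# Remove a stale registration only after confirming the product is really gone:
# the entry must match by name AND its signed executable must be missing.
# Keep -WhatIf until the filter selects exactly the entry you mean.
Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct |
    Where-Object { $_.displayName -like '*Ashampoo*' -and
                   (Test-ProductExe $_.pathToSignedProductExe) -eq 'missing' } |
    Remove-CimInstance -WhatIf
```

A registration whose executable is present but whose product you believe is uninstalled deserves a closer look before deletion: either the uninstall did not finish, or something else is still there. Removing the WMI instance only changes what Security Center (and tools like ComboFix that read it) report; it does not remove any files or drivers.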


Greetings.

Today, 3/28/2011, I downloaded the latest ComboFix with a filesize of 4304820 and ran it.

I did so because of an unusual occurrence in my IE7 session which all of a sudden took me to Symantec's site saying something had interfered with my home page.

As I am a tech and this is my daily machine, it surprised me that anything should be amiss. I ran Malwarebytes and it did not find anything amiss, however, while scanning Symantec (Ver 10.0.1.1009) found and deleted a plugin for a security camera, dvrocxchs.dll and said it was a downloader trojan.

As this .dll has been on my machine for quite some time and while has been known to present false positives in the past, I decided to err on the side of caution. I downloaded and ran ComboFix as well.

Much to my surprise, it found a few "viruses", however they are all "sourceforge" type programs, which leads me to believe ComboFix has ID'd them incorrectly. Below is the log....

2011-03-28 13:17:07 . 2011-03-28 13:17:07 9,910 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-03-28 13:12:29 . 2011-03-28 13:12:29 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-03-21 13:14:18 . 2010-01-22 06:46:50 214,528 ----a-w- C:\Qoobox\Quarantine\C\JDownloader\JDownloader.exe.vir
2010-02-15 12:36:15 . 2004-09-19 15:46:40 69,632 ----a-w- C:\Qoobox\Quarantine\C\NZB-O-Mati... Read more

A:Combofix false positive?

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your ... Read more


Hello,
 
I use two programs on my computer:
 
Volume2 Advanced Audio Mixer
http://irzyxa.deviantart.com/art/Volume2-version-1-1-3-247-Release-340146840
 
and
 
Network Activity Indicator
http://www.itsamples.com/index.html
 
Any time combofix is run on my laptop with these two apps installed, it disables / quarantines the programs as harmful or viruses?
 
Is there anything wrong with either of these applications?
 
Thanks
 
Rob

A:Combofix false positive?

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/520503 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more


Combofix was great for me, because it solved my problem.
Neverthless, in order to improve the tool, I'd notify the following false positive.
The file "XLoader.sys" was deleted and, after being renamed to "XLoader.sys.vir", placed in the "Quarantine" folder.
But this file is not a virus: it is part of the drivers of my video converter named "ConvertX".
Without this file, the "ConvertX" peripheral doesn't work anymore.
I had to restore the original name and put the file back in the appropriate folder (in my case, "C:\Windows\System32\Drivers\").
Then I'd kindly ask you to consider this problem in future releases of Combofix.
Cheers

A:Combofix false positive

I have informed the developer.


It seems to be a new file based on first submission date and 0 comments or votes for such a popular program. Has this been infected again or is it a false positive?
 
Report: https://www.virustotal.com/en/file/9b2d5b4d7307f44fd4b3ffcf84fadebbdf3de068e33cc6adba61ce29e8c60d1d/analysis/1388750468/
Downloaded from: http://www.bleepingcomputer.com/download/combofix/
 

 
Jiangmin Trojan/JmGenGeneric.boe 20140103
Kingsoft Win32.HeurC.KVM003.a.(kcloud) 20130829
McAfee Artemis!A085D5874473 20140103
McAfee-GW-Edition Artemis!A085D5874473 20140103
Rising PE:Malware.XPACK/RDM!5.1 20140103
Sophos NirCmd 20140103
TrendMicro-HouseCall TROJ_GEN.F47V0101 20140103
 
First submission 2014-01-01 18:59:38 UTC ( 1 day, 17 hours ago )
Last submission 2014-01-03 12:01:08 UTC ( 4 minutes ago )

A:7 / 48 AV detects ComboFix. False positive?

This is a false positive by the anti-virus. Combofix is not malware. However, certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves so they do not allow access for scanning, but they often trigger alerts by anti-virus software. For example, Catchme is a rootkit scanner that detects userland rootkits and is incorporated with some specialized fix tools like Combofix and GMER.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by ... Read more


Combofix False Positive - Avira's Strange behaviour

On downloading Combofix from: http://www.bleepingcomputer.com/download/anti-virus/combofix

Avira flashed up the following:

Virus or unwanted program 'RKIT/Agent.4368790 [trojan]'
detected in file '\\10.1.1.20\Devil's Backbone\MyTools\ComboFix\ComboFix.exe.
Action performed: Deny access

Knowing that it is safe anyway i continued to download, avira's free version cannot delete from a mapped drive anyway.

On copying the downloaded file to the desktop and right clicking and selecting "Scan selected file with Avira", Avira completes the scan and finds nothing!

Downloading the file a second time from bleepingcomputer.com, avira does not flash up the warning again!

Avira flashes up another message when copying the downloaded file to a USB Memory stick!

This time:

Virus or unwanted program 'RKIT/Agent.4370492 [trojan]'
detected in file 'J:\MyTools\ComboFix\ComboFix.exe.
Action performed: Deny access

I think it is denying access to the file being overwritten rather than the file that i have just downloaded but the file being overwritten was also downloaded from bleepingcomputer.com on Friday 6th January 2012 (4 Days ago). Avira didn't detect anything wrong on Friday when Combofix was downloaded and used. Combofix appeared to run and do its job as normal, nothing unusual happened at the time or since Friday!

A:Possible Combofix False Positive

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert". Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. When issues arise with new malware infections or other security tools conflicting with ComboFix, experts are aware of them and can advise users what should or should not be done while providing assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here. What specific issues are you having that require using ComboFix?

Compliments of QuietMan7

Please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable... Read more


Every time I run combofix, it says it has detected rootkit activity, reboots, then warns that Zero-Access rootkit has been detected. Multiple runs still say the same thing. I've thrown everything I can find at it, nothing else shows the rootkit. I've attached an otl log and am ready to provide whatever information you need.

I ran otl with the "all users" checked, and:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
wininit.exe
hlp.dat
/md5stop

It did not generate a minimized "extra.txt"?

System info:
XP Professional SP3
2.4 Dual core, 2gb ram.
Thanks for your time.

A:False Positive from Combofix? Zero-Access rootkit

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about y... Read more


We noticed that Combofix incorrectly identifies files used by SafeNet Sentinel as malware.

nsprs.dll
seraurth1.dll
serauth2.dll
ssprs.dll

Are all located in system32 and are used by SafeNet, which is used by software vendors to enforce licenses. In our environment it is used by SPSS. From looking online, it appears this has been a false positive in scanners for some time. Any idea if there are plans to correct?

A:Combofix False Positive: SafeNet Sentinel

I have notified the author with a copy of your post. We will update this thread with his response. Thank you for advising us.


Ran Combofix to check for malware after 0xd1 BSOD caused by Intel Wireless driver.
 
Was surprised when the log said that AmazonCloudDrive.exe had been quarantined. I went into Qoobox to have a look at the file. Its signatures looked correct to me. Its original location was in appdata/local/etcetc.
 
My gut feeling is that this detection is a false positive. Can someone confirm?
 
Thanks,
 
Adam

A:Combofix Quarantines AmazonCloudDrive.exe... false positive?

Just uploaded the file to virus total. Score 0/54: https://www.virustotal.com/en/file/bbe7028bfe05fa78c123f4c0a4af5f40c0a87d05a1719fa826dd8d9adbd3bcc6/analysis/1415377443/


Hi,
 
This is Josh, Tech Support for Usoris Systems LLC. We've received multiple complaints from our commercial end-users that have informed us in regards to ComboFix deleting a module of our Remote Utilities software during use. They've stated that they have never had this issue in the past with ComboFix running along with our Remote Utilities. I'm wondering if the developers have a communication channel where I could forward this type of request?
 
Thanks!

A:ComboFix False Positive on Remote Utilities Software

I will pass along the information to sUBs, the developer but he most likely will want to see a log.


Every time I run combofix, it says it has detected rootkit activity, reboots, then warns that Zero-Access rootkit has been detected. Multiple runs still say the same thing. I've thrown everything I can find at it, nothing else shows the rootkit. I've pasted an otl log and attached a gmer.log and am ready to provide whatever other information you need.

I ran otl with the "all users" checked, and:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
wininit.exe
hlp.dat
/md5stop

It did not generate a minimized "extra.txt"?

System info:
XP Home Edition SP3
2.0 ghz cpu, 2gb ram.
Thanks for your time. I have attached gmer.log (quick scan) and pasted otl.txt (all users).

OTL logfile created on: 7/28/2014 3:02:37 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Home\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.24 Gb Available Physical Memory | 62.16% Memory free
3.84 Gb Paging File | 3.11 Gb Available in Paging File | 81.13% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 218.75 Gb Free Space | 73.39% Space Free | P... Read more

A:False Positive from Combofix ??- Zero-Access rootkit Detected

Hello moddman, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

Download RogueKiller on the desktop
Close all the running processes
Under Vista/Seven, right click -> Run as Administrator
Otherwise just double-click on RogueKiller.exe
... Read more


Just to start, I have been using Combofix for several years, successfully removing malware that no other software could detect (nor remove so quickly and effectively). So I'm not a newbie or neophyte when it comes to malware removal.

I've run into a situation where Combofix is detecting a legitimate veterinary software as a malware. I was able to restore the software files from quarantine so no big deal, but I'm wondering how to report a false positive to the author of Combofix. After searching through Bleepingcomputer.com, it appears this is the best way to communicate with Combofix's author. But please point me in the right direction if I am mistaken.

I've had this happen twice now, a few months apart, so I don't think it is an isolated incident. And I don't think that Combofix is legitimately removing an infected file because it removes the entire directory (after removing every single subdirectory and every single file).

Here is the directory that Combofix detects as malware:

C:\Program Files (x86)\AdVantage\

Both incidents have been on Windows 7 Professional 64-bit

I'm guessing that there must be a malware with the name of "advantage" that Combofix is confusing with the legitimate veterinary software of the same name.

Any help anyone can provide in providing this information to the Combofix author or pointing me in the right direction would be appreciated!

A:Combofix false positive on AdVantage Veterinary Software

We will get a message to the author regarding the information you provided. Thank you for advising us of the issue.


While the Windows Google Drive program is running, it creates folders called C:\Users\[username]\AppData\Local\temp\_MEInnnnn (where "nnnnn" is a 5-digit number). They contain python scripts and other things. They're usually created at startup, and removed tidily upon exit, but sometimes persist (I've taken that up with Google).  But I'm writing here to say that Combofix removes them.  (False Positive?)
 
I'm running Win7Pro/64-bit. 

A:Combofix deletes Google Drive Temp files. Possible False Positive?

ComboFix does scan the AppData folder as it is a common place malware tries to hide. If you believe the detection is a "false positive" by ComboFix, the developer (sUBs) will need a sample of the file(s) and log (ComboFix.txt) so he can investigate. Please submit (upload) a zipped copy to this Submit Malware Sample page. Fill in the requested information, comments and any further information. Zip the file(s) using a zipping program (i.e. 7-zip, WinRAR). Click the Browse... button and navigate to the location of the file. Click on the file to highlight it and choose Open. Click the Send File button. You will not be able to view the files that have been uploaded as they only show to the authorized users who can download them. sUBs will be able to collect the file(s) from there and examine them. Let me know when you have done this so I can advise the developer.


Win 10 Home 10586.164

Did a Sfc /scannow.
Result : found corrupted files but unable to repair some of them.

Did a dism..../restorehealth.
Result : Restore operation successful.

Did a sfc /scannow right after dism.
Result : found corrupted files but unable to repair some of them.

I tried to do a chkdsk /f/r, but scanning and repair stayed at 10% for over 45 minutes.
I aborted it. No patience for that.

Do I have a false negative from sfc, or false positive from dism ?

A:False negative or false positive ?

Update :
Did another sfc, same negative result.
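
"Found corrupted files but unable to repair some of them" is only half an answer: SFC writes the name of every file it could not repair to CBS.log, and the "[SR]" lines there tell you whether the failure is one file that keeps failing a hash check or real, widespread corruption. The following is an added example, not part of the post above: it pulls the SFC lines out of CBS.log and reports the unrepaired file names. It assumes Windows 7 or later, an elevated PowerShell 3 or later session, and the log path and "[SR]" line format SFC uses on those versions; the sample lines at the end are constructed to show the output shape and are not taken from the poster's log.

```powershell
# Added example (not from the post): summarise an SFC run from CBS.log.
# Assumes Windows 7+ and PowerShell 3+, run elevated so the log is readable.

function Get-SfcResult {
    param(
        [string[]]$Lines,
        [string]$Path = "$env:windir\Logs\CBS\CBS.log"
    )
    if (-not $PSBoundParameters.ContainsKey('Lines')) {
        # Select-String streams the (often very large) log instead of loading it whole.
        $Lines = (Select-String -LiteralPath $Path -Pattern '\[SR\]' -ErrorAction Stop).Line
    }
    $sr = @($Lines | Where-Object { $_ -match '\[SR\]' })
    $unrepaired = @(
        foreach ($l in $sr) {
            # SFC's unrepaired-file line looks like:
            #   ... [SR] Cannot repair member file [l:24{12}]"name.dll" of <component> ... hash mismatch
            if ($l -match 'Cannot repair member file \[[^\]]*\]"([^"]+)"') { $Matches[1] }
        }
    )
    [pscustomobject]@{
        SrLines    = $sr.Count
        Repaired   = @($sr | Where-Object { $_ -match 'Repairing corrupted file' }).Count
        Unrepaired = @($unrepaired | Sort-Object -Unique)
        Verdict    = if ($unrepaired.Count -gt 0) { 'files SFC could not repair (see Unrepaired)' }
                     elseif ($sr.Count -gt 0)     { 'no unrepairable files in this log' }
                     else                         { 'no SFC run found in this log' }
    }
}

# Constructed sample lines in SFC's format, so the parser can be tried without a real log.
$sample = @(
    '2016-04-01 10:00:00, Info  CSI  00000010 [SR] Verifying 100 components',
    '2016-04-01 10:00:01, Info  CSI  00000011 [SR] Cannot repair member file [l:24{12}]"example.dll" of Example-Component, Version = 10.0.10586.0 ... hash mismatch',
    '2016-04-01 10:00:02, Info  CSI  00000012 [SR] Repairing corrupted file [l:20{10}]"other.dll" of Other-Component ...',
    '2016-04-01 10:00:03, Info  CSI  00000013 [SR] Cannot repair member file [l:24{12}]"example.dll" of Example-Component, Version = 10.0.10586.0 ... hash mismatch',
    '2016-04-01 10:00:04, Info  CSI  00000014 [SR] Repair complete'
)
Get-SfcResult -Lines $sample   # Unrepaired = example.dll, Repaired = 1
Get-SfcResult                  # parse the real CBS.log
```

CBS.log is cumulative, so several SFC runs will each contribute "[SR]" lines; filter on the timestamp prefix of the run you care about if the history is long. A single file that fails on every run with "hash mismatch" while DISM /RestoreHealth reports success usually means the component store and the installed file disagree for that one file, which is a narrower problem than the bare "unable to repair" message suggests.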


Starting Combofix, it displays that "Ashampoo Antivirus" is detected and enabled. Advises that it should be
disabled before proceed. Dare not go further then.
But I do not have any Ashampoo Antivirus, all Ashampoo-program were uninstalled long time ago.
Explorer finds no folders with Ashampoo. A search via Regedit for "Ashampoo" and "Antivirus" gives no hits.
Add/remove programs via controlpanel finds no Ashampoo programs.
How to get rid of the Ashampoo thing ??

Regards
Snofte

A:Combofix & ashampoo Antivirus

Worth reading remarks by BC personnel, http://www.bleepingcomputer.com/forums/ind...p;#entry1159014.Louis


During my AVG scan it shows AdbeRdr708_en_US.exe as a danger. Is this a false positive? I did a search and it shows as a valid component of the Adobe Reader.
Thanks!
 

A:AVG False Positive?


Prevx v3.0.5.220 on my unit shows ADWcleaner as malware. Infected with Community.OuterEdge.ADWcleaner.exe. Downloaded it 3 times. Same each time. Anyone had this to happen to them? Thnxs

Edit: Moved topic from Windows 8 to the more appropriate forum. ~ Animal

A:false/positive?

Hi,
 
you can try uploading the file to VirusTotal.com for scanning, if the file is being detected by most of the antivirus vendors, then it probably contains malware.


I have been using AVG for some time. Recently, I have been getting a notification that I have the RORON i-net worm in one of my temporary internet files. It usually occurs when browsing this or some other forum. However, a scan with AVG, with Housecall, with Antivir, and with EZ Etrust does not show any infection. I can only conclude that this is a false positive. I just wondered if anyone else has experienced this.
 

A:False positive in AVG?


A while ago, before the servers shut down, I used to play the MMO Need for Speed World. Turns out that it can still be played in singleplayer by forcing the client into an offline server.
According to my virus total scan here: https://www.virustotal.com/en/file/0dceea1fe89bb8080918df8931f1c477a081937dc82bbafc4b39aeb2392a583f/analysis/1453461307/
the modified client to force it into such server from here: http://www.elitepvpers.com/forum/need-speed-world/3767890-nfs-world-offline-server.html
is a virus, and three people agree with it. My antivirus, Avast finds nothing wrong with it.
 
Elitepvpers seems to be a disreputable site. I downloaded it from the PC gaming wiki from here instead: https://drive.google.com/folderview?id=0Bwbb_Yiw_IWNfkZCQ3dJUkRsU2hvd3R2Q2hZWjN2VElvS3lQRWN6VWdMeUExVFpJa2p6WGs&usp=sharing&tid=0Bwbb_Yiw_IWNfmplMnN1cXZZWkNpZEljdkJmeFF3eGY5b3EwNFNMSkRFalV5V2FoQi1fTVE#list
 
In your opinion, is this a false positive?
 

A:False positive?

A Virustotal analysis of elitepvpers indicates it is a clean site...see here. The first six detections are more generic detections for unknown or suspicious files. For example...Artemis technology is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology. Artemis is not the name of an actual virus, but an alert displayed by McAfee when it thinks it may have found a new virus. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Thus, Artemis detections may or may not be malicious.

In general, heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, sea... Read more


Okay, so ever since I put System Shock Portable (a modified version of SystemShock 1 with mouselook among other mods) I've been getting this detection message from AVG whenever it runs a scan. All it says is to report the result though. So here I am, reporting the result.
 

 
"";"Multiple runtime compression aspack,nupx, C:\Users\Shade the Wolf\Documents\My Games\SYSTEMSHOCK-Portable-v1.2.2\RES\gulikoza\3dfxSpl2.dll";"Report message"
 

 

A:False positive?

Hi -
I think the best place to report / question this would be to the AVG forum.
 
Do you get a report from any other security program ??


I'm pretty sure my computer is clean (but one never knows); however, Malwarebytes found a PUP today. CenturyLink is my internet provider (the PUP has centurylink in it). I'm running windows 10 64-bit on a desktop.
 
So is this a false positive or do I need to post to the removal area?
 
I tried to copy and paste but it's not showing up on the post, is there a way to attach the picture of the log from Malwarebytes?
 
 
 
 

A:Is this a false positive?

Hi Tierra93. Are you able to upload the file Malwarebytes detected on VirusTotal.com, and copy/paste the report URL here? It'll be easier that way. What was the detection name? PUP.CenturyLink?


For some reasons my Kaspersky Endpoint Security 10 flagged a Bleeping Computer thread as "phishing website"... that boggles me.
Or maybe I'm just paranoid with all the security settings cranked up to High.
 

A:False positive?

Yes it appears to be a FP. The detection is on the url for this topic: Trojan dllhost.exe *32 COM virus. It is a heuristic detection. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list.


Hi, i just recently scanned my computer with AVG Free 8.0 and it found a trojan horse generic10.BHES. But it was listed as a C:\documents and settings\vincent lee\application data\adobe\acrobat\7.0\updater\adberdr709_en_US.exe. I think it may be a false positive? can a normal file be infected? it was cleaned and quarantined but should i post a hijack log as well? I am using windows xp. thanks

If I were to upload it to a website that checks files, do I restore the file from my virus vault? Would it be safe? How do I go about restoring it and sending it? Thanks!

A:Is This A False Positive?

It probably is a false positive. If you still have access to the file you can upload it at Jotti for analysis.


I have ZAM installed for on-demand scans and it's within its 15-day trial license.
It keeps detecting Amazon Spain as an infection in my search bar. I added it there with "Add to search bar" in Firefox.

Is there a real problem or is it a false positive?
Thanks!
 

A:False Positive or not?

Can you link the search engine add-on? The only Amazon search engine add-on that I can find on Firefox is "Amazon.com Quick Search with Suggestions" made by "Justin". This is not an official Amazon search.

Alternatively, there is an official extension called Amazon Assistant for Firefox that does not get flagged by ZAM.
 


This morning, two computers in the house suddenly decided that the wkcalrem.exe file in Microsoft Works 2000 was infected. I can think of no way that particular file is likely to be infected, and it's too much of a coincidence that two un-networked computers just happened to pick it up at the same time. Anybody else got it?

A:Avg False Positive?

I have always known the file that you mention to be part of Works, and the startup database here lists it as clean; however, I always like to scan files like that at Jotti or VirusTotal before I tell the antivirus to ignore it. I think that you have a false positive, I just like to be safe.


Hi all,

I scanned my system yesterday with Superantispyware. It came up with 44 security issues called: 'Security.HiJack[ImageFileExecutionOptions]'.

I've done a bit of searching, and some people have said that this is a false positive. However, I want to make sure that this is the case.

I sent off a 'false positive' report to Superantispyware, and as yet I have not received feedback. I have also done a scan with BullGuard's scanner, and it reported nothing. I am also currently running scans with Malwarebytes and Windows Defender, and I will let you all know when the scans finish.

I am slightly confused as to how a virus (or viruses) got onto my system in the first place, if they are not false positives. I use Sandboxie, which seems to have helped in the past with any potential threats. My only other concern is that a few days ago, I accidentally went on a site which left a virus on my parents' laptop. Unfortunately at the time I hadn't got Sandboxie installed, and the system was infected. I did however manage to remove everything via safe mode and using Superantispyware. Later on I looked at the log, and it seems that there was indeed a 'real' virus; however, the same 'Security.HiJack[ImageFileExecutionOptions]' 'virus' was also there, but at the time I thought nothing of it, as I believed it to be part of the 'real' virus (which if I remember rightly was a trojan). Hence, I am slightly confused as to whether or not this in... Read more

A:False positive?

IFEOs can be used for both legitimate and nefarious purposes.

Usually you won't have IFEOs on common apps such as iTunes, though, unless you've messed with them yourself. Not an absolute... just a generality.

Since you mention being infected before I'd go ahead and have SAS remove those.

Hope that helps.

~Blade
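Blade's point about IFEO entries can be checked offline from an exported registry key. The Python below is an added example, not code from the thread or from SUPERAntiSpyware: it reads a `reg export` of the Image File Execution Options key, reports every subkey that sets a "Debugger" value (the redirection a Security.HiJack[ImageFileExecutionOptions] detection points at), and separates well-known debuggers from anything else. The .reg text, the program names in it and the KNOWN_DEBUGGERS allow-list are constructed assumptions.

```python
"""Audit Image File Execution Options (IFEO) entries from a .reg export.

Windows launches whatever an IFEO subkey's "Debugger" value names in place
of the program the subkey is for, so a Debugger value on an everyday app is
worth a look. The export below is a constructed sample so this runs offline.
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Assumption: an allow-list of debugger executables a developer might
# legitimately register. Anything else is reported as suspicious.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe",
                   "drwtsn32.exe", "procdump.exe"}

# Constructed `reg export` output. devenv.exe mirrors a developer setup;
# iTunes.exe (an everyday app, as Blade says) is redirected to an unrelated
# binary; notepad.exe has an IFEO subkey but no Debugger value at all.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Windows\\system32\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iTunes.exe]
"Debugger"="C:\\Users\\Public\\updater_helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChaining"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(value):
    # .reg files double backslashes and backslash-escape quotes; undo both.
    return re.sub(r"\\(.)", r"\1", value)


def debugger_basename(command):
    """Lower-cased file name of the executable named first in a Debugger command."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, possibly with spaces
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_ifeo(reg_text):
    """Return one finding per IFEO subkey that sets a Debugger value."""
    prefix = (IFEO_KEY + "\\").lower()
    findings, target = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            name = key.group(1)
            # Remember the program name only while inside an IFEO subkey.
            target = name[len(prefix):] if name.lower().startswith(prefix) else None
            continue
        value = _STRING_VALUE_RE.match(line)
        if target is None or not value or value.group(1).lower() != "debugger":
            continue
        command = _unescape(value.group(2))
        exe = debugger_basename(command)
        findings.append({
            "target": target,
            "debugger": command,
            "exe": exe,
            "verdict": "known-debugger" if exe in KNOWN_DEBUGGERS else "suspicious",
        })
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG):
        print(f"{f['verdict']:15} {f['target']:<14} -> {f['debugger']}")
```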


Hi, yesterday I downloaded a virus. The antivirus popped up but I couldn't do anything because my PC started running really slow. But that's not my point. When I start my PC in normal mode the mouse moves and everything seems to be working, but when I click on something Windows force-stops or whatever, so I can't run the antivirus there. I booted it into safe mode and downloaded like every antivirus. Superantispyware showed about 400 tracking cookies - deleted them; other antiviruses found viruses - deleted them, but that didn't solve the problem. RogueKiller is showing this:
 
BTW I already deleted the "terra.im" one, but right after I deleted it, it showed that it had already been replaced. THE MAIN QUESTION IS: am I supposed to delete the HKEY... files? I have a feeling that it might be the "ZeroAccess virus" hidden in there. PLEASE HELP ME

A:False or positive

Hello, welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Log... Read more


 
Scanned with Malwarebytes and Avira after... the system seems to be clean. I just turned on the computer and this popped up after like 5 minutes or so of just browsing reddit. I didn't download or click any links or any ads. I don't know how I could've gotten this. So please, someone help me determine if this is a false positive or something bigger.

A:False positive or....?

I would consider it a false positive, because it is located in the ATI directory. Do you have any ATI products?

Please download TDSSKiller exe version to your desktop.
Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
Click on Change Parameters and click Detect TDLFS File System.
Click the Start Scan button.
Do not use the computer during the scan.
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, Skip instead; do not choose Delete unless instructed.
A TDSSKiller text file would be saved in Local Disk C.
Copy and paste the contents of that file in your next reply.

ADW Cleaner
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.... Read more


Hi,
I scanned an infected computer with MBAM, MSE and Kaspersky. All found trojans and removed them.
Then I ran a scan with Superantispyware and it found new trojans:

Trojan.Agent/Gen-IExplorer[Fake](2 items)
Trojan.Agent/Gen-PEC (2 items)

I then scanned the folders where the files were kept with Kaspersky and MBAM and they came up clear.
Are these real trojans or are they false positives?

Thanks!

A:SAS False Positive?

Anytime you suspect a file detection may be a false positive, get a second opinion by submitting it to one of the following online services that analyze suspicious files:

Jotti's virusscan
VirusTotal
VirSCAN

In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

You can submit the file(s) directly to SUPERAntiSpyware by downloading and using the SUPERSampleSubmit Utility. The direct download link for this utility can also be found here. Alternatively you can report the results at the False Positives Forum, but they will probably ask you to submit a sample. Once a file is received, a technician can examine it in more detail and provide a report letting you know the results.


I started down this road with a friend's computer known to have malware on it.
That had also had a major software stuff-up with updating.
(It attempts to contact a known malware-indicative domain name.)
The personal firewall blocked it, but only because I'm paranoid enough to make iexplore
ask every time it wants to use the net.

That's not the problem.

OK, I started at MajorGeeks, using a procedure they outlined,
to initially verify that my system is still clean, as I rebuilt the friend's computer here.
Part of that MajorGeeks procedure was to run ComboFix.
Up to that point nothing had found any malware, or any left-over bits, nor anything suspicious.
(I run a very tight ship (real FWs, OpenBSD, the whole nine yards): no viruses, trojans, et al. for 10+ yrs and counting.)

However:
ComboFix found two files in my system32 directory, named tmp67.tmp and tmp68.tmp.
FileAlyzer identifies them as identical (MD5). I don't like them because a hex dump shows
they have a standard-looking DLL front end; that makes me suspicious as they have .tmp file extensions.

FileAlyzer further identifies them as claiming to be
Company name CreativeLabs Inc., version 2,0,6,0, Product name OpenAL installer.

That would be fine. (I don't like that I can't find any way they could have got themselves run.)
But my system works fine with them removed.
(Paranoid mode on.) Hmmm, thinks I, perhaps the dangerous bit is still there hiding, and so I looks.

My system works fine with them removed because something else put them back!... Read more

A:Is this a false positive?

The silence prompted yet more reading and I found:

"The use of Combofix or any other high level removal tool is not for this area. If your log shows indications of the use of these tools,
there is a high probability your post will be ignored."

If this is the problem, where ought I to post my problem? The guide does not say.

If there is nowhere, am I forever condemned not to get help identifying the file tmp67.tmp, because I once ran ComboFix?


All season long I've gone to hdstreams.net to watch the Seahawks games online with no problem. Today I go there and suddenly Avast says a threat has been detected, with this pop-up:

 

A:Is this a false/positive?

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by Thomas Paine at 17:10:19 on 2014-12-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.4882 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ===============
.


Hello!

I am just curious about this thing with false positives and such that many people talk about.
Let's say, for example, this file. (I am not gonna link to it since it can be harmful, but here are
the results from using Jotti on it:)

[engine name not captured] 2010-02-10 Trojan.Agent.Cuff
[F-Secure Anti-Virus] 2010-02-14 Trojan.Win32.Agent.cuff
[A-Squared] 2010-02-14 Trojan.Win32.Agent!IK
[G DATA] 2010-02-14 Trojan.Generic.2716132
[Avast! antivirus] 2010-02-14 Found nothing
[Ikarus] 2010-02-14 Trojan.Win32.Agent
[Grisoft AVG Anti-Virus] 2010-02-14 Generic_c.AELX
[Kaspersky Anti-Virus] 2010-02-14 Trojan.Win32.Agent.cuff
[Avira AntiVir] 2010-02-12 TR/Spy.1458176.1
[ESET NOD32] 2010-02-13 Found nothing
[Softwin BitDefender] 2010-02-14 Trojan.Generic.2716132
[Panda Antivirus] 2010-02-12 Generic
[ClamAV] 2010-02-13 Trojan.Packed-158
[Quick Heal] 2010-02-13 Trojan.Agent.cuff
[CPsecure] 2010-02-14 BackDoor.W32.VB.bax
[Sophos] 2010-02-14 Mal/Generic-A
[Dr.Web] 2010-02-14 Trojan.Siggen.5009
[VirusBlokAda VBA32] 2010-02-13 Trojan.Win32.Agent.cuff
[Frisk F-Prot Antivirus] 2010-02-13 W32/Themida_Packed!Eldorado
[VirusBuster] 2010-02-13 Trojan.Agent.NTRQ
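quietman7's advice earlier on this page (get a second opinion from a multi-engine scanner) and the Jotti listing in this post both come down to reading a per-engine verdict list. The Python below is an added example, not code from the thread or from Jotti: it parses lines in the "[Engine] YYYY-MM-DD verdict" layout, separates named-family verdicts from generic or packer heuristics, and turns the counts into a triage call. The two reports and the GENERIC_MARKERS list are constructed assumptions.

```python
"""Tally a multi-engine scan listing and turn it into a false-positive triage call.

Input lines follow the "[Engine] YYYY-MM-DD verdict" layout of a Jotti-style
listing. Both reports below are constructed samples, not real scan results.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<engine>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<verdict>.+?)\s*$")

CLEAN_VERDICTS = {"found nothing"}

# Assumption: substrings that mark a heuristic, generic or packer-based verdict
# rather than a named family. Not a vendor standard; extend to taste.
GENERIC_MARKERS = ("generic", "packed", "packer", "heur", "suspicious",
                   "themida", "siggen")

# Constructed report: several engines agree on a family, others only see a packer.
CONSENSUS = """\
[F-Secure Anti-Virus] 2010-02-14 Trojan.Win32.Agent.cuff
[Avast! antivirus] 2010-02-14 Found nothing
[Kaspersky Anti-Virus] 2010-02-14 Trojan.Win32.Agent.cuff
[Avira AntiVir] 2010-02-12 TR/Spy.1458176.1
[ESET NOD32] 2010-02-13 Found nothing
[Sophos] 2010-02-14 Mal/Generic-A
[Frisk F-Prot Antivirus] 2010-02-13 W32/Themida_Packed!Eldorado
[ClamAV] 2010-02-13 Trojan.Packed-158
"""

# Constructed report: one engine objects to the packer, nobody names a family.
LONE_HEURISTIC = """\
[Avast! antivirus] 2010-02-14 Found nothing
[Kaspersky Anti-Virus] 2010-02-14 Found nothing
[ESET NOD32] 2010-02-13 Found nothing
[Sophos] 2010-02-14 Found nothing
[Frisk F-Prot Antivirus] 2010-02-13 W32/Themida_Packed!Eldorado
"""


def parse_report(text):
    """Return a list of {engine, date, verdict} dicts, skipping garbled lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(verdict):
    """'clean', 'generic' (heuristic/packer) or 'named' (a specific family)."""
    v = verdict.lower()
    if v in CLEAN_VERDICTS:
        return "clean"
    if any(marker in v for marker in GENERIC_MARKERS):
        return "generic"
    return "named"


def summarize(rows):
    """Count verdict classes and find the family most engines agree on."""
    counts = Counter(classify(r["verdict"]) for r in rows)
    families = Counter(r["verdict"] for r in rows
                       if classify(r["verdict"]) == "named")
    return {
        "engines": len(rows),
        "clean": counts["clean"],
        "generic": counts["generic"],
        "named": counts["named"],
        "top_family": families.most_common(1)[0] if families else None,
    }


def triage(summary):
    """Map the counts to the call a responder would make before trusting a hit."""
    flagged = summary["named"] + summary["generic"]
    if flagged == 0:
        return "no detection"
    if summary["named"] >= 2:
        return "likely malicious"          # independent engines name a family
    if flagged == 1 or summary["named"] == 0:
        return "possible false positive"   # lone or heuristic-only hits: submit a sample
    return "inconclusive"                  # one named hit plus heuristics: keep digging


if __name__ == "__main__":
    for label, report in (("consensus", CONSENSUS), ("lone heuristic", LONE_HEURISTIC)):
        s = summarize(parse_report(report))
        print(f"{label}: {s} -> {triage(s)}")
```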


AVG is now reporting some versions of zip.sfx that come as part of the WinRAR package as a threat.

See attached for details.
 


Hi Folks,

Just wondering if anyone else has had this particular situation.... I've attached two "bad boys" MSE detected... so here's the interesting scenario (at least for me!)... it was caught by MSE while or just after (literally minutes after) I did a full scan using Malwarebytes.... and the Mbytes scan came back all clear!!.... I must say I don't have much experience dealing with bad boys (which is a good thing, I like to think), but is this what you call a false positive? (I must confess, reading up on the two named rascals they seem to be anything but false!). Just wanna get some feedback, in the least to improve my knowledge.

Many thanks for stopping by

A:Is this a false positive?

I wouldn't call it a false positive. Read about your issue here.

MSE alert on Java


Is it a false positive or what?


Hi all,

I just ran the Sophos antivirus package and it detected a "Virus fragment 'Micro-12' in C:\WINDOWS\system32\ActiveScan\pskavs.dll".
In http://forum.avast.com/index.php?topic=18413.msg156599, this issue is already known to Avast and it looks like a false positive, since pskavs.dll belongs to Panda ActiveScan and the virus signature may not be encrypted.
In http://virusscan.jotti.org/ Avast detects it as Win32:CTX and ClamAV as Sirius.Annihilator.272.
Can you confirm that this is a false positive?

cheers,

JL
 

A:False positive?

Yes, you're OK!
 


My NOD32 Smart Security keeps finding the same thing, but it is a different driver each time. Oddly enough, a similar thing happened before I rebooted this computer 2 days ago. I don't know where this is coming from, because the software on this computer consists of programs such as iTunes.

P.S. I'm running Windows Vista SP1

A:False Positive?

Also, my website has this on some parts of it. On where it says connected to, and transferring data from and such.
argos-co-uk.jrj.com.cn.playstation-com.simplehomelink.ru


How do I add an exception in Norton Internet Security 2011?

A:False positive

You can configure exclusions in NIS to ignore certain files and/or directories. From the NIS main window, click on Settings, then under Computer Settings you will find a section for AntiVirus and SONAR exclusions. Add your exclusions to both the Items to Exclude from Scans and Items to Exclude from Auto-Protect and SONAR Detection.

If you want to exclude everything in a directory, be sure to have the "Include subfolders" box checked.

If it's false positives that are troubling you, submit them to Symantec.

https://submit.symantec.com/dispute/false_positive/


Hello. To begin with, here are some details of the system that I'm working with: it's running Windows 7 Professional, protected by NOD32 v4 antivirus, with Windows Defender running in real time. Weekly I scan with Malwarebytes Anti-Malware. I use Opera 10.1 for web browsing, and typically keep JavaScript off. I haven't manually downloaded or installed any software in weeks. Only automatic updates have run for various programs. One of those programs I run is Steam.

Yesterday, when Steam self-updated, something very peculiar happened. While Steam was in the process of patching itself, it spawned a process called SteamServiceTmp.exe. I've seen this happen in the past (I was watching in Process Explorer), so I didn't think much of it at all. However, a popup balloon from Windows Defender cropped up at this point, and said that it wanted to send SteamServiceTmp.exe to Microsoft. I was a little freaked out, because I didn't know what was going on. NOD didn't see anything, and Defender was acting like SteamServiceTmp was a piece of malware. I was in such a panic, I don't remember the exact message, but Defender didn't really say anything explicit.

I checked the logfiles for Defender, and the quarantine, but found nothing there. I was only able to find evidence that anything happened when I checked the System Event Viewer. I included the entry from that below, followed by a hidden log file that I eventually uncovered from this information. I've been ab... Read more

A:Was this a false positive? Or something Serious?

Maybe it is something on Windows Defender's end?


After reformatting both computers that had the same exact ransomware, Microsoft Security Essentials was installed. After an AVG scan, it detected MSE as having the Small Trojan.
I know this topic was previously done before and closed, and I read it thoroughly, but after the pain of having to wipe drives clean and reinstall programs (some I paid a lot of money for and might possibly have to repurchase), I just want to be sure, cautious and fully informed.
How common is this issue of possible false positives? What are the best ways of dealing with them? And is it simply just not using the programs that cause the conflict? For example, if I uninstall MSE (a program never used before, nor one I really feel I need or want), should AVG then not detect anything?
Any informed opinion or further information on the topic is greatly appreciated.

A:AVG false positive?

Hello SonyStereo,
 
You should choose only one antivirus program to use. You can uninstall MSE and use AVG. My personal recommendation is vice versa, but that is your choice.
If you uninstall MSE, AVG will not detect it.
 
Please read this quote from quietman7, if you have not already:
 

 
IMPORTANT NOTE: Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are init... Read more


I ran a malwarebytes full scan, and it marked the following file as a trojan: C:/Program Files/Synaptics/SynTP/SynZMetr.exe.

Is this a false positive, or is this legit malware? The file date is marked as before I even got this computer from the manufacturer.

A:Is this a false positive?

It's a false positive.. https://www.virustotal.com/en/file/c...6733/analysis/


I got an alert from Malwarebytes that "PUP.RiskwareTool.CK" is malware. I have it quarantined at the moment and just need verification on whether it's a false positive or not. And yes, I'm using a keygen "crack"... Guilty. Thank you in advance.

A:Is PUP.RiskwareTool.CK a false positive?

It probably is the crack... usually there is info after it: RiskWare.Tool.CK c:\Windows\xxxxxxxxx.exe


Hi, Everybody!
This is my very first post here. I'm 52 and I don't know much about computers (still in the first stage of the learning process), so any little help is priceless for me. Thanks in advance. I hope I can help from time to time too, at least by sharing information.

(My computer is a Vista Home Premium Dual Core 64-bit and) at about 7:45 this morning, my Prevx detected mpeg2data.ax as malware while my Xara Xtreme 5 was downloading sample drawing templates. Is this just a false positive, or may said file be corrupted? My Prevx can't proceed to the cleaning job (it starts scanning again and detects the said file as malware over and over). Could Windows be preventing the cleaning to protect the file? Could an intruder program be neutralizing my Prevx? I ran my G Data already too and it didn't detect anything.
THANKS FOR ANY HELP!
vidDa.


I upgraded recently to AVG 7.5 free version (on a Win XP, Service Pack 2 computer). On the first virus check, AVG detected a problem; it identified the file sporder.dll in the Windows\system32\ActiveScan folder. Because the file was not in system32 itself, I was not too worried. Then I discovered that the sporder.dll file (at least, the legitimate version of it) is apparently a Winsock 2 related file, and that some of my XP Service Pack 2 friends DO have sporder.dll in their [uninfected] Windows/system32 folders. Some sites even offer you the chance to download the legitimate sporder.dll to put in your Windows/system32 area if you do not have it. (I notice that there is now a sporder.dll file in my AVG Programs folder; but my AVG Virus Vault is empty.) Spybot, in its Tools/Winsock LSPs display, reports no problems on my computer. I suppose my question is: should a good XP Service Pack 2 computer ALWAYS have a genuine copy of sporder.dll in its Windows/system32 folder, or does the file only get there in certain circumstances? The file specs of the legitimate sporder are apparently "WinSock2 reorder service providers; file version: 5.0.2134.1".

Thanks to BC for helping with so many problems.

A:False Positive Perhaps In Avg7.5

Hello Wenta69, first let me say welcome to BC. Take a look at these links. Link > AVG Forum

There are legitimate and malware versions of this file... only scanning them will tell you if they are malware or not. If they scanned and nothing flagged them you are ok. Now more about the ones you did find... these are known spyware-related trojans... that means that an antivirus program will detect and remove the trojan, but there is more to spyware than just that... use antispyware utils to help clean up the rest (if any) of the spyware components that may exist. Here is a post about how I prefer to clean a system; these instructions also include cleaning spyware, which often is as bad or worse than many viruses, as well as other useful information: HOW TO CLEAN AN INFECTED COMPUTER.

If you suspect a file to be a false positive, test the file at [virusscan.jotti.org] and if it is a false positive, archive (zip, arc, tar etc.) the file using a password and email a copy to [email protected] with a brief description as well as the password you used to archive it with. If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on.

More info and a download of the file here:
http://www.bleepingcomputer.com/files/sporder.php
http://www.bleepingcomputer.com/filedb/spo....dll-31037.html


Hi
Just done an online scan with Trend Micro's "Housecall" and it's picked up ADWARE_MEMWATCHER here: C:\WINDOWS\system32\drivers\etc\host\127.0.0.1. I think it may be a false positive and have something to do with Spybot S&D? Am I infected? Thanks in advance.
__________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:24:17, on 24/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
... Read more

A:Adware_memwatcher - False Positive?

Welcome to BleepingComputer.com. I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered. If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
While a HJT Team member is working with you, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Please reply using the button in the lower left hand corner of your screen.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished".

If you would still like help, please follow the instructions below:
We need to create an OTViewIt Report
Please download OTViewIt by OldTimer.
Save it to your d... Read more
