False Positive?!

Status
Not open for further replies.

Plexx

Thread author
Could someone tell me whether what's shown is a FP?

HMP, CAV, ESET Online and Panda did not detect it.

I can't even locate safehost folder...

malwarebytesr.jpg
 

DiabloBlack

New Member
Nov 5, 2011
193
From what I have found so far on Google, this looks very real, possibly a fake keygen. Did you have MBAM remove these files? Have you completed another scan with MBAM?
 

McLovin

Level 76
Verified
Helper
Malware Hunter
Apr 17, 2011
9,228
I would say just by looking at them they are False Positives, but I'm not sure. Like Diablo said, have you removed them and run another scan?
 

Plexx

Thread author
Removed the files and OS screwed up...

Using second laptop to post this...

Time to boot Linux to get some backups and run a clean backup.

I might as well replace some paid tools with free versions. Trust my luck...
 

Ramblin

Level 3
May 14, 2011
1,014
biozfear said:
Removed the files and OS screwed up...

I might as well replace some paid tools with free versions. Trust my luck.
I don't know if the file was malicious, but what I know is you should have never deleted those files before making sure that they were actually malicious. As of now, you still don't know if you were actually infected; deleting those files was a mistake.

For the future, get Sandboxie so you won't depend on antivirus/malware scans, which often make mistakes.

Bo
 

bogdan

Level 1
Jan 7, 2011
1,362
I don't think it was a false positive. Unfortunately Malwarebytes was unable to fix the damage (you should probably report this problem on their forum).
 

WinAndLinuxTutorials

Level 4
Verified
Helper
Aug 23, 2011
2,294
No, it looks like malware to me; it isn't a false detection.
About the safehost folder (How to locate it):
1. Open My Computer
2. In the Address bar, type the following: %systemroot%\system32\safehost
3. Press enter
4. Upload the file to VirusTotal.

Hope this helps you :)
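The same steps as a PowerShell script, added here as an example that is not part of the original post. It uses the path given above, lists hidden and system files (which Explorer hides by default, one reason a folder can seem to be missing), and prints a SHA-256 per file so the hash can be searched on VirusTotal before anything is uploaded or deleted. The Sysnative fallback is an assumption about why a folder might not be visible, not something the thread confirms.

```powershell
# Added example, not from the thread: locate the folder named in the post,
# including hidden/system entries that Explorer hides by default, and hash
# each file so it can be looked up on VirusTotal by SHA-256 before deletion.
# Assumption: the path is the one given in the post; on a clean machine the
# folder simply does not exist.
$target = Join-Path $env:SystemRoot 'system32\safehost'

if (-not (Test-Path -LiteralPath $target)) {
    Write-Host "Not found: $target"
    # Caveat: a 32-bit tool on 64-bit Windows sees SysWOW64 instead of System32
    # (WOW64 file redirection), which can make a real System32 folder "vanish".
    # The Sysnative alias bypasses that redirection from 32-bit processes.
    $alt = Join-Path $env:SystemRoot 'Sysnative\safehost'
    if (Test-Path -LiteralPath $alt) { $target = $alt } else { return }
}

# -Force lists hidden and system files; droppers commonly set both attributes.
Get-ChildItem -LiteralPath $target -File -Force -Recurse | ForEach-Object {
    $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
    [pscustomobject]@{
        Path       = $_.FullName
        Bytes      = $_.Length
        Attributes = $_.Attributes
        LastWrite  = $_.LastWriteTime
        SHA256     = $hash.Hash   # search this on virustotal.com; upload only if unknown
    }
} | Format-Table -AutoSize
```

Searching VirusTotal by hash first avoids uploading a file that may contain personal data, and gives an answer even when the file cannot be copied off the machine. Run it from an elevated prompt if the folder's ACL blocks a normal user.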
 

Deleted member 178

Thread author
It is a Trojan Dropper wrapped in a fake keygen. As your picture shows, it created some registry keys. These registry locations shown on your picture are often used by trojans.

http://security.fnal.gov/cookbook/WinStartup.html

http://www.greatis.com/webhelp/regrun___detailed_instructions/start_control/active_setup_registry_key.htm
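A read-only dump of the autostart locations the two linked pages describe (Run/RunOnce and the Active Setup Installed Components key), added here as an example and not part of the original post. It flags entries whose command references the folder name from the thread; that filter string is an assumption for illustration.

```powershell
# Added example, not from the thread: read-only dump of the autostart registry
# locations the two linked pages describe (Run/RunOnce and Active Setup), so a
# suspicious entry can be inspected before anything is removed.
# Assumption: the folder name 'safehost' from the thread is used as the filter.
$suspect = 'safehost'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value; Note = '' }
    }
})

# Active Setup: every HKLM subkey with a StubPath runs once per user at logon;
# HKCU holds the per-user "already ran" marker. An HKLM entry with no HKCU
# counterpart will execute at the next logon of this user.
$asHKLM = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$asHKCU = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$entries += @(foreach ($sub in (Get-ChildItem -Path $asHKLM -ErrorAction SilentlyContinue)) {
    $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
    if (-not $stub) { continue }
    $ran  = Test-Path -Path (Join-Path $asHKCU $sub.PSChildName)
    $note = if ($ran) { 'already run for this user' } else { 'pending for this user' }
    [pscustomobject]@{ Location = 'ActiveSetup'; Name = $sub.PSChildName; Command = $stub; Note = $note }
})

# Everything, with the entries referencing the suspect folder listed first.
$entries |
    Sort-Object { $_.Command -notmatch $suspect }, Location |
    Format-Table Location, Name, Command, Note -AutoSize
```

Nothing here writes to the registry; export the key with `reg export` before removing an entry so the change can be reverted if the system misbehaves afterwards.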
 

Plexx

Thread author
Ran a backup of the image (the last one I had with Acronis), and well, it is infected.

I am unable to get to that folder using the tips provided.

How exactly I got infected beats me. I have tried booting Kaspersky now as well, and it doesn't detect it either.

I have just left the file and removed the entries, yet I am getting all sorts of problems. Looks like I will need to do a clean install.

I suspect the infection was due to an old backup file. What troubles me is that only Malwarebytes detected it.

I can't upload to VT since I cannot get to that location. Before getting this laptop and the files from the old PC, I wasn't running Sandboxie or Bufferzone. Guess it was already too late when I started using virtualization software.


The only thing I hate about clean installs is the fact that I have to install all applications and games again and I have to patch every game I play... Oh well, should have cross checked the backup files first. Lesson learnt.

Thanks everyone for your help.
 

Deleted member 178

Thread author
CIS HIPS didn't block it or generate a popup?
 

Plexx

Thread author
No action from CIS. That's the problem. No tool detected anything apart from Malwarebytes.

All personal files are backed up, and I'm about to launch a clean install later on. After that I will use Malwarebytes to scan my old desktop (I've got to plug it in and set it up) and hopefully detect the source.
 

Deleted member 178

Thread author
That is weird; it seems that this malware may have had no activity, but when you tried to remove it, it screwed up the system.
 

Chiron

Level 1
Feb 24, 2011
250
umbrapolaris said:
That is weird; it seems that this malware may have had no activity, but when you tried to remove it, it screwed up the system.

Possibly it's an old infection.
 

Deleted member 178

Thread author
Chiron said:
Possibly it's an old infection.

Yes, I think so too. It seems to be a fake keygen, and to run a keygen you must allow it; then the infection results.
 

Plexx

Thread author
Found it on the old desktop. It was indeed a keygen I used to test, and I must have run it by mistake instead of running it in VMware...

I have my system backed up now, but here comes the worst part. Reinstall everything.
 