False Positive?!

Plexx
Could someone tell me whether what's shown is a FP?

HMP, CAV, ESET Online and Panda did not detect it.

I can't even locate safehost folder...

[screenshot: malwarebytesr.jpg]
 
From what I have found so far on Google, this looks very real, possibly a fake keygen. Did you have MBAM remove these files? Have you completed another scan with MBAM?
 
I would say just by looking at them they are False Positives, but I'm not sure. Like Diablo said, have you removed them and run another scan?
 
Removed the files and OS screwed up...

Using second laptop to post this...

Time to boot Linux to get some backups and run a clean backup.

I might as well replace some paid tools with free versions. Trust my luck...
 
biozfear said:
Removed the files and OS screwed up...

I might as well replace some paid tools with free versions. Trust my luck.
I don't know if the file was malicious, but what I know is you should have never deleted those files before making sure that they were actually malicious. As of now, you still don't know if you were actually infected; deleting those files was a mistake.

For the future, get Sandboxie so you won't depend on antivirus/malware scans that often make mistakes.

Bo
 
No, it looks like malware to me; it isn't a false detection.
About the safehost folder (how to locate it):
1. Open My Computer
2. In the Address bar, type the following: %systemroot%\system32\safehost
3. Press Enter
4. Upload the file to VirusTotal.

Hope this helps you :)
 
It is a Trojan Dropper wrapped in a fake keygen. As your picture shows, it created some registry keys. The registry locations shown in your picture are often used by Trojans.

http://security.fnal.gov/cookbook/WinStartup.html

http://www.greatis.com/webhelp/regrun___detailed_instructions/start_control/active_setup_registry_key.htm
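The two posts above describe a manual check: browse to the safehost folder under %systemroot%\system32 and upload its contents to VirusTotal, then review the autostart registry locations the linked references cover. The script below is an added example, not something posted in this thread, that does the same from an elevated PowerShell prompt. It lists the folder with -Force (so files carrying the Hidden or System attribute still show up, which is one reason Explorer may not find it), prints a SHA-256 for each file so it can be looked up on VirusTotal without uploading, and then dumps the common Run/RunOnce and Active Setup keys. The folder path is the one given in the thread; the list of registry keys is my assumption based on the linked pages, not the keys from the screenshot.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Folder path taken from the thread; the registry key list is an assumption.

$target = Join-Path $env:SystemRoot 'System32\safehost'

# -Force also returns Hidden/System files that Explorer may be configured to hide.
if (Test-Path -LiteralPath $target) {
    Get-ChildItem -LiteralPath $target -Force -File -Recurse |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = $h.Hash   # search this hash on VirusTotal
            }
        } | Format-Table -AutoSize
} else {
    Write-Output "Folder not found: $target"
}

# Autostart locations commonly used for persistence (assumed list, not from the thread).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)

foreach ($key in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }

    if ($key -like '*Active Setup*') {
        # Each subkey is a component; StubPath is the command run once per user at logon.
        Get-ChildItem -LiteralPath $key | ForEach-Object {
            $stub = (Get-ItemProperty -LiteralPath $_.PSPath).StubPath
            if ($stub) {
                [pscustomobject]@{ Key = $_.PSChildName; Command = $stub }
            }
        } | Format-Table -AutoSize
    } else {
        # Each value under a Run key is a command launched at logon; skip PowerShell's PS* metadata.
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            } | Format-Table -AutoSize
    }
}
```

Looking a hash up on VirusTotal instead of uploading avoids the "cannot get to that location" problem mentioned later in the thread, and the Run/Active Setup listing gives you the entries to compare against the screenshot before deciding whether anything is actually a false positive.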
 
Ran a backup of the image (last one I had with Acronis), and well, it is infected.

I am unable to get to that folder using the tips provided.

How exactly I got infected beats me. I have tried booting Kaspersky now, and it doesn't detect it either.

I have just left the file and removed the entries, yet I am getting all sorts of problems. Looks like I will need to do a clean install.

I suspect the infection was due to an old backup file. What troubles me is that only Malwarebytes detected it.

I can't upload to VT since I cannot get to that location. Before getting this laptop and the files from the old pc, I wasn't running Sandboxie nor Bufferzone. Guess it was already too late when I started using Virtualization software.


The only thing I hate about clean installs is the fact that I have to install all applications and games again and I have to patch every game I play... Oh well, should have cross checked the backup files first. Lesson learnt.

Thanks everyone for your help.
 
CIS HIPS didn't block it or generate a popup?
 
No action from CIS. That's the problem. No tool detected anything apart from Malwarebytes.

All personal files backed up and about to do a clean install later on. After that I will use Malwarebytes to scan my old desktop (got to plug it in and set it up) and hopefully try to detect the source.
 
That is weird; it seems that this malware may have had no activity, but when you tried to remove it, it screwed up the system.
 
Chiron said:
Possibly it's an old infection.

Yes, I think so too; it seems to be a fake keygen, and to run a keygen you must allow it, which results in the infection.
 
Found it on the old desktop. It was indeed a keygen I used to test, and I must have run it by mistake instead of running it on VMware...

I have my system backed up now, but here comes the worst part. Reinstall everything.
 