Ghostpress identified as malware - is this a false positive?

Status
Not open for further replies.

Gillian A

New Member
Thread author
Mar 5, 2025
3
Dear,
I ran a Malwarebytes scan early today (March 5 2025) - Windows 10 desktop with PCMatic.
Both ghostpress.exe and ghostpress.zip were identified as "Malware.AI.3196095167."
Both of these files were installed October 21 2017 and have not previously been identified as malware on a Malwarebytes scan.
Is this a false positive?
Thanks very much,
Gillian A
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
655
Hello..! Welcome to MalwareTips..! :)

My name is icotonev and I'm here to help you remove malware ..! Before we begin, please note the following:
  • First, please keep in mind most of us at MalwareTips volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.
  • It is important to not run any tools or take any steps other than those I will provide for you. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
  • Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please attach all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 3 days I will assume it has been abandoned and I will close it.





This looks like an FP from the machine learning engine... However, let's check the files on VirusTotal
Select Choose file
Individually navigate to the following file and click Open
ghostpress.exe
and ghostpress.zip
Select Confirm upload.
Once completed, highlight the information in the address bar and copy and paste the links in your reply.

Next ....:

Please follow the following instruction ..:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.
If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
---------------------------------------------------

In your next reply, please include:
  • FRST.txt
  • Addition.txt
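
A local check that complements the VirusTotal step above, as an added example that is not part of the original post: it computes the SHA-256 of the executable and of the archive (values that can be searched on VirusTotal) and reports whether the archive holds a byte-identical copy of the executable, so you can tell whether the two detections concern the same binary. The function names and the sample bytes are constructed for illustration and are not the real ghostpress files.

```python
import hashlib
import io
import zipfile


def sha256_stream(fh, chunk=1 << 20):
    """Hash a binary stream in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def triage(exe_stream, zip_stream):
    """Hash both flagged files and every member of the archive."""
    report = {"exe_sha256": sha256_stream(exe_stream),
              "zip_sha256": sha256_stream(zip_stream),
              "members": {}, "unreadable": []}
    zip_stream.seek(0)
    with zipfile.ZipFile(zip_stream) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: cannot hash without a password
                report["unreadable"].append(info.filename)
                continue
            with zf.open(info) as member:
                report["members"][info.filename] = sha256_stream(member)
    # Members that are byte-for-byte the same program as the standalone exe.
    report["identical_to_exe"] = sorted(
        name for name, h in report["members"].items() if h == report["exe_sha256"])
    return report


def constructed_sample():
    """Constructed stand-ins for ghostpress.exe and ghostpress.zip (not the real files)."""
    exe = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ghostpress.exe", exe)
        zf.writestr("readme.txt", b"constructed sample text")
    buf.seek(0)
    return io.BytesIO(exe), buf


if __name__ == "__main__":
    # With real files: triage(open(exe_path, "rb"), open(zip_path, "rb"))
    result = triage(*constructed_sample())
    print("exe sha256:", result["exe_sha256"])
    print("zip sha256:", result["zip_sha256"])
    print("archive members identical to exe:", result["identical_to_exe"])
```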
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
655
I ran a Malwarebytes scan early today (March 5 2025)

I missed ..:

  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.
In your next reply, please post:
  1. The Malwarebytes report
 

Gillian A

New Member
Thread author
Mar 5, 2025
3
Hi icotonev,

Thank you for the instructions!

I think I uploaded the ghostpress files okay but can’t see anything that says “confirm upload”.
For ghostpress.exe - VirusTotal
For ghostpress.zip - VirusTotal

Farbar Recovery Scan Tool – my computer is 64 so I downloaded FRST64. As you advised, it was not allowed to run:
Windows protected your PC
Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
App: FRST64.exe
Publisher: Unknown publisher
I selected “Run anyway.”

However, running from the browser (Firefox) and running as administrator from the desktop resulted in the same error message:
C:\Users\Gillian\Desktop\FRST64.exe
X Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Turned out the problem was PC Matic:
Recently Blocked Applications
FRSTEnglish.exe 3/5/2005 1:36:02 PM Allow
I clicked “Allow”
FRSTEnglish.exe 3/5/2025 1:36:53 PM

And ran the scan - Addition.txt and FRST.txt are attached.

Will try re-running the Malwarebytes scan next -

All the best,
Gillian A
 

Attachments

  • Addition.txt
    59 KB · Views: 5
  • FRST.txt
    50.2 KB · Views: 4

Gillian A

New Member
Thread author
Mar 5, 2025
3
Hi icotonev,
Here are the two most recent Malwarebytes reports - 074451.txt is the one from this morning, and 140810.txt is from just now.
I included both of them because the results are different -
Thanks very much,
Gillian A
 

Attachments

  • Malwarebytes Scan Report 2025-03-05 140810.txt
    2 KB · Views: 5
  • Malwarebytes Scan Report 2025-03-05 074451.txt
    1.7 KB · Views: 6

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
655
Good morning , Gillian A..! :)
No signs of an active infection that I can see in your FRST logs. There are some things I want to look at, but they are not a reason for concern.

About the Malwarebytes detection.. for me it's a false positive..! Confirmed..! It is certainly an FP:



I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications:

Scan with SecurityCheck by glax24
  • Temporarily disable Microsoft SmartScreen only if it blocks the download of the software. The program is safe.
  • Download SecurityCheck by glax24 from here
  • If SmartScreen blocks the file from running, click on More info and Run anyway
  • This tool is safe. SmartScreen is overly sensitive. You can check the VirusTotal scan of the tool from here
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
655
Hello , Gillian A..!
It has been 2 days since my last post. If you have not replied within 24 hours I will assume you have abandoned the Topic and it will be closed.

Thank you..!
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
655
Due to lack of activity, this topic is now closed. You requested help but did not respond to follow-up questions or instructions within three days and your topic has been moved here.
If you still need help, open a new topic, and wait for a new helper.
 