Windows Defender False Positive?

Status
Not open for further replies.

Wordward

Level 3
Thread author
Verified
Well-known
Jun 21, 2011
136
So on two different laptops, one is actually an ASUS Notebook. Windows Defender finds this yesterday and again today. Misleading:Win32/Chekuem.
file: C:\WINDOWS\system32\drivers\rawdsk3.sys
Right click properties shows information on the file that I googled and found this so far. Software components for data protection, secure storage and transfer | EldoS
Direct access to disks and protected files from user-mode applications in Windows - RawDisk™

I understand Microsoft recognizes it as a threat. I looked it up. But on my ASUS I have Emsisoft Anti-Malware installed and Windows Defender is turned off. I did find Periodic Scanning was on, which I thought was off, so I turned it off again. Maybe an update enabled it? But on the Notebook and the laptop, both running the latest Windows 10, there is one common denominator. CCleaner. I started CCleaner on the ASUS and got the notice of the threat a second time. I also got a third threat notice on it. Trojan:Win32/Skeeyah.G
file: C:\Users\Darryl\Downloads\PotentiallyUnwanted.exe

A scan on the laptop found Misleading:Win32/Chekuem again even after quarantining it. The suggested action is to remove and restart your device. However, it then reads 0 threats found. This is what makes me wonder if it's not a false positive?
 
Last edited:
D

Deleted member 65228

I did some research for you to find out what I could with such limited details.

The detection "Misleading:Win32/Checkuem" allegedly has an alert level of High and the detection was introduced in a new signature update file on the 2nd of February 2018 (02/02/18 - yesterday). However, the start of the detection name implies that the detection is aimed at software which may be potentially unwanted, as opposed to being truly verified as malicious - in other words, the software the blocked component belongs to is likely going to behave in a misleading manner to be precise for this scenario.

rawdsk3.sys is a device driver developed by a company named EldoS and can be found at a sub-domain for "SecureBlackBox" at their official website; the device driver developed by them has been digitally signed with a certificate by IOLO Technologies LLC.

Please see here:
Direct access to disks and protected files from user-mode applications in Windows - RawDisk™
Malware scan of rawdsk3.sys (RawDisk) 2682d7631cffec68fac0f7c77c719eaf3ccfbc0f - Reason Core Security Labs
iolo technologies – Windows PC Tune-up Software Experts

Here's a description of what the device driver (well, the library for RawDisk) can be used for.

RawDisk library offers software developers direct access to files, disks and partitions of the disks (hard drives, flash disks etc.) for user-mode applications, bypassing security limitations of Windows® operating systems.

The device driver rawdsk3.sys which is being flagged could be a false positive on Microsoft's part however the abuse in malicious software is definitely see-able due to what the device driver can be utilised for, and thus this could be why a detection was added. There could be many contributing factors here, because we aren't even aware at this current moment in regards to whether the device driver being flagged on your machine is even genuine or a rogue copy.

The Trojan:Win32/Skeeyah.G detection is interesting. Assuming you still have the listing for this flagged object in the Windows Defender UI, could you send a screenshot? I'm interested in seeing the details provided by Windows Defender for the object flagged with this detection name.

You should know that CCleaner were breached a few months ago, and Avast only realised after a few weeks and did everything they could to resolve the situation. The breach resulted in malicious copies of CCleaner being pushed out to the customers, however the damage was quite minimal and some of the payload was not even carried out in time before the attack was stopped and cleaned up. You can read more about it at the following links.
Avast Threat Labs analysis of CCleaner incident
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk

Although I am not sure what you are saying about CCleaner. CCleaner was flagged, or you opened it and something else was flagged?

Are you willing to share the flagged objects with me over a Private Message?
 
Last edited by a moderator:

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458

Wordward

Level 3
Thread author
Verified
Well-known
Jun 21, 2011
136
I scanned with EAM, Zemana, and Malwarebytes Anti-Malware on my ASUS. Nothing found except for an old Syswow64 Auslogics file by Hitman Pro. I'm not signed up for Virus Total, but I may do that later. The file C:\WINDOWS\system32\drivers\rawdsk3.sys still shows in the Windows 32 driver folder, dated February 2016. Shouldn't it be missing since it shows in Windows Defender quarantine? And I'm not sure who Eldos Corporation is other than what the links tell me, or how the driver got on my Notebook or other laptop. The laptop only shows it as a system file with the same date and does not show Eldos Corporation, but when I clicked properties on that file Windows Defender warned me again. I quarantined it again and now it shows the file listed there three times, so it must not be truly quarantined. I restarted the laptop and the file was gone. But I restored it just now and scanned via context menu. Now it say Windows Defender skipped an item due to exclusion or network scanning settings. lol I read this http://systemexplorer.net/file-database/file/rawdsk3-sys.so I'm not going to worry about it. But the reboot and restore must have fixed the random pop up alert.
 

Wordward

Level 3
Thread author
Verified
Well-known
Jun 21, 2011
136
I did some research for you to find out what I could with such limited details.
The Trojan:Win32/Skeeyah.G detection is interesting. Assuming you still have the listing for this flagged object in the Windows Defender UI, could you send a screenshot? I'm interested in seeing the details provided by Windows Defender for the object flagged with this detection name.

You should know that CCleaner were breached a few months ago, and Avast only realised after a few weeks and did everything they could to resolve the situation. The breach resulted in malicious copies of CCleaner being pushed out to the customers, however the damage was quite minimal and some of the payload was not even carried out in time before the attack was stopped and cleaned up. You can read more about it at the following links.
Avast Threat Labs analysis of CCleaner incident
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk

Although I am not sure what you are saying about CCleaner. CCleaner was flagged, or you opened it and something else was flagged?

Are you willing to share the flagged objects with me over a Private Message?

I just made a reference that CCleaner was on both devices thinking it may have had some relevance, but apparently it doesn't. As far as the other file, Trojan:Win32/Skeeyah.G
C:\Users\Darryl\Downloads\PotentiallyUnwanted.exe, I restored it, along with the other quarantined items and then did another Quick Scan with Windows Defender. I couldn't use context menu even with EAM protection disabled. Nothing found this time. I don't know why this started yesterday and happened again today or why a restore and reboot seemed to fix what is most likely false positive. But it has been interesting. I appreciate all the info given ab out this and the suggestions. I have been using Windows Defender on the laptop for quite awhile and never had any problems or malware alerts. I also use it on the ASUS when trying another AV. I'd be interested if anyone else has that file in their driver folder? As far as the Trojan:Win32/Skeeyah.G
C:\Users\Darryl\Downloads\PotentiallyUnwanted.exe. I just now saw that there was a folder called Potentially Unwanted there. I think it was one of those simulated tests, most likely that I got from here somewhere. lol When I tried to delete it, an EAM alert popped up asking me to quaranI'm thinking this was definitely two different situations that Windows Defender found because the Trojan:Win32/Skeeyah.G was only found on my ASUS. Thanks again everyone.
 
Last edited:
  • Like
Reactions: Vasudev

DonPhil

New Member
Feb 7, 2018
1
So on two different laptops, one is actually an ASUS Notebook. Windows Defender finds this yesterday and again today. Misleading:Win32/Chekuem.
file: C:\WINDOWS\system32\drivers\rawdsk3.sys
[snip] This is what makes me wonder if it's not a false positive?

Reply:
The Windows Defender report "Misleading: \Win32/Checkeum"is reported on this Win7 desktop as linked to Iolo System Mechanic file SMXMktgRestartHelper.exe and is identified on www.pcmag.com as spyware (for identity theft etc.)

This computer has no files named chekue* or rawds*
SMXMktgRestartHelper.exe is dated with the (correct) same date in 2017 of installation of the whole System Mechanic package.

Together these suggest the Win Defender report is a false positive, at least here.
 

KirbY1337

New Member
Feb 9, 2018
1
what's more weird is that microsoft security essentials found this as a virus

C:\Program Files\Sony\VAIO Care\Iolo\ioloToolsTypeLib.dll
ile:C:\Program Files\Sony\VAIO Care\Iolo\ioloTools.exe
typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}
typelib:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}
typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
typelibversion:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{2A090754-16A6-407D-883D-A5C0F8CF9992}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{C9480C5A-8921-4C96-BAB1-3D56AE999B70}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
clsid:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{2A090754-16A6-407D-883D-A5C0F8CF9992}
clsid:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{C9480C5A-8921-4C96-BAB1-3D56AE999B70}

yet weird but funny lol
is this a false alarm?

OS: Windows 7
Laptop:Sony F Series Laptop
 
  • Like
Reactions: Vasudev

Vasudev

Level 33
Verified
Nov 8, 2014
2,250
what's more weird is that microsoft security essentials found this as a virus

C:\Program Files\Sony\VAIO Care\Iolo\ioloToolsTypeLib.dll
ile:C:\Program Files\Sony\VAIO Care\Iolo\ioloTools.exe
typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}
typelib:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}
typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
typelibversion:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{2A090754-16A6-407D-883D-A5C0F8CF9992}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{C9480C5A-8921-4C96-BAB1-3D56AE999B70}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
clsid:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{2A090754-16A6-407D-883D-A5C0F8CF9992}
clsid:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{C9480C5A-8921-4C96-BAB1-3D56AE999B70}

yet weird but funny lol
is this a false alarm?

OS: Windows 7
Laptop:Sony F Series Laptop
WD now removes Snake oil or fake tweaking/speed up apps.
W10 doesn't need speedup utility like earlier versions. So Winaero tweaker will be enough that gets rid off most older tweaks like TCP/IP, Large Prefetch Cache, Kernel and User worker threads etc.. With Winaero tweaker you just to tweak Windows UI with additional options and I used cmd/powershell in context menu as well as power options.
 
5

509322

So on two different laptops, one is actually an ASUS Notebook. Windows Defender finds this yesterday and again today. Misleading:Win32/Chekuem.
file: C:\WINDOWS\system32\drivers\rawdsk3.sys
Right click properties shows information on the file that I googled and found this so far. Software components for data protection, secure storage and transfer | EldoS
Direct access to disks and protected files from user-mode applications in Windows - RawDisk™

I understand Microsoft recognizes it as a threat. I looked it up. But on my ASUS I have Emsisoft Anti-Malware installed and Windows Defender is turned off. I did find Periodic Scanning was on, which I thought was off, so I turned it off again. Maybe an update enabled it? But on the Notebook and the laptop, both running the latest Windows 10, there is one common denominator. CCleaner. I started CCleaner on the ASUS and got the notice of the threat a second time. I also got a third threat notice on it. Trojan:Win32/Skeeyah.G
file: C:\Users\Darryl\Downloads\PotentiallyUnwanted.exe

A scan on the laptop found Misleading:Win32/Chekuem again even after quarantining it. The suggested action is to remove and restart your device. However, it then reads 0 threats found. This is what makes me wonder if it's not a false positive?

No one giving you advice in this thread is a malware removal expert.

You should be asking for advice here: Malware Removal Assistance For Windows

Read the pinned posts at the top of the thread and follow them.

Your device could be compromised or it might not. No one here at this forum is officially authorized by MalwareTips (or qualified) to answer that question except for @TwinHeadedEagle.
 
Last edited by a moderator:
  • Like
Reactions: Vasudev
5

509322

what's more weird is that microsoft security essentials found this as a virus

C:\Program Files\Sony\VAIO Care\Iolo\ioloToolsTypeLib.dll
ile:C:\Program Files\Sony\VAIO Care\Iolo\ioloTools.exe
typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}
typelib:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}
typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
typelibversion:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
interface:HKLM\SOFTWARE\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
interface:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
regkey:HKLM\SOFTWARE\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{2A090754-16A6-407D-883D-A5C0F8CF9992}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{C9480C5A-8921-4C96-BAB1-3D56AE999B70}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0033698F-1332-4963-99F3-7BC36ABFE13E}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{0F8A26B3-2B10-4AAB-A97F-393333B9D5C9}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{28637EB6-7F05-40C6-BD96-1850B9E8603F}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{2B721EEB-BDA2-4F5A-AF5E-56213EB47BFD}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{3D74091E-BA60-40EC-A09D-81DF16A7EC12}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{40D797FB-1418-4689-8C47-634A8E21E77F}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{57EED195-35A3-4425-A3DA-9638746A0F78}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{816D649C-F0ED-41FF-956C-6568609F4570}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{935B5B76-ABBD-407D-B5E1-AACADF5045E6}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{9D8E5931-AF9E-4A20-8B90-2C82860B13F8}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B54B80F3-9227-4D46-BF22-ABBF75174412}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{B5FC8155-91F9-4B76-BAE1-462C95CE85B2}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C382A7AC-33DB-46D3-A34D-7A22FBB92BFC}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{C5FD77DF-C570-483A-9CE9-146ACF651A83}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{CDFEC96E-EF0B-4F37-96CC-32E2CB2102E3}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{EDF15D72-F2E1-4B0A-93AC-FFB3CFCD71CD}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\INTERFACE\{F7D7E8DE-A7AA-4329-A166-18CABA3F065C}
regkey:HKLM\SOFTWARE\Wow6432Node\CLASSES\TYPELIB\{1BE26DDD-B9B9-464D-9EDA-7415E53F2B58}\1.1
clsid:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{2A090754-16A6-407D-883D-A5C0F8CF9992}
clsid:HKLM\SOFTWARE\Wow6432Node\CLASSES\CLSID\{C9480C5A-8921-4C96-BAB1-3D56AE999B70}

yet weird but funny lol
is this a false alarm?

OS: Windows 7
Laptop:Sony F Series Laptop

Follow the advice in the post immediately above.
 

Wordward

Level 3
Thread author
Verified
Well-known
Jun 21, 2011
136
I believe that the file found in C:\WINDOWS\system32\drivers\rawdsk3.sys is, in fact, from an old Iolo System Mechanic install, which I had on both devices at one time. VirusTotal reports didn't show anything malicious about rawdsk3.sys, so a false positive I'm sure. As far as the C:\Users\Darryl\Downloads\PotentiallyUnwanted.exe.? It was flagged by Emisisoft Anti-Malware after restoring it from the Recycle Bin. It quarantined it. That I believe was maybe a test program I downloaded to see if your AV reacts. It read Potentially Unwanted right on the icon you clicked to open it. Thanks for everyone's help and comments. I like this security forum better than another one I won't mention or comment why. I think many of you know the answer to that. lol Take care.
 
  • Like
Reactions: Vasudev
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top