Are These False Positives...?



#1 Yorke and Vedder (Newbie, Members, 6 posts)

Posted 20 June 2007 - 09:01 AM

I did a scan (after updating definitions and such for Adaware 2007 Free) in Windows Safe Mode. Every time I do a scan in that mode, two items keep coming up:

20070619 21-52-20 : Failed to Quarantine Root: HKU Path: S-1-5-19_Classes\\interface\{59ebb576-ceb0-42fa-9917-da6254a275ad} belonging to VX2

20070619 21-52-20 : Failed to Quarantine Root: HKU Path: S-1-5-19_Classes\\interface\{67972704-3546-4e3d-ab46-e39dbae06123} belonging to WurldMedia

No matter what I do, I can't find the registry entries. I've researched both items online, and none of their signature files/registry entries/processes show up in my PC. When I do the scan during a normal Windows session, these items do not show up at all. I've also done scans (Safe Mode or otherwise) using Webroot Spy Sweeper, AVG Free, Symantec's Norton Antivirus and HijackThis, and nothing pops up at all.

So... Are these results false positives....? To be honest, I'm not quite sure what FPs are, but this situation's driving me nuts. I'm afraid to do anything in my PC right now since Adaware lists these two items with really high TEC ratings (10 for VX2 and 9 for Wurld Media). Can anyone please, please help me figure this out...?

Thanks in advance.

#2 Raziel v. Nosgoth (Advanced Member, Guests, 3114 posts)

Posted 20 June 2007 - 09:27 AM

Hi, Y & V.
Please have a look at my answer from today.
Regards
Raziel
vae victis
( morituri te salutant )

#3 LS Pekka (Advanced Member, Members, 452 posts)

Posted 20 June 2007 - 01:30 PM

Hi Yorke and Vedder!

A False Positive (FP) is the condition in which Ad-Aware incorrectly identifies a legitimate object as malware/adware. Both class IDs from your safe-mode scan correspond to malware, VX2 and WurldMedia, which have been in detection for a long period of time, without updates. HKU\S-1-5-19 is the SID (Security Identifier) for the Local Service account, an account which runs with limited access and fewer privileges. Running individual services or processes as the Local Service account is Microsoft's way of safeguarding your system. After a software uninstall there can still be class keys and Interface keys left on the system. Both of the keys that you presented pose no actual threat to your system.

Regards,

Pekka

Lavasoft Research

#4 Yorke and Vedder (Newbie, Members, 6 posts)

Posted 20 June 2007 - 09:34 PM

Thank you for the prompt response, Pekka!

I think I understand what you're saying, but I wouldn't bet my life on it... lol. So... Technically speaking, I've got nothing to worry about...?

One thing I did forget to mention was that I tried using Lavasoft's VX2 remover, but it wouldn't install for Adaware 2007 free, so I switched back to Adaware SE (free) and installed the plug-in then. When I scanned with SE, neither "infection" showed up, and when I tried running the removal tool, it immediately told me that my system was clean.

I really, really want to believe that there is no actual infection in my system, and if that is your opinion as a professional, then that'll be enough for me. However... Is there any way at all to remove those two entries/items/whatever? Looking at those two items listed every time I scan with Adaware 2007 makes me really nervous... But I suppose I could learn to live with them if that's what it comes down to...

Also, any idea as to why these infections are showing up only in Safe Mode? By the way, is that the best practice? To scan in Safe Mode, I mean.

Thanks again for all the help!

P.S.: Raziel, I responded to your post in the other thread.

Quick update: The computer I've been referring to so far is my laptop. I left Adaware 2007 free scanning my desktop this morning and when I got home, it showed exactly the same two entries/infections/etc... Similarly, Adaware was not able to quarantine/delete either item.

Now, at no point do I ever recall having both computers infected by the same virus/malware/spyware/etc... In fact, never have the two been infected by anything at the same time... I don't know what to make of this. Any ideas/suggestions?

Edited by Yorke and Vedder, 20 June 2007 - 11:04 PM.


#5 LS Pekka (Advanced Member, Members, 452 posts)

Posted 21 June 2007 - 12:57 AM

Hi again, Yorke and Vedder!

In most cases you should start scanning in regular mode, unless you know you already have malware on the system and it cannot be removed in regular mode. Some malware files can be harder to delete when they are in use; then a safe mode scan could be effective. An operating system in safe mode loads a minimum of system-critical executable modules, drivers and services. Then, hopefully, the malware does not load and can be more easily removed. Some malware registers its services and drivers to load also on safeboot, so it will be just as hard to remove with safe mode scans.

Make sure you have the latest Ad-Aware updates installed and do a Full System Scan. When the scan is complete, select and remove all malware objects. Repeat these steps in safe mode if necessary.

If the malware registry keys still remain in the registry, try to search for the malware (VX2 and WurldMedia) class IDs 59ebb576-ceb0-42fa-9917-da6254a275ad and 67972704-3546-4e3d-ab46-e39dbae06123 manually in the registry editor (regedit). Repeat the search in safe mode if necessary.

If you can't find the keys then try to 'Do a system scan only' (in safe mode) with the freeware program 'HijackThis'. This scan may give you additional information which could turn out to be helpful in your problem solving process. Then press the button 'save log'.

If you want further assistance, please post logfiles from the scans with Ad-Aware and HijackThis.

Regards,

Pekka

Lavasoft Research
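One way to see what the two flagged Interface keys actually reference before deciding they are uninstall leftovers, as an added PowerShell example that is not part of this thread or of Ad-Aware (the S-1-5-19_Classes path and both IIDs come from the scan log in post #1; that the Local Service classes hive is loaded and that the session is elevated are assumptions). It covers the point in post #3 (orphaned Interface keys under the Local Service SID) and the manual registry search in post #5, and is read-only:

```powershell
# Added example, not from the thread: triage the two Interface keys Ad-Aware flagged
# under the Local Service (S-1-5-19) per-user classes hive. Reports whether each key
# exists and whether its ProxyStubClsid32 reference resolves to a file on disk.
# Assumption: the S-1-5-19_Classes hive is loaded and the shell runs elevated.
$iids = @(
    '{59ebb576-ceb0-42fa-9917-da6254a275ad}',  # flagged as VX2 in the scan log
    '{67972704-3546-4e3d-ab46-e39dbae06123}'   # flagged as WurldMedia in the scan log
)

# PowerShell has no HKU: drive by default; map HKEY_USERS so the hive is reachable.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Resolve-ComServer {
    # Given a CLSID, return its InprocServer32 path from HKCR, or $null if unregistered.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { return (Get-ItemProperty $key).'(default)' }
    return $null
}

foreach ($iid in $iids) {
    $key = "HKU:\S-1-5-19_Classes\Interface\$iid"
    if (-not (Test-Path $key)) {
        Write-Output "$iid : not present under S-1-5-19_Classes (nothing to clean)"
        continue
    }
    # Default value of the Interface key is the interface name, if any was recorded.
    $name  = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
    $proxy = (Get-ItemProperty "$key\ProxyStubClsid32" -ErrorAction SilentlyContinue).'(default)'
    $dll   = if ($proxy) { Resolve-ComServer $proxy } else { $null }
    # A proxy CLSID whose DLL is gone is the signature of an uninstall leftover;
    # a DLL that still exists on disk deserves a closer look instead of deletion.
    $state = if ($dll -and (Test-Path $dll)) { 'ACTIVE: proxy DLL exists on disk' }
             elseif ($dll) { 'ORPHAN: proxy CLSID points to a missing file' }
             else { 'ORPHAN: no proxy CLSID registered' }
    Write-Output "$iid ($name): $state"
    if ($dll) { Write-Output "    ProxyStubClsid32 $proxy -> $dll" }
}
```

Because the S-1-5-19_Classes hive belongs to the Local Service account rather than the logged-on user, a scan started from a normal session may not see these keys, which matches the Safe Mode-only behaviour described in post #1.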

#6 LS CalamityJane (Former Lavasoft Staff, Members, 8814 posts)

Posted 03 August 2007 - 05:24 PM

As there has been no response on this topic since June 20, I'm assuming the Original Topic Starter has resolved this question.
These two detections were fixed in July (see this topic):
http://www.lavasofts...showtopic=10724

I'll go ahead and move this to the "Resolved/Inactive" section (read only). If you should have any further issues, please feel free to start a new topic :D
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009
