Full Version: False Positive persists
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive False Positive Issues
Don3931
Greetings all. I have never posted to a support forum before, so if I make any procedural errors, I apologise in advance. My issue is that in an effort to maintain a high level of security on my computer, I do not rely on just one application, no matter how good its reputation. Basically I am running the Anniversary edition of Ad-Aware Pro and Trend Micro Internet Security Pro, as well as running ESET from time to time. I believe that all of these products are excellent. However, Ad-Aware persists in identifying the following files as 'A malicious program is running, so Ad-Aware is running a background scan' or similar: system32\hdfhok.dll and system32\kdfinj.dll. I have done extensive research on these files, including an online support session with an Ad-Aware professional, who, after analysing the files using HijackThis, assured me that they were not malicious. In fact they are support files for Trend Micro's keystroke encryption and wireless advisor. Even though I have listed both these files in the 'ignore' list, every time I start a browser, Ad-Aware pops up saying that a malicious process has been identified. That means that I have to close Ad-Aware down every time I open a browser. I have advised Ad-Aware of this before, but received no reply.
I know that we live in a very tricky world, and that you should trust no-one's advice in the world of computer security unless you take great care, but Ad-Aware, could you please look at this one and, if what I say is true, could you stop your program from running a scan every time it sees these DLLs running?

Kind regards,

Don3931.
LS Pekka
QUOTE(Don3931 @ Aug 16 2009, 02:27 AM) *
Hi Don3931!

Would it be possible for you to zip the detected files (with password: infected) and attach that zipped file to the post?

You wrote: "Even though I have listed both these files in the 'ignore' list, every time I start a browser, Ad-Aware pops up saying that a malicious process has been identified."
Answer: The detection is made by the "Process Watch" module in "Ad-Watch". Clicking on the Ad-Watch icon in Ad-Aware Pro opens the Ad-Watch window in Ad-Aware, and you have the option to turn the different modules (Process Watch, Registry Watch and Network Watch) on or off (off is not recommended). There is also a possibility to edit the rules for the different modules. As the detection in this case is made by the "Process Watch" module, you can edit the rules under "Processes:" in order to toggle the permissions for the chosen processes (if you are sure that they are not malicious). There is also a possibility to alter the settings for the "Process Watch" by clicking on the "Ad-Watch" icon and then on the "Settings" button in the upper right corner in the "Ad-Watch" window. This gives the user the option to tweak the behavior of Ad-Watch by, for example, choosing a lower level of "behavior-based" detection (mild, medium or strict). More info on that is available here: http://www.lavasoftsupport.com/index.php?showtopic=19734.

It would be much appreciated if you can attach the detected files to the post in a password protected zip file. That would allow us to investigate the files further and if it turns out that they are falsely detected they will be removed from detection.

Best regards,

LS Pekka

Lavasoft Malware Labs
Don3931
QUOTE(LS Pekka @ Aug 16 2009, 09:01 AM) *
Don3931
Thank you LS Pekka.
I am currently unable to send the files as they have disappeared from the system32 directory! This is perhaps because, before I saw your reply, I uninstalled the Trend Micro Toolbar (which incorporates the keystroke encryption feature) to see if the Ad-Aware warning would disappear. It did. I then reinstalled the toolbar, which involved downloading directly from Trend Micro, ran a browser and, bingo, the warning re-appeared. However, the files have not been re-installed into the system32 directory. Now I am really confused. I have attached a screenshot of the Ad-Aware detection/ignore screen just so you don't think I am dreaming all this!
I will persist with my investigations and really appreciate your assistance.

Kind regards,

Don.
LS Pekka
QUOTE(Don3931 @ Aug 16 2009, 02:00 PM) *
Hi again Don3931!

Would it be possible for you to post the Ad-Aware log-file from the scan where the objects were detected?
Here are some instructions on how to locate the Ad-Aware log-file:
http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards,

LS Pekka

Lavasoft Malware Labs
Don3931
QUOTE(LS Pekka @ Aug 16 2009, 11:00 PM) *
Hello again LS Pekka,

I have just completed a complete re-install of Windows onto a new hard drive, and installed Ad-Aware Pro Anniversary edition and Trend Micro Internet Security Pro as before. On this clean install Ad-Watch Live detected a 'malicious process' (see attachment) and asked if I wanted to submit the file 'kdfhok.dll.8' for analysis, which I did. The file is ONLY detected when opening Internet Explorer, which had Trend Micro's keystroke encryption toolbar active, and typing anything into the search window. If I use Firefox, there is no problem.
Hope this helps,

Cheers,

Don