ESET Rogue Application Remover released

Discussion in 'ESET NOD32 Antivirus' started by Marcos, May 18, 2012.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    A new version of ERAR 1.0.0.2 has been released. The main changes are:
    - automatic update check
    - registry values are no longer fixed if no malware is found on the disk (can be forced using a switch)
     
  2. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    587
    Location:
    Europe - Denmark .
    Hi

    Was testing the new version of Eset EraRemover 64 bit, dated September 14, 2012. And to keep the story short, EraRemover detected Roboform 64 bit as a Rogue. Did submit a report, when EraRemover asked for it. Not sure where to post a false positive when we are talking about the tool EraRemover, so I have posted it here.

    Some Data: Roboform64bit : SHA1: 67fb8125176a2a9d2b3e9ac25f248701db27c029 MD5: 6bad72e3982d728cc3590d34ba970915

    Windows 64 bit, (test laptop), Browser IE9 64bit version 9.08112.16421.

    Regards, Janus
     

    Last edited: Sep 28, 2012
  3. geekpryde

    geekpryde Registered Member

    Joined:
    Mar 22, 2012
    Posts:
    7
    Location:
    USA
    I ran it on my production box, which I think/assume is 100% clean.

    It prompted me about "flashplayerupdateservice.exe", to remove or not. I chose "N", since as far as I know, this is the legit flash updater. Can someone explain why ESET Rogue Application Remover wants to kill the flashplayerupdateservice.exe service and task?

    It also wanted to kill the dropbox.exe, which I said "N" to as well.

    It wanted to kill a Softros Systems Messenger (rinky dink LAN IM), which we have used for years. Works great, but I guess maybe it could be rogue? I said "N".

    I didn't find any legit baddies as far as I can tell.

    Restarting now.

    Reminds me of combofix, at least the look and feel.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This misdetection issue is known and a newer version of the Advanced heuristics module will fix it. Please provide the MD5/SHA1 hashes of the Softros Systems Messenger file that is incorrectly detected by ERAR so that we can verify that it's the same issue as with the other 2 files.
     
  5. Devrim

    Devrim Registered Member

    Joined:
    Sep 30, 2011
    Posts:
    8
    Version 1.0.4.1 tried killing Gmail Notifier... That shouldn't happen. >:)
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    We couldn't reproduce the detection. Everything is alright and there's nothing wrong with the application that might trigger the detection. If you can reproduce it, please upload the scan report somewhere and PM me the download link.
     
  7. geekpryde

    geekpryde Registered Member

    Joined:
    Mar 22, 2012
    Posts:
    7
    Location:
    USA
    I think I have done this correctly....

    filename: Messenger.exe
    MD5: 331ed1c8e89590bf5ed06539698a206d
    SHA1: 0dbae8e58985c787b22968315d56455c63de7bf7

    filename: MessengerSvc.dll
    MD5: da7f045af8327472e4d59c43744413ea
    SHA1: b4f10f15c3d847ba4974d1c629c55389ebfef084

    filename: Msgctrl.exe
    MD5: ef65413a312790aac1c518f210ba3d8c
    SHA1: a828412ae16b678b63a741a157cfacc163723b48

    There may be other files that were flagged related to this program.

    Here is the official site for the program: http://messenger.softros.com/

    I am running 4.5.1, but there are newer versions out.

    Hope this helps.
     