False/Positive?

Discussion in 'ewido anti-spyware forum' started by KSFINN, Jun 4, 2007.

Thread Status:
Not open for further replies.
  1. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    Can anyone tell me if this is a false positive?

    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:03:50 PM 6/3/2007

    + Scan result:

    HKLM\SOFTWARE\Classes\AppID\{FD452F78-C495-40A1-B5BD-D8A586CA7F23} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{17BB6D1C-BCD3-4667-B56D-ABBBD2230042} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{856D8ADB-99C3-4AEA-B294-E3FBDBC198CF} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{FF1AECC7-0C21-4B5F-BD3F-8D5B0BF042D9} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Interface\{157BF1E5-C86C-48E7-ADCC-2890C45B63CE} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Interface\{1A5D27ED-D7EC-4ED3-A631-64CAA8482D27} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Interface\{C5B002C9-E508-4723-AB34-2AC6B5E3DC0E} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TypeLib\{D89D48EF-8915-4729-954E-69F3C6C3F19E} -> Adware.RogueSuspect : Cleaned with backup (quarantined).

    ::Report end
     
  2. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Please verify that you are using the latest version, 7.5.1.36, of AVG Anti-Spyware (see our download website). If you are using the latest version, then please restore these quarantined registry keys.

    Please send us exported *.reg files of these detected registry keys:
    http://www.ewido.net/en/malware/
    Use the Windows Registry Editor (regedit.exe) for that.

    In the Windows Start menu, click 'Run', enter regedit.exe and press OK.

    Now search for or navigate to the detected keys (they look like folders in Windows Explorer).

    Now select only the detected key, right-click it and choose the option 'Export...' in the context menu, then choose your desktop and a sensible filename.

    NOTE: At the bottom of the 'Save as' dialog, choose only the selected key for the export and not(!) ALL; that would export the whole registry into huge files.
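    The export procedure Karl describes above is manual: read each key path out of the scan report, find it in regedit, export only that branch. As an added example (not part of this thread and not ewido's or AVG's own tooling), the following Python script automates the tedious part: it parses the scan report format shown in this thread into structured records and prints one `reg export` command per detected key, so each .reg file contains only that branch, exactly as the NOTE above requires. The sample report text is taken from the report posted in this thread; the `C:\exports` destination folder and the filename scheme are my own assumptions. Note that the report's `HKLM`/`HKU` abbreviations are expanded to the full hive names regedit displays, and that the GUID inside the braces is the string to type into regedit's search box if you do locate a key by hand.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input, copied from the scan report posted in this thread (constructed
# here only for the demonstration; a real run would read the saved report file).
SAMPLE_REPORT = r"""AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:03:50 PM 6/3/2007

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\{FD452F78-C495-40A1-B5BD-D8A586CA7F23} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{17BB6D1C-BCD3-4667-B56D-ABBBD2230042} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-308236825-839522115-1003\Software\Ascentive -> Adware.RogueSuspect : Ignored.

::Report end
"""

# Abbreviated hive names as the report prints them, mapped to the full names
# that regedit shows and that reg.exe accepts.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",
}

# One detection line: <hive>\<subkey> -> <detection name> : <action>.
LINE_RE = re.compile(r"^(HK[A-Z]+)\\(.+?) -> (\S+) : (.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    hive: str    # full hive name, e.g. HKEY_LOCAL_MACHINE
    subkey: str  # key path below the hive
    name: str    # detection name, e.g. Adware.RogueSuspect
    action: str  # what the scanner did, e.g. "Ignored"

    @property
    def key(self) -> str:
        return f"{self.hive}\\{self.subkey}"


def parse_scan_report(text: str) -> List[Detection]:
    """Return one Detection per registry-key line; header, blank and
    '::Report end' lines carry no key and are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        abbrev, subkey, name, action = m.groups()
        found.append(Detection(HIVES.get(abbrev, abbrev), subkey, name, action))
    return found


def safe_filename(det: Detection) -> str:
    """Build a filename from the key path; backslashes, braces and anything
    else unsafe in a filename become underscores."""
    flat = re.sub(r"[^A-Za-z0-9_.-]", "_", det.subkey)
    return f"{det.hive}_{flat}.reg"


def export_commands(dets: List[Detection], dest_dir: str = r"C:\exports") -> List[str]:
    """One 'reg export' per detected key. Naming the key exports only that
    branch, the same as 'Selected branch' in regedit's Export dialog, so the
    whole registry is never dumped."""
    return [f'reg export "{d.key}" "{dest_dir}\\{safe_filename(d)}"' for d in dets]


if __name__ == "__main__":
    for cmd in export_commands(parse_scan_report(SAMPLE_REPORT)):
        print(cmd)
```

    Running the script prints the commands; paste them into a cmd.exe prompt (or run the script on Windows and pipe its output to a .bat file) to produce one .reg file per detected key, ready to attach to the submission form. Because the parser also records the action column, the same records can be filtered, for example to export only entries still reported as "Ignored" after the restore step.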
     
  3. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    I'm using Version 7.5.0.50 FREE (not Version 7.5.1.36). Should I restore these quarantined registry keys?
     
  4. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    I restored the files, then deleted Version 7.5.0.50 and downloaded the updated Version 7.5.1.36. I will post again if I encounter the same problem.
     
  5. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    I downloaded the updated version 7.5.1.36. I ran 2 scans back to back. The first scan detected the same adware, so I restored it as you recommended above. I then ran the second scan and it detected the same adware again, so this time I selected "Add to my Ignored List". Is this the correct thing to do?
     
  6. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Please read my first posting in this thread again: we need the exported registry file (file extension *.reg) of the detected keys.
    With the new AVG AS version, restore all quarantined registry entries, also remove the ignore/exception list entry and scan again. After the scan do nothing, just ignore the result (but do not(!) add these entries to the exception list), save the scan report log to the desktop and close AVG AS.
    Now use regedit.exe and locate the detected keys (see the scan report log for the exact name and path). See the previous posting again for details.

    And you do not need to use the quote function every time for your replies ;)
     
  7. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    I followed your instructions exactly as you indicated and sent the Adware.RogueSuspect files for analysis. Please get back to me as soon as possible with the results and let me know how I can stop AVG Anti-Spyware from constantly detecting this adware.
     
  8. MTLFS01

    MTLFS01 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    8
    Location:
    Montreal, Canada
    Hi, I encountered exactly the same problem. Followed your directions and sent you the file. Would really like to know if I can ignore this, and when we can expect a fix if indeed it's a false positive. Thanks... Frank
     
  9. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    In your post you mention you sent me a file. What file is that? I never received it. I agree it would be nice if they can figure this out ASAP. Otherwise every time we run a scan it's going to continue to detect the same adware over and over! I guess the only thing we can do is always restore it, or not run any more scans and wait until we hear from them. I guess that's what they're saying we should do for now.
     
  10. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    @KSFINN: Please check your inbox here for private messages, because I sent you a question some minutes ago.
     
  11. MTLFS01

    MTLFS01 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    8
    Location:
    Montreal, Canada

    How about it Karl can I ignore these files as FP, it's still picking it up as follows:

    HKLM\SOFTWARE\Classes\AppID\{FD452F78-C495-40A1-B5BD-D8A586CA7F23} -> Adware.RogueSuspect : Ignored.
    HKLM\SOFTWARE\Classes\CLSID\{17BB6D1C-BCD3-4667-B56D-ABBBD2230042} -> Adware.RogueSuspect : Ignored.
    HKLM\SOFTWARE\Classes\CLSID\{856D8ADB-99C3-4AEA-B294-E3FBDBC198CF} -> Adware.RogueSuspect : Ignored.
    HKLM\SOFTWARE\Classes\CLSID\{FF1AECC7-0C21-4B5F-BD3F-8D5B0BF042D9} -> Adware.RogueSuspect : Ignored.
    HKLM\SOFTWARE\Classes\Interface\{157BF1E5-C86C-48E7-ADCC-2890C45B63CE} -> Adware.RogueSuspect : Ignored.
    HKLM\SOFTWARE\Classes\Interface\{1A5D27ED-D7EC-4ED3-A631-64CAA8482D27} -> Adware.RogueSuspect : Ignored.
    HKLM\SOFTWARE\Classes\Interface\{C5B002C9-E508-4723-AB34-2AC6B5E3DC0E} -> Adware.RogueSuspect : Ignored.
    HKLM\SOFTWARE\Classes\TypeLib\{D89D48EF-8915-4729-954E-69F3C6C3F19E} -> Adware.RogueSuspect : Ignored.
    HKU\S-1-5-21-823518204-308236825-839522115-1003\Software\Ascentive -> Adware.RogueSuspect : Ignored.

    Thanks... Frank
     
  12. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Sorry, but I cannot send you a PM to ask for your email address so that I can try to find your email with the submitted registry file.
    Please activate the PM function, and then I can send you a PM with my request.
     
  13. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    I'm also still having the same problem. I cannot get this issue resolved. I wonder what's up with this anyway. If you find anything out about how to fix this problem, please contact me, OK? o_O Thanks, KSFINN
     
  14. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    I have now received the requested information from another support team member, so the detection of these entries will be removed with the next signature update.
     
  15. KSFINN

    KSFINN Registered Member

    Joined:
    Apr 15, 2007
    Posts:
    25
    Location:
    Wisconsin USA
    Re: False/Positive? karl.ewido

    Karl, why was I unable to find these registry keys? I followed your instructions as you indicated, but when I went into regedit I could not find the registry keys you were asking for. I typed (20070605-113432) into the regedit search option and it came back as "does not exist", plus I also searched manually for at least an hour or more. I found false positive registry keys from another anti-spyware program I have. I just don't understand why I couldn't find them for ewido AVG and was wondering if you can let me know what you think I might have been doing wrong. o_O I would like to know in case I need to do this again in the future. I'm very glad to hear that someone else got you the information you needed and that it's going to be fixed with the next update. THANKS!! :)
     
  16. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    It is possible that you used the wrong search strings and numbers, so the search function of the Registry Editor was not able to find these keys.
    But this false detection is fixed with one of the last updates, so please update your AVG Anti-Spyware.
     
  17. MTLFS01

    MTLFS01 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    8
    Location:
    Montreal, Canada
    Most of the FPs have been corrected, but I still get this one on every scan. Any ideas?

    HKU\S-1-5-21-823518204-308236825-839522115-1003\Software\Ascentive

    Signature 838,956
     
  18. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    The last detection, Software\Ascentive, will be fixed today with the first signature update.
     