yorkeandvedder

Are These False Positives...?

6 posts in this topic

I did a scan (after updating definitions and such for Adaware 2007 Free) in Windows Safe Mode. Every time I do a scan in that mode, two items keep coming up:

 

20070619 21-52-20 : Failed to Quarantine Root: HKU Path: S-1-5-19_Classes\\interface\{59ebb576-ceb0-42fa-9917-da6254a275ad} belonging to VX2

 

20070619 21-52-20 : Failed to Quarantine Root: HKU Path: S-1-5-19_Classes\\interface\{67972704-3546-4e3d-ab46-e39dbae06123} belonging to WurldMedia

 

No matter what I do, I can't find the registry entries. I've researched both items online, and none of their signature files/registry entries/processes show up in my PC. When I do the scan during a normal Windows session, these items do not show up at all. I've also done scans (Safe Mode or otherwise) using Webroot Spy Sweeper, AVG Free, Symantec's Norton Antivirus and HijackThis!; nothing pops up at all.

 

So... Are these results false positives....? To be honest, I'm not quite sure what FPs are, but this situation's driving me nuts. I'm afraid to do anything in my PC right now since Adaware lists these two items with really high TEC ratings (10 for VX2 and 9 for Wurld Media). Can anyone please, please help me figure this out...?

 

Thanks in advance.

Hi, Y & V.

Please have a look at my answer from today.

Regards

Raziel


Hi Yorke and Vedder!

 

False Positive (FP) is the condition in which Ad-Aware will incorrectly identify a legitimate object as malware/adware. Both class IDs from your safe-mode scan correspond to malware, VX2 and WurldMedia, that have been in detection for a long period of time, without updates. HKU\S-1-5-19 is the SID (Security Identifier) for the local service account, an account which runs with limited access and fewer privileges. Running individual services or processes as the Local Service account is Microsoft's way of safeguarding your system. After a software uninstall there can still be class keys and Interface keys left on the system. Both of the keys that you presented pose no actual threat to your system.

 

Regards,

 

Pekka

 

Lavasoft Research


Thank you for the prompt response, Pekka!

 

I think I understand what you're saying, but I wouldn't bet my life on it... lol. So... Technically speaking, I've got nothing to worry about...?

 

One thing I did forget to mention was that I tried using Lavasoft's VX2 remover, but it wouldn't install for Adaware 2007 free, so I switched back to Adaware SE (free) and installed the plug-in then. When I scanned with SE, neither "infection" showed up, and when I tried running the removal tool, it immediately told me that my system was clean.

 

I really, really want to believe that there is no actual infection in my system, and if that is your opinion as a professional, then that'll be enough for me. However... Is there any way at all to remove those two entries/items/whatever? Looking at those two items listed every time I scan with Adaware 2007 makes me really nervous... But I suppose I could learn to live with them if that's what it comes down to...

 

Also, any idea as to why these infections are showing up only in Safe Mode? By the way, is that the best practice? To scan in Safe Mode, I mean.

 

Thanks again for all the help!

 

P.S.: Raziel, I responded to your post in the other thread.

 

Quick update: The computer I've been referring to so far is my laptop. I left Adaware 2007 free scanning my desktop this morning and when I got home, it showed exactly the same two entries/infections/etc... Similarly, Adaware was not able to quarantine/delete either item.

 

Now, at no point do I ever recall having both computers infected by the same virus/malware/spyware/etc... In fact, never have the two been infected by anything at the same time... I don't know what to make of this. Any ideas/suggestions?

Edited by Yorke and Vedder


Hi again, Yorke and Vedder!

 

In most cases you should start scanning in regular mode, unless you know you already have malware on the system and it cannot be removed in regular mode. Some malware files can be harder to delete when they are in use; then a safe mode scan could be effective. An operating system in safe mode loads a minimum of system-critical executable modules, drivers and services. Then, hopefully, the malware does not load and can be more easily removed. Some malware register their services and drivers to load also on safeboot, so they will be as hard to remove with safe mode scans.

 

Make sure you have the latest Ad-Aware updates installed and do a Full System Scan. When the scan is complete, select and remove all malware objects. Repeat these steps in safe mode if necessary.

 

If the malware registry keys still remain in the registry, try to search for the malware (VX2 and WurldMedia) class IDs 59ebb576-ceb0-42fa-9917-da6254a275ad and 67972704-3546-4e3d-ab46-e39dbae06123 manually in the registry editor (regedit). Repeat the search in safe mode if necessary.

 

If you can't find the keys then try to 'Do a system scan only' (in safe mode) with the freeware program 'HijackThis'. This scan may give you additional information which could turn out to be helpful in your problem solving process. Then press the button 'save log'.

 

If you want further assistance, please post logfiles from the scans with Ad-Aware and HijackThis.

 

Regards,

 

Pekka

 

Lavasoft Research

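Pekka's advice is to search the registry by hand for the two class IDs and to keep in mind that HKU\S-1-5-19 is just the Local Service account's hive. The PowerShell script below is an added example, not code from this thread or a Lavasoft tool: it automates that search across every hive loaded under HKEY_USERS, translates each hive's SID to the account it belongs to, and only deletes a matching key when run with the -Remove switch. The script name, parameter names and the -Remove switch are my own choices; the two GUIDs are the ones from the scan log in this thread, and the script assumes an elevated session (the Local Service hive is not readable from a normal user session).

```powershell
# Added example, not code from the thread or from Lavasoft.
# Looks for the two interface GUIDs from the Ad-Aware log under every loaded
# user hive, names the account behind each hive's SID, and (only with -Remove)
# deletes what it found. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # GUIDs copied from the scan log in this thread
    [string[]] $InterfaceGuid = @(
        '{59ebb576-ceb0-42fa-9917-da6254a275ad}',   # flagged as VX2
        '{67972704-3546-4e3d-ab46-e39dbae06123}'    # flagged as WurldMedia
    ),
    [switch] $Remove
)

# PowerShell ships with HKLM: and HKCU: drives only; map HKEY_USERS ourselves.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Script | Out-Null
}

# Translate a SID string such as S-1-5-19 to an account name
# (NT AUTHORITY\LOCAL SERVICE), which is the point Pekka makes about the hive.
function Resolve-HiveSid {
    param([string] $Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved SID>'
    }
}

$hits = @()
foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $hiveName = $hive.PSChildName                    # e.g. S-1-5-19 or S-1-5-19_Classes
    $sid      = $hiveName -replace '_Classes$', ''
    if ($sid -notmatch '^S-1-') { continue }          # skips .DEFAULT

    # The log names the per-user classes hive "<SID>_Classes"; the same data is
    # also reachable as <SID>\Software\Classes, so check both spellings.
    $classRoots = @(
        "HKU:\$hiveName",
        "HKU:\$hiveName\Software\Classes"
    )
    foreach ($root in $classRoots) {
        foreach ($sub in 'Interface', 'CLSID') {
            foreach ($guid in $InterfaceGuid) {
                $key = "$root\$sub\$guid"
                if (-not (Test-Path -LiteralPath $key)) { continue }
                $hits += [pscustomobject]@{
                    Hive    = $hiveName
                    Account = Resolve-HiveSid $sid
                    Key     = $key
                    Default = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
                }
            }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'None of the listed GUIDs exist under HKEY_USERS in this session.'
    return
}

# Report first: hive, owning account, full key path and the key's default value.
$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # -WhatIf and -Confirm are honoured here through SupportsShouldProcess
        if ($PSCmdlet.ShouldProcess($h.Key, 'Remove leftover interface key')) {
            Remove-Item -LiteralPath $h.Key -Recurse -Force
        }
    }
}
```

Save it as, say, Find-LeftoverInterfaceKey.ps1 and run it without switches to get a report only; `-Remove -WhatIf` lists what would be deleted without touching anything, and `-Remove` performs the deletion after the usual confirmation. Export the affected hive with `reg export` before removing anything, and run the report in both regular and safe mode, since the thread shows the keys only being reported in safe mode.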

As there has been no response on this topic since June 20, I'm assuming the Original Topic Starter has resolved this question.

These two detections were fixed in July

(see this topic)

http://www.lavasoftsupport.com/index.php?showtopic=10724

 

I'll go ahead and move this to the "Resolved/Inactive" section (read only). If you should have any further issues, please feel free to start a new topic :D
