bha19 Posted February 2, 2014 ID:785765
I installed Sysinternals a year ago or so; that seems to be the date my computer is telling me. Today, for the first time, my Malwarebytes Pro scan says newsid.exe is a trojan agent. Should I remove it?

Fatdcuk Posted February 2, 2014 ID:785768
Hi bha19, please zip and attach the MBAM log showing the detection, and also zip and attach the file in a reply. I can verify from there. Thanks in advance.

Staff shadowwar Posted February 2, 2014 ID:785846
Was able to find a copy. Fixed in the next update.

John L. Galt Posted February 2, 2014 ID:785971
I use WSCC - Windows System Control Center - to access all of Sysinternals tools as well as all of Nir Sofer's NirSoft tools. MBAM has *always* found exception with numerous tools provided by both sites, and I always have to add an exception for the folders where the tools from each website reside on my drive as well as in my PortableApps version of WSCC. If you'd like, I can remove the exclusions, let MBAM scan the files, and then send each of the ones that trigger a response in MBAM.

Staff shadowwar Posted February 2, 2014 ID:786005
Then it depends. If they are PUP NirSoft or the like, then they are being detected correctly. If they are detected as trojan or the like, then I would love to see them.

Mahhn Posted February 3, 2014 ID:786283
Came in this morning to find hundreds of infections. newsid.exe. Second large false positive we've had from MBAM. Fortunately this is only in the setup directory and not business imperative like the last one. Might want a bigger bed of testing before you send out updates.

Staff shadowwar Posted February 3, 2014 ID:786325
I have added newsid to our false positive filter to prevent this in the future.

jmerrill Posted March 18, 2014 ID:804627
Yesterday's signatures (v2014.03.17.06 dated 3/17/2014 12:11:30pm) also led to the false positive for the Microsoft/SysInternals newsid.exe (dated 8/4/2009, 228152 bytes) on my machine. I will re-test with v2014.03.18.06 and let you know either way.

jmerrill Posted March 18, 2014 ID:804647
newsid.exe is still marked as being Worm.Autorun using v2014.03.18.06 signatures. (However, there are other false positives -- within Samsung printer drivers -- that are no longer appearing.)

Staff shadowwar Posted March 18, 2014 ID:804674
Can you please attach a copy of that file and the scan log here in zip format please?

Staff shadowwar Posted March 18, 2014 ID:804678
I was able to find it. I added it to the false positive filter server and am fixing the definition now.

jmerrill Posted March 18, 2014 ID:804692
Thank you; I've tested with the latest and it is no longer being reported as infected. (I would have attached a .zip to an earlier report except that the file has been checked before and is unchanged for years.)

Staff shadowwar Posted March 18, 2014 ID:804698
The previous one was a different version of newsid; that's why this one slipped by. Both versions are on the filtering server now.

davidhh0 Posted March 19, 2014 ID:804819
I got the false positive of file newsid.exe
https://www.virustotal.com/en/file/c2f4591f7e9598ceb47cbce280180b3e104f70509dce7d1e90ca758f69d79ddd/analysis/
sha256 = c2f4591f7e9598ceb47cbce280180b3e104f70509dce7d1e90ca758f69d79ddd
sha1 = 4c64df34ef8f8faa757e1d4482486453d7425752
md5 = 73e708d1126e7af86a4ef820c24d80e4
VirusTotal reports it as Malwarebytes being the only virus program that reports it being bad. I unquarantined and updated Malwarebytes to v2014.03.18.10 and re-scanned. No malicious items were detected this time. Thanks for fixing this false positive.