False Positive


mountaintree16

I was doing a quick scan today, and 7 items were hit in my recycle bin.

Then I dragged the folder out of the recycle bin (the folder and its contents are the only thing currently in my recycle bin) onto the desktop, and did another scan. It came out clean.

Then I dragged the folder back into the recycle bin and ran a developer's scan, which I have pasted below.

I am fairly certain that these 7 hits are false positives, both because they are just picture files and because they were not hit when residing on the desktop.

If it matters at all here, the hit files are files that I dredged up using Piriform's Recuva when searching for lost pictures... I had stupidly, somehow, lost some important pictures and was able to recover them using Recuva. This folder that contains the hits I haven't deleted yet but have retained in my recycle bin in case I want it; I have already recovered everything that I wanted, so this is just a spare folder.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4495

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/28/2010 2:21:58 PM
mbam-log-2010-08-28 (14-21-58).txt

Scan type: Quick scan
Objects scanned: 141011
Time elapsed: 14 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-1059576790-1953410256-3873470355-1006\Dc386\DSC02634.JPG (Extension.Mismatch) -> No action taken. [AD453DC4FA448338632AF9FA8A18FBE0]
C:\RECYCLER\S-1-5-21-1059576790-1953410256-3873470355-1006\Dc386\DSC02634_1.JPG (Extension.Mismatch) -> No action taken. [AD453DC4FA448338632AF9FA8A18FBE0]
C:\RECYCLER\S-1-5-21-1059576790-1953410256-3873470355-1006\Dc386\DSC02640.JPG (Extension.Mismatch) -> No action taken. [AD453DC4FA448338632AF9FA8A18FBE0]
C:\RECYCLER\S-1-5-21-1059576790-1953410256-3873470355-1006\Dc386\DSC02640_1.JPG (Extension.Mismatch) -> No action taken. [AD453DC4FA448338632AF9FA8A18FBE0]
C:\RECYCLER\S-1-5-21-1059576790-1953410256-3873470355-1006\Dc386\DSCN4648_1.JPG (Extension.Mismatch) -> No action taken. [AD453DC4FA448338632AF9FA8A18FBE0]
C:\RECYCLER\S-1-5-21-1059576790-1953410256-3873470355-1006\Dc386\DSCN4694.JPG (Extension.Mismatch) -> No action taken. [AD453DC4FA448338632AF9FA8A18FBE0]
C:\RECYCLER\S-1-5-21-1059576790-1953410256-3873470355-1006\Dc386\DSC02571.JPG (Extension.Mismatch) -> No action taken. [AD453DC4FA448338632AF9FA8A18FBE0]

A Quick scan will not scan inside a folder on a desktop. A full scan will. You can also right-click the folder and scan it with Malwarebytes.

Extension mismatch means, for example, that these are .exe or .dll executable files that have a normally non-executable extension like .jpg.

If you want to PM me one or two, I will take a look at them.

Have you actually been able to see the picture for these files? If you open the file with Notepad, are the first two bytes MZ?

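
As an added example (not code from this thread, from shadowwar, or from Malwarebytes), here is a small Python script that does what the Extension.Mismatch heuristic above does: read the first bytes of a file, decide what format the file really is from its magic number, and compare that with what the extension claims. It goes a little beyond the JPEG case in the thread by knowing a few other common formats. The sample files are constructed inline; the `scan_tree` function and the `C:\Recovered` path are assumptions about how you would point it at a real Recuva output folder.

```python
import os

# Magic numbers for the formats that matter here. "MZ" is the DOS header that
# every Windows PE executable (.exe/.dll/.scr/.sys) starts with; it is what
# the poster saw as the first two letters in Notepad.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]

# What each extension claims the content is.
EXT_TO_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".sys": "pe",
    ".zip": "zip", ".pdf": "pdf",
}


def sniff_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_type(name: str) -> str:
    """Return the format implied by the file extension, or 'unknown'."""
    return EXT_TO_TYPE.get(os.path.splitext(name)[1].lower(), "unknown")


def check_file(name: str, head: bytes):
    """Classify one file. Returns (claimed, actual, mismatch).

    Only a *known* actual type that disagrees with a *known* claimed type is a
    mismatch: a zero-filled or unrecognisable recovery is 'unknown', not an
    executable, and the check should not call it one.
    """
    claimed = claimed_type(name)
    actual = sniff_type(head)
    mismatch = actual != "unknown" and claimed != "unknown" and actual != claimed
    return claimed, actual, mismatch


def scan_tree(root: str, head_len: int = 16):
    """Walk a directory and return [(path, claimed, actual)] for every mismatch.

    Assumed usage (not from the thread): scan_tree(r"C:\Recovered")
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    head = f.read(head_len)
            except OSError:
                continue  # unreadable file: skip rather than guess
            claimed, actual, mismatch = check_file(fn, head)
            if mismatch:
                hits.append((path, claimed, actual))
    return hits


# Constructed samples standing in for a Recuva output folder. The first one
# imitates what the poster saw: "MZ", then the DOS stub's error text.
SAMPLES = {
    "DSC02634_1.JPG": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                      b"This program cannot be run in DOS mode.\r\n$",
    "DSCN4648_2.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    "IMG_0001.JPG":   b"\x00" * 32,                   # recovered but zero-filled
    "setup.exe":      b"MZ\x90\x00" + b"\x00" * 28,   # honest executable, no mismatch
}


def scan_samples(samples=SAMPLES):
    """Same classification as scan_tree, over the in-memory samples."""
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (claimed, actual, mismatch) in scan_samples().items():
        flag = "Extension.Mismatch" if mismatch else "ok"
        print(f"{name:16} claims={claimed:7} actual={actual:7} -> {flag}")
```

Running `scan_tree` over the recovered folder is the script equivalent of the right-click scan: it looks at content, not at where the folder sits. Note that a truncated but genuine JPEG still sniffs as `jpeg`; this check only catches files whose leading bytes belong to a different format.
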
Thanks for getting back to me, shadowwar :P

As far as I know I can see the pictures in the folder. I didn't have time to investigate further yet because I had to run after doing those scans. I find it very weird that it picked up just 7 files. I will definitely perform a right-click scan on this folder, and since it's been a while since I did a full scan, that won't hurt either. For some reason I thought that a quick scan did scan desktop folders; good to know that that is not the case.

I will open the files w/ Notepad when I am at my machine (I am not at it right now) and get back to you as soon as possible.

I don't think that I have the permissions to send you a PM with an attachment (it didn't look like it when I just checked), however I would quite prefer to do that vs. attaching it here. :P

Thanks again :)

Shadowwar, I just tried to right-click and hit "preview" on the first picture that was hit (since I wasn't able to see it in thumbnail view in the folder), and the Malwarebytes protection module promptly popped up asking me if I wanted to ignore or quarantine it (with the same Extension.Mismatch name). I hit quarantine, just in case.

So no, THESE particular pictures that were hit I cannot actually see a preview of.

YES, when I opened one of the culprits with Notepad (DSC02634_1.JPG), the first two bytes/letters say MZ. Then there's some text on errors and a lot of jibber jabber that's not readable.

I think I figured out half the puzzle here though. When I was trying to recover all these pictures, I picked ones that didn't show a thumbnail to me, just in case they WERE recoverable (although I had a rather large hunch that they wouldn't be). When I finally had recovered everything I wanted to, I guess the pictures with no thumbnail really were not recoverable, because I saw the generic XP thumbnail picture on a lot of the pictures - the little orange and red sunset picture. I deleted all of these in the other two folders; this was the middle folder (I did my recovery three times, the last time being EVERYTHING, since I had to stop the first two times before I was done looking at all the pictures that Recuva found).

I also can't see a preview of a lot of OTHER pictures, but not all of them were hit, only those 7 in the log were hit.

Honestly I don't know why I had even kept these in that folder, I'd thought that I deleted them. Maybe I thought I'd be able to see them somehow after all.

So I am just happy to simply delete these pictures since I can't even see them anyway, but I'll wait on your reply before I do anything. If anything, I learned something new :P

I am going to go do something else now while I leave a full scan running - with the folder dragged out on the desktop.

If they start with MZ in Notepad they definitely are some kind of .exe or .dll file that you recovered. Try renaming the extension from .jpg to .exe and hit Properties on them. The Version tab should appear and might tell you what they actually are. Also, if you rename the extension they will no longer be detected. Malware tries to hide .exe files from scanners by renaming them to a non-executable extension like .jpg. However, this isn't caused by malware but by Recuva putting the wrong extension on them. They could also just be a piece of a valid .exe or .dll that Recuva could not fully grab.

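
The last sentence above is the one worth checking before deleting anything: is the MZ file a whole executable or only a piece of one? As an added example (not from this thread, from shadowwar, or from Recuva or Malwarebytes), this Python script walks the PE headers that every "MZ" file is supposed to carry (the DOS header's `e_lfanew` pointer at offset 0x3C, the `PE\0\0` signature, the 20-byte COFF header, then the 40-byte section headers) and reports whether every part, including each section's raw data, actually lies within the bytes on disk. The two sample images are constructed in the block: a minimal but structurally valid PE32 layout, and a "stitched" fragment whose header points into bytes that came from some other file. The script does not read the Version resource the Properties tab shows; it only answers the complete-or-fragment question.

```python
import struct

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics flag: image is a DLL
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_status(data: bytes) -> str:
    """Classify an 'MZ' file as a complete PE image or a fragment.

    Returns one of: not-mz, truncated-dos-header, truncated-pe-header,
    no-pe-signature, truncated-section-table, truncated-section-data,
    complete-exe, complete-dll.
    """
    if len(data) < 2 or data[:2] != b"MZ":
        return "not-mz"
    if len(data) < 0x40:
        return "truncated-dos-header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return "truncated-pe-header"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "no-pe-signature"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, n_sections, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    if sect_off + n_sections * SECTION_HEADER_SIZE > len(data):
        return "truncated-section-table"
    # Highest file offset any section's raw data reaches; the file must cover it.
    end = sect_off + n_sections * SECTION_HEADER_SIZE
    for i in range(n_sections):
        (_name, _vsize, _vaddr, raw_size, raw_ptr) = struct.unpack_from(
            "<8sIIII", data, sect_off + i * SECTION_HEADER_SIZE)
        end = max(end, raw_ptr + raw_size)
    if end > len(data):
        return "truncated-section-data"
    return "complete-dll" if characteristics & IMAGE_FILE_DLL else "complete-exe"


def build_minimal_pe(is_dll: bool = False, raw_size: int = 0x200) -> bytes:
    """Constructed sample: a structurally valid PE32 image with one section.

    Not runnable code, just enough header to exercise pe_status. Offsets and
    sizes (e_lfanew at 0x3C, 20-byte COFF header, 0xE0-byte PE32 optional
    header, 40-byte section headers) follow the PE/COFF layout.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"   # the "text on errors"
    dos[0x40:0x40 + len(stub)] = stub
    opt_size = 0xE0
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)                # PE32 magic
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section
    return headers.ljust(raw_ptr, b"\0") + b"\xcc" * raw_size


def build_fragment() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at bytes that
    belong to a different file (here a JPEG's SOI marker), the shape of a
    recovery stitched from the wrong clusters: it shows MZ in Notepad but
    is not a valid Win32 application."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    return bytes(dos) + b"\xff\xd8\xff\xe0" * 16


if __name__ == "__main__":
    full = build_minimal_pe()
    for label, blob in [("complete exe", full),
                        ("complete dll", build_minimal_pe(is_dll=True)),
                        ("cut mid-section", full[:700]),
                        ("cut before section table", full[:300]),
                        ("header only", full[:100]),
                        ("stitched fragment", build_fragment()),
                        ("a real JPEG", b"\xff\xd8\xff\xe0" + b"\0" * 64)]:
        print(f"{label:26} -> {pe_status(blob)}")
```

To run it on a recovered file, read the whole file with `open(path, "rb").read()` and pass it to `pe_status`. Anything other than `complete-exe` or `complete-dll` is consistent with the "not a valid Win32 application" error and with a partial carve rather than a working program; a complete image is the case where the Properties Version tab and a submission to the scanner vendor are worth the effort.
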
I changed DSCN4648_1.JPG to .exe and tried to open it, and it said it was not a valid Win32 application. I tried opening it because the Properties gave me no useful information. Then I changed it back to .jpg. For this one, too, the first two letters when opening it with Notepad were MZ.

As it so happens, this file was right next to another one of the same name, except the _1 part was _2. Otherwise the file name was exactly the same, and _2 was a picture that I had recovered (one of the ones that I was looking for).

So as you said, it had to have been Recuva putting the wrong extension or doing something funky to the file. I don't have the time to investigate the others right now, but I'll do that tonight.

Thanks again for helping me figure this out :)

:blush: I am just going to delete all those blank .jpg files then... I can't view them, no sense in them taking up space. Glad to know I am not infected, that's the most important thing :excl:

Thanks again, have a great day!

Archived

This topic is now archived and is closed to further replies.
