How do I know if it is a false positive or not?


katiekins

Hi all

I am new to all this in-depth security stuff and used to just trust my antivirus programme, as with Malwarebytes.

Generally if I find an infection I just go to fix all and don't really look into it.

So my question is .... How do I know or suspect it could be a false positive? Is there a clue somewhere? Also by putting it in quarantine/ deleting it do I lose files and stuff?

I ask this because after finding several problems in the past week and just fixing most of them, some of my programmes aren't working and needed to be reinstalled (Windows Media Player is one, MSN, and RealPlayer). I was and I am still having issues with a sound problem. These all worked fine until I ran scans. Could this be the virus, the deletion/quarantine of the virus, or nothing to do with them?

For example the types of infections I have come up with are ....

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{4925B664-BDFA-4E68-B325-EC00937E8110} (Password.Stealer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4925B664-BDFA-4E68-B325-EC00937E8110} (Password.Stealer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9FE088DC-C3B2-479C-A314-08F90CE5166F} (Password.Stealer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FE088DC-C3B2-479C-A314-08F90CE5166F} (Password.Stealer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FE088DC-C3B2-479C-A314-08F90CE5166F} (Password.Stealer) -> Quarantined and deleted successfully.

Which shows I quarantined and deleted

and

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Which I added to my ignore list, as I am still trying to find out/figure out what this is (means).

Any explanation would be appreciated!!!

Thanks


  • Staff

The best thing is to do a Google search if you aren't sure about these. None of these things were files that got deleted, but registry entries. Either your antivirus or a previous run of MBAM may have deleted the files. None of these should have disabled your programs.

For example

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9FE088DC-C3B2-479C-A314-08F90CE5166F} (Password.Stealer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{4925B664-BDFA-4E68-B325-EC00937E8110} (Password.Stealer) -> Quarantined and deleted successfully.

http://www.systemlookup.com/CLSID/71652-vecrits93_dll.html

http://www.systemlookup.com/ActiveSetup/31...rits93_dll.html

These:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

PUM means potentially unwanted modification. It means that these are set to disabled. Normally in a fresh Windows install they are not. Some antivirus companies set it this way because they monitor it on their own, OR a LOT of malware disables these.

These are the alerts Windows gives you about the firewall being turned off or your antivirus being out of date. When it's disabled you would no longer receive these alerts.


Thanks for the reply.

I understand about the Security Center notifications being turned off ... I am guessing it might have been McAfee, as I only got these warnings after installing it. Am I right to understand they do this to reduce the risk of conflicts and getting duplicate warnings?

The rest however I am struggling to understand.

The best thing is to do a Google search if you aren't sure about these. None of these things were files that got deleted, but registry entries. Either your antivirus or a previous run of MBAM may have deleted the files. None of these should have disabled your programs.

For example

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9FE088DC-C3B2-479C-A314-08F90CE5166F} (Password.Stealer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{4925B664-BDFA-4E68-B325-EC00937E8110} (Password.Stealer) -> Quarantined and deleted successfully.

http://www.systemlookup.com/CLSID/71652-vecrits93_dll.html

http://www.systemlookup.com/ActiveSetup/31...rits93_dll.html

So would the location (in this case registry entries) where the virus was have been deleted then? Can this have a major impact on my computer?

I ask this as, since quarantining/deleting these, I have had lots of problems with win32 locations not being found when I try to download updates, missing audio codes etc. ... wasn't sure if it is all linked.

As I said, I am a complete novice to this in-depth security stuff, so please bear with me.

Also, how do you suspect/decide whether it is a FP or an infection/virus etc.?

Thanks


These are dead traces left behind from a different scanner when the original infection was removed. Our scanner would have removed both the files and the traces.

If you delete these nothing will happen.

If you leave these nothing will happen.

These are just traces as their targets no longer exist.
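The staff answer above hinges on one check: a registry entry is a dead trace when the thing it points to no longer exists. The script below is an added example, not code from the thread or from Malwarebytes, that performs that check from a defender's side for the three kinds of item in the log: the Security Center DisableNotify values (a setting, not a file), a Browser Helper Object CLSID (resolved through InprocServer32 to a DLL), and an Active Setup component (resolved through its StubPath to an executable). It assumes the XP-era key layout shown in the log, an elevated PowerShell session, and uses the two CLSIDs from the log as sample input; everything else in it is hypothetical.

```powershell
# Added example (not from the thread): is a Malwarebytes registry detection a
# dead trace or a live setting? Assumes the key layout shown in the log above
# and an elevated PowerShell session.

# 1. PUM.Disabled.SecurityCenter items are DWORD values: 1 suppresses the
#    Security Center warning, 0 or absent is the Windows default.
function Get-SecurityCenterNotifyState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { 'absent (default 0)' }
        [pscustomobject]@{ Value = $name; Data = $value; WarningSuppressed = ($value -eq 1) }
    }
}

# 2. A BHO entry is only a CLSID; Internet Explorer loads it by looking up
#    CLSID\{guid}\InprocServer32, so the entry is inert once that DLL is gone.
function Test-BhoTrace {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. the {9FE088DC-...} value from the log
    $bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    $dll = $null
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        $srv = Get-ItemProperty -Path "$hive\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($null -ne $srv -and $srv.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)').Trim('"')
            break
        }
    }
    $onDisk = ($null -ne $dll) -and (Test-Path -LiteralPath $dll)
    [pscustomobject]@{
        Clsid        = $Clsid
        BhoKeyExists = Test-Path -Path $bhoKey
        ServerDll    = $dll
        DllOnDisk    = $onDisk
        Verdict      = if ($onDisk) { 'live: DLL still present, submit it for analysis' } else { 'dead trace: target missing' }
    }
}

# 3. An Active Setup component runs its StubPath once per user at logon;
#    with no StubPath, or a StubPath whose executable is gone, it does nothing.
function Test-ActiveSetupTrace {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. the {4925B664-...} value from the log
    $results = foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Active Setup\Installed Components\$Clsid"
        if (-not (Test-Path -Path $key)) { continue }
        $stub = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).StubPath
        # StubPath is a command line; the first quoted or bare token is the executable.
        $exe = $null
        if ($stub -match '^\s*"([^"]+)"' -or $stub -match '^\s*(\S+)') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
        [pscustomobject]@{ Key = $key; StubPath = $stub; ExeOnDisk = [bool]($exe -and (Test-Path -LiteralPath $exe)) }
    }
    if ($results) { $results } else { "No Active Setup entry for $Clsid under HKLM or HKCU (already removed)." }
}

Get-SecurityCenterNotifyState | Format-Table -AutoSize
Test-BhoTrace         -Clsid '{9FE088DC-C3B2-479C-A314-08F90CE5166F}' | Format-List
Test-ActiveSetupTrace -Clsid '{4925B664-BDFA-4E68-B325-EC00937E8110}' | Format-List
```

Reading the output: a BHO or Active Setup entry whose DLL or executable is missing is exactly the "dead trace" the staff reply describes, and removing it changes nothing. A DisableNotify value of 1 is a setting, so quarantining it just flips the warning back on; if a security product you installed deliberately set it, the product will usually set it again, which is itself a useful clue about who made the change.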
