False Positives by IMF

[enoskype]

Let's post the Reports that we suspect as False Positives.

 

Cheers.

[zer0ne]

extractMHT.exe

 

extractMHT.exe

 

IObit Malware Fighter

OS: Windows XP
Version: 0.1.0.206
Time Elapsed: 00:04:39
Objects Scanned: 56186
Threats Found: 1
save time: 12/27/2010 7:28:37 PM

|Name|Type|Description|ID|
Trojan.Agent, FILE, D:\Program Files\Universal Extractor\bin\extractMHT.exe, 171241

 

VirusTotal Report

http://www.virustotal.com/file-scan/report.html?id=862960370cd3b98ac3b4e16f5013f0f1bb665f795e4128b9ecc81cbfa2cfe193-1293429640

 

Download File (extractMHT.exe)

http://www.mediafire.com/?3uj3w62x9bh39ix

 

 

WEB Site Applications (This File)

http://legroom.net/software/uniextract

[enoskype]

ClassicExplorerSettings.exe False Positive?

 

IObit Malware Fighter

OS: Windows 7

Version: 0.1.0.206

Time Elapsed: 00:00:00

Objects Scanned: 1

Threats Found: 1

save time: 28.12.2010 01:05:14

|Name|Type|Description|ID|

Trojan.Downloader, FILE, C:\Program Files\Classic Shell\ClassicExplorerSettings.exe, 157822

 

 

IObit Cloud Link for Report of ClassicExplorerSettings.exe

<TABLE cellSpacing=0 cellPadding=0 width="100%"><TBODY><TR class=odd><TD height=32 width=100 align=right></TD><TD class=title1 vAlign=bottom>Threat</TD></TR><TR class=odd><TD height=33 align=right></TD><TD vAlign=top>Cloud Scan: SAFE</TD></TR></TBODY></TABLE>

File Basic Info:

 

<DL><DD><TABLE cellSpacing=0 cellPadding=0 width="100%"><TBODY><TR id=reportFileIcon-box><TD width=120 align=right>File Icon:</TD><TD>http://cloud.iobit.com/attachment.php?etag=e2ce35e80cc269d3f79e75736e93fbe4</TD></TR><TR id=reportBaseName-box class=odd><TD align=right>File Name:</TD><TD>classicexplorersettings.exe</TD></TR><TR id=reportBaseSize-box><TD align=right>File Size:</TD><TD>59.5 KB (60,928 Bytes)</TD></TR><TR id=reportBaseMD5-box class=odd><TD align=right>File MD5:</TD><TD>e2ce35e80cc269d3f79e75736e93fbe4</TD></TR><TR id=reportBaseSHA1-box><TD align=right>File SHA1:</TD><TD>8AFD41731747E0F8ACEA2857B6074E4959456896</TD></TR><TR style="DISPLAY: none" id=reportBaseSHA256-box class=odd><TD align=right>File SHA256:</TD><TD>NA</TD></TR><TR id=reportBaseFiletype-box><TD align=right>File Type:</TD><TD>exe</TD></TR></TBODY></TABLE></DD></DL>

 

Virus Total Report link for Report of ClassicExplorerSettings.exe

 

File name: ClassicExplorerSettings.exe

Submission date: 2010-12-27 23:17:00 (UTC)

Current status: finished

Result: 0/ 43 (0.0%)

 

 

 

Cheers.

[Pablo Jakelaitis]

I sent two threats to the cloud, and was not detected anything.

 

I wonder how to send malware to IObit

[Pablo Jakelaitis]

That's what I meant,

 

IObit community could sort the files as safe a dangerous, so IObit rate the file as malware

[Doriginal]

IMF is reporting all my portable programs as malware.

Too many to list, but another anti malware program called hitman pro, also does this.

 

Definitely false positives, MSE, SAS, and Malwarebytes give no flags.

Plus I have had these on here for months with no problems.

 

Just as a test, download some portable apps from some popular portable app sites and you will see a ton of flags.

Most of my apps are portible so I have alot of false positives, around 75 or so, but IMF identifies all the components of the portable apps as malware.

 

Nice program BTW, very clean and simple interface.

I would suggest changing the name though.

Malware Fighter sounds to generic,

IOBit Malware Removal or Remover sounds better IMO.

[itobe]

IMF is reporting all my portable programs as malware.

Too many to list, but another anti malware program called hitman pro, also does this.

 

Definitely false positives, MSE, SAS, and Malwarebytes give no flags.

Plus I have had these on here for months with no problems.

 

Just as a test, download some portable apps from some popular portable app sites and you will see a ton of flags.

Most of my apps are portible so I have alot of false positives, around 75 or so, but IMF identifies all the components of the portable apps as malware.

 

Nice program BTW, very clean and simple interface.

I would suggest changing the name though.

Malware Fighter sounds to generic,

IOBit Malware Removal or Remover sounds better IMO.

 

Dear Doriginal,

 

Thank you very much for your kindly reply.

Do you mean IMF find a lot of false positives after a scan?

If so, would you please save a scan report and attach it to us for further investigation?

 

Thank you in advance and best regards.

[samtso]

DPT.exe FP?

 

IObit Malware Fighter

 

OS: Windows XP

Version: 0.1.0.206

Time Elapsed: 01:43:27

Objects Scanned: 267772

Threats Found: 1

save time: 2010/12/31 上午 11:38:48

 

|Name|Type|Description|ID|

Trojan.Crypt, FILE, F:\Programs\Display Utilities\Dead Pixel Tester\DPT-2.2.exe, 172255

 

Threat

Cloud Scan: SAFE

 

File Basic Info:File Icon:

File Name: dpt-2.2.exe

File Size: 188 KB (192,512 Bytes)

File MD5: 30d745b0416ec10d1b75cb6fd772872c

File SHA1: 975AE7A02D2CAD2F557391D2D58DCA3C33A05556

File SHA256: NA

File Type: exe

 

Report Link: http://cloud.iobit.com/index.php?id=14bb8bdea228fd0516e26db1f481f53c351f040fecece9380ff7f4ce05d2ae52952c63373d6f6e01ea521ab82a104237bd228dc3704d84218bb8&signature=168ac12232b628c1ed

 

VirusTotal is under extreme workload and can't run an analysis at this moment, but I'm quite sure this is an FP.

 

Thanks and Cheers.

[captainron]

That's what I meant,

 

IObit community could sort the files as safe a dangerous, so IObit rate the file as malware

 

That didn't work out too well for other vendors who tried it. They were getting botted to drive customers away from competing software vendors..They eventually had to use customer based sessions to stop it, and free users only got credited when it matched up against paid subscriber submissions.

 

I submitted some samples that were populer malware droppers that were repacked, and didn't get detected.

[Pablo Jakelaitis]

That didn't work out too well for other vendors who tried it. They were getting botted to drive customers away from competing software vendors..They eventually had to use customer based sessions to stop it, and free users only got credited when it matched up against paid subscriber submissions.

 

I submitted some samples that were populer malware droppers that were repacked, and didn't get detected.

 

I understand your point of view,

 

But the classification of harmful files could only be awarded to selected members of the community, thus avoiding future problems.

[SECURITY360]

Entendi o seu ponto de vista,

 

Mas a classificação de arquivos nocivos só poderia ser atribuída aos membros selecionados da comunidade, assim evitarmos problemas futuros.

 

I hate to be me to say this, but administrators are prohibited from speaking another language other than English :cry:

 

saludos :mrgreen:

[Pablo Jakelaitis]

I know I wish the forum had many languages as the site of IObit, because when Google translator performs the translation of the site, there are items that are incorrectly translated or not translated, so that we would like resurfaced the translation

the site.

[enoskype]

Guys , please follow the rules of the Forum.

 

This Forum is in English.

 

If you want to write something in another language, please at least write the translation of it for everybody to understand.

 

@Pablo Jakelaitis,

It is not that hard to make it translated what you have written in your post #10 above, and it is quite understandable what is translated by Google.

 

Entendi o seu ponto de vista,

 

Mas a classificação de arquivos nocivos só poderia ser atribuída aos membros selecionados da comunidade, assim evitarmos problemas futuros.

 

Google translation:

 

I understand your point of view,

 

But the classification of harmful files could only be awarded to selected members of the community, thus avoiding future problems.

 

 

You don't have to use Google Translate but may prefer other translators if you don't like the way Google translate.

 

Cheers.

[Pablo Jakelaitis]

Hello enoskype,

 

I wish the forum was organized IObit also in other languages, so everyone can enjoy the support of the forum.

 

 

I was thinking, now the site of IObit is translated by Google Translate, But everyone who has viewed the site from IObit, Have Noticed That translations meaningless or items are not translated, I was wondering if IObit Not Have enough servers to host each site with Its Own language.

 

Since You Can not open the site to enter each item, the translators smoke here and download the file numbered each sentence in front of the site for translation, as if the translation of the program, only the site.

 

PS: This is just a suggestion, if you ask a question, reply with quote some phrase.

Post here what you think of the idea.

[enoskype]

Since You Can not open the site to enter each item, the translators smoke here and download the file numbered each sentence in front of the site for translation, as if the translation of the program, only the site.

 

Will you elaborate the above please.

 

On the other hand, I don't think IObit has enough web resources to have their web site kept in different languages separately.

 

Cheers.

[Pablo Jakelaitis]

Will you elaborate the above please.

 

Hello enoskype,

 

I do not understand what you mean by:

 

Will you please elaborate the above.

[enoskype]

Since You Can not open the site to enter each item, the translators smoke here and download the file numbered each sentence in front of the site for translation, as if the translation of the program, only the site.

 

I did not understand what you mean in the above quote. :mrgreen:

 

Please try to write it in some other words and openly in details, so I can understand.:grin:

 

Cheers.

[Ibrad]

FP's on HitmanPRO and Malwarebytes

 

Video of the FP's: http://www.youtube.com/watch?v=c3_ApT0EiqI

[enoskype]

Thanks for the link Ibrad.

 

Certainly MBAM detection as a malware is a nasty FP.

 

I wonder why the author of the video does not try the scan function of IMF though. :?:

 

Cheers.

[Pablo Jakelaitis]

I did not understand what you mean in the above quote. :mrgreen:

 

Please try to write it in some other words and openly in details, so I can understand.:grin:

 

Cheers.

 

Hello,

 

For example we realize that the translation product IObit we could sign up to perform the translation.

 

Hence IObit prepare a notebook with the words of the site that would translate

 

SAMPLE PACK NOTES:

_______________________________________________________________

 

Name of Country: Brazil

 

01-Products

02-Buy

03-Downloads

04-Support

05-Company

06-Share

07-Smart Defrag

08-Best Free Disk Defragmenter with 30M Users

2009 - Learn More

10-Welcome

11-Home Products

12-Business Products

13-All Products

14-Popular Products

The 15-Word's Top sys ...

16-Protect your PC from the ...

17 - Fast Speeds Up PC is Gamming

18-Media Review

______________________________________________________________

 

 

Look at Picture 1

 

After the translator performed the translation we would send the translated files and IObit they would commit to the site normally, each numbered item have already been translated, its corresponding button

 

See the Picture 2 would look like in Portuguese of Brazil.

 

NOTE: Do not have Photoshop, I used Paint

[Ibrad]

No idea but I am looking forward to the second beta (I always wait till the later beta before I try a product) and I hope to see the MBAM and HitManPRO fps fixed soon.

[brigrove]

False positives

 

FALSE POSITIVES

 

IObit Malware Fighter

 

In between the lines of your report, I've added the results under virus

total and notes about the program and/or where I obtained it

I've also added the results of yur cloud scan (all were SAFE)

 

OS: Windows XP

Version: 0.1.0.206

Time Elapsed: 04:43:58

Objects Scanned: 461808

Threats Found: 5

save time: 18/01/2011 09:16:34

 

|Name|Type|Description|ID|

Trojan.Crypt, FILE, C:\WINDOWS\system32\OpenExpert.dll, 170088

Trojan.Dropper, FILE, C:\Program Files\Microsoft.NET\SDK\v1.1\QuickStart\howto\samples\io\readwrite\cp\ReadWrite.exe, 156884

Misleading.Rogueware, FILE, C:\Backup\Documents and Settings\Brian Grove\My Documents\desktop shortcuts\clocks screensaver AJScreenInstall.exe, 21181

Win32.ChinDoor.11, FILE, D:\INSTALLED PROGRAMS\EmailAvenger NEEDS NET 1.1\Renegade_Minds_Email_Avenger.exe, 156522

Trojan.Spyware, FILE, F:\PORTABLEAPS\PortableApps\OpenOfficePortable\App\openoffice\program\package2.dll, 168242

 

OpenExpert.dll - result in virus total 3/42

I have used this program for years without problems (Note - none of the various firewalls I've used in that time detected any suspicious behaviour)

CAT-QuickHeal 11.00 2010.08.21 TrojanDropper.Agent.aohd

ClamAV 0.96.2.0-git 2010.08.22 PUA.Packed.ASPack

Comodo 5815 2010.08.22 Heur.Packed.Unknown

Cloud Scan: SAFE

 

ReadWrite.exe - result in virus total 0/42

This was in an official Microsoft :NET download

I know I joke that Microsoft products are so unreliable that they should be classified as malware, but...

Cloud Scan: SAFE

 

clocks screensaver AJScreenInstall.exe - originally the filename was

AJScreenInstall.exe - result in virus total 0/42

I used this program for months without problems (Note - the firewall I used in that time did not detect any suspicious behaviour)

Cloud Scan: SAFE

 

Renegade_Minds_Email_Avenger.exe - result in virus total 4/42

McAfee-GW-Edition 6.8.5 2010.01.30 Heuristic.LooksLike.Win32.Suspicious.J!87

Rising 22.32.05.04 2010.01.30 Hack.Win32.PsKill.a

Symantec 20091.2.0.41 2010.01.30 Suspicious.Insight

TrendMicro 9.120.0.1004 2010.01.30 PAK_Generic.001

One anti malware program had a listing about this saying that it was probably not malware but the characteristics had the potential to be malware

Cloud Scan: SAFE

 

F:\PORTABLEAPS\PortableApps\OpenOfficePortable\App\openoffice\program\

package2.dll - result in virus total 1/42

Prevx 3.0 2011.01.15 Medium Risk Malware

Part of the official Open Office Portable release

Cloud Scan: SAFE

[MagicHunter]

IObit Malware Fighter

 

OS: Windows 7

Version: 0.1.0.206

Time Elapsed: 00:02:40

Objects Scanned: 50963

Threats Found: 3

save time: 1/19/2011 1:44:26 AM

 

|Name|Type|Description|ID|

Spyware.Password, FILE, C:\Windows\system32\OLE32Init.exe, 153995

Spyware.Password, FILE, C:\Windows\svchost .exe, 153995

Trojan.Cript, FILE, C:\Windows\system32\OLE32Init.exe, 12559

 

File name: SVCHOST.EXE

Submission date: 2011-01-18 23:51:59 (UTC)

Current status: finished

Result: 1 /42 (2.4%)

 

IObit Cloud

 

Cheers.

[enoskype]

Hi Magic, I don't see the file's IObit Cloud scan result (N/A). Are you sure you did it right?

 

Cheers.

[MagicHunter]

I am not sure if I did it right or not.

 

I just pressed "Browse File"

Navigate to "svchost.exe" and open it.

Now IObit Cloud runs "Load File", "Upload File", "Queue", "Analyze", "Report"

and that's the result I got...

 

Did I do it wrong?

 

Cheers.