ritchie58

New Tdsskiller False Positives & Contact Us Error Message


While launching the TDSSKiller anti-rootkit utility today I received several quarantine responses from the SPERO detection engine when the executable attempted to update from version 3.0.0.25 to 3.0.0.26. This is not normal, as I've never had any conflicts between this utility and Immunet before. Even after restoring 3.0.0.25, Immunet also attempted to quarantine the zip file (quarantine failed) for the new 3.0.0.26 build after downloading to C:\Users\Ritchie\Downloads\Software Installers. Since I place the .exe on my Desktop I used this exclusion, which seems to have corrected the problem for now: C:\Users\Ritchie\Desktop\TDSSKiller. With this exclusion added the TDSSKiller GUI will launch and a scan is possible.

 

I have included the MD5-SHA256 for the newest build (see Images). Let me know if you would also like the SDT dump sent in.

 

OS: Win 7 Ultimate x64 SP1 - Immunet Plus version (TETRA enabled, ClamAV disabled): 3.1.8.9583

 

TDSSKiller 3.0.0.26 zip installer: tdsskiller3.0.0.26.zip

 


Forum member DimitriAus also had difficulty uploading an FP report at the same site. His thread can be found in the previous False Positives topic. He may not have archived the file in question to a .zip file prior to submission, as he didn't mention that, though. The file I attempted to submit "WAS" a .zip file and I filled in all necessary text fields but still got the error message.


Hi Ritchie,

 

That error in the Contact Us page might just cause me a heart attack.

 

Thanks for the heads up.

 

I think the pic you sent in is enough for what we need, but I'll let you know if otherwise.

 

Thanks,

 

-Jose


LOL! Sure, no problem my friend and don't have a heart attack man! Seriously though, thanks for looking into the issues and let me know if you need any additional data.

 

Best wishes, Ritchie...


Since I use the free version I also use TDSSKiller as a root-kit scanner and would like to see this false positive corrected too.

Edited by Robert G.

It has been marked as clean, so let me know if anybody is still having this issue. (Was marked a few days ago, I just lost track of this thread).

 

Cheers,

 

-Jose


Cool! Thanks Jose. I do have a Scheduled Scan in place where it scans my entire C:\ drive once a week, and SPERO did hit on the 3.0.0.25 installer that I have archived with the same detection name. I like to keep the previous installer of any software I'm using just in case.


Hi Ritchie,

 

Just one sec: You hit a different detection on 3.0.0.25 as well? (Well, same detection name, but another hit I mean)?

 

-Jose


Yup, that's the case Jose. I took a screen shot. It's really no big deal though. I doubt I'd have a reason to revert back to the old build since version .26 is working without issues. I'm assuming it would be OK now to delete that exclusion I made for the .26 executable on my Desktop. One way to find out is to delete the exclusion and launch the program to see what happens, I guess.

 

Deleted the exception and the .26 executable launched with no detection! Sweet! I did decide to delete the old .25 zip file so it wouldn't cause me any more problems, and another detection occurred when moving the file to the Recycle Bin. I did expect that to happen though, so I had Immunet delete the file after the quarantine response.

 


Got some bad news Jose. While attempting to update to the newest 3.0.0.30 version the exact same thing happened. While downloading the .zip file and moving the .exe to the Desktop I encountered the exact same quarantine responses with the same detection name as before (see images). Do you want me to run the Hash calculator for this build too? Something has to be done so future builds of TDSSKiller do not keep getting quarantined. This utility does get updated quite frequently!

 

Cheers, Ritchie...

 


Ritchie:

 

Just to let you know, we have cleared both .30 and .31 from this issue, and are having our response team look at this ASAP.

 

Spero detections are slightly harder to fix unfortunately.

 

Cheers,

 

-Jose


Thanks so much for looking into this issue once again Jose! I do hope something can be done to avoid any further FPs in the future.

 

Best wishes, Ritchie...


Version .32 just got the same treatment! There's "got to be something" that can be done so future versions don't keep getting quarantined over and over again!

 
