New Tdsskiller False Positives & Contact Us Error Message

[ritchie58]

While launching TDSSKiller anti-rootkit utility today I recieved several quarantine responses by the SPERO detection engine when the executable attempted to update from version 3.0.0.25 to 3.0.0.26. This is not normal as I've never had any conflicts with this utility and Immunet before. Even after restoring 3.0.0.25 Immunet also attempted to quarantine the zip file (quarantine failed) for the new 3.0.0.26 build after downloading to C:\Users\Ritchie\Downloads\Software Installers. Since I place the .exe on my Desktop I used this exclusion which seems to have corrected the problem for now, C:\Users\Ritchie\Desktop\TDSSKiller. With this exclusion added the TDSSKiller GUI will launch and a scan is possible.

 

I have included the MD5-SHA256 for the newest build (see Images). Let me know if you would also like the SDT dump sent in.

 

OS: Win 7 Ultimate x64 SP1 - Immunet Plus version (TETRA enabled, ClamAV disabled): 3.1.8.9583

 

TDSSKiller 3.0.0.26 zip installer: tdsskiller3.0.0.26.zip

 

[ritchie58]

I have also tried several attempts to submit the FP at this Contact Us page but got a rather vague error message each time (see image). http://www.immunet.c...tact/index.html

 

 

[ritchie58]

Forum member DimitriAus also had dificulty uplaoading a FP report at the same site. His thread can be found at the previous False Positives topic. He may not have archived the file in question to a .zip file prior to submission as he didn't mention that though. The file I attempted to submit "WAS" a .zip file and I filled in all necessary text fields but still got the error message.

[Jose]

Hi Ritchie,

 

That error in the Contact Us page might just cause me a heart attack.

 

Thanks for the heads up.

 

I think the pic you sent in is enough for what we need, but I'll let you know if otherwise.

 

Thanks,

 

-Jose

[ritchie58]

LOL! Sure, no problem my friend and don't have a heart attack man! Seriously though, thanks for looking into the issues and let me know if you need any additional data.

 

Best wishes, Ritchie...

[Robert G.]

Since I use the free version I also use TDSSKiller as a root-kit scanner and would like to see this false positive corrected too.

[ritchie58]

Hey Bob! I think Jose will take care of the issue now that he's aware of the situation.

[Jose]

It has been marked as clean, so let me know if anybody is still having this issue. (Was marked a few days ago, I just lost track of this thread).

 

Cheers,

 

-Jose

[ritchie58]

Cool! Thanks Jose. I do have a Sceduled Scan in place where it scans my entire C:\ drive once a week and SPERO did hit on the 3.0.0.25 installer with the same detection name that I have archived. I like to keep the previous installer of any software I'm using just in case.

[Jose]

Hi Ritchie,

 

Just one sec: You hit a different detection on 3.0.0.25 as well? (Well, same detection name, but another hit I mean)?

 

-Jose

[ritchie58]

Yup, that's the case Jose. I took a screen shot. It's really no big deal though. I doubt I'd have a reason to revert back to the old build since version .26 is working without issues. I'm assuming it would be ok now to delete that exclusion I made for the .26 executable on my Desktop. One way to find out is delete the exclusion and launch the program to see what happens I guess.

 

Deleted the exception and the .26 executable launched with no detection! Sweet! I did decide to delete the old .25 zip file so it wouldn't cause me any more problems and another detection occured when moving the file to the Recycle Bin. I did expect that to happen though so I had Immunet delete the file after the quarantine response.

 

[Jose]

Hey,

 

Both of these should be good now.

 

Cheers,

 

-Jose

[ritchie58]

Got some bad news Jose. While attempting to update to the newest 3.0.0.30 version the exact same thing happened. While downloading the .zip file and moving the .exe to the Desktop I encountered the exact same quarantine responses with the same detection name as before (see images). Do you want me to run the Hash calculator for this build too? Something has to be done so future builds of TDSSKiller do not keep getting quarantined. This utility does get updated quite frequently!

 

Cheers, Ritchie...

 

[Jose]

Ritchie:

 

Just to let you know, we have cleared both .30 and .31 from this issue, and are having our response team look at this ASAP.

 

Spero detections are slightly harder to fix unfortunately.

 

Cheers,

 

-Jose

[ritchie58]

Thanks so much for looking into this issue once again Jose! I do hope something can be done to avoid any further FP's in the future.

 

Best wishes, Ritchie...

[ritchie58]

Version .32 just got the same treatment! There's "got to be something" that can be done so future versons don't keep getting quarantined over and over again!