Are these false positives?

  • November 22, 2015
  • 3 replies
  • 43 views

Hello,
 
I am new here so please bear with me... :)
 
I had some problems with my PC, it would sometimes completely freeze and a restart was needed to unblock it (the install is relatively new so these things shouldn't happen).
 
When I installed Webroot SecureAnywhere it immediately found several infections, which were apparently all due to the Handy Andy Android emulator. I will paste the problematic entries below. The problem is, the authors of that software claim that they have never included any malware or adware in their software, and the other sources on the internet mostly agree with that claim. But I still have my doubts.... My PC is working normally for now, though, so that's defo a good thing.
 
Here are some highlights from the scan log:
 
-------------------------
Wed 2015-11-18 05:09:39.0170 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [(null)]
Wed 2015-11-18 05:09:39.0171 Infection found in realtime: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26, Size: 1007816 bytes] [268963856/00000003] [(null)]
Wed 2015-11-18 05:09:39.0172 Infection found in realtime: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26, Size: 1007816 bytes] [268963856/00000003] [(null)]
Wed 2015-11-18 07:08:05.0823 Scan Started: [ID: 23 - Flags: 1575/16]
Wed 2015-11-18 07:09:49.0262 Infection detected: c:\users\richard\appdata\roaming\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:49.0266 Infection detected: c:\program files\andy\offlineinstaller\45.5\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:49.0268 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:49.0271 Infection detected: c:\users\richard\appdata\local\temp\andy_45.5_x64\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:50.0132 Scan Results: Files Scanned: 38237, Duration: 1m 44s, Malicious Files: 4
Wed 2015-11-18 07:09:50.0154 Scan Finished: [ID: 23 - Seq: 2147000000]
 
 
then again after some time...
 
Thu 2015-11-19 01:04:56.0450 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [(null)]
Thu 2015-11-19 01:04:56.0451 Infection found in realtime: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26, Size: 1007816 bytes] [268963856/00000003] [(null)]
Thu 2015-11-19 01:04:56.0453 Infection found in realtime: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26, Size: 1007816 bytes] [268963856/00000003] [(null)]
Thu 2015-11-19 07:08:00.0189 Scan Started: [ID: 24 - Flags: 1575/16]
Thu 2015-11-19 07:09:54.0776 Infection detected: c:\users\richard\appdata\roaming\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Thu 2015-11-19 07:09:54.0780 Infection detected: c:\program files\andy\offlineinstaller\45.5\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Thu 2015-11-19 07:09:54.0782 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Thu 2015-11-19 07:09:54.0784 Infection detected: c:\users\richard\appdata\local\temp\andy_45.5_x64\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Thu 2015-11-19 07:09:56.0046 Scan Results: Files Scanned: 39437, Duration: 1m 55s, Malicious Files: 4
Thu 2015-11-19 07:09:56.0075 Scan Finished: [ID: 24 - Seq: 2147000000]
 
.....
 
 
Fri 2015-11-20 13:49:12.0791 <<< Service shut down successfully. Uptime: 5838 minute(s)
Fri 2015-11-20 17:07:21.0448 WF Configuration : 0x1E7
Fri 2015-11-20 17:07:21.0526 >>> Service started [v9.0.6.18]
Fri 2015-11-20 17:07:21.0526 Terminated abruptly in the last session
Fri 2015-11-20 17:07:35.0181 User process connected successfully from PID 824, Session 1
Fri 2015-11-20 17:07:49.0282 Connecting to 80 - 80
Fri 2015-11-20 17:10:13.0832 Scan Started: [ID: 26 - Flags: 551/16]
Fri 2015-11-20 17:11:22.0803 Monitoring process C:\Windows\system32\wbem\WMIADAP.EXE [005247E3057BC5D5C3F8C6F886FFC10C]. Type: 1 (7732)
Fri 2015-11-20 17:11:40.0947 Connected to B14
Fri 2015-11-20 17:11:40.0947 Infection detected: c:\users\richard\appdata\roaming\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:11:40.0947 Infection detected: c:\program files\andy\offlineinstaller\45.5\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:11:40.0947 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:11:40.0947 Infection detected: c:\users\richard\appdata\local\temp\andy_45.5_x64\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:11:41.0213 Scan Results: Files Scanned: 35210, Duration: 1m 27s, Malicious Files: 4
Fri 2015-11-20 17:11:41.0244 Scan Finished: [ID: 26 - Seq: 2147000000]
Fri 2015-11-20 17:12:23.0621 Saved updated configuration
Fri 2015-11-20 17:12:28.0163 Monitoring process C:\Windows\system32\wbem\WMIADAP.EXE [005247E3057BC5D5C3F8C6F886FFC10C]. Type: 1 (7732)
Fri 2015-11-20 17:16:50.0491 Begin passive write scan (1 file(s))
Fri 2015-11-20 17:16:50.0722 End passive write scan (1 file(s))
Fri 2015-11-20 17:38:03.0459 WF Configuration : 0x1E7
Fri 2015-11-20 17:38:07.0341 Scan Started: [ID: 27 - Flags: 551/16]
Fri 2015-11-20 17:39:43.0525 Infection detected: c:\users\richard\appdata\roaming\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:39:43.0526 Infection detected: c:\program files\andy\offlineinstaller\45.5\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:39:43.0528 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:39:43.0529 Infection detected: c:\users\richard\appdata\local\temp\andy_45.5_x64\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Fri 2015-11-20 17:39:43.0777 Scan Results: Files Scanned: 36508, Duration: 1m 36s, Malicious Files: 4
Fri 2015-11-20 17:39:43.0812 Scan Finished: [ID: 27 - Seq: 2147000000]
Fri 2015-11-20 17:39:46.0187 Determination flags modified: c:\program files\andy\offlineinstaller\45.5\setup.exe - MD5: 732EB198593ADE477060E2D6D2466F26, Size: 1007816 bytes, Flags: 00000020
Fri 2015-11-20 17:39:46.0187 Determination flags modified: c:\program files\andy\offlineinstaller\45.5\setup.exe - MD5: 732EB198593ADE477060E2D6D2466F26, Size: 1007816 bytes, Flags: 00000020
Fri 2015-11-20 17:39:51.0819 Performing cleanup entry: 5
Fri 2015-11-20 17:39:51.0819 Performing cleanup entry: 6
Fri 2015-11-20 17:39:51.0819 Performing cleanup entry: 7
Fri 2015-11-20 17:39:51.0819 Performing cleanup entry: 8
Fri 2015-11-20 17:39:55.0520 Scan Started: [ID: 28 - Flags: 551/144]
Fri 2015-11-20 17:41:16.0744 Scan Results: Files Scanned: 36267, Duration: 1m 21s, Malicious Files: 0
Fri 2015-11-20 17:41:16.0753 Scan Finished: [ID: 28 - Seq: 2147000000]
Fri 2015-11-20 17:46:47.0242 Begin passive write scan (1 file(s))
Fri 2015-11-20 17:46:47.0484 End passive write scan (1 file(s))
Fri 2015-11-20 17:47:04.0772 Saved the product log to C:\Users\Richard\Desktop\LOGS\log.log
Fri 2015-11-20 17:54:11.0417 Begin passive write scan (43 file(s))
Fri 2015-11-20 17:54:11.0847 End passive write scan (43 file(s))
Fri 2015-11-20 17:54:20.0421 Begin passive write scan (1 file(s))
Fri 2015-11-20 17:54:21.0254 End passive write scan (1 file(s))
Fri 2015-11-20 17:54:35.0428 Begin passive write scan (6 file(s))
Fri 2015-11-20 17:54:36.0277 End passive write scan (6 file(s))
Fri 2015-11-20 18:03:52.0830 System shutting down.
Fri 2015-11-20 18:03:53.0532 Configuration Saved: CSCS6AAF6FD61778A8B08F61DBA5D47E5977,00011,00021,00031,00041,00051,00061,00070,00081,00091,000A1,000B1,000C1,000D0,000E1,000F0,001011,00118,00120,00130,00140,00151,00161,00170,00181,00191,001A0,001B0,001C1,001D0,001E0,001F1,00201,00211,00221,00231,00240,00251,00260,00270,00281,00291,002A0,002B1,002C1,002D0,002E1,002F1,00301,00311,00321,00331,00341,00351,00361,00371,00381,00390,003A1,003B1,003C2,003D1,003E1,003F1,00401,00411,00421,00431,00441,00451,00461,00471,00481,00491,004A1,004B1,004C1,004D1,004E1,004F1,00501,00511,00521,00530,00541,00551,00561,00571,00581,00591,005A1,005B1,005C0,005D0,005E1,005F0,00601,00613,00620,00630,00641,00653,00663,00673,00681,00693,006A0,006B0,006C1,006D2,006E0,006F0,00701,00711,00720,00730,00741,00753,00760,00770,00781,00791,007A0,007B0,007C0,007D0,007E0,007F0,00800,00810,00820,00830,00840,00850,00861,00870,00880,00891,008A0,008B0,008C0,008D0,008E0,008F0,00900,00910,00920,00930,00940,00950,00960,00970,00980,00990,009A0,009B0,009C0,009D0,009E0,009F0,00A00,00A10,00A20,00A30,00A40,00A50,00A60,00A70,00A80,00A90,00AA0,00AB0,00AC0,00AD0,00AE0,00AF0,00B00,00B11,00B20,00B30,00B40,00B51,00B61,00B71,00B80,00B90,00BA0,00BB0,00BC0,00BD0,00BE0,00BF0,00C00,
Fri 2015-11-20 18:03:53.0532 Keycode: SA84WTFTA39BBA96FD59
Fri 2015-11-20 18:03:53.0532 <<< Service shut down successfully. Uptime: 56 minute(s)
 
 
 
And this is from the threat log:
 

Automated Cleanup Engine
Starting Cleanup at 20/11/2015 - 16:39:51 GMT
Starting Routine> Removing c:\users\richard\appdata\roaming\andy\setup.exe...#(PX5: 4A7F1542C81C71C4607D0F19FFC80A00F221F105 - MD5: 732EB198593ADE477060E2D6D2466F26)...
Deleting File> c:\users\richard\appdata\roaming\andy\setup.exe
Writing Registry Value> HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Andy OS - UninstallString
Deleting Registry Value> HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Andy OS - UninstallString
Starting Routine> Removing c:\program files\andy\offlineinstaller\45.5\setup.exe...#(PX5: 4A7F1542C81C71C4607D0F19FFC80A00F221F105 - MD5: 732EB198593ADE477060E2D6D2466F26)...
Deleting File> c:\program files\andy\offlineinstaller\45.5\setup.exe
Starting Routine> Removing c:\program files\andy\setup.exe...#(PX5: 4A7F1542C81C71C4607D0F19FFC80A00F221F105 - MD5: 732EB198593ADE477060E2D6D2466F26)...
Deleting File> c:\program files\andy\setup.exe
Starting Routine> Removing c:\users\richard\appdata\local\temp\andy_45.5_x64\setup.exe...#(PX5: 4A7F1542C81C71C4607D0F19FFC80A00F221F105 - MD5: 732EB198593ADE477060E2D6D2466F26)...
Deleting File> c:\users\richard\appdata\local\temp\andy_45.5_x64\setup.exe
 
---------------------------------------------------------------------------
 
So, I would like to know if this was a real threat or a false positive... can anybody shed some light on it here?
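Before escalating a detection like this one, it helps to read the log for what it actually says rather than for the count it reports. The following Python script is an added example, not part of the original post or of Webroot's own tooling. It parses an excerpt of the scan log above (path separators restored) with a regular expression that is an assumption about the pasted line format, groups the "Infection detected" events by MD5, and reports how many distinct samples, paths and verdict names are involved and whether the last scan came back clean. On this log it shows that the "4 malicious files" are a single 1007816-byte binary under four paths with a generic W32.Malware.Gen verdict, which is the kind of evidence worth attaching to a support ticket alongside the hash; the vendor's review remains the authoritative answer.

```python
import re
from collections import defaultdict

# Scan-log excerpt copied from the post above (path separators restored).
# It is sample input for this example; nothing in it is invented.
SCAN_LOG = r"""
Wed 2015-11-18 05:09:39.0170 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [(null)]
Wed 2015-11-18 07:08:05.0823 Scan Started: [ID: 23 - Flags: 1575/16]
Wed 2015-11-18 07:09:49.0262 Infection detected: c:\users\richard\appdata\roaming\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:49.0266 Infection detected: c:\program files\andy\offlineinstaller\45.5\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:49.0268 Infection detected: c:\program files\andy\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:49.0271 Infection detected: c:\users\richard\appdata\local\temp\andy_45.5_x64\setup.exe [MD5: 732EB198593ADE477060E2D6D2466F26] [3/10081010] [W32.Malware.Gen]
Wed 2015-11-18 07:09:50.0132 Scan Results: Files Scanned: 38237, Duration: 1m 44s, Malicious Files: 4
Fri 2015-11-20 17:39:55.0520 Scan Started: [ID: 28 - Flags: 551/144]
Fri 2015-11-20 17:41:16.0744 Scan Results: Files Scanned: 36267, Duration: 1m 21s, Malicious Files: 0
"""

# Assumed line formats, derived from the pasted log (not a documented Webroot spec).
DETECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) Infection detected: "
    r"(?P<path>.+?) \[MD5: (?P<md5>[0-9A-Fa-f]{32})\] \[(?P<code>[^\]]*)\] \[(?P<name>[^\]]*)\]$"
)
RESULTS_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) Scan Results: Files Scanned: (?P<scanned>\d+), "
    r"Duration: (?P<duration>[^,]+), Malicious Files: (?P<malicious>\d+)$"
)


def parse_scan_log(text):
    """Return (detections, scan_results): one dict per detection event and one per scan summary."""
    detections, results = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECT_RE.match(line)
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].upper()          # normalise so the same file groups together
            d["path"] = d["path"].lower()        # Windows paths are case-insensitive
            d["name"] = None if d["name"] == "(null)" else d["name"]  # realtime hits lack a name
            detections.append(d)
            continue
        m = RESULTS_RE.match(line)
        if m:
            r = m.groupdict()
            r["scanned"] = int(r["scanned"])
            r["malicious"] = int(r["malicious"])
            results.append(r)
    return detections, results


def group_by_hash(detections):
    """Map each MD5 to the distinct paths and verdict names it was flagged under, plus an event count."""
    groups = defaultdict(lambda: {"paths": set(), "names": set(), "events": 0})
    for d in detections:
        g = groups[d["md5"]]
        g["paths"].add(d["path"])
        if d["name"]:
            g["names"].add(d["name"])
        g["events"] += 1
    return dict(groups)


def triage(text):
    """Summarise what the log supports: how many distinct samples, whether every verdict is a
    generic (.Gen) heuristic, and whether the most recent scan reported anything malicious."""
    detections, results = parse_scan_log(text)
    groups = group_by_hash(detections)
    names = [n for g in groups.values() for n in g["names"]]
    return {
        "events": len(detections),
        "distinct_samples": len(groups),
        "distinct_paths": sum(len(g["paths"]) for g in groups.values()),
        "generic_verdict_only": bool(names) and all(n.endswith(".Gen") for n in names),
        "last_scan_malicious": results[-1]["malicious"] if results else None,
        "hashes": sorted(groups),
    }


if __name__ == "__main__":
    for key, value in triage(SCAN_LOG).items():
        print(f"{key}: {value}")
```

The "distinct_samples" figure is the useful one: four alerts that collapse to one hash are one decision for the vendor to make, and quoting that hash (plus the installer's download source) in the ticket is what lets them whitelist or confirm it.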
 

3 replies

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • November 22, 2015
Hi masterben
 
Welcome to the Community Forums.
 
I am afraid that the only foolproof way of determining that is to open a Support Ticket and submit what you have posted to the Support Team so they can check these and, if they are FPs, correct the listings in the Webroot Cloud.
 
Any comments from us in the Community would be pure speculation. Having said that, if you are experiencing nothing abnormal in terms of how your system is processing, it is likely that they are FPs...but best to get this checked out by the professionals...the Support Ticket line is personed 24/7.
 
Regards, Baldrick

  • Author
  • Fresh Face
  • 1 reply
  • November 22, 2015
Thanks for the suggestion, Baldrick.
 
I will submit a support ticket there.

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • November 22, 2015
Hi masterben
 
No worries...you can provide a link to this thread in the Ticket so that you do not have to write it out all over again.
 
I very much suspect FPs given that the app concerned is far from being anywhere close to mainstream (from my research) and hopefully that will prove to be the case/the Support Team can get them whitelisted for you.
 
Regards, Baldrick