AdwCleaner and Hitman Pro false positive alerts in registry
s: Alex 4wcb
Hitman Pro detecting couple of malware/spyware registry entries after installing Free Download Manager
Addon bullying behavior
even after deleting firefox addon from program files/fdm folder
fdm tries to push addon via program data\fdm
I have to deny access to program data\fdm folder to stop this behavior
Custom location auto category not working and the pop-up warning is buggy
developers have ignored my previous mails
I am switching to open source uget
good bye and best of luck with milky beta, you guys are kidding right!
Re: Hitman Pro detecting malware/spyware registry
Download managers are designed to co-operate with web browsers and by default they install browser extensions - so FDM works OK. On the other side, malware monitors are designed to warn about any installed browser extension (no matter who or what is installing them) - so Hitman Pro also works OK.
If you don't like FDM's way of integration with any browser, just turn off proper monitoring options in FDM. If you see any phone-home-like outcoming actions taken by FDM, read the FDM FAQ, please.
You should NOT use any program (including both Hitman Pro and FDM) if you don't understand how it works or don't want to configure it properly.
If you want to learn more, DO follow the reporting rules and provide needed details, please. Helpful links are in my signature.
Andrzej P. Wozniak, FDM and forum
Read FDM FAQ and the reporting rules
"How to report a bug or a problem with FDM" before posting
Re: Hitman Pro detecting malware/spyware registry
Hi,
With reference to this topic, included in this post is a log of FDM connected Registry entries that Hitman Pro has been raising concern over for several months now each time I have run it.
My current FDM Version 3.9.7 Build 1625. O/S Windows 10 Pro (x64). I never used to get these a few months back. For some reason Hitman Pro seems to think they are (OpenManager).
Is there a connection between FDM and ODM and if not does FDM use some files used by ODM or named the same as ODM?
I deleted the Registry entries and ran Hitman Pro and the related warnings were gone.
I reinstalled FDM again and the registry entries were reinstated by the FDM installer (downloaded from this site) and the HMP warning entries appeared again.
As far as settings (mentioned to the other poster), I can see none in HMP (free) that can be changed without reducing its ability to detect (it has no white list if registry entries are false-positives either). Equally there are no entries I would wish to disable in FDM. I also confirm Malwarebytes Anti-Malware does not report these entries but then MWBAM and HMP do not overlap 100% hence why I run both from time to time (to my Avast antivirus and Windows 10 Firewall which run in the background all the time).
Here is the HMP Log
HitmanPro 3.7.10.251
http://www.hitmanpro.com
Computer name . . . . : MERLIN
Windows . . . . . . . : 10.0.0.10586.X64/8
name . . . . . . : MERLIN\Dave
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free
Scan date . . . . . . : 2015-12-01 18:49:41
Scan mode . . . . . . : Normal
Scan duration . . . . : 3m 41s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 21
Objects scanned . . . : 1,515,301
Files scanned . . . . : 24,334
Remnants scanned . . : 250,673 files / 1,240,294 keys
Potential Unwanted Programs _________________________________________________
HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}\ (OpenManager)
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)
HKU\S-1-5-21-2992085237-2805390675-3250878708-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)
Repairs _____________________________________________________________________
hosts
C:\WINDOWS\system32\drivers\etc\
The Salecharger and Hosts entries I have checked out and are unrelated and have been ed in my investigations.
Hope this helps and is sufficient. Always happy to provide more info if required
Regards DKO
Re: Hitman Pro detecting malware/spyware registry
dko wrote: Is there a connection between FDM and ODM and if not does FDM use some files used by ODM or named the same as ODM?
Open Download Manager (ODM) seems to be some kind of branded FDM version so it just reuses most of FDM code. In your report there seem to be only valid FDM entries so as a Hitman user you should send a report to HitmanPro devs about the false positive alert.
Note that it's not the first such alert, e.g. some malware scanners in the past warned about programs packed with UPX or installers built with NSIS. Currently some software portals insist on using their adware downloaders or use adware wrappers for regular installers so some malware scanners may report false positive alerts for any software downloaded from such sites. Even the Sourceforge site allows the use of such adware wrappers - it's done either by developers' agreement or for unmaintained projects, see: https://en.wikipedia.org/wiki/SourceForge#Controversies
Andrzej P. Wozniak, FDM and forum
Read FDM FAQ and the reporting rules
"How to report a bug or a problem with FDM" before posting
Re: Hitman Pro detecting malware/spyware registry
Hi.
I have Free Download Manager version 3.9.7.1625.
AdwCleaner also reports the same Registry entries as malicious.
I deleted the Registry entries and Free Download Manager does not work properly.
Re: Hitman Pro detecting malware/spyware registry
Why did you delete valid FDM registry entries? Have you any problems with reinstalling FDM? Have you reported false positive alert to AdwCleaner developers?
Andrzej P. Wozniak, FDM and forum
Read FDM FAQ and the reporting rules
"How to report a bug or a problem with FDM" before posting
Re: Hitman Pro detecting malware/spyware registry
A scan with AdwCleaner (version 5.025) found the following infected registry entries:
HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}
HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}
HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}
HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}
HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}
HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}
HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}
[x64] HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
[x64] HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
[x64] HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}
[x64] HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}
[x64] HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}
[x64] HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}
[x64] HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}
[x64] HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}
[x64] HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}
AdwCleaner recommended deleting the infected items.
After restart, I tried to use Free Download Manager (version 3.9.7.1625) and it was not working properly.
I uninstalled FDM and then I installed it successfully.
Another scan with AdwCleaner again detects the same registry entries as infected.
I'm not an expert, I do not know if it's a false alarm.
I have to report a false positive alert to AdwCleaner developers?
Re: AdwCleaner and Hitman Pro false positive alerts in registry
Anselmo wrote: I'm not an expert, I do not know if it's a false alarm.
Of course you know they are. The same registry entries have been already reported in earlier messages. You have read those messages so you know the conclusion - it IS a false alarm.
Anselmo wrote: I have to report a false positive alert to AdwCleaner developers?
Yes, of course.
Andrzej P. Wozniak, FDM and forum
Read FDM FAQ and the reporting rules
"How to report a bug or a problem with FDM" before posting
Reg Entries from FDM flagged as PUP by HitmanPro
When FDM is installed and I do a scan of the installation, I see several registry entries being flagged. The scan indicates
that these entries belong to a program called OpenManager. Why does FDM create the same entries as
OpenManager and is that really necessary?
Potential Unwanted Programs _________________________________________________
HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}\ (OpenManager)
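The posts above turn on whether AdwCleaner and HitmanPro are flagging the same registry keys, and whether the WOW6432Node and [x64] lines are separate findings or two views of one key. The following Python is an added example, not code from any poster or from the FDM, HitmanPro or AdwCleaner projects; the log excerpts are shortened copies of the logs posted in this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Shortened excerpts (two of the nine IIDs) of the logs posted in this thread.
HITMANPRO_LOG = r"""
HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}\ (OpenManager)
HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}\ (OpenManager)
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}\ (OpenManager)
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)
"""
ADWCLEANER_LOG = r"""
HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
[x64] HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
[x64] HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
"""

# One registry finding per line, in either scanner's format.
LINE_RE = re.compile(
    r"^(?:\[x64\]\s+)?"                     # AdwCleaner 64-bit marker
    r"(?P<hive>HK[A-Z]+)\\(?P<path>.+?)\\"  # hive and parent key path
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\?"    # GUID-named subkey
    r"(?:\s+\((?P<label>[^)]+)\))?\s*$"     # HitmanPro detection label
)

INTERFACE_KEY = r"HKLM\SOFTWARE\CLASSES\INTERFACE"

def parse_findings(log):
    """Return {normalized parent key: {GUID: set of labels}} for one log."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or a non-registry entry
        # WOW6432Node is the redirected 32-bit view of the same key; fold it
        # into the native path so both views of one key compare equal.
        path = re.sub(r"\\?WOW6432Node", "", m["path"], flags=re.I)
        key = f'{m["hive"]}\\{path}'.upper()
        findings[key][m["guid"].upper()].add(m["label"] or "")
    return findings

def compare_interface_iids(log_a, log_b):
    """Return (flagged by both, only in a, only in b) for COM interface IIDs."""
    a = set(parse_findings(log_a)[INTERFACE_KEY])
    b = set(parse_findings(log_b)[INTERFACE_KEY])
    return a & b, a - b, b - a

if __name__ == "__main__":
    both, hmp_only, adw_only = compare_interface_iids(HITMANPRO_LOG, ADWCLEANER_LOG)
    print(f"both: {sorted(both)}\nHitmanPro only: {sorted(hmp_only)}\nAdwCleaner only: {sorted(adw_only)}")
```

Run over the full logs, an empty "only" set on both sides shows the two scanners are matching the same interface IIDs, which is the detail to include in a false-positive report to either vendor.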