
False Positive: RUIFltr.sys, RUINetf.sys +


LxCi   

Greetings from the Great Country of TEXAS,

 

Due to my own error and misunderstanding of what was discovered, I had it removed.  Did some investigating into what had been removed and discovered the "RUIFLTR.SYS, RUINETF.SYS, NETFILTER2.SYS" files plus about sixteen (16) registry entries that were placed there by Microsoft by an update that was done on 06/10/2009.  Below find some information about that install; my EditPad Lite v7 does not display some characters: [bracketed data is from me]

 

[below dated 06/10/2009]

C:\Windows\winsxs\x86_microsoft-windows-t..ied-chinese-quanpin_31bf3856ad364e35_6.1.7600.16385_none_f79af98021986eab

[below, "?" appears where characters cannot be displayed, as they are in Simplified Chinese]
"RUI"="?"


C:\Windows\winsxs\x86_microsoft-windows-t..ional-chinese-array_31bf3856ad364e35_6.1.7600.16385_none_64b02463c341f83d

"YRUI"="?"
 

The above information is found on two (2) of my computers, both x64 systems; one system is x32 and does not have the above data entries.

 

Just one question, how may I reinstall those two (2) DotSYS files plus the Reg entries?

 


Hello LxCi,

 

The items which were removed should likely still be in your quarantine. Click the 'System Tools' button, then click the 'Quarantine' button. Items can be restored from there, then the next time they are detected simply click the thumbs-up icon to trust them and they will no longer be detected.

 

Also, I would like you to submit a customer support request so we can get some more information about this detection.

 

Gabe Burch
Primary Malware Researcher
SUPERAntiSpyware

LxCi   

Gabe Burch,

 

Have been trying to log on to post for about the last hour or more.  All that could be seen were blank white pages except for the Index area.

 

Below is a message I attempted to send in reply, which came back undeliverable:

"

Thank you for this information, but, checking the Quarantine under SysTools, there is NOTHING listed, plus the check box at the bottom set to your default of thirty (30) days I have changed to 130 days.  Those files in my post were discovered on this system on 06/24/2016 and nothing found about them as you mentioned in your message.  The only place they show is under SUPERAntiSpyware Scan Logs; cannot find any way of displaying what is within.  Have seven (7) discovered on 07/03/2016 and nineteen (19) on 06/24/2016, which are those of the report posted in the forums.
 
With nothing showing under System Tools and Program Settings, except what is mentioned above, I have saved a copy of a quarantine file, 'quarantine.db' from 06/24/2016, 159 KB, in a special folder if you would like for me to send it as an attachment.  Also have the WINSXS folder as Excluded in Scanner Options.
 
Please understand, this is not a normal newbie; am a very curious animal and do my own investigations.  Learning what is possible, even going against Micro(µ)soft's wishes, to keep my system as protected as possible, even to the point of going against so called Experts, MSVP, Forum, GEEKS, et ceteras . . .  Have even run two (2) firewalls, two (2) antivirus monitors and scanners, with up to four (4) adware, spyware, malware, et ceteras . . . all at the same time without the difficulties predicted.  Have surfed the net since about 1974 using Unix software at the DOS CMD Line before WWW and Windows were ever implemented.
 
I go against the grain . . because it is MY system to maintain
 
TIA, CU L8R,
'd' or 'e'
"Lone Wanderer"

P.S. I opened the Submit Malware Samples clicking on the "+" sign and selecting the file saved in a special folder as mentioned above and (sent) was displayed on that entry.  Do not know where it was sent, if you wish me to attach it here let me know.

Thank you for reading this rambling mess

'd'
"LONE Wanderer"


Hello LxCi,

 

I do find it odd that the files are not in the quarantine, but perhaps they were removed by one of your other AV/Anti-Malware programs.

 

Please fill out a customer support request and we will be able to send you a customized diagnostic which will give us more information about this detection and hopefully determine whether this is a false positive.

 

Gabe

LxCi   

Gabe,

 

Have done that and have a report that was blocked by WinPrivacy, and now am attaching it to this message.  They gave me a file, SUPERSysteminspector, to run, and it took me a bit of time to figure out how to stop Avast! from blocking it every time the attempt was made to get it to run.

 

Seems it is TOO large, 500K; will attempt to use 7zip to compress.  Will return later.

 

Looks like it is a compressed file and will not zip any further.

 

Now what?  E-mailed the file and it is on its way.
