Author Topic: False positve  (Read 5105 times)

0 Members and 1 Guest are viewing this topic.

November 16, 2017, 07:46:05 am

mr5Adlice

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
False positve
« on: November 16, 2017, 07:46:05 am »
It detect svchost as proc.runPe and idk if it was a false positive any help is appreciated


Here is the JSON file download- https://drive.google.com/file/d/1hulFVduEhRWBlnbJ9_ofkXuXPJ7eTN0s/view?usp=sharingFNHTN8

Reply #1November 16, 2017, 07:51:32 am

mr5Adlice

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: False positve
« Reply #1 on: November 16, 2017, 07:51:32 am »
Here the .txt file just incase


RogueKiller V12.11.24.0 (x64) [Nov 13 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : matth [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 11/16/2017 00:59:08 (Duration : 00:23:31)

Processes : 1
[Proc.RunPE] svchost.exe(3028) -- c:\Windows\System32\svchost.exe[7] -> Found

Registry : 15
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-df066c95  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-df066c95  -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3448816122-827311409-3711641623-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3448816122-827311409-3711641623-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3448816122-827311409-3711641623-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3448816122-827311409-3711641623-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://hp17win10.msn.com/?pc=HCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://hp17win10.msn.com/?pc=HCTE  -> Found

Tasks : 1
[Suspicious.Path] \Hewlett-Packard\HP Support Assistant\HP Support Assistant printer driver installation -- C:\WINDOWS\TEMP\sp81731.exe -> Found

Files : 1
[PUP.uTorrentAds][File] C:\Users\matth\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe -> Found

WMI : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] e41bc5ab5d8867337f68978416e26cae
[BSP] 6660c97e02e685edf7c7681da1a25e0d : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
2 - Basic data partition | Offset (sectors): 567296 | Size: 940210 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1926117376 | Size: 980 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1928124416 | Size: 12396 MB
User = LL1 ... OK
User = LL2 ... OK

Reply #2November 16, 2017, 02:05:17 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2575
  • Reputation:
    97
    • View Profile
Re: False positve
« Reply #2 on: November 16, 2017, 02:05:17 pm »
Hi mr5Adlice,

Welcome to Adlice.com Forum.
Yes, it's indeed a false positive. Do you use BitLocker on this computer ?

Regards.

Reply #3November 18, 2017, 08:46:29 pm

mr5Adlice

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: False positve
« Reply #3 on: November 18, 2017, 08:46:29 pm »
i cant say i know if i do or not use bitlocker. Sorry for the extremely late reply

Reply #4November 18, 2017, 11:57:09 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2575
  • Reputation:
    97
    • View Profile
Re: False positve
« Reply #4 on: November 18, 2017, 11:57:09 pm »
Hi mr5Adlice,

Thanks for the feedback. If you used it, you will have known.
Don't worry about the delay, it's perfectly fine.

Regards.