
Scan Results


#1 CKing123
Posted 15 August 2015 - 12:30 PM

Mod Edit:  Split from  http://www.bleepingcomputer.com/forums/t/272337/false-positives-in-antivirus-programs - Hamluis.

 

Thanks for the advice!

 

HitmanPro shows svchost as a suspicious program, but it is code-signed by Microsoft. It is considered "suspicious" because it runs at startup, and most programs cannot detect it. It is a false positive. (It started showing svchost when I upgraded to Windows 10.)

 

There are many Microsoft processes that are often false positives, yet one must be aware that Malware can disguise itself as such processes. It's best to go to the process folder & check it with VirusTotal. 

 

https://www.virustotal.com/en/documentation/desktop-applications/virustotal-uploader

 

You may also install System Explorer; when it installs, it will offer to run a default scan, which you should run. The results will show in your default browser (if you're running Firefox with the NoScript add-on, be sure to allow the page). It's often referred to as a Task Manager on steroids because it shows a lot more detail. Just click the Download tab for the latest version, and be sure to select the installer (top link). It runs on Windows 2000 through Windows 10.

 

http://systemexplorer.net/

 

When you run a scan with System Explorer, there's a link to the right of each file that you can check with VirusTotal, and when closing, it'll show in the notification area; one can monitor some items with this software just by hovering over that icon. Click on the icon any time you wish to run a scan, or to see the processes in more detail.

 

Cat

 

 

So I ran system explorer and it did the security scan, and did not find anything.

 

Here is the result for that

 

Further, in the HitmanPro logs, here is the part about svchost (the rest of the things that were detected were tracking cookies for Chrome, which I removed):

 

 C:\WINDOWS\system32\svchost.exe
      Size . . . . . . . : 39,856 bytes
      Age  . . . . . . . : 5.0 days (2015-08-08 17:03:01)
      Entropy  . . . . . : 6.0
      SHA-256  . . . . . : 8A88E067E89D1DCFCAFD842C0CB7DE5DC7E6754447F2064A2BDF8496B088BD52
      Product  . . . . . : Microsoft® Windows® Operating System
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Host Process for Windows Services
      Version  . . . . . : 10.0.10240.16384
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      RSA Key Size . . . : 2048
      Service  . . . . . : UserDataSvc_Session1
      Process Type . . . : Critical
      LanguageID . . . . : 1033
      Authenticode . . . : Valid
      Running processes  : 444, 536, 688, 920, 976, 1108, 1280, 1508, 2200, 2292, 2612, 3140, 3416, 6728, 7832
      Fuzzy  . . . . . . : 24.0
         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
         This program is actively listening for inbound network connections.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         Starts automatically as a service during system bootup.
         This file's process is marked as system critical.
         The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
         Program is code signed with a valid Authenticode certificate.
      Startup
         HKLM\SYSTEM\ControlSet001\Services\OneSyncSvc_Session1\
         HKLM\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_Session1\
         HKLM\SYSTEM\ControlSet001\Services\UnistoreSvc_Session1\
         HKLM\SYSTEM\ControlSet001\Services\UserDataSvc_Session1\
         HKLM\SYSTEM\CurrentControlSet\Services\AJRouter\
         HKLM\SYSTEM\CurrentControlSet\Services\AppHostSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\Appinfo\
         HKLM\SYSTEM\CurrentControlSet\Services\AppReadiness\
         HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder\
         HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv\
         HKLM\SYSTEM\CurrentControlSet\Services\AxInstSV\
         HKLM\SYSTEM\CurrentControlSet\Services\BDESVC\
         HKLM\SYSTEM\CurrentControlSet\Services\BFE\
         HKLM\SYSTEM\CurrentControlSet\Services\BITS\
         HKLM\SYSTEM\CurrentControlSet\Services\BrokerInfrastructure\
         HKLM\SYSTEM\CurrentControlSet\Services\Browser\
         HKLM\SYSTEM\CurrentControlSet\Services\BthHFSrv\
         HKLM\SYSTEM\CurrentControlSet\Services\bthserv\
         HKLM\SYSTEM\CurrentControlSet\Services\CDPSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\CertPropSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC\
         HKLM\SYSTEM\CurrentControlSet\Services\CoreMessagingRegistrar\
         HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
         HKLM\SYSTEM\CurrentControlSet\Services\DcpSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\defragsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationService\
         HKLM\SYSTEM\CurrentControlSet\Services\DeviceInstall\
         HKLM\SYSTEM\CurrentControlSet\Services\DevQueryBroker\
         HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\
         HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack\
         HKLM\SYSTEM\CurrentControlSet\Services\DmEnrollmentSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice\
         HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\
         HKLM\SYSTEM\CurrentControlSet\Services\DoSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\dot3svc\
         HKLM\SYSTEM\CurrentControlSet\Services\DPS\
         HKLM\SYSTEM\CurrentControlSet\Services\DsmSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\DsSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\Eaphost\
         HKLM\SYSTEM\CurrentControlSet\Services\embeddedmode\
         HKLM\SYSTEM\CurrentControlSet\Services\EntAppSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\EventLog\
         HKLM\SYSTEM\CurrentControlSet\Services\EventSystem\
         HKLM\SYSTEM\CurrentControlSet\Services\fdPHost\
         HKLM\SYSTEM\CurrentControlSet\Services\FDResPub\
         HKLM\SYSTEM\CurrentControlSet\Services\fhsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\FontCache\
         HKLM\SYSTEM\CurrentControlSet\Services\gpsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\hidserv\
         HKLM\SYSTEM\CurrentControlSet\Services\HomeGroupListener\
         HKLM\SYSTEM\CurrentControlSet\Services\HomeGroupProvider\
         HKLM\SYSTEM\CurrentControlSet\Services\icssvc\
         HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT\
         HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\KtmRm\
         HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\
         HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\
         HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager\
         HKLM\SYSTEM\CurrentControlSet\Services\lltdsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\lmhosts\
         HKLM\SYSTEM\CurrentControlSet\Services\LSM\
         HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker\
         HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\MSiSCSI\
         HKLM\SYSTEM\CurrentControlSet\Services\NcaSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\NcbService\
         HKLM\SYSTEM\CurrentControlSet\Services\NcdAutoSetup\
         HKLM\SYSTEM\CurrentControlSet\Services\Netman\
         HKLM\SYSTEM\CurrentControlSet\Services\netprofm\
         HKLM\SYSTEM\CurrentControlSet\Services\NetSetupSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\nsi\
         HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_Session2\
         HKLM\SYSTEM\CurrentControlSet\Services\p2pimsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\p2psvc\
         HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_Session2\
         HKLM\SYSTEM\CurrentControlSet\Services\pla\
         HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay\
         HKLM\SYSTEM\CurrentControlSet\Services\PNRPAutoReg\
         HKLM\SYSTEM\CurrentControlSet\Services\PNRPsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\
         HKLM\SYSTEM\CurrentControlSet\Services\Power\
         HKLM\SYSTEM\CurrentControlSet\Services\PrintNotify\
         HKLM\SYSTEM\CurrentControlSet\Services\ProfSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\QWAVE\
         HKLM\SYSTEM\CurrentControlSet\Services\RasAuto\
         HKLM\SYSTEM\CurrentControlSet\Services\RasMan\
         HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\
         HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\
         HKLM\SYSTEM\CurrentControlSet\Services\RetailDemo\
         HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper\
         HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\
         HKLM\SYSTEM\CurrentControlSet\Services\SCardSvr\
         HKLM\SYSTEM\CurrentControlSet\Services\ScDeviceEnum\
         HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
         HKLM\SYSTEM\CurrentControlSet\Services\SCPolicySvc\
         HKLM\SYSTEM\CurrentControlSet\Services\SDRSVC\
         HKLM\SYSTEM\CurrentControlSet\Services\seclogon\
         HKLM\SYSTEM\CurrentControlSet\Services\SENS\
         HKLM\SYSTEM\CurrentControlSet\Services\SensorService\
         HKLM\SYSTEM\CurrentControlSet\Services\SensrSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\SessionEnv\
         HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
         HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection\
         HKLM\SYSTEM\CurrentControlSet\Services\smphost\
         HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\
         HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV\
         HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\StateRepository\
         HKLM\SYSTEM\CurrentControlSet\Services\stisvc\
         HKLM\SYSTEM\CurrentControlSet\Services\StorSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\svsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\swprv\
         HKLM\SYSTEM\CurrentControlSet\Services\SysMain\
         HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker\
         HKLM\SYSTEM\CurrentControlSet\Services\TabletInputService\
         HKLM\SYSTEM\CurrentControlSet\Services\TapiSrv\
         HKLM\SYSTEM\CurrentControlSet\Services\TermService\
         HKLM\SYSTEM\CurrentControlSet\Services\Themes\
         HKLM\SYSTEM\CurrentControlSet\Services\tiledatamodelsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\TimeBroker\
         HKLM\SYSTEM\CurrentControlSet\Services\TrkWks\
         HKLM\SYSTEM\CurrentControlSet\Services\UmRdpService\
         HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_Session2\
         HKLM\SYSTEM\CurrentControlSet\Services\upnphost\
         HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_Session2\
         HKLM\SYSTEM\CurrentControlSet\Services\UserManager\
         HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\vmicguestinterface\
         HKLM\SYSTEM\CurrentControlSet\Services\vmicheartbeat\
         HKLM\SYSTEM\CurrentControlSet\Services\vmickvpexchange\
         HKLM\SYSTEM\CurrentControlSet\Services\vmicrdv\
         HKLM\SYSTEM\CurrentControlSet\Services\vmicshutdown\
         HKLM\SYSTEM\CurrentControlSet\Services\vmictimesync\
         HKLM\SYSTEM\CurrentControlSet\Services\vmicvmsession\
         HKLM\SYSTEM\CurrentControlSet\Services\vmicvss\
         HKLM\SYSTEM\CurrentControlSet\Services\W32Time\
         HKLM\SYSTEM\CurrentControlSet\Services\w3logsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\WalletService\
         HKLM\SYSTEM\CurrentControlSet\Services\WAS\
         HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc\
         HKLM\SYSTEM\CurrentControlSet\Services\Wcmsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\WcsPlugInService\
         HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost\
         HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost\
         HKLM\SYSTEM\CurrentControlSet\Services\WebClient\
         HKLM\SYSTEM\CurrentControlSet\Services\Wecsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\WEPHOSTSVC\
         HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport\
         HKLM\SYSTEM\CurrentControlSet\Services\WerSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\WiaRpc\
         HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\
         HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\
         HKLM\SYSTEM\CurrentControlSet\Services\WinRM\
         HKLM\SYSTEM\CurrentControlSet\Services\WlanSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\workfolderssvc\
         HKLM\SYSTEM\CurrentControlSet\Services\WPDBusEnum\
         HKLM\SYSTEM\CurrentControlSet\Services\WpnService\
         HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\WSService\
         HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
         HKLM\SYSTEM\CurrentControlSet\Services\wudfsvc\
         HKLM\SYSTEM\CurrentControlSet\Services\WwanSvc\
         HKLM\SYSTEM\CurrentControlSet\Services\XblAuthManager\
         HKLM\SYSTEM\CurrentControlSet\Services\XblGameSave\
         HKLM\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc\
      Network Ports
         0.0.0.0:135
         0.0.0.0:49409
         0.0.0.0:49410
 
and I used "sc queryex (nameofprocess)" for a few services, and their PID was listed and it matched the PID in HitmanPro.
 
It looks like a false positive, but I did a Malwarebytes scan just to be sure, and it did not find anything.

Edited by hamluis, 18 August 2015 - 11:21 AM.
PM sent new OP - Hamluis.

If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase
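The checks the original poster did by hand (signature, SHA-256, `sc queryex` to map PIDs to services, the listening ports in the HitmanPro log) can be run in one pass over every svchost.exe instance. The script below is an added example for this thread, not the poster's code or any product's output. It assumes Windows 8.1/10 or later with PowerShell 4+ (Get-CimInstance, Get-FileHash, Get-NetTCPConnection, and a catalog-aware Get-AuthenticodeSignature, which matters because Windows 10 system binaries are catalog-signed rather than carrying an embedded signature) and an elevated prompt so processes in other sessions are visible. `$KnownGood` is the SHA-256 from the log above and is only there for comparison; it is specific to that one build of svchost.exe and changes with every servicing update.

```powershell
# Added example (not from the thread): verify each running svchost.exe is the genuine
# Windows image and account for the services and listening ports it hosts.
# Assumes Windows 8.1/10+, PowerShell 4+, elevated prompt.
# $KnownGood is the SHA-256 copied from the HitmanPro log in this thread; comparison only.

$KnownGood  = '8A88E067E89D1DCFCAFD842C0CB7DE5DC7E6754447F2064A2BDF8496B088BD52'
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-SvchostImage {
    # Signature, hash and location checks for one image file on disk.
    # Get-AuthenticodeSignature validates against the Windows catalogs here, which is
    # why Status can be Valid even though the PE has no embedded signature.
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path        = $Path
        InSystemDir = ($SystemDirs -contains (Split-Path -Path $Path -Parent))
        SigStatus   = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        IsMicrosoft = ($sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        SHA256      = $hash
        MatchesLog  = ($hash -eq $KnownGood)
    }
}

$services   = Get-CimInstance -ClassName Win32_Service
$listen     = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
$imageCache = @{}   # one signature/hash check per distinct image path

$report = foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'") {
    $flags  = @()
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # Same cross-check as "sc queryex <service>": which services the SCM places in this PID.
    $hosted = @($services | Where-Object ProcessId -eq $p.ProcessId | Select-Object -ExpandProperty Name)
    $ports  = @($listen | Where-Object OwningProcess -eq $p.ProcessId |
                ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })

    $img = $null
    if ($p.ExecutablePath) {
        if (-not $imageCache.ContainsKey($p.ExecutablePath)) {
            $imageCache[$p.ExecutablePath] = Test-SvchostImage -Path $p.ExecutablePath
        }
        $img = $imageCache[$p.ExecutablePath]
        if (-not $img.InSystemDir) { $flags += "image outside System32/SysWOW64: $($img.Path)" }
        if (-not $img.IsMicrosoft) { $flags += "signature $($img.SigStatus) by '$($img.Signer)'" }
    } else {
        $flags += 'image path not readable (run elevated)'
    }

    # Genuine svchost is started by the Service Control Manager with a -k <group> argument.
    if ($parent.Name -ne 'services.exe') {
        $flags += "parent is '$($parent.Name)' (PID $($p.ParentProcessId)), expected services.exe"
    }
    if ($p.CommandLine -and $p.CommandLine -notmatch '(^|\s)-k\s') { $flags += 'no -k service group on command line' }
    if ($hosted.Count -eq 0) { $flags += 'no registered service maps to this PID' }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Services = ($hosted -join ',')
        Listen   = ($ports -join ' ')
        SHA256   = if ($img) { $img.SHA256.Substring(0, 12) + '...' } else { '' }
        Flags    = if ($flags) { $flags -join '; ' } else { 'ok' }
    }
}

$report | Sort-Object PID | Format-Table -AutoSize -Wrap

# Distinct images seen. Paste the full SHA-256 into the VirusTotal search box rather than
# uploading the file: a known Windows binary is looked up, not re-submitted.
$imageCache.Values | Format-List Path, SigStatus, Signer, SHA256, MatchesLog
```

A row is consistent with the log above when the image is in System32, the signature is Valid with a Microsoft subject, the parent is services.exe, and the Services column matches the service names HitmanPro listed under Startup; 0.0.0.0:135 belongs to the instance hosting RpcEptMapper/RpcSs, and the 494xx ports are dynamic RPC endpoints. A valid signature only proves the file on disk is Microsoft's; it says nothing about code injected into the process at run time, and the log's "hidden from view" line is a statement about HitmanPro's own scanner that this script can neither confirm nor refute. A svchost.exe that fails the parent, path or signature checks is the case worth escalating; the rest is the normal picture of a Windows 10 box.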


#2 cat1092
Posted 16 August 2015 - 03:05 AM

You may wish to download the Emsisoft Emergency Kit & run a Custom scan. This software will sniff out things that AV software & some AM software miss.

 

https://www.emsisoft.com/en/software/eek/

 

For your convenience, you can download & install this to a folder on a USB flash drive; that way you have it to scan other computers with. After the software downloads, extract it to a folder of your choice (if a USB drive); the default is fine if not. It's great to have to perform a monthly maintenance scan with. I extract it in my Documents, to a folder called EEK; that way I can update it & copy it to a flash drive if someone's computer needs a scan.

 

Once extracted & installed, click the shortcut provided, and it starts the process by updating. Once updated, you have your choice of scan. The Malware scan is shorter in time; the Custom is a deep scan. If selecting it, make sure to include all drives. What you can do is run the Malware scan & see what turns up in the places where malware often resides, then the Custom one. This can take a few hours (or more) on a drive with a lot of data. Regardless, if the Malware (about 10 minute) scan turns up anything, then surely you want to run the Custom (formerly known as the Deep scan) afterwards. Quarantine any threats found & follow any instructions given, usually a reboot, after either scan.

 

Cat


Edited by cat1092, 16 August 2015 - 03:06 AM.

Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#3 CKing123
Posted 16 August 2015 - 05:08 PM

I did the malware scan, and it found a toolbar (probably because I turned on find PUP)

 

I let it remove it


Edited by hamluis, 18 August 2015 - 11:15 AM.
Removed unnecessary quotebox - Hamluis.



#4 cat1092
Posted 17 August 2015 - 05:30 AM

Now that the Malware scan has found an issue, I suggest that you run a Custom scan; you should do this when you're not going to be using the computer for a long period of time.

 

Or at bedtime; a Custom scan may take 4 to 6 hours, depending on how many files you have on the drive. Make sure that in the Power settings it won't Sleep: change it to Never when on AC power & click OK to accept the changes. Quarantine everything it finds, like you did with the Malware scan.

 

Yes, toolbars are usually a sign of a PUP that your installed security didn't catch.

 

Cat




#5 CKing123
Posted 17 August 2015 - 11:45 AM

I will do a full scan during the night.




#6 CKing123
Posted 18 August 2015 - 10:05 AM

I did the full scan tonight, and it did not find anything.

 

Here's the log:

Emsisoft Emergency Kit - Version 10.0
Last update: 2015-08-16 9:50:46 AM
User account: STUDYPC\chira_000
 
Scan settings:
 
Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 2015-08-17 8:03:57 PM
 
Scanned 980487
Found 0
 
Scan end: 2015-08-18 6:06:27 AM
Scan time: 10:02:30
 
I checked Windows Defender, and it removed the toolbar way back, but it probably didn't completely remove it.

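The last post raises the usual question with a "removed" toolbar: the scanner deleted the files it knew about, but a browser add-on leaves registrations behind that a later PUP scan (like the EEK Malware scan in #3) still trips on. The script below is an added example for this thread, not code from the poster, Emsisoft or BleepingComputer. It enumerates the places a toolbar normally persists: Internet Explorer Browser Helper Objects and toolbar CLSIDs (resolved to the DLL they load, so dangling registrations show up too), Uninstall entries, Chrome extensions in the default profile plus anything force-installed through Chrome policy, and the Run keys and scheduled tasks that relaunch a toolbar's updater. It assumes Windows 8 or later with PowerShell 3+ and Chrome at its default profile path; `$Pattern` is a hypothetical match list and should be extended with whatever name the EEK report gave.

```powershell
# Added example (not from the thread): list what a removed browser toolbar usually leaves
# behind, so a "removed" PUP can be checked rather than assumed gone.
# Assumes Windows 8+, PowerShell 3+, Chrome default profile. $Pattern is a hypothetical
# match list; add the toolbar name from the EEK report.

$Pattern = 'toolbar|searchprotect|conduit|ask\.com'
$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($Where, $What, $Detail) {
    $hits.Add([pscustomobject]@{ Where = $Where; What = $What; Detail = $Detail })
}

function Resolve-Clsid($Clsid) {
    # Map a COM class ID to the DLL it loads; a BHO whose DLL is gone is still loaded
    # (and failed) by IE at every start, so report dangling entries as well.
    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $dll = (Get-ItemProperty -Path "Registry::$root\$Clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            if (Test-Path -LiteralPath $dll) { return $dll }
            return "$dll (missing on disk)"
        }
    }
    return '(no InprocServer32: dangling registration)'
}

# 1. IE Browser Helper Objects and toolbars, both 64-bit and Wow6432Node views.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    Get-ChildItem -Path $k -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'IE BHO' $_.PSChildName (Resolve-Clsid $_.PSChildName) }
}
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar') {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -like '{*}' } |
            ForEach-Object { Add-Hit 'IE Toolbar' $_.Name (Resolve-Clsid $_.Name) }
    }
}

# 2. Uninstall entries whose display name matches, including per-user installs.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    ForEach-Object { Add-Hit 'Uninstall entry' $_.DisplayName $_.UninstallString }

# 3. Chrome: extensions whose manifest name matches (names may be localized as
#    __MSG_*__, so the extension ID directory is reported too), and anything forced in
#    through policy, which is how toolbars reappear after the user removes them.
$extRoot = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
Get-ChildItem -Path "$extRoot\*\*\manifest.json" -ErrorAction SilentlyContinue | ForEach-Object {
    $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
    if ($m.name -match $Pattern) { Add-Hit 'Chrome extension' $m.name "id $($_.Directory.Parent.Name)" }
}
foreach ($k in 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
               'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist') {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        $p.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { Add-Hit 'Chrome forced extension' $_.Value 'policy: ExtensionInstallForcelist' }
    }
}

# 4. Autostarts that relaunch the toolbar's updater or re-install it.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                       'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $_.PSObject.Properties | Where-Object { "$($_.Value)" -match $Pattern } |
            ForEach-Object { Add-Hit 'Run key' $_.Name $_.Value }
    }
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions.Execute -join ' ') -match $Pattern } |
    ForEach-Object { Add-Hit 'Scheduled task' $_.TaskPath$_.TaskName ($_.Actions.Execute -join ' ') }

$hits | Sort-Object Where | Format-Table -AutoSize -Wrap
```

An empty table after the EEK Custom scan reported "Found 0" is the result that actually supports "completely removed"; a dangling BHO or a forced Chrome extension is the kind of leftover that a file-based scan will miss but a PUP detection keeps flagging, and those entries are safe to delete by hand once the DLL or extension they point to is gone.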
