Crimsoncricket

Was this a false positive?

Sometimes JRT Version: 8.0.9 (09.30.2016) will delete the following registry key:

HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{815BDD98-12E6-49EC-9F07-0D457FAE7A95}

I first noticed this on November 12.  I ran a few random test scans and this didn't reoccur until the 18th.  This hasn't happened again when I ran another test scan a few days ago.  I haven't been able to find much about that key online.  It might be some sort of Amazon-related preset, but I'm confused as to why it returned.  Is this a false positive or should I be more concerned about this?

16 hours ago, pondus said:

Remove “Ads by SearchScopes” virus (Easy Removal Guide)  >  https://malwaretips.com/blogs/ads-by-searchscopes-removal/

 

I had run what they suggested and was told I was clean both before and after JRT removed that key.  I did some more research online and it seems like "SearchScopes" isn't always malware according to https://technet.microsoft.com/en-us/library/cc721975(v=ws.10).aspx.  I wonder if this has anything to do with my having to reinstall Avast the day before I first noticed the issue.  It is possible I forgot to uncheck something during the process.  Did anyone else experiencing the issue do a similar reinstall beforehand?


Hi,

I don't consider this a false positive but I'd like to gather some more information as to why it keeps returning. Would you mind providing a couple of logs for me to analyze? If you don't mind, follow these steps:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach logs to your reply if possible. Otherwise you may copy/paste the logs directly if you have to. You can also send these to me via private message if you'd prefer.

Thanks!

1 hour ago, Crimsoncricket said:

I sent you the logs in a private message with the subject line "FRST logs."  I look forward to hearing what you have to say about them.

Got them, thanks. Responded.


What was the result of this research? I seem to be having the same trouble on multiple computers. Was there a false positive or was a cause of that registry entry determined?

On 4/20/2017 at 11:37 AM, street9009 said:

What was the result of this research? I seem to be having the same trouble on multiple computers. Was there a false positive or was a cause of that registry entry determined?

Hi, sorry for the delay

I wasn't able to find a conclusive answer online but I suspect it's a searchscope with an affiliate referral tracker between Amazon and Hewlett Packard (HP). I don't consider it a false positive and this detection remained in JRT. While not malicious, it's also not needed and was most likely pre-installed/bundled with certain models of HP computers.

Hope this helps. Let me know if you have any other questions

Regards

Edited by thisisu
