Adlice forum
Software feedback => RogueKiller => Topic started by: Tigzy on November 14, 2014, 09:51:58 AM
-
Hello,
If you encounter this detection, this can mean several things:
- A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
- Your antivirus injecting your processes to protect you (in theory).
To know what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:
Let's say you have [Proc.Injected] some_process.exe -- C:/path_to_parent_some_process.exe
- Download Process Hacker: http://processhacker.sourceforge.net/downloads.php
- Install it, launch it
- Find the process above
- Right click on it => Create dump (on the desktop)
- Zip the file (winzip, winrar, 7zip)
- Host it anywhere you want (Google Drive, Dropbox, ...) Make sure it's public.
- Put the link here.
We will analyse what is really injected, and whitelist if needed.
-
And you might try booting into safe mode and running it.
-
Hi,
We have an infection with Proc.Injected in svchost.exe and explorer.exe.
RogueKiller only found something, but the processes came back at each logon.
https://drive.google.com/file/d/0B43o-k4ki3t4cVlUaUhrb0xraG8/view?usp=sharing
https://drive.google.com/file/d/0B43o-k4ki3t4ZFItYi13WE5LMlE/view?usp=sharing
I have the report too, if you need it, to see the Hook.IEAT in explorer.exe.
Best regards.
-
Hello
I'd like the report as well please :)
@Ourko, I don't have access to some memory segments, are you sure you took a full dump?
-
I redid the "Create dump file" from the exe, but as the administrator and not as a user with admin rights.
I attach 2 reports too.
Thanks.
https://drive.google.com/file/d/0B43o-k4ki3t4YjU1UGZOaXJkRW8/view?usp=sharing
https://drive.google.com/file/d/0B43o-k4ki3t4UUJSMkRvTmRzcjg/view?usp=sharing
https://drive.google.com/file/d/0B43o-k4ki3t4QkpFempNSW5BY1E/view?usp=sharing
https://drive.google.com/file/d/0B43o-k4ki3t4bmNfU3VZbkgyYnM/view?usp=sharing
PS: I just saw that we can speak French :-)
Should I open a thread for help with the "cleanup"?
-
Hi
RogueKiller has detected a Proc.injected infection in DVDFab.exe
I have created dump file and report is below.
Could this be checked if it is a real infection?
Thank you
https://drive.google.com/file/d/0B9TNFYkJVdqjOFZsdEpSU3hOWTA/view?usp=sharing
https://drive.google.com/file/d/0B9TNFYkJVdqjQXlVQ0ZIVWx5bTg/view?usp=sharing
-
Hi k9le,
Welcome to Adlice.com Forum.
The injection is not malicious. This will be fixed in the next release of RogueKiller.
Regards.
-
Hello,
Please advise if the injection in ekrn.exe (ESET Endpoint Antivirus) is malicious or not. The dump file is below.
https://dl.dropboxusercontent.com/u/2700674/ekrn.exe.zip
Thanks!
-
Hi zylicyde,
Welcome to Adlice.com Forum.
The injection is not malicious. This will be fixed in the next release of RogueKiller.
Regards.
-
hello
My computer is infected with Proc.Injected.
Every time I reboot my computer, they come back on almost all the frequently used processes.
The shared folder contains the RogueKiller report and the explorer.exe dump.
https://drive.google.com/open?id=0Bx3bbqeWRXLYflVyMklkUzhXZTFrZFFCZmpFQkE4cVFzNFNvd0lRMlNOdnBVdGR0M3Y4TW8
-
Hi dimitri33,
Welcome to Adlice.com Forum.
The dump you provided will be analyzed as soon as possible. I will keep you informed of the results.
Regards.
-
Thanks "curson", I am waiting.
Can you give me a short explanation about Proc.Injected... does that mean I am under a hacker's control? How could they do that, by a file or an open port?
I want to trace the hacker if it's possible.
Thanks
-
Hi dimitri33,
The [Proc.Injected] detection means that the specified process's running context has been altered in such a way that the process could execute external code.
It is frequently used by antivirus software for protection purposes.
At first sight, the injection on your computer doesn't seem to be malware related. Please be patient.
Regards.
-
Hi dimitri33,
The injection on your system is caused by SpyShelter Anti-Keylogger.
We will whitelist it as soon as possible.
Regards.
-
Thanks curson.
That means I am not hacked by someone?
Is there a way to be sure of that?
What is the best way to detect if someone spies on me or has access to my computer?
Do you propose any training or courses in this forum or by videos?
-
Hi dimitri33,
You are welcome.
That means I am not hacked by someone?
Is there a way to be sure of that?
As far as I can tell, your computer is not infected, so you are not hacked.
What is the best way to detect if someone spies on me or has access to my computer?
Do you propose any training or courses in this forum or by videos?
If you are interested in malware detection and removal, I suggest you join a UNITE (http://uniteagainstmalware.com/) training facility.
Regards.
-
Hi -- RK keeps killing my Dropbox.exe, saying it's a Proc.Injected.
Dump file:
https://www.dropbox.com/s/inlog1yu1go7rs3/Dropbox.exe.dmp.zip?dl=0
Thanks!
-
Hi bblack,
Welcome to Adlice.com Forum.
This detection is a false positive and will be fixed in RogueKiller next release.
Regards.
-
Hi there, I had myself one of those as well. It comes up every time I open the Windows 10 weather app. It must be somewhat new, as it certainly didn't happen when it still was warm.
Here is the required dump file https://drive.google.com/open?id=0B4-omLg910cWQ00ybGI0a1lkZ0U
Is that something I should be worried about ?
Thanks a lot in advance
-
Hi coldi,
Could you please post a report displaying the injection ?
Regards.
-
Thanks a lot for looking into it, of course I'll add it here. Is that log working? It looks really strange.
Okay probably should have opened it with a proper editor ^
-
Hi coldi,
The injection is legit.
This will be fixed in the next version of RogueKiller.
Regards.
-
That's good to hear, thanks a lot, and I thought I had caught something during that problem on imgur.
-
Hi coldi,
You are very welcome.
Regards.
-
Hi there, I found myself another one of those while testing out the beta version; this time it's SkypeHost.exe.
Thought I might report it again, hopefully it's another "false positive".
https://drive.google.com/open?id=0B4-omLg910cWbWh3alZYSTR1Mmc
Best regards
-
Hi coldi,
Thanks for your feedback.
The injection is indeed legit. This will be fixed in RogueKiller next release.
Regards.
-
Ah, a bit late, but thanks a lot again for checking. I guessed the app was fine.
-
Hi coldi,
You are very welcome.
Regards.
-
Hello. Roguekiller says I have a ton of proc.injected files, even antivirus. I didn't dump all of the files because it's nearly 150. Here is the archive - https://mega.nz/#!51MFRKRb!AZQEv1NQmR3kcCN5OTYFR1PbkBPHhx5rboRpJxYtuCQ
-
Hi Driver,
Welcome to Adlice.com Forum.
Could you please attach RogueKiller full report in your next reply ?
Regards.
-
Here is the log.
-
Hi Driver,
You are using an outdated version of RogueKiller.
Could you please download the latest version, redo a scan and attach the generated report in your next reply ?
Regards.
-
New log.
-
Hi Driver,
The injection is caused by Crypto-Pro, which is legit.
We will whitelist it as soon as possible.
Do you know the following files :
C:\Users\Moa\AppData\Roaming\javaupd.exe
C:\Users\Moa\AppData\Local\Temp\agpiikow.sys
C:\Program Files (x86)\mIRC\mirc.exe
If not, I advise you to open a new thread in the Malware Removal (http://forum.adlice.com/index.php?board=5.0) section of the forum.
Regards.
-
I see, thanks.
Yes, I know these files, except agpiikow.sys, but it's not present in my system anymore.
-
Hi Driver,
You are welcome.
Thanks for the feedback.
Regards.
-
Hello.
Roguekiller is reporting Proc.Injected for Clipmate.exe. Should I be concerned?
Link to zip containing dmp and log: https://www.dropbox.com/s/p74pwptzffr37gz/ClipMate.dmp.zip?dl=0
Thank you.
-
Hi DaggerDave,
Welcome to Adlice.com Forum.
Could you please copy/paste RogueKiller full report as well ?
Regards.
-
Hi Curson,
Thanks for your help.
Here are the contents of the text export of the report. I am not sure whether the .json export of the report that I included in the zip archive might provide you with more details.
RogueKiller V12.1.1.0 (x64) [Apr 4 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : F:\Users\David\Downloads\Programs\RogueKillerX64.exe
Mode : Scan -- Date : 04/08/2016 10:03:13
¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] ClipMate.exe(10364) -- O:\Program Files (x86)\ClipMate7\ClipMate.exe
¤¤¤ Registry : 18 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AppSafe -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\ExpressFiles -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Lightspark Team -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\PIP -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WUDFRd (\SystemRoot\system32\DRIVERS\WUDFRd.sys) -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-960806728-1607608830-987004840-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy-nl.privateinternetaccess.com -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-960806728-1607608830-987004840-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy-nl.privateinternetaccess.com -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{36939f71-5de6-4be9-bbcb-7353241f72c7} | DhcpNameServer : 172.27.35.1 ([X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8d862535-ff56-4dcc-adf7-e596795860d4} | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b0b3febb-ac5c-4c9f-afe2-b1f3b287dce8} | NameServer : 162.248.221.182,70.38.99.32 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{df46461e-aaf3-4a0a-9a83-4ac6d1f4caea} | NameServer : 162.248.221.182,70.38.99.32 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{36939f71-5de6-4be9-bbcb-7353241f72c7} | DhcpNameServer : 172.27.35.1 ([X]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8d862535-ff56-4dcc-adf7-e596795860d4} | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b0b3febb-ac5c-4c9f-afe2-b1f3b287dce8} | NameServer : 162.248.221.182,70.38.99.32 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{df46461e-aaf3-4a0a-9a83-4ac6d1f4caea} | NameServer : 162.248.221.182,70.38.99.32 ([X][-]) -> Found
¤¤¤ Tasks : 3 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\AppCloudUpdater.job -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \AppCloudUpdater -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \DelayedItemsByChemtableSoftware\Send to OneNote -- "C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk" (/tsr) -> Found
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 7 ¤¤¤
[PUP][CHROME:Addon] Default : EditThisCookie [fngmhnnpilhplaeedifhccceomclgfbg] -> Found
[PUP][CHROME:Addon] Default : Chromium browser automation [jmbmjnojfkcohdpkpjmeeijckfbebbon] -> Found
[PUP][CHROME:Addon] Default : Awesome Dictionary Widget [ANTP] [kdigjjbkpjljoknifbgaijaemafihhga] -> Found
[PUP][CHROME:Addon] Default : Awesome New Tab Page [mgmiemnjjchgkmgbeljfocdjjnpjnmcg] -> Found
[PUP][CHROME:Addon] Default : Click&Clean App [pdabfienifkbhoihedcgeogidfmibmhp] -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http", "209.240.134.74"); -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http_port", 80); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 +++++
--- User ---
[MBR] a7e800f69b4cb2500665500759a0a577
[BSP] e897dd8278912e0e2e18aad99cb66889 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 16065 | Size: 664124 MB
1 - Basic data partition | Offset (sectors): 1360143288 | Size: 404833 MB
2 - Basic data partition | Offset (sectors): 2189241810 | Size: 1136700 MB
3 - Basic data partition | Offset (sectors): 4517204902 | Size: 142310 MB
4 - Basic data partition | Offset (sectors): 4808656896 | Size: 513608 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: WDC WD40E31X-00HY4A0 +++++
--- User ---
[MBR] 29c4d127450b4c0343ff25ed8f29e666
[BSP] 5d38ebc157718a81a78a39db4bd81b69 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 1883100 MB
2 - Basic data partition | Offset (sectors): 3856855040 | Size: 1668139 MB
3 - Basic data partition | Offset (sectors): 7273205760 | Size: 264075 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: ST3000DM001-1CH166 +++++
--- User ---
[MBR] 9e3cc1b6227003de1a2076ae3c805e83
[BSP] dd84239348de550d8f702fb1123363d6 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 228585 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive3: ADATA SX900 +++++
--- User ---
[MBR] e3854da19d52a76bcb4108a8de60e198
[BSP] 1535218b785a463a7343d6643ab38b68 : Empty|VT.Unknown MBR Code
Partition table:
0 - | Offset (sectors): 40 | Size: 244198 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive5: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive6: Generic- SM/xD Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive7: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive8: TRUSTED Mass Storage USB Device +++++
--- User ---
[MBR] 1bb36fb0db2124e6ef43a147496e1e5d
[BSP] 6bb52253c0292faa1444fc34eb5cf779 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - DROBO GPT PARTITION | Offset (sectors): 40 | Size: 16777088 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive9: Microsoft Virtual Disk +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 102270 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
-
Hi DaggerDave,
The injection is a false positive. We will whitelist it as soon as possible.
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http", "209.240.134.74"); -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http_port", 80); -> Found
Did you set this proxy yourself ? If not, you can delete these entries.
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AppSafe -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\ExpressFiles -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Lightspark Team -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\PIP -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Found
[Suspicious.Path] %WINDIR%\Tasks\AppCloudUpdater.job -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \AppCloudUpdater -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
Those entries are PUPs. I advise you to delete them.
Regards.
-
Hi Tigzy, I have zipped .dmp file from ProcessHacker regarding my repeated Proc.Injected detections by Rogue Killer here is link:
http://www.filedropper.com/processhackerexe
Looking forward to your analysis.
Here is report from most recent RK scan ( no longer detects the Proc.Injected processes )
RogueKiller V12.8.0.0 (x64) [Nov 7 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Client [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 11/07/2016 21:01:16 (Duration : 00:22:47)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f5360646-7351-40e3-9350-ddd70472812e} | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-]) -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A SCSI Disk Device +++++
--- User ---
[MBR] aa4fbfb426fcf5267b120e2e5d8e11d8
[BSP] 143fdc32b0aa50c7e931aecb7d91ff29 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 927815 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1900167168 | Size: 450 MB
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 1901090816 | Size: 25599 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: WDC WD3202ABYS-01B7A0 +++++
--- User ---
[MBR] 96c730a9420de6f531c48a026eb3890c
[BSP] 6a4cdbb4432ea14b8cbaef9136369d0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 304207 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Best regards
DD
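The two RogueKiller text reports quoted in this thread (DaggerDave's and planetboris's) share one line format: a `¤¤¤ Section : count ¤¤¤` header, then one entry per line of the shape `[Tag|Tag] detail -> Status`, with Proc.Injected entries written as `image(pid) -- path`. The parser below is an added example, not code from Adlice or RogueKiller; it reads that format so the entries that matter for triage (injected processes, DNS servers set by a PUM.Dns entry, counts per tag) can be pulled out of a pasted report instead of being read by eye. The sample report is constructed for this example, with values adapted from the reports above and documentation addresses (192.0.2.x) in place of real ones.

```python
import re
from collections import Counter

# Constructed sample in the shape RogueKiller prints (values adapted from the
# reports quoted in this thread; IPs are RFC 5737 documentation addresses).
SAMPLE_REPORT = r"""
RogueKiller V12.1.1.0 (x64) [Apr 4 2016] (Free) by Adlice Software
Operating System : Windows 10 (10.0.10586) 64 bits version
Mode : Scan -- Date : 04/08/2016 10:03:13
¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] ClipMate.exe(10364) -- O:\Program Files (x86)\ClipMate7\ClipMate.exe
[Proc.Injected|Proc.RunPE] Wow-64.exe(4756) -- C:\Program Files (x86)\World of Warcraft\Wow-64.exe[7] -> Found
¤¤¤ Registry : 3 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AppSafe -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.example.test -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.0.2.10 192.0.2.11 ([X][-]) -> Found
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \AppCloudUpdater -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
¤¤¤ Files : 0 ¤¤¤
"""

# Section header: "¤¤¤ Processes : 1 ¤¤¤" (the count is absent for "MBR Check").
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d+)?")
# Entry: "[Tag|Tag] detail" optionally followed by " -> Found" / " -> Deleted".
ENTRY_RE = re.compile(r"^\[(?P<tags>[^\]]+)\]\s*(?P<body>.*?)(?: -> (?P<status>\w+))?$")
# Process entry detail: "image(pid) -- path", sometimes with a trailing "[n]".
PROC_RE = re.compile(r"^(?P<image>[^()]+)\((?P<pid>\d+)\) -- (?P<path>.+?)(?:\[\d+\])?$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_report(text):
    """Parse a RogueKiller text report into a list of entry dicts.

    Each entry records the section it sits under, the tag list from the
    leading [A|B] bracket, the remaining detail text and the trailing status
    (None when the line carries none, as Proc.Injected lines often do).
    """
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            entries.append({
                "section": section,
                "tags": entry.group("tags").split("|"),
                "detail": entry.group("body").strip(),
                "status": entry.group("status"),
            })
    return entries


def injected_processes(entries):
    """Return (image, pid, path, tags) for every entry tagged Proc.Injected."""
    found = []
    for e in entries:
        if "Proc.Injected" not in e["tags"]:
            continue
        m = PROC_RE.match(e["detail"])
        if m:
            found.append((m.group("image"), int(m.group("pid")), m.group("path"), e["tags"]))
    return found


def dns_servers(entries):
    """Collect every IPv4 address named by a PUM.Dns entry, deduplicated and sorted."""
    addrs = set()
    for e in entries:
        if "PUM.Dns" in e["tags"]:
            addrs.update(IPV4_RE.findall(e["detail"]))
    return sorted(addrs)


def tag_counts(entries):
    """Count how often each tag appears, e.g. {'PUP': 1, 'Proc.Injected': 2}."""
    return Counter(tag for e in entries for tag in e["tags"])


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("tags:", dict(tag_counts(parsed)))
    for image, pid, path, tags in injected_processes(parsed):
        print(f"injected: {image} (pid {pid}) at {path} [{'|'.join(tags)}]")
    print("DNS servers to verify:", dns_servers(parsed))
```

The injected-process list is the piece to act on first: each (image, path) pair is what the thread asks posters to dump with Process Hacker, and the extra `Proc.RunPE` tag on an entry is worth noting separately from plain `Proc.Injected` when reading the report. The DNS list exists because PUM.Dns entries are only meaningful once you know whether the addresses are your ISP's or VPN's resolvers, as Curson's replies above point out.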
-
Hi planetboris,
Welcome to Adlice.com Forum.
Since the [Proc.Injected] element is no longer detected in the latest version of RogueKiller, that means it was a false positive which is now fixed.
Don't hesitate to post a new log if the detection shows up again.
Regards.
-
I hope I did this right. Dump is massive - sorry. I can just put it up. However, I "zipped it" because it was so big
https://drive.google.com/file/d/0B_nYg3QQRwsDaW1oeEozSm1RMGM/view?usp=sharing
From RKlogue: ¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected|Proc.RunPE] Wow-64.exe(4756) -- C:\Program Files (x86)\World of Warcraft\Wow-64.exe[7] -> Found
System: Win 10 x64; 8 MB Ram
I've had a problem with my computer as a whole, I just posted in another thread. It runs sluggish/slow - like something is eating resources. It is random, though over the last 6+ months more frequent. I am 50% confident this problem is magnified (more common) when I run the above game. The task manager disk usage goes up to 100% when I load a new process/program and "hangs"/stays there like something is going on - but it is not, all I am doing is playing a game, working or on the net. While playing the above game the disk usage frequently spikes too (it happens with WoW more frequently; when initially loaded or during play). I contacted Microsoft directly as this 100% disk usage is a known issue. One of their technicians "took over" my computer for about an hour. They said the hardware was fine. The MS tech assured me the problem was fixed. It still exists. My computer is essentially useless when this happens and it is happening fairly frequently. My computer is lagging, just like something else is using it too. I do not know if these 2 issues are correlated. Though, I am confident the problem is more frequent when playing this game.
I know on this site, they talk about injections: http://www.blizzhackers.cc
If the two are not related RKs finding & the computer running slow, I still need help. My computer after a long time is becoming unusable. Not sure what to
-
Hi BrokenPerson,
Thanks for your feedback.
Let's continue on your thread.
Regards.
-
Hey,
Roguekiller is giving a Proc.Injection for 3 processes Regasm, vbc.exe and notepad.exe
in this google drive you can find all 3 dumps created with processhacker. https://drive.google.com/drive/folders/1xg5bB5N04wjLh7kL2QVZJeDmUbSrnWd_
Thanks alot
-
Hi BoxDirty,
Welcome to Adlice.com Forum.
Could you please attach RogueKiller report ? Are you doing active development on your computer (VB or C#, especially) ?
Regards.
-
Hey Curson,
Thanks alot and I uploaded the rogue killer report into the same google drive link. https://drive.google.com/drive/folders/1xg5bB5N04wjLh7kL2QVZJeDmUbSrnWd_
I wasn't sure what you wanted exactly, so I added anything I could :D and no, no development is being done on that computer.
-
Hi BoxDirty,
These are not legit injections. Your computer is infected.
Please open a new thread in the Malware removal (https://forum.adlice.com/index.php?board=5.0) section of the forum. I will then help you to get rid of it.
Regards.
-
Hi tienchien1,
Welcome to Adlice.com Forum.
Could you please attach RogueKiller report with your next reply ?
Regards.
-
Hi tienchien1,
PUM detections are not necessarily malicious. Here, they match the MSN search engine and so are legit.
The [Proc.Injected] detection is not present in your report. Could you please restart your computer, redo a scan and post the report with your next reply ?
Regards.
-
Hi tienchien1,
The injected executable is the Battlefield 1 main executable. Since it's a very large file, it will be difficult.
Did you install any mod or hacking software ? If that's not the case, I think it's Origin anticheat feature being detected.
Regards.
-
Hi tienchien1,
Yes, if it's an infection a full system reformat will get rid of it.
However, since this is the only injected process, I really doubt there is an infection.
Regards.
-
https://www.dropbox.com/s/xgli7yradirjh2p/rundll32.exe.7z?dl=0
https://www.dropbox.com/s/b4hwub0cn6mtxk4/rundll32.exe1.7z?dl=0
https://www.dropbox.com/s/52txx407m3deq7u/rundll32.exe2.7z?dl=0
Screenshot: https://www.dropbox.com/s/slzted9yavafryd/Screenshot%202018-03-05%2002.08.24.png?dl=0
Report: https://www.dropbox.com/s/iwdiptckdcnyovn/report.html?dl=0
-
Hi Booky Banton,
Welcome to Adlice.com Forum.
These injections are legit, we will whitelist them as soon as possible.
Regards.
-
Hi!
Today I ran a scan with Roguekiller and it found explorer.exe as Proc.Infected.
I'm giving links to the RogueKiller log and the explorer.exe dmp file. Kindly analyse it asap and let me know.
https://www.sendspace.com/file/0lc8zj
https://www.sendspace.com/file/py4l6w
Regards,
Siddharth
-
Hi Siddharth,
Welcome to Adlice.com Forum.
Could you please relaunch RogueKiller, delete the [Adw.Butler] and [Adw.FastDataX] entries, then reboot your computer and check if explorer.exe is still injected ?
Regards.
-
After rebooting, I ran a scan with RogueKiller and it did not detect explorer as Proc.Injected. So can you tell whether removing the other entries can remove Proc.Injected ?
-
Hi Siddharth,
In this case, Adw.Butler implemented a driver which was responsible for the injection on explorer.exe.
Since RogueKiller removed the driver, explorer.exe is no longer injected.
Regards.
-
NEW UPDATES: Regarding the Warning/Virus: [Proc.Injected] within [svchost.exe] File!
(https://i.imgur.com/m8Ru9C5.png)
This is a re-edited Topic. I created a Topic earlier and needed help regarding this type of Virus. I was not sure if my Computer was Infected or not....
Hello Everyone. I was finally able to get rid of the Virus/Warning [Proc.Injected] within [svchost.exe] File by Replacing the Windows System Files with a fresh set of files from My Windows Installations CD. Incase someone else had the same problem, then this is how I fixed mine.
Please know that I DO NOT recommend using this method. Mainly because your Windows might fail to Restart, As mine did. There are probably better ways to replace your Windows System Files. In my case I had no other choice.
1. So based on the main topic, I used "Process Hacker" Software to detect the Process above the Infected filename svchost.exe. Such as:
- The Process above the infected svchost.exe file was called services.exe
- And the Process above services.exe was called: wininit.exe
I suspected that one of the the following files seen below were causing the Infection:
C:\Windows\System32\wininit.exe
C:\Windows\System32\services.exe
C:\Windows\System32\svchost.exe
2. I basically replaced all 3 files using a fresh set from my Windows Installation CD, and through the Command Line. But this did not come easy. After Replacing the files, My Windows failed to restart.
3. I had to use the Windows "Startup Repair" Option from the Installations CD. After the Repair was Complete my windows started totally fine.
4. I then ran a Final Scan using "RogueKiller". And finally the "Proc.Injected" svchost.exe virus was completely gone.
I really hope that this could help someone else. But as I mentioned above. Please DO NOT attempt using this method for Replacing your Windows System Files. Please use a different way. Thank you.
Ps, I wanna send a huge thanks to the Adlice Team for their hard work and support within the forums. If it wasn't for this Topic and RogueKiller. I probably had been infected for very long time. So Thank you again!
-
Hi Miklo,
Welcome to Adlice.com Forum and thanks for your extended feedback.
There was indeed an odd injection into svchost.exe. The method you used to get rid of it is quite convoluted, but thanks to your detailed explanations, I'm sure it can benefit some users.
Using the dumps you gave us, we will be able to analyse the injection in depth.
Also, thanks for the kind words, this is appreciated.
Regards.
-
Thank you so much. I really thought you guys were busy. As a forum owner I know how it goes. I had plans on doing a full Tutorial. But I know that it can be confusing. So I literally had to edit this topic 50 times lol :D.
I am pleased to know that you checked the files I had included. But yeah, finally it's gone. I will definitely be back and maybe post some Tutorials. Once again thank you for the kind welcome.
As a Part time Software Developer and forum Owner I know how hard it is to keep up with the Forum and the Software Updates. I literally Stopped Updating my old Programs.
I hope I can participate some more in the forums. Again a huge thanks!
-
Hi Miklo,
You are very welcome.
Thanks for your dedication on the tutorial.
I hope you will enjoy your stay on Adlice forum.
Regards.
-
Thank you very much Curson. Also keep up the awesome support! I know moderating forums is not an easy task. I am currently moderating and administrating around 5-6 forums online, besides my own forum. So cheers on your work!
-
Hi Miklo,
You are very welcome again.
Regards.
-
Hmm, this is informative