Adlice forum

Software feedback => RogueKiller => Topic started by: edsyl on January 31, 2015, 02:45:56 AM

Title: Initial Scan
Post by: edsyl on January 31, 2015, 02:45:56 AM

Hello, my first post.

I found your program by accident, very useful.

I have a question or two about the initial scan.

When it first starts up to do the initial scan it lists a lot of tasks/processes in the first tab that are RED.
They seem to me to be just regular Windows processes and the like and then it proceeds to kill a lot of them( do not know why) and eventually I am left with a black screen and the program window only.
Is this normal or just what should occur? It seems odd to me to list these apparent normal win7 processes as RED(malware)?

Can you explain what is going on?
I cannot give you a screen shot as my screen capture program as well as everything else, as I stated above, is killed.

Thanks in advance and for your efforts poured into this program.

Regards
ED

Title: Re: Initial Scan
Post by: edsyl on February 01, 2015, 05:23:39 PM

I thought I would try running the program on my desktop. In this case the initial scan has a couple of RED, one orange. But in this case my desktop and other programs are accessible and I could take the screen shot. In the laptop case I posted earlier, everything seems to be killed like the first two entries on the attached. I am very puzzled as to the different behavior between the two initial scans and why on the laptop all the 'normal processes' are killed but NOT in the desktop. Both are running win7 x64. I will also attached the report for the desktop as well for comment. I will go back and attach the scan report for the laptop as well, as I can generate that.
Regards
Ed

Title: Re: Initial Scan
Post by: edsyl on February 01, 2015, 06:04:07 PM

Ok I have attached the laptop initial scan screenshot and the report for comparison.
Any ideas as to why the laptop scan seems to detect all the normal Win7 processes and kills them?

Regards
Ed

Title: Re: Initial Scan
Post by: Curson on February 02, 2015, 04:48:07 PM

Hi edsyl,

Welcome to Adlice.com Forum.

The [Proc.Injected] detection could be triggered by two things : 

• A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
• Your antivirus injecting your processes to protect you (in theory).

To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following :

1. Process Dump

• Download Process Explorer (http://live.sysinternals.com/procexp.exe) and save it to your desktop.
  
• Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  
• Locate the process named smss.exe, right click select Create Dump > Create Full Dump...
  
• Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
• Share the link in your next reply.

We will analyse what is really injected, and whitelist if needed.

Regards.

Title: Re: Initial Scan
Post by: edsyl on February 03, 2015, 04:08:49 AM

Here is the link:

https://www.dropbox.com/s/f5mtt4xk8xsfq37/smss.rar?dl=0


I cannot seem to open this file i get an Visual Studio 2010 shell licence invalid message. Any idea why?

regards
Ed

Title: Re: Initial Scan
Post by: Curson on February 03, 2015, 02:13:12 PM

Hi edsyl,

I'm not sure about the error you encountered with Visual Studio. Maybe the license you own is not compatible with memory dump debugging ?
The process dump will be analysed and we will get back to you as soon as possible.

Regards.

Title: Re: Initial Scan
Post by: Curson on February 11, 2015, 09:00:28 PM

Hi edsyl,

The injection was nothing malicious. This will be fixed in the next release of RogueKiller.
Your computer is clean.

Regards.