Adlice forum

Software feedback => RogueKiller => Topic started by: HackedPwned on April 20, 2016, 06:46:53 PM

Title: [Split]Proc.Injected
Post by: HackedPwned on April 20, 2016, 06:46:53 PM
Hello :)!

I think I have a false positive detection for the PRTG server process (Proc.Injected).
Please find below the log for the scan detection :).

Here (http://www.mediafire.com/download/42albq1br0abbdy/PRTG_Server.exe.dmp.7z) is the requested dump file, as shown on the front page :).

I think I have another false positive: drmk.sys (File.Forged). VirusTotal found no malicious modification.

Code:
RogueKiller V12.1.3.0 (x64) [Apr 18 2016] (Premium) par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 10 (10.0.10586) 64 bits version
Démarré en  : Mode normal
Utilisateur : HackedPwned [Administrateur]
Démarré depuis : I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe
Mode : Scan -- Date : 04/20/2016 17:01:13

¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] PRTG Server.exe(2776) -- C:\Program Files (x86)\PRTG Network Monitor\64 bit\PRTG Server.exe[x] -> Trouvé(e)

¤¤¤ Registre : 26 ¤¤¤
[Hj.Name] (X64) HKEY_USERS\RK_Default_ON_I_90E5\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [x] -> Trouvé(e)
[Hj.Name] (X86) HKEY_USERS\RK_Default_ON_I_90E5\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [x] -> Trouvé(e)
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\RK_home_ON_S_EF3D\Software\Microsoft\Internet Explorer\Main | Start Page : http://home.tb.ask.com/index.jhtml?n=7829E693&p2=^GR^mni000^YYA&ptb=8127F99C-A03B-438A-9DCF-906602EA39CC  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\RK_home_ON_S_EF3D\Software\Microsoft\Internet Explorer\Main | Start Page : http://home.tb.ask.com/index.jhtml?n=7829E693&p2=^GR^mni000^YYA&ptb=8127F99C-A03B-438A-9DCF-906602EA39CC  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Search Page : https://safesearch.avira.com/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Search Page : https://safesearch.avira.com/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_USERS\RK_HackedPwned_ON_I_B1B6\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_USERS\RK_HackedPwned_ON_I_B1B6\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{797f2ae7-8bcd-483a-b1b9-a1b0e8c2caef} | DhcpNameServer : 172.20.10.1 ([])  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{797f2ae7-8bcd-483a-b1b9-a1b0e8c2caef} | DhcpNameServer : 172.20.10.1 ([])  -> Trouvé(e)
[PUM.StartMenu] (X64) HKEY_USERS\RK_Administrateur_ON_I_FD0C\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X86) HKEY_USERS\RK_Administrateur_ON_I_FD0C\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 1 ¤¤¤
[File.Forged][Fichier] C:\Windows\System32\drivers\drmk.sys -> Trouvé(e)

¤¤¤ Fichier Hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) user32!GetAncestor : Unknown @ 0x7fff46a90028 (jmp 0xfffffffffaeccb68)

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 EVO 120G SCSI Disk Device +++++
--- User ---
[MBR] f75628e1770769cd2267b90a3f275402
[BSP] 54ee229f897f6b2938dc6e67657d6e2a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 102924 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG HD502HJ SCSI Disk Device +++++
--- User ---
[MBR] a93e8416daa214812d79b652c190449c
[BSP] df26c6a7183131d0eefab50d7b285b18 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WDC WD20EARS-00MVWB0 SCSI Disk Device +++++
--- User ---
[MBR] 1f2b74ea8cb7e33442085875b2cbef5c
[BSP] b2d2b4d3ad154532792d8e8d8e606a68 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 518605 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1062121408 | Size: 512000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2110700024 | Size: 512001 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 3159279616 | Size: 365111 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: ST1000DM 003-9YN162 USB Device +++++
--- User ---
[MBR] e83ba18959b82e6981de2c9b84d914a5
[BSP] df4007336cad0c923ee37fe0ba411fca : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )

Best regards :)!

HackedPwned
Title: Re: [Split]Proc.Injected
Post by: Curson on April 20, 2016, 08:01:55 PM
Hi HackedPwned,

Welcome to Adlice.com Forum. :)
Yes, this is indeed a false positive. We will fix this as soon as possible.

I advise you to delete these entries, they are known malware.
Quote
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Trouvé(e)

The forged file detection is bugging me.
Could you please attach the RogueKiller JSON report in your next reply and follow the following process?
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your next reply.

Regards.
Title: Re: [Split]Proc.Injected
Post by: HackedPwned on April 20, 2016, 11:23:53 PM
Quote from: Curson
Welcome to Adlice.com Forum. :)

Thank you :)!

Quote from: Curson
I advise you to delete these entries, they are known malware.

Quote
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Trouvé(e)
I had already done that after my first analysis ;)!

Quote from: Curson
Could you please attach the RogueKiller JSON report in your next reply and follow the following process?
[...]
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your next reply.
Of course ;)!

I forgot to mention that the scan systematically crashed the system each time the MSI Afterburner service was analyzed (complete freeze of the system --> hard reset).
So I had to quit Afterburner to start the analysis.

Thanks for your help ;)!

Cordially!
Title: Re: [Split]Proc.Injected
Post by: Curson on April 21, 2016, 01:05:31 PM
Hi HackedPwned,

I have taken the liberty of creating a new thread containing our posts, since further investigations are needed.
Did RogueKiller ask you to upload a file to VirusTotal during the scan?

Quote from: HackedPwned
I forgot to mention that the scan systematically crashed the system each time the MSI Afterburner service was analyzed (complete freeze of the system --> hard reset).
So I had to quit Afterburner to start the analysis.
Would you agree to help us troubleshoot this issue?

If so, please follow the following process:
1) Please restart the MSI Afterburner service and launch the Performance Monitor (Task Manager).
2) Download ProcDump (http://live.sysinternals.com/procdump.exe) and save it on your desktop.
3) Launch a command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x "I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe"
Do not close the command prompt!

4) RogueKiller will be launched. Please start a new scan and, using the Performance Monitor, check the amount of memory used by RogueKiller. When the system hangs, please wait a few minutes before hard resetting the computer.
5) A new file named RogueKiller.exe_<datetime>.dmp should have been created on your desktop. Please zip it, upload it to Google Drive/Dropbox and share the link here.

Did RogueKiller use all the available memory during the scan of the MSI Afterburner service?

Regards.
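The launch-and-dump procedure above, wrapped in a PowerShell function that performs the checks a practitioner would want before relying on it. This is an added example, not code from the thread or from Adlice or Sysinternals; the ProcDump, target and dump-folder paths are assumptions taken from the thread, and the flags (-e, -h, -ma, -accepteula, -x) are the ones the post uses.

```powershell
# Added example (not from the thread). Launches a target under ProcDump so that an
# unhandled exception (-e) or a hang (-h) produces a full memory dump (-ma).
function Invoke-ProcDumpLaunch {
    param(
        # Assumed paths, taken from the thread; adjust for your machine.
        [string]$ProcDump = "$env:USERPROFILE\Desktop\procdump.exe",
        [string]$Target   = "I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe",
        [string]$DumpDir  = "C:\test"
    )

    if (-not (Test-Path -LiteralPath $ProcDump -PathType Leaf)) {
        throw "ProcDump not found at $ProcDump"
    }
    if (-not (Test-Path -LiteralPath $Target -PathType Leaf)) {
        throw "Target executable not found at $Target"
    }
    # -x takes the dump folder BEFORE the image path. Without the folder ProcDump only
    # prints its usage text, which is what the first command in the thread did.
    if (-not (Test-Path -LiteralPath $DumpDir -PathType Container)) {
        New-Item -ItemType Directory -Path $DumpDir | Out-Null
    }

    # Snapshot existing dumps so we can tell which ones this run produced.
    $before = @(Get-ChildItem -LiteralPath $DumpDir -Filter '*.dmp' -ErrorAction SilentlyContinue)

    # -accepteula suppresses the licence prompt. ProcDump stays resident as the monitor
    # and returns when the target exits (or after writing the dump).
    & $ProcDump -e -h -ma -accepteula -x $DumpDir $Target
    $exit = $LASTEXITCODE

    $after = @(Get-ChildItem -LiteralPath $DumpDir -Filter '*.dmp' -ErrorAction SilentlyContinue)
    $new   = $after | Where-Object { $_.FullName -notin $before.FullName }

    [pscustomobject]@{
        ProcDumpExitCode = $exit
        NewDumps         = @($new | ForEach-Object FullName)
    }
}

# Usage, from an elevated PowerShell session:
# Invoke-ProcDumpLaunch | Format-List
```

A user-mode dump is only written if the target process itself faults or hangs; when the whole machine freezes, as later reported in this thread, ProcDump never gets to run and NewDumps stays empty.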
Title: Re: [Split]Proc.Injected
Post by: HackedPwned on April 22, 2016, 01:41:55 AM
Hello!

Sorry for this late answer, but I was not alerted that a new reply had been posted, because the topic was moved :).

Quote from: Curson
Did RogueKiller ask you to upload a file to VirusTotal during the scan?
Nope :)!

Quote from: Curson
Would you agree to help us troubleshoot this issue?
Yes, I want to :).

Quote from: Curson
If so, please follow the following process:.......
OK, the command does not seem right: it displays the "command / usage list" of procdump.
I read the manual, and it seems that the dump path is missing. So I modified the command to:

Code:
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x c:\test\ "I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe"
And RogueKiller launched :). But maybe my command isn't good, I don't know :(.

I launched the scan, and the system froze instantly when RogueKiller scanned the MSI Afterburner service, as expected.
Really instantly...
So no, the memory usage was fine until then...

I hard reset my PC, and I did not find any *.dmp file anywhere, either in the "test" folder or elsewhere.
I think the crash comes too suddenly to make a dump :/.

If you have suggestions... ;).
Title: Re: [Split]Proc.Injected
Post by: Curson on April 24, 2016, 11:25:47 PM
Hi HackedPwned,
Quote from: HackedPwned
Nope :)!
That will be the case in the next version of RogueKiller.

Quote from: HackedPwned
Yes, I want to :).
Many thanks. That is much appreciated. :)

Quote from: HackedPwned
OK, the command does not seem right: it displays the "command / usage list" of procdump.
I read the manual, and it seems that the dump path is missing.[...]
And RogueKiller launched :). But maybe my command isn't good, I don't know :(.
I'm really sorry about that. :(
Your command is perfectly correct.

Quote from: HackedPwned
I launched the scan, and the system froze instantly when RogueKiller scanned the MSI Afterburner service, as expected.
Really instantly...
So no, the memory usage was fine until then...
I hard reset my PC, and I did not find any *.dmp file anywhere, either in the "test" folder or elsewhere.
I think the crash comes too suddenly to make a dump :/.
Thanks for the information.
This is certainly the case.

Quote from: HackedPwned
If you have suggestions... ;).
That could be the case.
How much memory is installed on your computer?

Regards.
Title: Re: [Split]Proc.Injected
Post by: HackedPwned on April 25, 2016, 12:11:25 AM
Hi Curson, how are you :)?

Quote from: Curson
That will be the case in the next version of RogueKiller.
Good :)!

Quote from: Curson
Many thanks. That much appreciated. :)
You're welcome :)!

Quote from: Curson
How much memory is installed on your computer?
I have 16 GB of memory installed.
The pagefile setting is manually set to 2 GB :).

Best regards :)!
Title: Re: [Split]Proc.Injected
Post by: Curson on April 25, 2016, 04:23:25 PM
Hi HackedPwned,
Quote from: HackedPwned
how are you :)?
I'm fine. What about you? :)

A new version of RogueKiller has been released today.
Could you please update yours, redo a full scan (with the MSI service turned off) and attach the JSON report in your next reply?

Quote from: HackedPwned
I have 16 GB of memory installed.
The pagefile setting is manually set to 2 GB :).
Could you please give me the name and full path of the process displayed when the system hangs?

Regards.