Adlice forum

General Category => Malware removal help => Topic started by: simonik on August 13, 2016, 10:36:49 AM

Title: False detection?
Post by: simonik on August 13, 2016, 10:36:49 AM
Hello,
RogueKiller found the following, but another antivirus did not detect any problem.
In addition, I cannot find the file C:\Windows\System32\hasplms.exe in that directory.
I found it at c:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_75ae74b7b50926d5\hasplms.exe
Is the PC infected?

Thanks



RogueKiller V12.4.3.0 (x64) [Aug  8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operační systém : Windows 10 (10.0.10586) 64 bits version
Spuštěno : Normální režim
Uživatel : simonik_2 [Práva správce]
Started from : C:\utility\Utility z VIR\RogueKillerX64 z domu.exe
Mód : Prohledat -- Datum : 08/13/2016 10:21:54

¤¤¤ Procesy : 5 ¤¤¤
[Proc.RunPE] hasplms.exe(2268) -- C:\Windows\System32\hasplms.exe[7] -> Nalezeno
[Proc.Injected] WmiPrvSE.exe(5144) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Nalezeno
[Proc.Injected] AdobeARM.exe(7904) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[7] -> Nalezeno
[Proc.Injected] taskhostw.exe(8636) -- C:\Windows\System32\taskhostw.exe[7] -> Nalezeno
[Proc.Injected] notepad.exe(5988) -- C:\Windows\SysWOW64\notepad.exe[-] -> Nalezeno

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3757079080-4266798695-932415464-1011\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/  -> Nalezeno
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3757079080-4266798695-932415464-1011\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/  -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Nahrán) ¤¤¤

¤¤¤ Webové prohlížeče : 0 ¤¤¤

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 6400366593af68616017f5dd5e0ff0cd
[BSP] 1044049367a9c4e23ea1c3a20fe826e7 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 953067 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1952600064 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

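Added example, not from the thread and not Adlice's own code: a small Python parser for the process section of a RogueKiller log like the one above. It separates the Proc.RunPE hit from the Proc.Injected ones and flags any reported image path that is absent on disk, which is the discrepancy the poster noticed with hasplms.exe; the `exists` callable is a stand-in for `os.path.exists` on the affected machine, and the bracketed suffix (`[7]`, `[-]`) is kept verbatim because its meaning is not documented here.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample: the five "Procesy" lines quoted in the post above.
SAMPLE_LOG = r"""
[Proc.RunPE] hasplms.exe(2268) -- C:\Windows\System32\hasplms.exe[7] -> Nalezeno
[Proc.Injected] WmiPrvSE.exe(5144) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Nalezeno
[Proc.Injected] AdobeARM.exe(7904) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[7] -> Nalezeno
[Proc.Injected] taskhostw.exe(8636) -- C:\Windows\System32\taskhostw.exe[7] -> Nalezeno
[Proc.Injected] notepad.exe(5988) -- C:\Windows\SysWOW64\notepad.exe[-] -> Nalezeno
"""

# [Kind] image(pid) -- path[tag] -> status   (path may contain spaces and parentheses)
LINE_RE = re.compile(
    r"^\[(?P<kind>Proc\.\w+)\] (?P<image>\S+)\((?P<pid>\d+)\) -- "
    r"(?P<path>.+?)\[(?P<tag>[^\]]*)\] -> (?P<status>.+)$"
)


@dataclass(frozen=True)
class ProcessHit:
    kind: str    # Proc.RunPE or Proc.Injected
    image: str   # process image name
    pid: int
    path: str    # image path exactly as RogueKiller reported it
    tag: str     # bracketed suffix, kept verbatim (meaning not documented on the page)
    status: str  # e.g. "Nalezeno" (Czech UI: found)


def parse_process_section(text):
    """Return one ProcessHit per matching line; non-matching lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(ProcessHit(m["kind"], m["image"], int(m["pid"]),
                                   m["path"], m["tag"], m["status"]))
    return hits


def triage(hits, exists=os.path.exists):
    """Group hits for follow-up: RunPE vs. injection, plus any hit whose reported
    path is missing on disk, so a dump or hash check is aimed at the real file."""
    return {
        "runpe": [h for h in hits if h.kind == "Proc.RunPE"],
        "injected": [h for h in hits if h.kind == "Proc.Injected"],
        "path_missing": [h for h in hits if not exists(h.path)],
    }


if __name__ == "__main__":
    for group, items in triage(parse_process_section(SAMPLE_LOG)).items():
        print(group, [(h.image, h.pid) for h in items])
```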
Title: Re: False detection?
Post by: Curson on August 14, 2016, 11:26:51 AM
Hi simonik,

Welcome to Adlice.com Forum.
The [Proc.Injected] detection could be triggered by two things:
To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:
Please do the same with the process named hasplms.exe.
We will analyse what is really injected, and whitelist if needed.

Regards.
Title: Re: False detection?
Post by: simonik on August 15, 2016, 07:03:41 AM
Hello,
thank you for your answer. I cannot create a dump for hasplms - I created it, but its size is 0 B.

- About notepad.exe - I deleted it preventively. But it was not in memory as a process, it was only a file on the disk. I checked it on virustotal.com and the result was 0.
Title: Re: False detection?
Post by: Curson on August 18, 2016, 01:22:50 PM
Hi simonik,

You are welcome.
Could you please dump the process named WmiPrvSE.exe instead?

Regards.
Title: Re: False detection?
Post by: simonik on August 19, 2016, 09:28:18 AM
Hello,
I am sending you dump from my personal web.

http://www.petrsi.cz/RogueKiller/WmiPrvSE.zip
Title: Re: False detection?
Post by: Curson on August 19, 2016, 10:36:13 AM
Hi simonik,

I was not able to detect any injection in the process.
So, we can conclude this was a false positive.

Regards.