Show Posts



Messages - tch

Pages: [1]
RogueKiller / Re: ===> False Positives <===
« on: December 14, 2017, 04:08:38 AM »
Hi. This Windows 7 PC presents no performance or usage issues, but MsMpEng.exe is showing as high risk. I am 99% certain this is simply a false positive, like the Malwarebytes false positive earlier in this thread, though I would greatly appreciate confirmation. I will provide some details of what I have done, and after that will follow the RK text file.

If all you need is the text file then you can simply proceed to it and do not need to read anything I have written below!  :)  It is all simply details surrounding this which you may not need.

The RogueKiller version I am using is "12.11.28.0 (up to date)", I have tried portable and non-portable modes.  The MsMpEng.exe (definition is 1.259.284.0 from 12/13/2017) shows as such within RogueKiller:

Detection: Root.Wajam | Adw.Elex
Type: Process
Path: [6380] MsMpEng.exe, c:\Program Files\Microsoft Security Client\MsMpEng.exe
(yes, the 6380 above is the proper MSE PID, or at least it's the PID of that specific file.)

I uploaded the copy of MsMpEng.exe to VirusTotal and it was found very clean.

Uninstalling and reinstalling MSE seemed to resolve this entry.  However, once I had re-downloaded the definitions for MSE, and then re-scanned with RogueKiller, the entry returned to RogueKiller.

I ran RKill, TDSS Killer (with verify digital signatures and also detect TDLFS), Malwarebytes, Malwarebytes Anti-Rootkit, AdwCleaner and System File Checker (sfc /scannow), all of which found various PUPs but nothing serious that I could tell.

I tried also removing the process via RogueKiller, and this resulted in the MsMpEng.exe process being successfully killed.  MSE immediately threw up a message asking me to reactivate it.

I tested this on a different PC and the behavior was the same: without definitions MsMpEng.exe scanned fine, and with definitions it scanned dirty. On Windows 10 it appears not to occur, for what it is worth.


Here is the text file showing the MsMpEng.exe detection, any verification you can provide will be very much appreciated!


RogueKiller V12.11.28.0 (x64) [Dec 11 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : tch [Administrator]
Started from : C:\Users\tch\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/13/2017 19:17:08 (Duration : 00:13:24)

¤¤¤ Processes : 1 ¤¤¤
[Root.Wajam|Adw.Elex] MsMpEng.exe(6380) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe[7] -> Found


¤¤¤ Registry : 10 ¤¤¤
[PUP] (X64) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --appletID=CCM_UI --workflow=CCM_workflow_launch --appletVersion=1.0 --mode=LBS --helperBridgeName={6D0FD104-A851-485A-813C-2090DC17FF87} --lbsWorkflowID={BC7B50A6-7824-4B06-A8C7-5E72FB2DC34A} --lbsInstallerWorkflowID={37D3BAE5-E140-4F2C-8805-9B2B87E0914B} --userGuid= /RestartByRestartManager:B5757D87-38D0-4d1e-BECC-8B5A6D1DD94B
  • -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe --appletID=CCM_UI --workflow=CCM_workflow_launch --appletVersion=1.0 --mode=LBS --helperBridgeName={6D0FD104-A851-485A-813C-2090DC17FF87} --lbsWorkflowID={BC7B50A6-7824-4B06-A8C7-5E72FB2DC34A} --lbsInstallerWorkflowID={37D3BAE5-E140-4F2C-8805-9B2B87E0914B} --userGuid= /RestartByRestartManager:B5757D87-38D0-4d1e-BECC-8B5A6D1DD94B
  • -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{50FE4215-80B5-46E0-BD24-9105019A6FF4} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F738259E-C6E0-414D-A129-E6EE5C8B6C3A} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{50FE4215-80B5-46E0-BD24-9105019A6FF4} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F738259E-C6E0-414D-A129-E6EE5C8B6C3A} | DhcpNameServer : 10.0.1.2 208.67.222.222 10.0.1.3 ([][-][])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3702010971-1532561053-2380342961-1670\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hj.Shortcut][File] C:\Users\tch\Desktop\TimeStar PUNCH.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe https://www.timestaronline.com/site/clock.php -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ADATA XM11 256GB-V2 ATA Device +++++
--- User ---
[MBR] b7e62e8b0434274887588696af470fc6
[BSP] 647fd931d64e61570068ccad787e4ddb : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 130 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 270336 | Size: 244061 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
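The following PowerShell script is an added example, not part of tch's post and not RogueKiller's code. It performs the checks a defender would want before accepting a process detection like the one above as a false positive: confirm that the reported PID still maps to the reported image path, confirm that the file on disk carries a valid Authenticode signature chaining to a trusted root with a Microsoft signer, and record the SHA-256 hash so it can be compared with a VirusTotal lookup. The PID 6380 and the path are the values from the report above and are assumed for illustration; on another machine they will differ.

```powershell
# Added triage example; not from the original post or from RogueKiller.
# Verifies a process flagged by a scanner before deciding it is a false positive.
# PID and path below are taken from the report above; adjust for your own machine.
$ReportedPid  = 6380
$ReportedPath = 'C:\Program Files\Microsoft Security Client\MsMpEng.exe'

# 1. Does the reported PID still resolve to the reported image path?
$proc = Get-Process -Id $ReportedPid -ErrorAction SilentlyContinue
if ($null -eq $proc) {
    Write-Warning "PID $ReportedPid is no longer running; checking the file on disk only."
} elseif ($proc.Path -ne $ReportedPath) {
    Write-Warning "PID $ReportedPid is '$($proc.Path)', not the reported path."
} else {
    Write-Output "PID $ReportedPid -> $($proc.Path)"
}

# 2. Is the on-disk file signed, and does the signature chain to a trusted root?
#    Get-AuthenticodeSignature reports 'Valid' only when the chain verifies.
$sig  = Get-AuthenticodeSignature -FilePath $ReportedPath
$info = (Get-Item -Path $ReportedPath).VersionInfo

[pscustomobject]@{
    File           = $ReportedPath
    ProductVersion = $info.ProductVersion
    CompanyName    = $info.CompanyName
    SigStatus      = $sig.Status                      # expect 'Valid'
    Signer         = $sig.SignerCertificate.Subject   # expect a Microsoft subject
    SHA256         = (Get-FileHash -Path $ReportedPath -Algorithm SHA256).Hash
} | Format-List

# 3. Decision: a valid chain with a Microsoft signer plus a clean hash lookup
#    supports the false-positive explanation; anything else needs a closer look.
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning 'Signature check failed; do not treat this detection as a false positive.'
}
```

Run it from an elevated PowerShell prompt, since reading the image path of a protected antimalware process can require administrator rights. These checks cover the executable on disk and the process identity; the post reports that the detection only appears once MSE definitions are loaded, so a clean on-disk result here is consistent with the scanner matching content the engine loads at runtime rather than the MsMpEng.exe binary itself, which is exactly the question to put to the RogueKiller maintainers with the hash and signer details attached.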

