

Messages - Mclaughlin

1
RogueKiller / False-Positives
« on: April 17, 2016, 05:42:18 AM »
Hi,


Wanted to alert you to several False-Positives, some of which have been previously noted, but which unfortunately still hit. Particularly strange is a (new) FP – in the C:\ProgramData\RogueKillerPE folder (!) [copyright info written to “CopyrightAdlice Software©2015”]…  I’ll add the 2 complete logs at the very end.

In sum, the FP’s are as follows:


Today’s Scan Results:

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] RogueKillerPE.shell.dll(5860) -- C:\ProgramData\RogueKillerPE\RogueKillerPE.shell.dll -> Found
[Comment - RogueKillerPE?!]

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found
[Comment - HP Support Assistant installer package (previously mentioned)]

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_READ[3] : C:\Windows\System32\drivers\hmpalert.sys @ 0xfffff800b4b1fa20
[Comment - HitmanPro.Alert (has returned a hit for some time now, but haven’t posted yet)]


Earlier Scan Results:

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] a2emergencykit.exe(8148) -- C:\EEK\bin64\a2emergencykit.exe -> Found
[Comment - Emsisoft Emergency Kit Scanner (FP previously posted)]



Note:


The Emsisoft Emergency Kit (C:\EEK\bin64\a2emergencykit.exe) was not detected this time, as I simply got tired of the FP appearing on every scan, and deleted the .exe file… That did the job (!). It would still be nice if you’d make sure this is addressed…

Note also that scans with Bitdefender TS 2016, HitmanPro, MBAM, MBAR, TDSS, adwcleaner, JRT, ESET online Scanner, and Emsisoft – all came out clean – both earlier and today; and the PC is behaving normally.



Best regards
 

=========================================================

Today’s Scan:

=========================================================


RogueKiller V12.1.2.0 (x64) [Apr 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : [Name] [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/16/2016 18:27:35

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] RogueKillerPE.shell.dll(5860) -- C:\ProgramData\RogueKillerPE\RogueKillerPE.shell.dll
  • -> Found


¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_READ[3] : C:\Windows\System32\drivers\hmpalert.sys @ 0xfffff800b4b1fa20

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] anrq3nwj.default-1425684543997 : user_pref("browser.startup.homepage", "https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
--- User ---
[MBR] 5563ee86216a1c21e78cfa8297c1cea8
[BSP] 6a3125a7f090a24988d63ba5cae1a61d : Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 686234 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1407023104 | Size: 28375 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: JetFlash Transcend 32GB USB Device +++++
--- User ---
[MBR] 7b1455697ab04b3a0bfb25a783aecb26
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 96 | Size: 30719 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

=========================================================

Earlier Scan:

=========================================================


RogueKiller V11.0.14.0 (x64) [Feb 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : [Name] [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/02/2016 13:04:39

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] a2emergencykit.exe(8148) -- C:\EEK\bin64\a2emergencykit.exe
  • -> Found


¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x0]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] anrq3nwj.default-1425684543997 : user_pref("browser.startup.homepage", "https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
--- User ---
[MBR] 5563ee86216a1c21e78cfa8297c1cea8
[BSP] 6a3125a7f090a24988d63ba5cae1a61d : Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 686234 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1407023104 | Size: 28375 MB
User = LL1 ... OK
User = LL2 ... OK

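As an added illustration (not part of the posts or of RogueKiller itself): a small Python parser for the report layout quoted above, which pulls each flagged line into a record and applies the check the poster uses when triaging (is the hit inside a known tool's install location?), while treating such a match only as a prompt to confirm the file's hash or signature. The log excerpt and the allowlist of tool locations are constructed here.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the RogueKiller report layout quoted in the posts above
SAMPLE_LOG = """¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] RogueKillerPE.shell.dll(5860) -- C:\\ProgramData\\RogueKillerPE\\RogueKillerPE.shell.dll
  • -> Found
¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\\ProgramData\\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found
¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \\Driver\\kbdclass - IRP_MJ_READ[3] : C:\\Windows\\System32\\drivers\\hmpalert.sys @ 0xfffff800b4b1fa20
¤¤¤ MBR Check : ¤¤¤
[MBR] 5563ee86216a1c21e78cfa8297c1cea8
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) :(?: (?P<count>\d+))?")
DETECT_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+) (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?= @ | -> |$)")  # stop before hook address or verdict

# Hypothetical allowlist: where the poster's own security tools are installed
KNOWN_TOOL_DIRS = {
    "C:\\ProgramData\\RogueKillerPE\\": "RogueKillerPE (the scanner's own folder)",
    "C:\\Windows\\System32\\drivers\\hmpalert.sys": "HitmanPro.Alert driver",
}
@dataclass
class Detection:
    section: str
    tags: list
    path: str = ""
    status: str = ""

def parse_report(text):
    """One Detection per flagged line; joins the '  • -> Found' continuation line."""
    found, section = [], ""
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            # sections without a count (MBR Check) hold hashes, not detections
            section = m.group("name") if m.group("count") else ""
        elif section and (m := DETECT_RE.match(line)):
            body = m.group("body")
            status = body.rsplit(" -> ", 1)[1] if " -> " in body else ""
            p = PATH_RE.search(body)
            tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
            found.append(Detection(section, tags, p.group(0) if p else "", status))
        elif line.strip().startswith("•") and found:
            found[-1].status = line.split("->")[-1].strip()
    return found

def triage(dets):
    """Known-tool path is only a lead: confirm hash/signature (the SystemLook MD5 step) before excluding."""
    return [(d.path, next((f"verify-known-tool: {v}" for k, v in KNOWN_TOOL_DIRS.items()
                           if d.path.lower().startswith(k.lower())), "review")) for d in dets]
```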

2
RogueKiller / Re: Probable False-Positives
« on: March 04, 2016, 06:16:29 PM »
Hi Curser,

Can you instruct how to delete/mask all identifying information from the dump file Task Manager created? Also, will I be able to upload a file this size using "Adlice Software upload form"? (I wouldn’t like to use my own google drive, etc., as you’d suggested earlier). Would it not be possible to simply recreate the detection on your end?

Regards

3
RogueKiller / Re: Probable False-Positives
« on: March 03, 2016, 10:23:18 PM »
BTW - FYI - Note that an earlier RogueKiller re-scan (before these latest ones following your last response) – while running Malwarebytes – produced another FP, identifying MBAM as Tr.Zeus. From the short log:

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] mbar.exe(6676) -- C:\Program Files (x86)\Malwarebytes Anti-Rootkit\mbar\mbar.exe
  • -> Found

Naturally, after confirming the process was running from the same location as MBAM – I ignored the find…


Best Regards

4
RogueKiller / Re: Probable False-Positives
« on: March 03, 2016, 10:15:09 PM »
Hi Curson,


Just to be sure I’m clear: a2emergencykit.exe does not seem to run unless Emsisoft Emergency Kit has been activated. (I’m assuming the process detected was a remnant of an “Emsisoft Emergency Kit” scan executed prior to RogueKiller). Just to be absolutely certain, I’ve now re-scanned RogueKiller with Process Explorer in the background, to verify that a2emergencykit.exe was not running unseen. It wasn’t.

After the RK scan completed, I opened Emsisoft, verified that upon loading, the process immediately appeared in Process Explorer, and then closed the program (while noting the process remained visible in Process Explorer)… I re-scanned with RogueKiller yet again, to recreate the earlier FP detection scenario, and indeed it detected again as “Proc.Injected”. Unfortunately I was unable to produce a Dump (Full or Mini) using Process Explorer (“error opening process – access denied”)… I was however able to produce a “regular” Dump file with the Task Manager. Would you be interested? It’s 95.5MB after zipping (311 before). Note that Process Explorer would not dump even after the suspect process was released from RK, and RogueKiller was closed and confirmed not running. Also, rebooting and reopening Emsisoft did NOT resolve the problem with creating a dump… Is there something else you’d like me to try?

SystemLook log follows below.


Best regards

-----------------------------
SystemLook 30.07.11 by jpshortstuff
Log created at 14:42 on 03/03/2016 by [Name]
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} - Parameters: "/s /md5"

---Files---
0x0409.ini   --a---- 21494 bytes   [20:07 17/08/2012]   [20:07 17/08/2012] 36AFFBD6FF77D1515CFC1C5E998FBAF9
HP Support Assistant.msi   --a---- 46040576 bytes   [20:07 17/08/2012]   [20:07 17/08/2012] E120EA02EF2FB5E76DC8C4C5E7B6D320

No folders found.

========== file ==========

C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4}\HP Support Assistant.msi - File found and opened.
MD5: E120EA02EF2FB5E76DC8C4C5E7B6D320
Created at 20:07 on 17/08/2012
Modified at 20:07 on 17/08/2012
Size: 46040576 bytes
Attributes: --a----
No version information available.

-= EOF =-


5
RogueKiller / Re: Probable False-Positives
« on: March 03, 2016, 03:39:45 AM »
Hi Curson,  :)

I downloaded RogueKillerPE (64 bits version), ran as admin, found process (a2emergencykit.exe) – but received the following error upon trying to save to desktop: “An error occurred while dumping to file". What shall I do?

Also, the link you supplied to download “SystemLook” led to a 404…

(BTW - this is Mclaughlin, not "sippysup"…  ;))

Best regards

6
RogueKiller / Probable False-Positives
« on: March 02, 2016, 07:52:02 PM »

Hi,


Wanted to alert you to 2 (probable) False-Positives recently detected on routine precautionary scan.

The first seems to be Emsisoft Emergency Kit (C:\EEK\bin64\a2emergencykit.exe - detected as Proc.Injected).

The second seems to be “HP Support Assistant” (C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} - detected as PUP). This one I’ve noticed on earlier scans prior to the latest RogueKiller update, but never got around to reporting.

P.S. – previous scans with Bitdefender TS 2016, HitmanPro, MBAM, MBAR, TDSS, & Emsisoft – all came out clean; and the computer is behaving normally.
I’ve let these 2 items pass for the time being; kindly let me know if there is cause for concern…

(Log follows)


Thanks and regards  :)
--------------------------------------------------

Log:

RogueKiller V11.0.14.0 (x64) [Feb 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : [Name] [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/02/2016 13:04:39

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] a2emergencykit.exe(8148) -- C:\EEK\bin64\a2emergencykit.exe
  • -> Found


¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x0]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] anrq3nwj.default-1425684543997 : user_pref("browser.startup.homepage", "https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
--- User ---
[MBR] 5563ee86216a1c21e78cfa8297c1cea8
[BSP] 6a3125a7f090a24988d63ba5cae1a61d : Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 686234 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1407023104 | Size: 28375 MB
User = LL1 ... OK
User = LL2 ... OK

