Hello,
I have used RogueKiller on a couple of machines. I also used products such as Malwarebytes, Trend Micro Anti-Virus, ADWCleaner, and monitored the network traffic from the machine. At first I went with RogueKiller, but it found several Proc.Injected processes, so I ran the other products and monitored as a confirmation. Only RogueKiller is finding this, so I was concerned that it was either a false positive or an infection not found by the other tools.
I used Process Hacker to generate DMP files.
I have linked to two of the files at Dropbox because they are roughly 30MB each:
https://www.dropbox.com/s/oulcioye96lwpvi/armsvc.exe.dmp?dl=0
https://www.dropbox.com/s/r081tfemjks19b8/msid.exe.dmp?dl=0
Can these be reviewed for threats?
Thank you!
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : x [Administrator]
Started from : C:\Users\x \Downloads\RogueKiller.exe
Mode : Scan -- Date : 04/13/2016 08:01:59
Processes : 9
[Proc.Injected] msid.exe(1828) -- C:\Program Files (x86)\Cisco Systems\Media Services Interface\msid.exe
[Proc.Injected] o2flash.exe(2004) -- C:\Windows\System32\o2flash.exe
[Proc.Injected] msirest.exe(2216) -- C:\Program Files (x86)\Cisco Systems\Media Services Interface\msirest.exe
[Proc.Injected] vmware-view-usbd.exe(2920) -- C:\Program Files (x86)\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe
[Proc.Injected] mscorsvw.exe(4004) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
[Proc.Injected] WebcamDell2.exe(5176) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
[Proc.Injected] BusinessMessaging.exe(5464) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe
[Proc.Injected] SCNotification.exe(2432) -- C:\Windows\CCM\SCNotification.exe
[Proc.Injected] armsvc.exe(2276) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Registry : 12
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
Tasks : 0
Files : 0
Hosts File : 0
Antirootkit : 0 (Driver: Not loaded [0xc000036b])
Web browsers : 1
[PUM.HomePage][FIREFX:Config] 2ekqi8v2.default : user_pref("browser.startup.homepage", "http://www.corporate-site-is-ok"); -> Found
MBR Check :
+++++ PhysicalDrive0: WDC WD3200BEKT-75PVMT1 +++++
--- User ---
[MBR] 8e0b22998e13ca105ee66ff31ec9cb5e
[BSP] 016c68e59f4670f4b8a164d3bee1b549 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 868 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1779712 | Size: 304375 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
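As an added triage example (this is not part of the original post, and it is not RogueKiller's or any vendor's code): the script below cross-checks the nine Proc.Injected hits from the report from the host itself, independently of any scanner. The nine paths are copied from the report above; everything else is an assumption. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt on the scanned machine. It checks three things a practitioner wants before deciding "false positive": whether each flagged image on disk is still a validly signed binary, whether any running instance has a file-backed module loaded from outside the Windows or Program Files trees (or a module whose embedded signature no longer matches its bytes), and whether the PUM.Policies hit on ConsentPromptBehaviorAdmin = 0 is real, since that setting lets any code running as this administrator elevate with no prompt.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 4.0+ (Get-FileHash),
# run elevated on the scanned machine. The nine paths are the ones RogueKiller listed above.
$flagged = @(
    'C:\Program Files (x86)\Cisco Systems\Media Services Interface\msid.exe',
    'C:\Windows\System32\o2flash.exe',
    'C:\Program Files (x86)\Cisco Systems\Media Services Interface\msirest.exe',
    'C:\Program Files (x86)\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe',
    'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe',
    'C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe',
    'C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe',
    'C:\Windows\CCM\SCNotification.exe',
    'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe'
)

# Step 1: is the image on disk still the vendor's binary? A valid Authenticode chain plus a hash
# you can look up elsewhere rules out a replaced file; it says nothing about what was injected
# into the process afterwards.
function Get-ImageTrust {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Not found on disk: $path"
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status   # Valid / NotSigned / HashMismatch / UnknownError ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Step 2: for each running instance, report file-backed modules that live outside the Windows /
# Program Files trees, or whose embedded signature no longer matches the file (HashMismatch).
# A DLL injected from %TEMP% or %APPDATA% shows up here. Reflectively loaded code with no file
# behind it does not: that is what the .dmp files are for. NotSigned inside System32 is expected
# on Windows 7, where most system DLLs are catalog-signed, so it is not flagged on its own.
function Get-SuspectModules {
    param([string[]]$Paths)
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($path in $Paths) {
        $name = [IO.Path]::GetFileNameWithoutExtension($path)
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            try { $modules = $proc.Modules } catch {
                # A 64-bit shell cannot enumerate modules of a 32-bit (WOW64) process;
                # rerun this part from the 32-bit PowerShell for those PIDs.
                Write-Warning ("PID {0} ({1}): cannot enumerate modules: {2}" -f $proc.Id, $name, $_.Exception.Message)
                continue
            }
            foreach ($m in $modules) {
                $inTrustedTree = $false
                foreach ($root in $trustedRoots) {
                    if ($m.FileName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedTree = $true }
                }
                $status = (Get-AuthenticodeSignature -LiteralPath $m.FileName).Status
                if (-not $inTrustedTree -or $status -eq 'HashMismatch') {
                    [pscustomobject]@{ PID = $proc.Id; Process = $name; Module = $m.FileName; Signature = $status }
                }
            }
        }
    }
}

# Step 3: the PUM.Policies hit. ConsentPromptBehaviorAdmin = 0 means "elevate without prompting"
# for members of Administrators; the Windows 7 default is 5 (prompt for consent for non-Windows
# binaries). With 0, anything this user runs can become SYSTEM-equivalent without a UAC dialog.
function Get-UacPromptBehavior {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        SilentElevation            = ($v.ConsentPromptBehaviorAdmin -eq 0)
    }
}

Get-ImageTrust      -Paths $flagged | Format-Table -AutoSize
Get-SuspectModules  -Paths $flagged | Format-Table -AutoSize
Get-UacPromptBehavior
```

Reading the result: if every image is Valid with the expected vendor as signer and Step 2 prints nothing you cannot account for, the remaining question is what the unbacked executable memory in those processes is, and only the dumps answer that. Two of the listed binaries (mscorsvw.exe, SCNotification.exe) are .NET processes and one belongs to Malwarebytes itself; JIT-compiled managed code and security-product hooks both leave executable memory that is not backed by a file, which is the kind of thing a generic injection heuristic keys on, so that combination is consistent with a false positive but does not prove one. Note also that the report's Antirootkit line reads "Driver: Not loaded", so this scan includes no kernel-level check; the MBR and partition checks did run and came back clean.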