Messages - JukkaG

1
RogueKiller / Re: ===> False Positives <===
« on: May 07, 2016, 12:25:12 AM »
F-Secure Antivirus is again coming up as Zeus, as you can see in the attached log.

2
RogueKiller / Re: ===> False Positives <===
« on: March 23, 2016, 03:12:06 PM »
F-Secure Antivirus component is getting tagged as Zeus again.

3
RogueKiller / Some PUM DNS entries detected, anything to worry about?
« on: January 31, 2016, 07:57:17 PM »
So I got some PUM DNS entries while doing regular scans (so there have been no symptoms or anything, I just scan regularly to be sure). Log attached, I guess that they are just some false positives but it still would be nice if you could comment on them just to be certain.

"registry": [
            {
                "scan_what": 1,
                "scan_how": [
                    11
                ],
                "scan_how_trigger": 11,
                "vendors": [
                    "PUM.Dns"
                ],
                "rule_name": "DNS",
                "view": 256,
                "value": "DhcpNameServer",
                "subkey": "",
                "value_old_data": "",
                "value_data": "172.20.10.1",
                "path": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{2f726e50-cd41-448e-81eb-c57027f22000}",
                "extra": "[X]",
                "files_status": "",
                "vtscore": -1,
                "files": [],
                "status_str": "Found",
                "status_choice": 1,
                "status_removed": 0
            },
            {
                "scan_what": 1,
                "scan_how": [
                    11
                ],
                "scan_how_trigger": 11,
                "vendors": [
                    "PUM.Dns"
                ],
                "rule_name": "DNS",
                "view": 256,
                "value": "DhcpNameServer",
                "subkey": "",
                "value_old_data": "",
                "value_data": "172.20.10.1",
                "path": "HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{2f726e50-cd41-448e-81eb-c57027f22000}",
                "extra": "[X]",
                "files_status": "",
                "vtscore": -1,
                "files": [],
                "status_str": "Found",
                "status_choice": 1,
                "status_removed": 0

4
A million thanks to you, now I can keep on using my computer without paranoia ;D

And at least you can now eliminate some false positives so that nobody else gets spooked by the same thingy again!

5
In fact, I haven't received anything.
Could you please host the dump on DropBox/OneDrive and share the link here?

Here it is: https://dl.dropboxusercontent.com/u/17953443/explorer.zip

6
Hi Jukka,

The hook is mostly related to your antivirus.
However, we are going to verify it.

Please follow the following process.
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named explorer.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Regards.

Hi, I posted the dump to you. Actually I posted it multiple times like an idiot because I thought that it was supposed to give me a confirmation about the completed upload and I thought that it didn't work at first, but then I realized that it just doesn't give a confirmation. So don't wonder if you have received that file something like 5 times...

Also, I found a possible explanation for the anti-exploit-like behavior: I just remembered F-Secure has a so-called DeepGuard module that interjects processes and monitors them if it can't verify them as safe through the cloud. It sort of sounds like a thing that would create a hook like that.

7
Quote from: Jukka
But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)
Do you use anti-exploit software on your computer?

Mm, I don't think so, can't remember installing any anti-exploit software on this machine. Unless F-Secure or Malwarebytes Anti-Malware does something like that, but I find it unlikely. Does that mean that it has come from malicious sources, or is there any way to get more information about that?

Also noting that I don't have any visible symptoms of infection or anything, I'm just doing regular scans to be sure.

8
So, first off, that F-Secure-related Zeus detection is false and happens with all computers that have F-Secure; you should whitelist it.

But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)

However, RogueKiller is the only program that detects anything; full scans by TDSSKiller, aswMBR, Kaspersky Virus Removal Tool, HitmanPro, ESET Online Scanner, Malwarebytes Anti-Malware and F-Secure have found nothing. I know that it's most likely just a false positive too, just because of that, but could someone with more knowledge tell me if that one looks suspicious?
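An added Python parser for RogueKiller hook lines like the one quoted above (not code from the post or from Adlice). It splits the line into its fields and applies a triage rule that mirrors the staff reply: an "Unknown" owner on a process-creation API is exactly what behaviour-monitoring AV and anti-exploit products produce, so the owning module should be identified (the process dump) before the hook is treated as malicious. The API list and the second sample line are constructed, not RogueKiller's own.

```python
import re

# Constructed sample: the hook line quoted in the post, plus a made-up second
# line in the same format to exercise the parser.
SAMPLE_LINES = [
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)",
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x7ffb99622020 (jmp 0xffffffff8000bc10)",
]

HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] "                        # detection class, e.g. IAT:Inl(Hook.IEAT)
    r"\((?P<process>\S+) @ (?P<importer>[^)]+)\) "   # hooked process and the module whose import points elsewhere
    r"(?P<module>\w+)!(?P<function>\w+) : "          # imported export that was redirected
    r"(?P<owner>.+?) @ (?P<address>0x[0-9a-fA-F]+) " # module the hook is attributed to, and the hook location
    r"\((?P<detail>[^)]*)\)$"                        # instruction RogueKiller shows at the hook site
)

# Illustrative list (an assumption, not RogueKiller's): process-lifecycle APIs
# that behaviour-monitoring AV and anti-exploit tools commonly hook.
PROCESS_LIFECYCLE_APIS = {"NtCreateUserProcess", "NtCreateThreadEx", "NtCreateProcessEx"}

def parse_hook(line):
    """Split one RogueKiller hook line into a dict of named fields."""
    m = HOOK_RE.match(line)
    if not m:
        raise ValueError("not a RogueKiller hook line: " + line)
    rec = m.groupdict()
    rec["address"] = int(rec["address"], 16)
    return rec

def triage_hook(line):
    """Attach a defender-side verdict to a parsed hook line."""
    rec = parse_hook(line)
    if rec["owner"] != "Unknown":
        rec["verdict"] = "attributed: confirm " + rec["owner"] + " is expected on this host"
    elif rec["function"] in PROCESS_LIFECYCLE_APIS:
        rec["verdict"] = "ambiguous: identify the owning module (process dump) before removal"
    else:
        rec["verdict"] = "review: unattributed hook on " + rec["function"]
    return rec

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = triage_hook(line)
        print(r["process"], r["module"] + "!" + r["function"], hex(r["address"]), "->", r["verdict"])
```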

9
RogueKiller / Roguekiller wanted to upload a file called Bootstrap.dmp
« on: September 13, 2015, 02:54:07 AM »
When I was doing a scan with RogueKiller as part of my regular paranoia checks (so no real reason for it, no infection symptoms or anything), it wanted to upload a file called bootstrap.dmp to VirusTotal, but in the end the results didn't show any infections or anything (neither Avast, Malwarebytes nor HitmanPro found anything). Should I worry about it? The file was located in the folder C:\Users\Jukka-Admin\AppData\Local\Temp, and when I uploaded it to VirusTotal it didn't show up as malicious.

Virustotal link: https://www.virustotal.com/en/file/37ac6199a62553aeebb8afa8eef9c3726daa3d85109bd535e1771afbbc6cb39e/analysis/1442101214/

Of course, I realize that it's just a dump file and thus even if it was related to some virus, it's not the culprit itself. It would be really nice to know if it is just completely harmless. Also linking the scan log.
