Author Topic: Unsure of results in report

BrewIT
Unsure of results in report
« on: March 11, 2015, 04:52:18 PM »
I'd like some advice on what to do with these findings. Most look like system files to me in the processes, but it states known malware.
Please see the attached report.

Thank you
Bob
« Last Edit: March 11, 2015, 09:04:53 PM by BrewIT »

Curson
Re: Unsure of results in report
« Reply #1 on: March 11, 2015, 11:19:38 PM »
Hi BrewIT,

Welcome to Adlice.com Forum.

The [Proc.Injected] detection could be triggered by two things:
  • A real infection (like Zeus, Carberp or Poweliks, which are all using that thing)
  • Your antivirus injecting your processes to protect you (in theory).
To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:

1. Process Dump
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named smss.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
  • Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.

2. MBR Dump

The MBR on your computer seems nonstandard.
Unknown MBRs are dumped into %programdata%/RogueKiller/debug/.

Please locate this folder and attach it on your next post (you need to zip it first).

3. TDSSKiller
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Regards.
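The triage the moderator describes above rests on one question: is the code injected into a process a signed vendor component (an antivirus hooking DLL) or something unexpected? Before sending a full dump off for analysis, a first pass can be done locally by listing the modules loaded in the flagged process and checking each one's Authenticode signature and location. The script below is an added example, not part of the thread and not RogueKiller's or Process Explorer's own code; the function name, the `$TrustedPublisherPatterns` list and the verdict labels are my own choices, and the publisher list is a placeholder to adjust for the AV actually installed. It must be run from an elevated PowerShell prompt, on a PowerShell whose bitness matches the target process.

```powershell
# Added example: triage a process's loaded modules to separate expected
# (signed, in-place vendor or system) DLLs from ones that deserve a closer look.
# Not from the forum thread; run as Administrator.

function Get-InjectedModuleReport {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,
        # Placeholder list of publishers whose injected DLLs are expected;
        # replace with the subject of your own AV vendor's signing certificate.
        [string[]] $TrustedPublisherPatterns = @('Microsoft', 'Symantec')
    )

    $procs = Get-Process -Name $ProcessName -ErrorAction Stop
    foreach ($proc in $procs) {
        foreach ($mod in $proc.Modules) {
            $path = $mod.FileName
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            # Modules living under the Windows directory are the normal case.
            $inSystemDir = $path -like "$env:SystemRoot\*"

            $trusted = $false
            foreach ($pattern in $TrustedPublisherPatterns) {
                if ($publisher -like "*$pattern*") { $trusted = $true }
            }

            # Verdict: a valid signature from a known publisher or a system-directory
            # module is expected; a valid signature from elsewhere is worth a review;
            # anything unsigned or with a broken signature is suspicious.
            $verdict = if ($sig.Status -eq 'Valid' -and ($inSystemDir -or $trusted)) { 'expected' }
                       elseif ($sig.Status -eq 'Valid') { 'signed-review' }
                       else { 'SUSPICIOUS' }

            [pscustomobject]@{
                Process   = "$($proc.ProcessName) ($($proc.Id))"
                Module    = $mod.ModuleName
                Path      = $path
                SigStatus = $sig.Status
                Publisher = $publisher
                Verdict   = $verdict
            }
        }
    }
}

# Usage: report on the process RogueKiller flagged, worst verdicts first.
Get-InjectedModuleReport -ProcessName 'smss' |
    Sort-Object Verdict -Descending |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, `Process.Modules` only sees DLLs loaded through the normal loader; code that was manually mapped or reflectively injected never appears in that list, which is exactly why the moderator asks for a full memory dump rather than a module listing. Second, a valid signature from an unfamiliar publisher ("signed-review") is not a clean bill of health; it just moves the question to whether that publisher has any business being in the process.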

BrewIT
Re: Unsure of results in report
« Reply #2 on: March 12, 2015, 02:31:25 PM »
Curson
Thank you for your prompt response. The PC is located at a remote site so I will follow your instructions when I return to that site in a few days. I suspect they are Symantec AV protecting the system as you speculate.

Regards
Bob

Curson
Re: Unsure of results in report
« Reply #3 on: March 12, 2015, 04:43:07 PM »
Hi Bob,

You are welcome.
The analysis of the dump will bring confirmation.

Regards.

BrewIT
Re: Unsure of results in report
« Reply #4 on: March 27, 2015, 10:04:01 PM »
Hello again
Finally back at the remote site again.

SMSS link is https://drive.google.com/file/d/0B4BNZnNZ0SnvTm85c1VkdlVLdUk/view?pli=1

I've attached the MBR debug file, but the message is too big so I'm attaching it in a separate post.

TDSSKiller results are too big to attach. I have them zipped if I can share them with you or I'll try to attach in another post. FYI nothing was found.

Thanks again for your assistance!
Have a great weekend
Bob

BrewIT
Re: Unsure of results in report
« Reply #5 on: March 27, 2015, 10:06:15 PM »
TDSSKiller results in attachment

Bob


Curson
Re: Unsure of results in report
« Reply #6 on: March 31, 2015, 09:52:43 PM »
Hi Bob,

Could you please download the latest RogueKiller version and try to run the scan again?
Numerous false positives have been fixed since V10.5.3.0.

Regards.

BrewIT
Re: Unsure of results in report
« Reply #7 on: March 31, 2015, 10:15:50 PM »
Curson
I had just run the latest version prior to your reply. I had already uninstalled and reinstalled Symantec Enterprise Protection beforehand, and most of the previously found items were no longer there.
Any more problems and I'm rebuilding the machine. Too many users have had their hands in the pie at this point to keep mucking with it.  :P

Thank you for your trouble and diligence!

Bob

Curson
Re: Unsure of results in report
« Reply #8 on: April 01, 2015, 12:20:40 AM »
Hi Bob,

You are very welcome.  :)

Regards.