Topic: Need help to see if I'm infected

December 18, 2015, 08:44:16 PM

sippysup
I have a lot of "proc.injected" going on with my files. Please help.

RogueKiller V11.0.3.0 (x64) [Dec 14 2015] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 12/18/2015 13:23:04

¤¤¤ Processes : 51 ¤¤¤
[Proc.Injected] wininit.exe(532) -- C:\Windows\System32\wininit.exe -> [NoKill]
[Proc.Injected] lsass.exe(644) -- C:\Windows\System32\lsass.exe -> [NoKill]
[Proc.Injected] svchost.exe(724) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(764) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(868) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(944) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(1008) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(480) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(688) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] spoolsv.exe(1220) -- C:\Windows\System32\spoolsv.exe -> [NoKill]
[Proc.Injected] svchost.exe(1248) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(1460) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] dasHost.exe(1476) -- C:\Windows\System32\dasHost.exe[-] -> Killed [TermProc]
[Proc.Injected] dwservice.exe(1508) -- C:\Program Files\DrWeb\dwservice.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] mbae-svc.exe(1552) -- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] mbae64.exe(1592) -- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] creator-ws.exe(1692) -- C:\Program Files\PDF Architect 4\creator-ws.exe[7] -> Killed [TermProc]
[Proc.Injected] svchost.exe(1788) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] VESMgr.exe(1836) -- C:\Program Files (x86)\Sony\VAIO Control Center\VESMgr.exe[7] -> Killed [TermProc]
[Proc.Injected] CodeMeter.exe(1944) -- C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[7] -> Killed [TermProc]
[Proc.Injected] VESMgrSub.exe(2012) -- C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(2068) -- C:\Windows\SysWOW64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] SUSSoundProxy.exe(2444) -- C:\Program Files (x86)\Sony\VAIO Control Center\SUSSoundProxy.exe[7] -> Killed [TermProc]
[Proc.Injected] dwengine.exe(2768) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] dwarkdaemon.exe(2952) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] svchost.exe(3032) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] WUDFHost.exe(3048) -- C:\Windows\System32\WUDFHost.exe[-] -> Killed [TermProc]
[Proc.Injected] svchost.exe(1392) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] frwl_svc.exe(3552) -- C:\Program Files\DrWeb\frwl_svc.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] dwnetfilter.exe(3612) -- C:\Program Files\DrWeb\dwnetfilter.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] sua.exe(3016) -- C:\Program Files (x86)\Secunia\PSI\sua.exe[7] -> Killed [TermProc]
[Proc.Injected] SearchIndexer.exe(1764) -- C:\Windows\System32\SearchIndexer.exe -> [NoKill]
[Proc.Injected] vim.exe(984) -- C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe[7] -> Killed [TermProc]
[Proc.Injected] winlogon.exe(2668) -- C:\Windows\System32\winlogon.exe -> [NoKill]
[Proc.Injected] dwm.exe(3240) -- C:\Windows\System32\dwm.exe -> [NoKill]
[Proc.Injected] frwl_notify.exe(1756) -- C:\Program Files\DrWeb\frwl_notify.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] explorer.exe(1124) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] taskhostex.exe(3948) -- C:\Windows\System32\taskhostex.exe[7] -> Killed [TermProc]
[Proc.Injected] SkyDrive.exe(1776) -- C:\Windows\System32\SkyDrive.exe[-] -> Killed [TermProc]
[Proc.Injected] TabTip.exe(4608) -- C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7] -> Killed [TermProc]
[Proc.Injected] spideragent.exe(4552) -- C:\Program Files\DrWeb\spideragent.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] WinPatrol.exe(4788) -- C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe[7] -> Killed [TermProc]
[Proc.Injected] CODEME~2.EXE(3004) -- C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[7] -> Killed [TermProc]
[Proc.Injected] mbae.exe(4584) -- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] GWX.exe(4740) -- C:\Windows\System32\GWX\GWX.exe[-] -> Killed [TermProc]
[Proc.Injected] NFCConnectionUtility.exe(3368) -- C:\Program Files\Sony\NFC Connection Utility\NFCConnectionUtility.exe[7] -> Killed [TermProc]
[Proc.Injected] SettingSyncHost.exe(4300) -- C:\Windows\System32\SettingSyncHost.exe[-] -> Killed [TermProc]
[Proc.Injected] vim.exe(5744) -- C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe[7] -> Killed [TermProc]
[Proc.Injected] chrome.exe(6012) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Killed [TermProc]
[Proc.Injected] WmiPrvSE.exe(5900) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Killed [TermProc]
[Proc.Injected] WmiPrvSE.exe(3536) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[Hidden.ADS][[[ADS]]] C:\Windows:CM_2415f16377cd72e710e53fa7b49a08a89bb2082dc630b9b840974029806dc440 -> Found
[Hidden.ADS][[[ADS]]] C:\Windows:CM_39543b5c7cf1a6cec586fa3cbf25062e9e925ec09308d745e407d3c756170fb4 -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG MZHPU256HCGL-00000 +++++
--- User ---
[MBR] d8493339862f6b2accd6ca8aa76a5ad4
[BSP] 4817c5537d47c76f3bd6e59e9f64e269 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 534528 | Size: 1474 MB
2 - [MAN-MOUNT] EFI system partition | Offset (sectors): 3553280 | Size: 260 MB
3 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 4085760 | Size: 128 MB
4 - Basic data partition | Offset (sectors): 4347904 | Size: 223936 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 462968832 | Size: 350 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 463685632 | Size: 17789 MB
User = LL1 ... OK
User = LL2 ... OK


Reply #1 on December 21, 2015, 02:42:40 PM

Curson

Hi sippysup,

We need to investigate this injection.
Please follow the following process:
  • Download RogueKillerPE (64-bit version) and save it to your desktop.
  • Click on the setup file (RogueKillerPE64.exe) and select Run as Administrator to start the tool.
  • Locate the process named wininit.exe, right-click on it and select Dump injected pages.
  • Give a name to the dump, save it on your desktop and compress it.
  • Go to the Adlice Software upload form, select the dumps as the files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Regards.

Reply #2 on December 21, 2015, 07:02:35 PM

sippysup

I tried running the file like you said, but it is freezing up, or when I right-click it to "dump injected processes" it doesn't give me an option as to what to save it as (.txt, etc.). Then when I try to save, it gives me an error message.
Here is a screenshot:

Reply #3 on December 21, 2015, 08:00:08 PM

Curson

Hi sippysup,

The tool is not working as intended. We will use an alternative.
Please follow the following process:
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named wininit.exe, right-click on it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.

Regards.
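A cheap triage step a practitioner would run before (or alongside) the memory dump requested in Reply #1 and Reply #3, as an added example that is not part of the thread and is not Adlice's, Dr.Web's or Microsoft's code: from an elevated 64-bit PowerShell, enumerate the modules loaded into a few of the flagged processes and report the Authenticode signer of every module that is not Microsoft-signed or does not live under the Windows directory. A security product that hooks every process shows up as the same vendor-signed DLL with a high count across processes; an unsigned module, or one with no backing file, is the case that justifies a full dump. The process names, the `Microsoft` subject match used to classify OS code, and the report columns are assumptions of this example.

```powershell
# Added example, not code from the thread, Adlice or Dr.Web.
# Lists modules loaded into the processes RogueKiller flagged and reports the
# Authenticode signer of every module that is not Microsoft-signed or that lives
# outside the Windows directory. Run from an elevated 64-bit PowerShell on the
# machine in question.

# Assumption: process names chosen from the log above; adjust as needed.
$FlaggedProcesses = @('wininit', 'lsass', 'svchost', 'explorer', 'chrome', 'spoolsv')

$script:SignerCache = @{}

function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)
    if ($script:SignerCache.ContainsKey($Path)) { return $script:SignerCache[$Path] }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $info = [pscustomobject]@{ Status = $sig.Status; Subject = $subject }
    $script:SignerCache[$Path] = $info
    return $info
}

function Get-ForeignModuleReport {
    param([string[]]$ProcessName)
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $modules = $p.Modules
        } catch {
            # Protected processes (e.g. lsass running as PPL) deny module enumeration;
            # report that rather than silently skipping the process.
            [pscustomobject]@{
                Process = $p.ProcessName; ProcessId = $p.Id; Module = '<enumeration denied>'
                Path = ''; Status = 'N/A'; Signer = $_.Exception.Message
            }
            continue
        }
        foreach ($m in $modules) {
            $s = Get-SignerInfo -Path $m.FileName
            $underWindows = $m.FileName -like "$env:SystemRoot\*"
            # Assumption: a valid signature whose subject contains "Microsoft",
            # on a file under the Windows directory, counts as OS code and is skipped.
            if ($underWindows -and $s.Subject -match 'Microsoft' -and $s.Status -eq 'Valid') { continue }
            [pscustomobject]@{
                Process = $p.ProcessName; ProcessId = $p.Id; Module = $m.ModuleName
                Path = $m.FileName; Status = $s.Status; Signer = $s.Subject
            }
        }
    }
}

$report = Get-ForeignModuleReport -ProcessName $FlaggedProcesses

# One row per distinct module: a vendor hook DLL shows a high Count with a valid
# vendor signature; an unsigned module present in one or two processes is the
# case that justifies the full memory dump requested above.
$report |
    Group-Object Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Status'; Expression = { $_.Group[0].Status } },
        @{ Name = 'Signer'; Expression = { $_.Group[0].Signer } } |
    Format-Table -AutoSize
```

This only sees DLLs the loader knows about. Code injected as raw executable memory without a backing file never appears in the module list, which is exactly why a dump of the injected pages (or a full process dump) is still needed to confirm what RogueKiller is reacting to.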

Reply #4 on December 21, 2015, 08:11:57 PM

sippysup

Reply #5 on December 21, 2015, 08:52:55 PM

Curson

Hi sippysup,

The injection is linked to Dr.Web antivirus.
We will whitelist it as soon as possible.

Regards.