===> False Positives <===

[randzonen]

Seems like Rogue Killer 12.7.1.0 thinks everything from Intel  is malware and marked is for instant deletion...

[Hidden.ADS][Stream] C:\Windows\System32\common_clang64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\difx64.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\DPTopologyApp.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\DPTopologyAppv2_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\GfxResources.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\GfxUIEx.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Gfxv2_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Gfxv4_0.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\ig75icd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igc64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd10idpp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd10iumd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd11dxva64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igd12umd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdail64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdbcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdde64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdfcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdmcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdmd64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdrcl64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdumdim64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igdusc64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfx11cmrt64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxcmjit64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxcmrt64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCoIn_v4463.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCUIService.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxCUIServicePS.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDH.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDHLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDHLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDI.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDILib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDILibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxDTCM.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEM.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEMLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxEMLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxexps.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxext.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxHK.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHM.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHMLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxLHMLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxOSP.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDK.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDKLib.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxSDKLibv2_0.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\igfxTray.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\iglhcp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\iglhsip64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelCpHDCPSvc.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelOpenCL64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelWiDiMCComp64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\IntelWiDiUMS64.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\Intel_OpenCL_ICD64.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\MetroIntelGenericUIFramework.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\System32\OpenCL.DLL:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\common_clang32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\ig75icd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igc32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd10idpp32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd10iumd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd11dxva32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igd12umd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdail32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdbcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdde32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdfcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdmcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdmd32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdrcl32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdumdim32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igdusc32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfx11cmrt32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxcmjit32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxcmrt32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\igfxexps32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\iglhcp32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\iglhsip32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\IntelCpHeciSvc.exe:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\IntelOpenCL32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\Intel_OpenCL_ICD32.dll:Zone.Identifier -> Gefunden
[Hidden.ADS][Stream] C:\Windows\SysWOW64\OpenCL.DLL:Zone.Identifier -> Gefunden

[Curson]

Hi randzonen,

Thanks for your feedback.
An emergency fix has been issued for this false positive.

Regards.

[coldi]

Hi there,
not sure if it's the case but I might have stumbled about something again.
The latest version shows [PUM.HomePage][Chrome:Config] Default : homepage [] -> Found but no additional information is given and as far as I can tell the browser is functioning as it should. I'll add the report but there doesn't seem to be anything more about it. The previous version doesn't detect it.
Regards

[Curson]

Hi coldi,

Thanks for your feedback. It seems like a bug on our end.
We will investigate this issue.

Regards.

[pparent516]

Please, fix this false positive. Weathereye.exe is a not PUP nor virus. Weathereye is an weather's application and it's not dangerous. Here the link for downloading : https://www.theweathernetwork.com/weather-apps

Here RogueKiller report :

RogueKiller V12.8.5.0 (x64) [Dec 12 2016] (Premium) par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/download/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 10 (10.0.14393) 64 bits version
Démarré en  : Mode normal
Utilisateur : Paulo [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 12/18/2016 11:25:34 (Durée : 00:19:52)

¤¤¤ Processus : 0 ¤¤¤

¤¤¤ Registre : 6 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12182016110228673\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12182016110228673\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\Paulo\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-12182016110029563\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\XAdmin\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2824724146-1966662352-9585513-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-12182016110029563\Software\Microsoft\Windows\CurrentVersion\Run | WeatherEye : C:\Users\XAdmin\AppData\Local\MétéoMédia\weathereye.exe [7] -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Fichier Hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: INTEL SSDSC2BW240H6 +++++
--- User ---
[MBR] ab29a7e42e94628b34d1970a7578900b
[BSP] 05c1135502c1387ca20f9f871e6b4971 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 184320 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 377491456 | Size: 44614 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

[Curson]

Hi pparent516,

Welcome to Adlice.com Forum and thanks for your feedback.
This false positive will be fixed as soon as possible.

Regards.

[Suario]

Hello, i recently do a scan with roguekiller and it shows MBAMService.exe as a Adw.Elex|PUP.Divcom so i was wondering if this is a false positive?

Here i add the report :

RogueKiller V12.9.6.0 (x64) [Jan 30 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Junito [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/03/2017 01:22:55 (Duration : 00:14:14)

¤¤¤ Processes : 2 ¤¤¤
[Adw.Elex|PUP.Divcom] MBAMService.exe(2696) -- Q:\Pgramas\Anti-Malware\mbamservice.exe[7] -> Found
[Suspicious.Path] (SVC) ALSysIO -- \??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys

• -> Found

¤¤¤ Registry : 3 ¤¤¤
[PUP.HackTool] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetCut_is1 -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\JUNITO~1\AppData\Local\Temp\ALSysIO64.sys) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[PUP.Gen1][Folder] C:\Users\Junito\AppData\Roaming\Easeware -> Found
[PUP.Gen1][File] C:\Users\Junito\AppData\Roaming\Microsoft\Windows\Recent\client-stats.log.lnk [LNK@] C:\Users\JUNITO~1\AppData\Roaming\Easeware\DRIVER~1\CLIENT~1.LOG -> Found
[PUP.Gen1][File] C:\Users\Junito\AppData\Roaming\Microsoft\Windows\Recent\DriverEasy.lnk [LNK@] C:\Users\JUNITO~1\AppData\Roaming\Easeware\DRIVER~1 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS545050A7E380 ATA Device +++++
--- User ---
[MBR] d8c3edb4bed2a3984bc767cd235ebc5e
[BSP] 403de67ba0e2f219f2b79355739651fe : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Maxtor 6L120M0 ATA Device +++++
--- User ---
[MBR] aa7415b7c5c1f25a0031f6eb43396297
[BSP] 8f89bcf184ff96be07bf6cdb6134749f : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 117244 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: KINGSTON SV300S37A240G ATA Device +++++
--- User ---
[MBR] c664ba19eded6725426e299ee13da4d1
[BSP] a27144b8b980601f0ab2ec1d08dde42b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

[Curson]

Hi Suario,

Welcome to Adlice.com Forum and thanks for your feedback.
Yes, it's a false positive. RogueKiller is detecting MalwareBytes malware database. This issue has been fixed when MBAM is installed on standard location.

Regards.

[counselorgene]

Hi there,

First I want to tell you I love your program.
I analyzed my system with RogueKiller. Please see my output below. I've got Dr. Web Security Space as well as MalwareBytes on the machine. I also have Sophos Virus Removal Tool installed on the system. I used to have Advanced System Care on this machine but recently removed it because it was likely helping to compromise my system. I received several Proc.Injected, Root.Necurs, and PUM.HomePage entrees. I ran in Safe Mode.
Please let me know if this is a true infection or false positive, based on what you see:

----------------------------------------------------------------------------------------------------

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Safe mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/06/2017 21:36:42 (Duration : 00:18:59)

¤¤¤ Processes : 12 ¤¤¤
[Proc.Injected] wininit.exe(456) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(520) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(572) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(680) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(772) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(808) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(840) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(880) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(348) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(468) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1224) -- C:\Windows\System32\dllhost.exe[7] -> Found

¤¤¤ Registry : 9 ¤¤¤
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97855176CB095D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F9785531D1ACAC5 -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978556B1AA1B1D -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F978557637EA65F -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4F97856826CFAA11 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-693542642-1096459626-489246537-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK
-------------------------------------------------------------------------------------------------------

Thank you!

[Curson]

Hi counselorgene,

Welcome to Adlice.com Forum and thanks for your feedback.
This is really suspicious. Could you please follow the following process :

• Download Process Explorer and save it to your desktop.
  
• Click on the setup file (procexp64.exe) and select Run as Administrator to start the tool.
  
• Locate the process named wininit.exe, right click select Create Dump > Create Full Dump...
  
• Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
• Share the link in your next reply.

We will analyse what is really injected, and whitelist if needed.

Regards.

[counselorgene]

Hi Curson,

Thanks for getting back to me. I've done all this and here are links to the files on my google drive. I created a .ZIP and a .RAR just in case:

https://drive.google.com/file/d/0B5U9vVVDQn6iazYxa1V2anYyUGc/view (ZIP)
https://drive.google.com/file/d/0B5U9vVVDQn6idGRLMXA0a3VJWm8/view (RAR).

Let me know if you have any issues accessing or reading them.

Thanks for your help!

[Curson]

Hi counselorgene,

The injection is caused by Dr. Web. We will whitelist it as soon as possible.
However, I advice you to remove the [Root.Necurs] entries.
Could you please redo a scan in normal mode and attach RogueKiller report with your next reply ?

Regards.

[counselorgene]

Hi Curson,

Thanks for that info. I deleted the [Root.Necurs] entries. Here is what populates now. I believe this all related to Dr. Web, but maybe not. I ran the program in both Normal WIN operating conditions and Safe Mode. See the output below for both:

--------------------------------------------------------------------------------------------------------

Normal WIN Operating Conditions:

¤¤¤ Processes : 63 ¤¤¤
[Proc.Injected] wininit.exe(576) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(636) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(688) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(760) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(804) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(896) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(932) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(976) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(1000) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] igfxCUIService.exe(504) -- C:\Windows\System32\igfxCUIService.exe[7] -> Found
[Proc.Injected] svchost.exe(652) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(884) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] spoolsv.exe(1228) -- C:\Windows\System32\spoolsv.exe[-] -> Found
[Proc.Injected] svchost.exe(1252) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] armsvc.exe(1456) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[7] -> Found
[Proc.Injected] taskhostex.exe(1480) -- C:\Windows\System32\taskhostex.exe[7] -> Found
[Proc.Injected] explorer.exe(1584) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] AdminService.exe(1636) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe[-] -> Found
[Proc.Injected] officeclicktorun.exe(1656) -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[7] -> Found
[Proc.Injected] svchost.exe(1692) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dasHost.exe(1708) -- C:\Windows\System32\dasHost.exe[-] -> Found
[Proc.Injected] dwservice.exe(1744) -- C:\Program Files\DrWeb\dwservice.exe[7] -> Found
[Proc.Injected] svchost.exe(1772) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] HeciServer.exe(1860) -- C:\Program Files\Intel\iCLS Client\HeciServer.exe[7] -> Found
[Proc.Injected] Jhi_service.exe(1940) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[7] -> Found
[Proc.Injected] HotkeyUtility.exe(1532) -- C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe[7] -> Found
[Proc.Injected] RosettaStoneDaemon.exe(2164) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[7] -> Found
[Proc.Injected] svchost.exe(2272) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwengine.exe(2960) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[7] -> Found
[Proc.Injected] dwantispam.exe(2344) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwantispam.exe[7] -> Found
[Proc.Injected] dwarkdaemon.exe(2436) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[7] -> Found
[Proc.Injected] PresentationFontCache.exe(2520) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[7] -> Found
[Proc.Injected] svchost.exe(3232) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] SearchIndexer.exe(3304) -- C:\Windows\System32\SearchIndexer.exe[-] -> Found
[Proc.Injected] igfxHK.exe(3496) -- C:\Windows\System32\igfxHK.exe[7] -> Found
[Proc.Injected] igfxTray.exe(3504) -- C:\Windows\System32\igfxTray.exe[7] -> Found
[Proc.Injected] igfxEM.exe(3676) -- C:\Windows\System32\igfxEM.exe[7] -> Found
[Proc.Injected] BtvStack.exe(3928) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[-] -> Found
[Proc.Injected] RAVCpl64.exe(3960) -- C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[7] -> Found
[Proc.Injected] ActivateDesktop.exe(3976) -- C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe[-] -> Found
[Proc.Injected] dwwatcher.exe(4008) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwwatcher.exe[7] -> Found
[Proc.Injected] frwl_svc.exe(3936) -- C:\Program Files\DrWeb\frwl_svc.exe[7] -> Found
[Proc.Injected] dwnetfilter.exe(4128) -- C:\Program Files\DrWeb\dwnetfilter.exe[7] -> Found
[Proc.Injected] spideragent.exe(4136) -- C:\Program Files\DrWeb\spideragent.exe[7] -> Found
[Proc.Injected] ClassicStartMenu.exe(4336) -- C:\Program Files\Classic Shell\ClassicStartMenu.exe[-] -> Found
[Proc.Injected] netsession_win.exe(4360) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] netsession_win.exe(4456) -- C:\Users\Zoya\AppData\Local\Akamai\netsession_win.exe[7] -> Found
[Proc.Injected] CCleaner64.exe(4492) -- C:\Program Files\CCleaner\CCleaner64.exe[7] -> Found
[Proc.Injected] ArcServer.exe(4516) -- C:\Program Files (x86)\Acer Remote\ArcServer.exe[-] -> Found
[Proc.Injected] hpwuschd2.exe(4540) -- C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[7] -> Found
[Proc.Injected] wmplayer.exe(4636) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe[-] -> Found
[Proc.Injected] frwl_notify.exe(4648) -- C:\Program Files\DrWeb\frwl_notify.exe[7] -> Found
[Proc.Injected] firefox.exe(4444) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] firefox.exe(4832) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] DeviceDetector.exe(5368) -- C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe[-] -> Found
[Proc.Injected] RIconMan.exe(588) -- C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[-] -> Found
[Proc.Injected] IntuitUpdateService.exe(5496) -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe[7] -> Found
[Proc.Injected] LMS.exe(3792) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[7] -> Found
[Proc.Injected] NASvc.exe(5648) -- c:\Program Files (x86)\Nero\Update\NASvc.exe[7] -> Found
[Proc.Injected] UNS.exe(5624) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7] -> Found
[Proc.Injected] wmpnetwk.exe(2688) -- C:\Program Files\Windows Media Player\wmpnetwk.exe[-] -> Found
[Proc.Injected] drwupsrv.exe(6140) -- C:\Program Files\Common Files\Doctor Web\Updater\drwupsrv.exe[7] -> Found
[Proc.Injected] conhost.exe(2292) -- C:\Windows\System32\conhost.exe[-] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK



SAFE MODE:

¤¤¤ Processes : 14 ¤¤¤
[Proc.Injected] wininit.exe(464) -- C:\Windows\System32\wininit.exe[-] -> Found
[Proc.Injected] winlogon.exe(516) -- C:\Windows\System32\winlogon.exe[-] -> Found
[Proc.Injected] lsass.exe(576) -- C:\Windows\System32\lsass.exe[7] -> Found
[Proc.Injected] svchost.exe(648) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(688) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] dwm.exe(784) -- C:\Windows\System32\dwm.exe[-] -> Found
[Proc.Injected] svchost.exe(832) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(908) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(948) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(384) -- C:\Windows\explorer.exe[7] -> Found
[Proc.Injected] ctfmon.exe(376) -- C:\Windows\System32\ctfmon.exe[-] -> Found
[Proc.Injected] dllhost.exe(1220) -- C:\Windows\System32\dllhost.exe[7] -> Found
[Proc.Injected] WmiPrvSE.exe(1320) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found
[Proc.Injected] WmiPrvSE.exe(1800) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 7aa2b29e011ab8ad378df2d386190073
[BSP] b3b0a7523e12b5fb1cc53299d026348e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 937229 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1921142784 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922064384 | Size: 15361 MB
User = LL1 ... OK
User = LL2 ... OK



--------------------------------------------------------------------------------------------------------

Let me know what you think. Thank you!

[Curson]

Hi counselorgene,

Thanks for your feedback.
All these injections are made by Dr. Web software, so no need to worry about them.

Regards.

[counselorgene]

Thank you, Curson!

I will strongly consider buying the premium version of your software. While some entries were false positives, I appreciate that it did find some entrees that were viral.

Thanks again!