Proc.injected problem

[Dacynic]

Hi, i encounter some process problems. Roguekiller is the only one to find them and seems unable to remove them (if i suppress them they'll be back on reboot)
Kapersky internet security updated don't find anything / same for adw cleaner (ESET was running during the scan) but chrome is still detected without.
Seems to have a Kernel Filter too, don't know what to do.

Do you have any idea if this could be dangerous  ?


RogueKiller V10.0.6.0 (x64) [Nov 13 2014] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : User [Administrateur]
Mode : Scan -- Date : 11/13/2014  15:26:52

¤¤¤ Processus : 14 ¤¤¤
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] OnlineScannerApp.exe -- C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] OnlineCmdLineScanner.exe -- C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]

¤¤¤ Registre : 11 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\User\AppData\Local\Temp\ALSysIO64.sys) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\User\AppData\Local\Temp\ALSysIO64.sys) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\User\AppData\Local\Temp\ALSysIO64.sys) -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3008633674-1782314241-3082565000-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activation.guitar-pro.com

¤¤¤ Antirootkit : 2 (Driver: Chargé) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\Disk @ \Device\Harddisk1\DR1 (\SystemRoot\System32\Drivers\TPkd.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP0T0L0-0 : \Driver\Disk @ \Device\Harddisk0\DR0 (\SystemRoot\System32\Drivers\TPkd.sys)

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 EVO 250GB ATA Device +++++
--- User ---
[MBR] a85e6aebf444ad6fdb07f8e853f7de93
[BSP] 1dc3e42febfdab50dae4996149c3a840 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST2000DM001-1CH164 ATA Device +++++
--- User ---
[MBR] 0a0d7cceed47d57883d2076fb663cb67
[BSP] 4fc3fa4cff3dcde110648bedb6f9c574 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WIKO Mass Storage USB Device +++++
Error reading User MBR! ([15] Le périphérique n?est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n?est pas prise en charge. )

+++++ PhysicalDrive3: WIKO Mass Storage USB Device +++++
Error reading User MBR! ([15] Le périphérique n?est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n?est pas prise en charge. )


============================================
RKreport_DEL_08152014_121129.log - RKreport_DEL_08152014_121241.log - RKreport_DEL_10272014_153725.log - RKreport_DEL_11132014_003222.log
RKreport_DEL_11132014_003343.log - RKreport_DEL_11132014_135512.log - RKreport_DEL_11132014_141616.log - RKreport_DEL_11132014_141617.log
RKreport_DEL_11132014_141618.log - RKreport_DEL_11132014_151154.log - RKreport_SCN_08152014_121113.log - RKreport_SCN_08152014_121222.log
RKreport_SCN_10272014_153604.log - RKreport_SCN_11132014_003050.log - RKreport_SCN_11132014_003333.log - RKreport_SCN_11132014_135339.log
RKreport_SCN_11132014_141543.log - RKreport_SCN_11132014_143032.log - RKreport_SCN_11132014_151027.log

didn't find any andwer on the forum, i hope you can help me !

Thanks

[Tigzy]

Hello,
that's something we are working on.

[Tigzy]

Ok, can't reproduce.
Could you please make a dump of

C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe[7]
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

with Process Hacker, and zip them into an archive?
Then host it somewhere (google drive?) and put the link here

[Dacynic]

Here you go

https://www.dropbox.com/s/6eb9fyksyug9lrp/Chrome%20and%20OnlineScannerAPP_dump.rar?dl=0

Might be a false positive or something harmfull ?
What about the Kernel filter ?

Thanks again !

[Tigzy]

Can be anything... I suspect your antivirus that injecting its code in Chrome :p
Kernel filter is probably a false positive, looks related to Adobe: http://www.fichier.net/processus/tpkd.sys.html

[Dacynic]

Hmmmm more problem now : steamwebhelper and spotifywebhelper present the same problem.

¤¤¤ Processus : 18 ¤¤¤
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] steamwebhelper.exe -- C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] SpotifyHelper.exe -- C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] SpotifyHelper.exe -- C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] SpotifyHelper.exe -- C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] uTorrent.exe -- C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]
[Proc.Injected] chrome.exe -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Tué(e) [TermProc]


I'm using Kapersky internet security 14.0.0.4651 (h) signature 7916663
I can upload make a dump if you need.

Not all process seems to been detected as proc.injected (ableton / games)

Thanks again for your amazing work.

[Tigzy]

I think they are injected with the same stuff. I'll take a look tomorrow.

[Dacynic]

anything new ?

[Tigzy]

Sorry, yes that's fixed, waiting to be in the next version.
It's Kaspersky