Author Topic: ==> Proc.Injected <==  (Read 101796 times)

0 Members and 2 Guests are viewing this topic.

November 14, 2014, 09:51:58 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
==> Proc.Injected <==
« on: November 14, 2014, 09:51:58 AM »
Hello,
If you encounter this detection, this can mean several things:

- A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
- Your antivirus injecting your processes to protect you (in theory).

To know what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:
Let's say you have [Proc.Injected] some_process.exe -- C:/path_to_parent_some_process.exe

- Download Process Hacker: http://processhacker.sourceforge.net/downloads.php
- Install it, launch it
- Find the process above
- Right click on it => Create dump (on the desktop)
- Zip the file (winzip, winrar, 7zip)
- Host it anywhere you want (Google Drive, Dropbox, ...) Make sure it's public.
- Put the link here.

We will analyse what is really injected, and whitelist if needed.


« Last Edit: November 16, 2014, 11:35:19 PM by Tigzy »

Reply #1November 15, 2014, 02:01:30 AM

schmidtrg

  • Guest
Re: ==> Proc.Injected <==
« Reply #1 on: November 15, 2014, 02:01:30 AM »
And you might try booting into safe mode and try running it.

Reply #2December 09, 2014, 03:34:34 PM

Ourko

  • Guest
Re: ==> Proc.Injected <==
« Reply #2 on: December 09, 2014, 03:34:34 PM »
Hi,

We have an infection with Proc.injected in svchost.exe and explorer.exe.
Roguekiller only found something, but processus came back at each logon.

https://drive.google.com/file/d/0B43o-k4ki3t4cVlUaUhrb0xraG8/view?usp=sharing

https://drive.google.com/file/d/0B43o-k4ki3t4ZFItYi13WE5LMlE/view?usp=sharing

I have the rapport too, if you need it : to see the hook.IEAT in explorer.exe.

Best regards.

Reply #3December 09, 2014, 05:40:30 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: ==> Proc.Injected <==
« Reply #3 on: December 09, 2014, 05:40:30 PM »
Hello
I'd like the report as well please :)

@Ourko, I don't have access to some memory segments, are you sure you took a full dump?
« Last Edit: December 09, 2014, 05:52:48 PM by Tigzy »

Reply #4December 09, 2014, 11:25:42 PM

Ourko

  • Guest
Re: ==> Proc.Injected <==
« Reply #4 on: December 09, 2014, 11:25:42 PM »
I redo the "Create dump file" from the exe but with the administrator, and not a user with admin rights.

I join 2 reports too.
Thanks.

https://drive.google.com/file/d/0B43o-k4ki3t4YjU1UGZOaXJkRW8/view?usp=sharing
https://drive.google.com/file/d/0B43o-k4ki3t4UUJSMkRvTmRzcjg/view?usp=sharing
https://drive.google.com/file/d/0B43o-k4ki3t4QkpFempNSW5BY1E/view?usp=sharing
https://drive.google.com/file/d/0B43o-k4ki3t4bmNfU3VZbkgyYnM/view?usp=sharing

PS: je viens de voir qu'on pouvait parler en français :-)
Est ce que je dois ouvrir un post pour de l'aide au "nettoyage" ?
« Last Edit: December 10, 2014, 09:16:46 AM by Ourko »

Reply #5February 11, 2015, 04:17:00 AM

k9le

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ==> Proc.Injected <==
« Reply #5 on: February 11, 2015, 04:17:00 AM »
Hi

RogueKiller has detected a Proc.injected  infection in DVDFab.exe

I have created dump file and report is below.
Could this be checked if it is a real infection?
Thankyou

https://drive.google.com/file/d/0B9TNFYkJVdqjOFZsdEpSU3hOWTA/view?usp=sharing
https://drive.google.com/file/d/0B9TNFYkJVdqjQXlVQ0ZIVWx5bTg/view?usp=sharing

Reply #6February 11, 2015, 09:01:47 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ==> Proc.Injected <==
« Reply #6 on: February 11, 2015, 09:01:47 PM »
Hi k9le,

Welcome to Adlice.com Forum.
The injection is not malicious. This will be fixed in the next release of RogueKiller.

Regards.

Reply #7March 06, 2015, 09:19:41 PM

zylicyde

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: ==> Proc.Injected <==
« Reply #7 on: March 06, 2015, 09:19:41 PM »
Hello,

Please advise if the injection in ekrn.exe (ESET Endpoint Antivirus) is malicious or not. The dump file is below.

https://dl.dropboxusercontent.com/u/2700674/ekrn.exe.zip

Thanks!

Reply #8March 12, 2015, 04:36:10 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ==> Proc.Injected <==
« Reply #8 on: March 12, 2015, 04:36:10 PM »
Hi zylicyde,

Welcome to Adlice.com Forum.
The injection is not malicious. This will be fixed in the next release of RogueKiller.

Regards.

Reply #9August 07, 2015, 06:59:04 AM

dimitri33

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: ==> Proc.Injected <==
« Reply #9 on: August 07, 2015, 06:59:04 AM »
hello
my computer is infected proc.injected
every time i reboot my computer they come back almost all the frequently used processes
the sharing folder contain the roguekiller report and explorer.exe dump
https://drive.google.com/open?id=0Bx3bbqeWRXLYflVyMklkUzhXZTFrZFFCZmpFQkE4cVFzNFNvd0lRMlNOdnBVdGR0M3Y4TW8

Reply #10August 07, 2015, 01:54:12 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ==> Proc.Injected <==
« Reply #10 on: August 07, 2015, 01:54:12 PM »
Hi dimitri33,

Welcome to Adlice.com Forum.
The dump you provided will be analyzed as soon as possible. I will keep you informed of the results.

Regards.

Reply #11August 07, 2015, 10:07:39 PM

dimitri33

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: ==> Proc.Injected <==
« Reply #11 on: August 07, 2015, 10:07:39 PM »
thanks "curson" iam waiting
can you give me a short explanation about the proc.injected ....is that mean iam under a hacker control? how could do that by a file or open port ?
i want to trace the hacker if its possible
thanks

Reply #12August 10, 2015, 02:07:30 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ==> Proc.Injected <==
« Reply #12 on: August 10, 2015, 02:07:30 PM »
Hi dimitri33,

The [Proc.Injected] detection means that the specified process running context has been altered in such a way such process could execute external code.
It is frequently used by antivirus softwares for protection purposes.

At first sight, the injection on your computer doesn't seem to be malware related. Please be patient.

Regards.

Reply #13August 11, 2015, 06:09:27 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: ==> Proc.Injected <==
« Reply #13 on: August 11, 2015, 06:09:27 PM »
Hi dimitri33,

The injection on your system is caused by SpyShelter Anti-Keylogger.
We will withelist it as soon as possible.

Regards.

Reply #14August 12, 2015, 07:31:01 PM

dimitri33

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: ==> Proc.Injected <==
« Reply #14 on: August 12, 2015, 07:31:01 PM »
thanks curson
thats mean iam not hacked by someone ?
is there a way to be sure of that?
what is the best way to detect if someone spy on me or have acces on my computer?
do you propose any training or formation in this forum or by videos?