Author Topic: ==> Proc.Injected <==  (Read 101795 times)


Driver (Newbie)
Re: ==> Proc.Injected <==
« Reply #30 on: March 28, 2016, 03:12:37 PM »
Here is the log.

Curson (Global Moderator)
« Reply #31 on: March 28, 2016, 03:32:17 PM »
Hi Driver,

You are using an outdated version of RogueKiller.
Could you please download the latest version, redo a scan and attach the generated report in your next reply?

Regards.

Driver (Newbie)
« Reply #32 on: March 28, 2016, 05:58:07 PM »
New log.

Curson (Global Moderator)
« Reply #33 on: March 28, 2016, 06:09:13 PM »
Hi Driver,

The injection is caused by Crypto-Pro, which is legit.
We will whitelist it as soon as possible.

Do you know the following files:
Quote
C:\Users\Moa\AppData\Roaming\javaupd.exe
C:\Users\Moa\AppData\Local\Temp\agpiikow.sys
C:\Program Files (x86)\mIRC\mirc.exe
If not, I advise you to open a new thread in the Malware Removal section of the forum.

Regards.

Driver (Newbie)
« Reply #34 on: March 30, 2016, 06:19:21 PM »
I see, thanks.

Yes, I know these files, except agpiikow.sys, but it's not present in my system anymore.

Curson (Global Moderator)
« Reply #35 on: March 31, 2016, 03:20:00 PM »
Hi Driver,

You are welcome.
Thanks for the feedback.

Regards.

DaggerDave (Newbie)
« Reply #36 on: April 08, 2016, 05:06:26 PM »
Hello.

RogueKiller is reporting Proc.Injected for Clipmate.exe. Should I be concerned?

Link to zip containing dmp and log: https://www.dropbox.com/s/p74pwptzffr37gz/ClipMate.dmp.zip?dl=0

Thank you.

Curson (Global Moderator)
« Reply #37 on: April 11, 2016, 01:57:22 PM »
Hi DaggerDave,

Welcome to Adlice.com Forum.
Could you please copy/paste RogueKiller full report as well ?

Regards.

DaggerDave (Newbie)
« Reply #38 on: April 11, 2016, 03:22:57 PM »
Hi Curson,

Thanks for your help. 

Here are the contents of the text export of the report. I am not sure whether the .json export of the report that I included in the zip archive might provide you with more details.

Quote
RogueKiller V12.1.1.0 (x64) [Apr  4 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : F:\Users\David\Downloads\Programs\RogueKillerX64.exe
Mode : Scan -- Date : 04/08/2016 10:03:13

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] ClipMate.exe(10364) -- O:\Program Files (x86)\ClipMate7\ClipMate.exe -> Found


¤¤¤ Registry : 18 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AppSafe -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\ExpressFiles -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Lightspark Team -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\PIP -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WUDFRd (\SystemRoot\system32\DRIVERS\WUDFRd.sys) -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-960806728-1607608830-987004840-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy-nl.privateinternetaccess.com  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-960806728-1607608830-987004840-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy-nl.privateinternetaccess.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{36939f71-5de6-4be9-bbcb-7353241f72c7} | DhcpNameServer : 172.27.35.1 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8d862535-ff56-4dcc-adf7-e596795860d4} | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b0b3febb-ac5c-4c9f-afe2-b1f3b287dce8} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{df46461e-aaf3-4a0a-9a83-4ac6d1f4caea} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{36939f71-5de6-4be9-bbcb-7353241f72c7} | DhcpNameServer : 172.27.35.1 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8d862535-ff56-4dcc-adf7-e596795860d4} | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b0b3febb-ac5c-4c9f-afe2-b1f3b287dce8} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{df46461e-aaf3-4a0a-9a83-4ac6d1f4caea} | NameServer : 162.248.221.182,70.38.99.32 ([X][-])  -> Found

¤¤¤ Tasks : 3 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\AppCloudUpdater.job -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \AppCloudUpdater -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \DelayedItemsByChemtableSoftware\Send to OneNote -- "C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk" (/tsr) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 7 ¤¤¤
[PUP][CHROME:Addon] Default : EditThisCookie [fngmhnnpilhplaeedifhccceomclgfbg] -> Found
[PUP][CHROME:Addon] Default : Chromium browser automation [jmbmjnojfkcohdpkpjmeeijckfbebbon] -> Found
[PUP][CHROME:Addon] Default : Awesome Dictionary Widget [ANTP] [kdigjjbkpjljoknifbgaijaemafihhga] -> Found
[PUP][CHROME:Addon] Default : Awesome New Tab Page [mgmiemnjjchgkmgbeljfocdjjnpjnmcg] -> Found
[PUP][CHROME:Addon] Default : Click&Clean App [pdabfienifkbhoihedcgeogidfmibmhp] -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http", "209.240.134.74"); -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http_port", 80); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 +++++
--- User ---
[MBR] a7e800f69b4cb2500665500759a0a577
[BSP] e897dd8278912e0e2e18aad99cb66889 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 16065 | Size: 664124 MB
1 - Basic data partition | Offset (sectors): 1360143288 | Size: 404833 MB
2 - Basic data partition | Offset (sectors): 2189241810 | Size: 1136700 MB
3 - Basic data partition | Offset (sectors): 4517204902 | Size: 142310 MB
4 - Basic data partition | Offset (sectors): 4808656896 | Size: 513608 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD40E31X-00HY4A0 +++++
--- User ---
[MBR] 29c4d127450b4c0343ff25ed8f29e666
[BSP] 5d38ebc157718a81a78a39db4bd81b69 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 1883100 MB
2 - Basic data partition | Offset (sectors): 3856855040 | Size: 1668139 MB
3 - Basic data partition | Offset (sectors): 7273205760 | Size: 264075 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: ST3000DM001-1CH166 +++++
--- User ---
[MBR] 9e3cc1b6227003de1a2076ae3c805e83
[BSP] dd84239348de550d8f702fb1123363d6 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 228585 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: ADATA SX900 +++++
--- User ---
[MBR] e3854da19d52a76bcb4108a8de60e198
[BSP] 1535218b785a463a7343d6643ab38b68 : Empty|VT.Unknown MBR Code
Partition table:
0 -  | Offset (sectors): 40 | Size: 244198 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Generic- SM/xD Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive8: TRUSTED Mass Storage USB Device +++++
--- User ---
[MBR] 1bb36fb0db2124e6ef43a147496e1e5d
[BSP] 6bb52253c0292faa1444fc34eb5cf779 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - DROBO GPT PARTITION | Offset (sectors): 40 | Size: 16777088 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive9: Microsoft Virtual Disk +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 102270 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


Curson (Global Moderator)
« Reply #39 on: April 11, 2016, 05:10:06 PM »
Hi DaggerDave,

The injection is a false positive. We will whitelist it as soon as possible.

Quote
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http", "209.240.134.74"); -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http_port", 80); -> Found
Did you set this proxy yourself? If not, you can delete these entries.

Quote
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AppSafe -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\ExpressFiles -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Lightspark Team -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\PIP -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Found
[Suspicious.Path] %WINDIR%\Tasks\AppCloudUpdater.job -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
[Suspicious.Path] \AppCloudUpdater -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found
Those entries are PUPs. I advise you to delete them.

Regards.
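The report format DaggerDave posted above and the triage Curson applies to it (an injected process checked against a known-legitimate binary, proxy settings confirmed with the user, PUP entries removed) can be turned into a small script. The Python below is an added example written for this page; it is not RogueKiller's or Adlice's code. The section and finding line patterns are inferred from the reports quoted in this thread and are an assumption about the format, the action labels are this example's own, and the sample report is an abridged copy of DaggerDave's report with the section counts adjusted to the lines kept.

```python
"""Parse a RogueKiller text report and bucket its findings for triage.

Added example for this thread; it is not RogueKiller's own code.  The line
patterns below are inferred from the reports quoted in the thread and are an
assumption about the format, not a specification."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Section header, e.g. "¤¤¤ Registry : 18 ¤¤¤", "¤¤¤ Hosts File : 0 [Too big!] ¤¤¤"
# or "¤¤¤ MBR Check : ¤¤¤" (no count).
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s*:\s*(?P<count>\d+)?.*?¤¤¤\s*$")
# Finding line: one or more leading [Tag] groups, a detail, then "-> Found".
FINDING_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<detail>.*?)\s*->\s*(?P<status>\w+)\s*$")
TAG_RE = re.compile(r"\[([^\]]+)\]")

# Constructed sample: an abridged copy of the report posted in this thread.
SAMPLE_REPORT = r"""
RogueKiller V12.1.1.0 (x64) [Apr  4 2016] (Free) by Adlice Software

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] ClipMate.exe(10364) -- O:\Program Files (x86)\ClipMate7\ClipMate.exe -> Found

¤¤¤ Registry : 3 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AppSafe -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-960806728-1607608830-987004840-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy-nl.privateinternetaccess.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 162.248.221.182 70.38.99.32 ([X][-])  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\AppCloudUpdater.job -- C:\Users\David\AppData\Roaming\AppCloudUpdater\UpdateProc\UpdateTask.exe (/Check) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http", "209.240.134.74"); -> Found
[PUM.Proxy][FIREFX:Config] 0fpo3x59.default : user_pref("network.proxy.http_port", 80); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 +++++
"""


@dataclass
class Finding:
    section: str
    tags: list      # e.g. ["PUM.Proxy", "FIREFX:Config"]
    detail: str
    status: str


def parse_report(text):
    """Return {section name: [Finding, ...]} for every section header seen."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
            continue
        hit = FINDING_RE.match(line)
        if hit and current is not None:
            sections[current].append(Finding(current, TAG_RE.findall(hit.group("tags")),
                                             hit.group("detail"), hit.group("status")))
    return sections


def declared_counts(text):
    """Section counts as printed in the headers (headers without a count are skipped)."""
    counts = {}
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m and m.group("count") is not None:
            counts[m.group("name")] = int(m.group("count"))
    return counts


def count_mismatches(text):
    """Sections whose printed count differs from the finding lines actually parsed.
    A non-empty result means the pasted report was truncated or a line was missed."""
    parsed = parse_report(text)
    return {name: (n, len(parsed.get(name, []))) for name, n in declared_counts(text).items()
            if len(parsed.get(name, [])) != n}


def triage_action(finding):
    """Map a finding to the follow-up the moderator applied to each category in this
    thread.  The action labels are this example's own (assumption)."""
    primary = finding.tags[0].split("|")[0]   # "Proc.Injected|Proc.RunPE" -> "Proc.Injected"
    if primary.startswith("Proc."):
        return "verify-process"   # confirm the image is a known application; may be a false positive
    if primary == "PUM.Proxy":
        return "confirm-proxy"    # keep only if the user set the proxy deliberately
    if primary == "PUM.Dns":
        return "confirm-dns"      # confirm the resolvers are the expected ones
    if primary in ("PUP", "Suspicious.Path"):
        return "remove-pup"       # potentially unwanted program: remove
    return "review"


def triage(sections):
    """Group all findings by triage action."""
    buckets = defaultdict(list)
    for findings in sections.values():
        for f in findings:
            buckets[triage_action(f)].append(f)
    return dict(buckets)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for action, items in sorted(triage(report).items()):
        print(f"{action}: {len(items)}")
        for f in items:
            print(f"  [{'|'.join(f.tags)}] {f.detail}")
    print("count mismatches:", count_mismatches(SAMPLE_REPORT))
```

Run it as a script to see the buckets for the sample, or pass a full pasted report to `parse_report`; `count_mismatches` is worth running first, since a copy/paste that drops lines (the forum's own quoting shows how easily a `-> Found` ends up on its own line) is otherwise invisible.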

planetboris (Newbie)
« Reply #40 on: November 08, 2016, 02:56:27 AM »
Hi Tigzy, I have zipped the .dmp file from ProcessHacker regarding my repeated Proc.Injected detections by RogueKiller; here is the link:
 
http://www.filedropper.com/processhackerexe

Looking forward to your analysis.

Here is the report from the most recent RK scan (it no longer detects the Proc.Injected processes):

RogueKiller V12.8.0.0 (x64) [Nov  7 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Client [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 11/07/2016 21:01:16 (Duration : 00:22:47)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f5360646-7351-40e3-9350-ddd70472812e} | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A SCSI Disk Device +++++
--- User ---
[MBR] aa4fbfb426fcf5267b120e2e5d8e11d8
[BSP] 143fdc32b0aa50c7e931aecb7d91ff29 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 927815 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1900167168 | Size: 450 MB
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 1901090816 | Size: 25599 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD3202ABYS-01B7A0 +++++
--- User ---
[MBR] 96c730a9420de6f531c48a026eb3890c
[BSP] 6a4cdbb4432ea14b8cbaef9136369d0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 304207 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Best regards
DD

« Last Edit: November 08, 2016, 03:29:03 AM by planetboris »

Curson (Global Moderator)
« Reply #41 on: November 08, 2016, 03:10:05 PM »
Hi planetboris,

Welcome to Adlice.com Forum.
Since the [Proc.Injected] element is no longer detected in the latest version of RogueKiller, that means it was a false positive which is now fixed.
Don't hesitate to post a new log if the detection shows up again.

Regards.

BrokenPerson (Newbie)
« Reply #42 on: November 02, 2017, 10:59:30 AM »
I hope I did this right. The dump is massive, sorry. I can just put it up. However, I "zipped it" because it was so big.
 
https://drive.google.com/file/d/0B_nYg3QQRwsDaW1oeEozSm1RMGM/view?usp=sharing
From the RK log: ¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected|Proc.RunPE] Wow-64.exe(4756) -- C:\Program Files (x86)\World of Warcraft\Wow-64.exe[7] -> Found

System: Win 10 x64; 8 MB RAM

I've had a problem with my computer as a whole; I just posted in another thread. It runs sluggish/slow, like something is eating resources. It is random, though over the last 6+ months more frequent. I am 50% confident this problem is magnified (more common) when I run the above game. The Task Manager disk usage goes up to 100% when I load a new process/program and "hangs"/stays there like something is going on, but it is not; all I am doing is playing a game, working or on the net. While playing the above game the disk usage frequently spikes too (it happens with WOW more frequently, when initially loaded or during play). I contacted Microsoft directly as this 100% disk usage is a known issue. One of their technicians "took over" my computer for about an hour. They said the hardware was fine. The MS tech assured me the problem was fixed. It still exists. My computer is essentially useless when this happens and it is happening fairly frequently. My computer is lagging, just like something else is using it too. I do not know if these 2 issues are correlated. Though, I am confident the problem is more frequent when playing this game.

I know on this site, they talk about injections: http://www.blizzhackers.cc

If the two are not related (RK's finding and the computer running slow), I still need help. My computer after a long time is becoming unusable. Not sure what to
« Last Edit: November 02, 2017, 11:04:21 AM by BrokenPerson »

Curson (Global Moderator)
« Reply #43 on: November 02, 2017, 02:14:29 PM »
Hi BrokenPerson,

Thanks for your feedback.
Let's continue on your thread.

Regards.

BoxDirty (Newbie)
« Reply #44 on: November 13, 2017, 01:54:52 AM »
Hey,

RogueKiller is giving a Proc.Injected for 3 processes: Regasm, vbc.exe and notepad.exe.

In this Google Drive folder you can find all 3 dumps created with Process Hacker: https://drive.google.com/drive/folders/1xg5bB5N04wjLh7kL2QVZJeDmUbSrnWd_

Thanks a lot.