Author Topic: ==> Proc.Injected <==  (Read 101784 times)


Reply #45 on: November 13, 2017, 01:20:15 PM

Curson

  • Global Moderator
  • Hero Member

Hi BoxDirty,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller report? Are you doing active development on your computer (VB or C#, especially)?

Regards.

Reply #46 on: November 13, 2017, 08:23:16 PM

BoxDirty

  • Newbie

Hey Curson,

Thanks a lot, and I uploaded the RogueKiller report into the same Google Drive link: https://drive.google.com/drive/folders/1xg5bB5N04wjLh7kL2QVZJeDmUbSrnWd_
I wasn't sure what you wanted exactly so I added anything I could :D and no, no development is being done on that computer.

Reply #47 on: November 13, 2017, 11:53:28 PM

Curson

Hi BoxDirty,

These are not legit injections. Your computer is infected.
Please open a new thread in the Malware removal section of the forum. I will then help you to get rid of it.

Regards.

Reply #48 on: January 10, 2018, 01:12:51 PM

Curson

Hi tienchien1,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller report with your next reply?

Regards.

Reply #49 on: January 10, 2018, 05:16:22 PM

Curson

Hi tienchien1,

PUM detections are not necessarily malicious. Here, they match the MSN search engine and so are legit.
The [Proc.Injected] detection is not present in your report. Could you please restart your computer, redo a scan and post the report with your next reply?

Regards.

Reply #50 on: January 13, 2018, 02:11:45 PM

Curson

Hi tienchien1,

The injected executable is the Battlefield 1 main executable. Since it's a very large file, it will be difficult.
Did you install any mod or hacking software? If that's not the case, I think it's Origin's anticheat feature being detected.

Regards.

Reply #51 on: January 15, 2018, 01:40:48 PM

Curson

Hi tienchien1,

Yes, if it's an infection a full system reformat will get rid of it.
However, since this is the only injected process, I really doubt there is an infection.

Regards.

Reply #52 on: March 05, 2018, 03:12:45 AM

Reply #53 on: March 07, 2018, 02:23:04 PM

Curson

Hi Booky Banton,

Welcome to Adlice.com Forum.
These injections are legit, we will whitelist them as soon as possible.

Regards.

Reply #54 on: April 04, 2018, 01:22:39 PM

Siddharth Kumar

  • Newbie

Hi!
Today I ran a scan with RogueKiller and it found explorer.exe as Proc.Infected.
I'm giving a link to the RogueKiller log and explorer.exe dmp file. Kindly analyse it ASAP and let me know.
https://www.sendspace.com/file/0lc8zj
https://www.sendspace.com/file/py4l6w

Regards,
Siddharth

Reply #55 on: April 04, 2018, 08:03:00 PM

Curson

Hi Siddharth,

Welcome to Adlice.com Forum.
Could you please relaunch RogueKiller, delete the [Adw.Butler] and [Adw.FastDataX] entries, then reboot your computer and check if explorer.exe is still injected?

Regards.

Reply #56 on: April 05, 2018, 12:06:32 PM

Siddharth Kumar

After rebooting, I ran a scan with RogueKiller and it did not detect explorer as Proc.Infected. So can you tell me if removing the other entries can remove Proc.Infected?

Reply #57 on: April 05, 2018, 03:35:14 PM

Curson

Hi Siddharth,

In this case, Adw.Butler implemented a driver which was responsible for the injection on explorer.exe.
Since RogueKiller removed the driver, explorer.exe is no longer injected.

Regards.

Reply #58 on: April 17, 2018, 05:12:16 AM

Miklo

  • Newbie

NEW UPDATES: Regarding the Warning/Virus: [Proc.Injected] within [svchost.exe] File!



This is a re-edited Topic. I Created a Topic earlier and needed help regarding this type of Virus. I was not sure if my Computer was Infected or not....

Hello Everyone.  I was finally able to get rid of the Virus/Warning [Proc.Injected] within [svchost.exe] File by Replacing the Windows System Files with a fresh set of files from My Windows Installations CD. In case someone else had the same problem, then this is how I fixed mine.

Please know that I DO NOT recommend using this method. Mainly because your Windows might fail to Restart, as mine did. There are probably better ways to replace your Windows System Files. In my case I had no other choice.

1. So based on the main topic, I used "Process Hacker" Software to detect the Process above the Infected filename svchost.exe. Such as:

- The Process above the infected svchost.exe file was called services.exe
- And the Process above services.exe was called: wininit.exe

I suspected that one of the following files seen below was causing the Infection:

C:\Windows\System32\wininit.exe
C:\Windows\System32\services.exe
C:\Windows\System32\svchost.exe

2. I basically replaced all 3 files using a fresh set from my Windows Installation CD, and through the Command Line. But this did not come easy. After replacing the files, my Windows failed to restart.

3. I had to use the Windows "Startup Repair" Option from the Installations CD.  After the Repair was Complete my windows started totally fine.

4. I then ran a Final Scan using "RogueKiller". And finally the "Proc.Injected" svchost.exe virus was completely gone.

I really hope that this could help someone else. But as I mentioned above. Please DO NOT attempt using this method for Replacing your Windows System Files. Please use a different way. Thank you.

PS, I wanna send a huge thanks to the Adlice Team for their hard work and support within the forums. If it wasn't for this Topic and RogueKiller, I would probably have been infected for a very long time. So Thank you again!
« Last Edit: April 17, 2018, 10:22:26 PM by Miklo »
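
Added example, not part of Miklo's post and not Adlice or RogueKiller code: the parent chain traced in step 1 (svchost.exe under services.exe under wininit.exe, all in C:\Windows\System32) can be checked mechanically on a process snapshot. The snapshot below is constructed sample data and the function names are hypothetical; the check flags look-alike processes by image path and parent, and says nothing about code injected into the memory of a genuine process.

```python
import ntpath  # Windows path rules, usable on any OS

SYSTEM32 = r"c:\windows\system32"
# Expected parent image for each process in the chain from step 1.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "services.exe": "wininit.exe"}
WATCHED = set(EXPECTED_PARENT) | set(EXPECTED_PARENT.values())

# Constructed snapshot: pid -> (parent pid, image path).
SNAPSHOT = {
    512: (404, r"C:\Windows\System32\wininit.exe"),  # parent 404 already exited
    620: (512, r"C:\Windows\System32\services.exe"),
    904: (620, r"C:\Windows\System32\svchost.exe"),
    2100: (2050, r"C:\Windows\explorer.exe"),
    3144: (2100, r"C:\Users\Public\svchost.exe"),     # look-alike name
}

def image(path):
    """Return (lower-cased directory, lower-cased file name) of an image path."""
    return ntpath.split(ntpath.normcase(path))

def ancestry(pid, snapshot):
    """Image names from pid up to the oldest ancestor still in the snapshot."""
    chain, seen = [], set()
    while pid in snapshot and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        pid, path = snapshot[pid]
        chain.append(image(path)[1])
    return chain

def findings(pid, snapshot):
    """List what is wrong with one watched process (empty list if nothing)."""
    ppid, path = snapshot[pid]
    directory, name = image(path)
    if name not in WATCHED:
        return []
    out = []
    if directory != SYSTEM32:
        out.append(f"{name} runs from {directory}, expected {SYSTEM32}")
    want = EXPECTED_PARENT.get(name)
    if want:
        parent = image(snapshot[ppid][1])[1] if ppid in snapshot else "<exited>"
        if parent != want:
            out.append(f"{name} has parent {parent}, expected {want}")
    return out

def audit(snapshot):
    """Map pid -> findings, only for processes with at least one finding."""
    report = {pid: findings(pid, snapshot) for pid in snapshot}
    return {pid: f for pid, f in report.items() if f}

if __name__ == "__main__":
    for pid, problems in audit(SNAPSHOT).items():
        print(pid, " <- ".join(ancestry(pid, SNAPSHOT)), problems)
```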

Reply #59 on: April 17, 2018, 10:13:00 PM

Curson

Hi Miklo,

Welcome to Adlice.com Forum and thanks for your extended feedback.
There was indeed an odd injection into svchost.exe. The method you used to get rid of it is quite convoluted but thanks to your detailed explanations, I'm sure it can benefit some users.

Using the dumps you gave us, we will be able to analyse the injection in depth.
Also, thanks for the kind words, this is appreciated.

Regards.