« previous next »
Pages: [1]

Author Topic: Are these false positives or malware?  (Read 8508 times)

0 Members and 1 Guest are viewing this topic.

January 27, 2015, 07:15:54 PM

fingerbang

  • Newbie
  • Offline
  • *
  • 2
  • Reputation:
    0
    • View Profile
Are these false positives or malware?
« on: January 27, 2015, 07:15:54 PM »
There's a number of injected system processes showing up in the scan, but no abnormal system behavior.


Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User :  [Administrator]
Mode : Scan -- Date : 01/23/2015  08:36:48

¤¤¤ Processes : 40 ¤¤¤
[Proc.Injected] smss.exe(300) -- C:\Windows\System32\smss.exe
  • -> [NoKill]
[Proc.Injected] services.exe(536) -- C:\Windows\system32\services.exe
  • -> [NoKill]
[Proc.Injected] winlogon.exe(572) -- C:\Windows\system32\winlogon.exe
  • -> [NoKill]
[Proc.Injected] lsm.exe(592) -- C:\Windows\system32\lsm.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(724) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(800) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] MsMpEng.exe(876) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe[7] -> Killed [TermThr]
[Proc.Injected] svchost.exe(1000) -- C:\Windows\System32\svchost.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(420) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(440) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(1044) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(1264) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] spoolsv.exe(1400) -- C:\Windows\System32\spoolsv.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(1524) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] armsvc.exe(1720) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[7] -> Killed [TermProc]
[Proc.Injected] remoting_host.exe(1764) -- C:\Program Files (x86)\Google\Chrome Remote Desktop\40.0.2214.44\remoting_host.exe[7] -> Killed [TermProc]
[Proc.Injected] remoting_host.exe(1828) -- C:\Program Files (x86)\Google\Chrome Remote Desktop\40.0.2214.44\remoting_host.exe[7] -> Killed [TermProc]
[Proc.Injected] ccSvcHst.exe(1896) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] svchost.exe(1984) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] Smc.exe(2008) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe[7] -> Killed [DrvNtTerm]
[Proc.Injected] svchost.exe(2384) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] WmiPrvSE.exe(2476) -- C:\Windows\system32\wbem\wmiprvse.exe[7] -> Killed [TermProc]
[Proc.Injected] unsecapp.exe(2728) -- C:\Windows\system32\wbem\unsecapp.exe[7] -> Killed [TermProc]
[Proc.Injected] taskhost.exe(1824) -- C:\Windows\system32\taskhost.exe[7] -> Killed [TermProc]
[Proc.Injected] explorer.exe(3112) -- C:\Windows\Explorer.EXE[7] -> Killed [TermProc]
[Proc.Injected] NisSrv.exe(3216) -- c:\Program Files\Microsoft Security Client\NisSrv.exe[7] -> Killed [TermThr]
[Proc.Injected] igfxtray.exe(4068) -- C:\Windows\System32\igfxtray.exe[7] -> Killed [TermProc]
[Proc.Injected] hkcmd.exe(4076) -- C:\Windows\System32\hkcmd.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxsrvc.exe(3104) -- C:\Windows\system32\igfxsrvc.exe[7] -> Killed [TermProc]
[Proc.Injected] igfxpers.exe(208) -- C:\Windows\System32\igfxpers.exe[7] -> Killed [TermProc]
[Proc.Injected] RAVCpl64.exe(160) -- C:\Windows\RAVCpl64.exe[7] -> Killed [TermProc]
[Proc.Injected] msseces.exe(1668) -- C:\Program Files\Microsoft Security Client\msseces.exe[7] -> Killed [TermProc]
[Proc.Injected] chrome.exe(3380) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Killed [TermProc]
[Proc.Injected] chrome.exe(3416) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Killed [TermProc]
[Proc.Injected] SearchIndexer.exe(1244) -- C:\Windows\system32\SearchIndexer.exe
  • -> [NoKill]
[Proc.Injected] svchost.exe(1120) -- C:\Windows\system32\svchost.exe
  • -> [NoKill]
[Proc.Injected] OUTLOOK.EXE(4408) -- C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[7] -> Killed [TermProc]
[Proc.Injected] OSPPSVC.EXE(512) -- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[7] -> Killed [TermProc]
[Proc.Injected] taskmgr.exe(5188) -- C:\Windows\system32\taskmgr.exe[7] -> Killed [TermProc]
[Proc.Injected] svchost.exe(2432) -- C:\Windows\System32\svchost.exe
  • -> [NoKill]


¤¤¤ Registry : 24 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 169.80.16.2 192.168.204.106 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 169.80.16.2 192.168.204.106 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 169.80.16.2 192.168.204.106 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F74B6C16-5CF2-4318-A2A2-2FEF8EDB38F8} | DhcpNameServer : 169.80.16.2 192.168.204.106 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F74B6C16-5CF2-4318-A2A2-2FEF8EDB38F8} | DhcpNameServer : 169.80.16.2 192.168.204.106 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F74B6C16-5CF2-4318-A2A2-2FEF8EDB38F8} | DhcpNameServer : 169.80.16.2 192.168.204.106 [UNITED STATES (US)]  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4149722265-3032864532-656172690-1277\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3160815AS ATA Device +++++
--- User ---
[MBR] 49c5b8eac8fb27b3e29d485e56e4ca1f
[BSP] ae1559bf7f2f38fd050f58bade7ecb20 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 152485 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_01222015_152611.log - RKreport_DEL_01232015_073132.log - RKreport_SCN_01222015_152435.log - RKreport_SCN_01222015_153007.log
RKreport_SCN_01232015_073016.log - RKreport_SCN_09292014_084708.log - RKreport_SCN_11052014_073753.log
Logged
Reply #1January 28, 2015, 08:19:18 PM

Curson

  • Global Moderator
  • Hero Member
  • Offline
  • *****
  • 2809
  • Reputation:
    100
    • View Profile
Re: Are these false positives or malware?
« Reply #1 on: January 28, 2015, 08:19:18 PM »
Hi fingerbang,

Welcome to Adlice.com Forum.

The [Proc.Injected] detection could be triggered by two things : 
  • A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
  • Your antivirus injecting your processes to protect you (in theory).
To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following :

1. Process Dump
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named smss.exe, right click select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
  • Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.

Regards.
Logged
Reply #2January 29, 2015, 01:19:07 PM

fingerbang

  • Newbie
  • Offline
  • *
  • 2
  • Reputation:
    0
    • View Profile
Re: Are these false positives or malware?
« Reply #2 on: January 29, 2015, 01:19:07 PM »
Logged
Reply #3January 29, 2015, 05:33:43 PM

Curson

  • Global Moderator
  • Hero Member
  • Offline
  • *****
  • 2809
  • Reputation:
    100
    • View Profile
Re: Are these false positives or malware?
« Reply #3 on: January 29, 2015, 05:33:43 PM »
Hi fingerbang,

The process dump will be analysed and we will get back to you as soon as possible.

Regards.
Logged
Reply #4February 11, 2015, 08:59:20 PM

Curson

  • Global Moderator
  • Hero Member
  • Offline
  • *****
  • 2809
  • Reputation:
    100
    • View Profile
Re: Are these false positives or malware?
« Reply #4 on: February 11, 2015, 08:59:20 PM »
Hi fingerbang,

The injection was nothing malicious. This will be fixed in the next release of RogueKiller.
Your computer is clean.

Regards.
Logged
Pages: [1]
« previous next »