Adlice.com
Adlice forum » Software feedback » RogueKiller » Unsure of results in report

Topic: Unsure of results in report (Read 8364 times)
Unsure of results in report
BrewIT (Newbie), March 11, 2015, 04:52:18 PM
I'd like some advice on what to do with these findings. Most look like system files to me in the processes, but it states known malware.
Please see attached report
Thank you
Bob
Last Edit: March 11, 2015, 09:04:53 PM by BrewIT
Reply #1, Curson (Global Moderator), March 11, 2015, 11:19:38 PM
Hi BrewIT,
Welcome to Adlice.com Forum.

The [Proc.Injected] detection could be triggered by two things:
- A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
- Your antivirus injecting your processes to protect you (in theory).

To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:

1. Process Dump
Download Process Explorer and save it to your desktop.
Click on the setup file (procexp.exe) and select "Run as Administrator" to start the tool.
Locate the process named smss.exe, right-click and select "Create Dump > Create Full Dump...".
Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.

2. MBR Dump
The MBR on your computer seems nonstandard.
Unknown MBRs are dumped into %programdata%/RogueKiller/debug/.
Please locate this folder and attach it on your next post (you need to zip it first).

3. TDSSKiller
Please download TDSSKiller and save it to your Desktop.
Double-click on TDSSKiller.exe to run the application, then click on "Change parameters".
Check "Loaded Modules" and "Detect TDLFS file system".
If you are asked to reboot because an "Extended Monitoring Driver is required", please click "Reboot now".
Click "Start Scan" and allow the scan process to run.
If threats are detected, select "Skip" for all of them unless I instruct you otherwise.
Click "Continue".
Click "Reboot computer".
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Regards.
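The [Proc.Injected] triage Curson describes (working out whether the code sitting in smss.exe belongs to the antivirus or to something unknown) comes down to walking the process's memory regions: an image-backed region is judged by the file it maps and who signed it, while executable memory with no backing file is the classic footprint of injected code. The block below is an added example written for this thread, not RogueKiller's or Process Explorer's code. It applies those heuristics to a constructed region list in the shape a VirtualQueryEx walk or a minidump memory-info stream would give; the paths, signer names and the TRUSTED_SIGNERS allowlist are assumptions, and on a real dump the signer must be confirmed from the file's Authenticode signature rather than taken from a string.

```python
"""Triage heuristics for a [Proc.Injected] hit: classify the memory regions of a
dumped process to separate a security product's injected module from unknown
injected code. Added example for this thread, not RogueKiller's or Process
Explorer's code; the region list and signer names below are constructed."""

# Memory state / type / protection constants from winnt.h
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_PROTECTS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE* values

# Assumed allowlist of Authenticode signers whose modules you expect inside
# system processes (Symantec is listed because that is the AV on the machine
# in this thread). These names are assumptions: verify the signer with
# Get-AuthenticodeSignature or sigcheck before relying on the string.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "Symantec Corporation"}
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")


def classify_region(region):
    """Return (verdict, reason) for one region.

    region keys: base, size, state, type, protect, image (backing file path or
    None) and signer (Authenticode signer of that file, or None)."""
    if region["state"] != MEM_COMMIT:
        return "skip", "region not committed"
    executable = (region["protect"] & 0xFF) in EXECUTABLE_PROTECTS

    if region["type"] == MEM_IMAGE:
        path, signer = region["image"], region["signer"]
        if signer in TRUSTED_SIGNERS:
            if path.lower().startswith(tuple(d.lower() for d in SYSTEM_DIRS)):
                return "system", "OS module signed by %s" % signer
            return "whitelist_candidate", "signed by %s, loaded from %s" % (signer, path)
        return "suspicious", "image-backed module with untrusted signer %r at %s" % (signer, path)

    if executable:
        if region["type"] == MEM_PRIVATE:
            # JIT runtimes also allocate private executable memory, so this is a
            # lead for manual review of the dump, not a verdict on its own.
            detail = "RWX" if region["protect"] & 0xFF == PAGE_EXECUTE_READWRITE else "executable"
            return "suspicious", "%s private memory with no backing file at 0x%x" % (detail, region["base"])
        if region["type"] == MEM_MAPPED:
            return "suspicious", "executable section mapped from a non-image file at 0x%x" % region["base"]

    return "skip", "non-executable data"


def triage(regions):
    """Group regions by verdict; returns a dict of verdict -> list of reasons."""
    report = {"suspicious": [], "whitelist_candidate": [], "system": [], "skip": []}
    for region in regions:
        verdict, reason = classify_region(region)
        report[verdict].append(reason)
    return report


# Constructed sample in the shape of a VirtualQueryEx / minidump memory-info walk.
SAMPLE_REGIONS = [
    {"base": 0x7FF800010000, "size": 0x1F0000, "state": MEM_COMMIT, "type": MEM_IMAGE,
     "protect": 0x20, "image": "C:\\Windows\\System32\\ntdll.dll", "signer": "Microsoft Windows"},
    {"base": 0x7FF7E0000000, "size": 0x80000, "state": MEM_COMMIT, "type": MEM_IMAGE,
     "protect": 0x20, "image": "C:\\Program Files\\Symantec\\example\\hook.dll",
     "signer": "Symantec Corporation"},               # hypothetical vendor module
    {"base": 0xA0000, "size": 0x3000, "state": MEM_COMMIT, "type": MEM_PRIVATE,
     "protect": 0x40, "image": None, "signer": None},  # RWX private region, no file
    {"base": 0x1D0000, "size": 0x10000, "state": MEM_COMMIT, "type": MEM_PRIVATE,
     "protect": 0x04, "image": None, "signer": None},  # ordinary heap (PAGE_READWRITE)
    {"base": 0x2F0000, "size": 0x20000, "state": MEM_COMMIT, "type": MEM_IMAGE,
     "protect": 0x20, "image": "C:\\Temp\\unknown.dll", "signer": None},  # unsigned module
]

if __name__ == "__main__":
    for verdict, reasons in triage(SAMPLE_REGIONS).items():
        for reason in reasons:
            print("%-20s %s" % (verdict, reason))
```

On the constructed sample the Symantec-signed module lands in whitelist_candidate, which is the case Curson offers to whitelist, while the RWX private region and the unsigned module are the two leads an analyst would open in the dump first.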
Reply #2, BrewIT (Newbie), March 12, 2015, 02:31:25 PM
Curson
Thank you for your prompt response. The PC is located at a remote site so I will follow your instructions when I return to that site in a few days. I suspect they are Symantec AV protecting the system as you speculate.
Regards
Bob
Reply #3, Curson (Global Moderator), March 12, 2015, 04:43:07 PM
Hi Bob,
You are welcome.
The analysis of the dump will bring confirmation.
Regards.
Reply #4, BrewIT (Newbie), March 27, 2015, 10:04:01 PM
Hello again
Finally back at the remote site again.
SMSS link is https://drive.google.com/file/d/0B4BNZnNZ0SnvTm85c1VkdlVLdUk/view?pli=1
I've attached the MBR debug file, but the message is too big, so I'm attaching it in a separate post.
TDSSKiller results are too big to attach. I have them zipped if I can share them with you, or I'll try to attach them in another post. FYI, nothing was found.
Thanks again for your assistance!
Have a great weekend
Bob
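The MBR debug file Bob attaches here exists because step 2 of Curson's instructions flags a bootstrap sector RogueKiller does not recognise: a bootkit (TDSSKiller's TDL family is the textbook case) replaces or patches the 446 bytes of boot code, so an unfamiliar digest is enough to send the sector for manual review. The block below is an added example written for this thread, not RogueKiller's code, showing what a first look at such a dump involves: it checks the 0x55AA signature, hashes the bootstrap code against an allowlist, decodes the four partition entries and flags a table that has been hand-edited. It assumes the debug file is a raw 512-byte sector image, and the KNOWN_BOOTCODE digest is a placeholder to be replaced with hashes of boot code you have verified yourself.

```python
"""Triage a raw MBR dump: check the boot signature, decode the partition table and
compare the 446-byte bootstrap code against an allowlist of known-good digests.
Added example for this thread, not RogueKiller's code. It assumes the debug file
is a raw sector image; the allowlist digest is a placeholder."""
import hashlib
import struct
import sys
from pathlib import Path

MBR_SIZE = 512
BOOTCODE_LEN = 446              # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446            # four 16-byte partition entries: bytes 446..509
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511

# Placeholder allowlist: SHA-256 of bootstrap code you have verified as standard
# (e.g. the stock Windows MBR for each version you support). Not a real digest.
KNOWN_BOOTCODE = {"<sha256-of-a-verified-standard-bootcode>": "reference MBR (placeholder)"}

PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)", 0x27: "Windows recovery",
                   0x83: "Linux", 0xEE: "GPT protective"}


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry; LBA fields are little-endian."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"status": status, "active": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data, known_bootcode=KNOWN_BOOTCODE):
    """Return a triage dict for one 512-byte MBR image."""
    if len(data) < MBR_SIZE:
        raise ValueError("need %d bytes, got %d" % (MBR_SIZE, len(data)))
    data = data[:MBR_SIZE]
    findings = []

    signature_ok = data[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")

    # A bootkit replaces or patches the bootstrap code, so an unfamiliar digest
    # is exactly why such an MBR gets dumped for manual review.
    digest = hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest()
    known_as = known_bootcode.get(digest)
    if known_as is None:
        findings.append("bootstrap code not in allowlist (sha256 %s...)" % digest[:16])

    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = parse_partition_entry(data[off:off + PART_ENTRY_LEN])
        if entry["type"] == 0 and entry["sectors"] == 0:
            continue                                   # unused slot
        if entry["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (i, entry["status"]))
        partitions.append(entry)

    if sum(p["active"] for p in partitions) > 1:
        findings.append("more than one active partition")

    # Overlapping ranges point to a hand-edited table (or a hidden partition).
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    if any(s2 < e1 for (_s1, e1), (s2, _e2) in zip(spans, spans[1:])):
        findings.append("partition ranges overlap")

    return {"signature_ok": signature_ok, "bootcode_sha256": digest, "known_as": known_as,
            "partitions": partitions, "findings": findings}


def triage_mbr_file(path):
    """Triage the first 512 bytes of a dump file (assumed to be a raw sector image)."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(MBR_SIZE))


def build_sample_mbr():
    """Constructed MBR: a stub bootstrap and one active NTFS partition at LBA 2048."""
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOTCODE_LEN - 7)
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 0x1000000)
    return bootcode + ntfs + b"\x00" * (3 * PART_ENTRY_LEN) + BOOT_SIGNATURE


if __name__ == "__main__":
    results = []
    if len(sys.argv) > 1:   # e.g. the %programdata%\RogueKiller\debug folder
        for p in sorted(Path(sys.argv[1]).iterdir()):
            if not p.is_file():
                continue
            try:
                results.append((p.name, triage_mbr_file(p)))
            except ValueError as exc:
                print(p.name, "skipped:", exc)
    else:
        results.append(("constructed sample", parse_mbr(build_sample_mbr())))
    for name, r in results:
        print(name, "| known as:", r["known_as"], "| findings:", r["findings"] or "none")
        for p in r["partitions"]:
            print("  %s %-16s start=%d sectors=%d" % ("*" if p["active"] else " ",
                                                      p["type_name"], p["lba_start"], p["sectors"]))
```

Run with the debug folder as the only argument to triage every dump in it, or with no argument to see the constructed sample, whose stub boot code is not in the placeholder allowlist and is therefore reported as unknown, which is the same state the analysts start from when they receive a dumped MBR.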
Reply #5, BrewIT (Newbie), March 27, 2015, 10:06:15 PM
TDSSKiller results in attachment
Bob
Reply #6, Curson (Global Moderator), March 31, 2015, 09:52:43 PM
Hi Bob,
Could you please download the latest RogueKiller version and try to run the scan again?
Numerous false positives have been fixed since V10.5.3.0.
Regards.
Reply #7, BrewIT (Newbie), March 31, 2015, 10:15:50 PM
Curson
I just did run the latest version prior to your reply. I had already uninstalled and reinstalled Symantec Enterprise Protection beforehand, and most of the previously found items were no longer there.
Any more problems and I'm rebuilding the machine. Too many users have had their hands in the pie at this point to keep mucking with it.
Thank you for your trouble and diligence!
Bob
Reply #8, Curson (Global Moderator), April 01, 2015, 12:20:40 AM
Hi Bob,
You are very welcome.
Regards.