Author Topic: Potential Hidden Hook or Process service driver HELP !!!


January 04, 2016, 05:37:19 AM

crown

Potential Hidden Hook or Process service driver HELP !!!
« on: January 04, 2016, 05:37:19 AM »
RogueKiller V11.0.5.0 (x64) [Dec 28 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : AWA12e_BASE_RESCUE [Administrator]
Started from : D:\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 01/03/2016 20:13:53

¤¤¤ Processes : 28 ¤¤¤
[Proc.Injected] smss.exe(320) -- C:\Windows\System32\smss.exe -> [NoKill]
[Proc.Injected] csrss.exe(448) -- C:\Windows\System32\csrss.exe -> [NoKill]
[Proc.Injected] wininit.exe(476) -- C:\Windows\System32\wininit.exe -> [NoKill]
[Proc.Injected] csrss.exe(500) -- C:\Windows\System32\csrss.exe -> [NoKill]
[Proc.Injected] services.exe(556) -- C:\Windows\System32\services.exe -> [NoKill]
[Proc.Injected] lsass.exe(564) -- C:\Windows\System32\lsass.exe -> [NoKill]
[Proc.Injected] lsm.exe(572) -- C:\Windows\System32\lsm.exe -> [NoKill]
[Proc.Injected] winlogon.exe(596) -- C:\Windows\System32\winlogon.exe -> [NoKill]
[Proc.Injected] svchost.exe(704) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(776) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(868) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(916) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(944) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(368) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(792) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(1036) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] SASCore64.exe(1132) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[7] -> Killed [TermProc]
[Proc.Injected] msiexec.exe(1156) -- C:\Windows\System32\msiexec.exe[7] -> Killed [TermProc]
[Proc.Injected] svchost.exe(1188) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] svchost.exe(1216) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] vds.exe(1244) -- C:\Windows\System32\vds.exe[7] -> Killed [TermProc]
[Proc.Injected] VSSVC.exe(1280) -- C:\Windows\System32\VSSVC.exe[7] -> Killed [TermProc]
[Proc.Injected] svchost.exe(1332) -- C:\Windows\System32\svchost.exe -> [NoKill]
[Proc.Injected] explorer.exe(1800) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] ctfmon.exe(1844) -- C:\Windows\System32\ctfmon.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(1988) -- C:\Windows\System32\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] opera.exe(1472) -- C:\Program Files (x86)\Opera\34.0.2036.42\opera.exe[7] -> Killed [TermProc]
[Proc.Injected] WmiPrvSE.exe(2892) -- C:\Windows\System32\wbem\WmiPrvSE.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hidden.ADS][[[ADS]]] C:\Windows\System32\services.exe:$CmdTcID -> Found

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST350041 8AS SCSI Disk Device +++++
--- User ---
[MBR] 578d94704a873725d87bb0b291c458bb
[BSP] 709d96ce5b9368214caaf3be347d884e : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Unknown Bootstrap | Unknown Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 208845 | Size: 104296 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 213809089 | Size: 372530 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

Scan Log in: SAFEMODE, Win7 x64bit SP1

What is this PROCESS INJECTED??? I just now started pulling my data drives OFFLINE, yet I may have already been infected or corrupted!

Here is a link to the compressed dump file from Process Explorer: https://www.dropbox.com/s/d43zd1wsb31qvja/smss.zip?dl=0. Can you shed some more light on this, or is this some type of leftover infection point?

Could this be Anti-Execution Katana from Dr.Web that injects all code to protect it from the real nasties? More or less set up in place as a form of dummy silent mod?

Thank you for having a look at this issue or false positive. I just hope it is the latter. Regards, Crown :(

Reply #1, January 04, 2016, 02:32:15 PM

Curson

  • Global Moderator
Re: Potential Hidden Hook or Process service driver HELP !!!
« Reply #1 on: January 04, 2016, 02:32:15 PM »
Hi crown,

Welcome to Adlice.com Forum.

The injection is indeed linked to Dr.Web protection features and, therefore, is perfectly legit.
It will be whitelisted in RogueKiller next version.

Regards.
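The report above is easy to misread: every process on the box, including smss.exe, csrss.exe and lsass.exe, carries a [Proc.Injected] tag, and RogueKiller terminated the user-mode ones before Curson identified the injection as Dr.Web's own protection. As an added example (not code from the thread, from Adlice or from Dr.Web), the following Python script parses the RogueKiller report layout posted above and runs a triage pass over it: it distinguishes system-wide injection of the kind a security product produces from selective injection into a few processes, flags the alternate data stream on services.exe for verification rather than deletion, and warns that the anti-rootkit section did not actually run because the driver failed to load. The sample log is a constructed, shortened excerpt of the posted report with the process count adjusted to match; the "-> [NoKill]" line layout, the set of core system images and the threshold of three core images are this example's own assumptions, not RogueKiller's logic.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the RogueKiller report layout posted in the thread.
# The process list is shortened to six entries and the section count adjusted to match.
SAMPLE_LOG = r"""
¤¤¤ Processes : 6 ¤¤¤
[Proc.Injected] smss.exe(320) -- C:\Windows\System32\smss.exe -> [NoKill]
[Proc.Injected] csrss.exe(448) -- C:\Windows\System32\csrss.exe -> [NoKill]
[Proc.Injected] wininit.exe(476) -- C:\Windows\System32\wininit.exe -> [NoKill]
[Proc.Injected] services.exe(556) -- C:\Windows\System32\services.exe -> [NoKill]
[Proc.Injected] explorer.exe(1800) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] opera.exe(1472) -- C:\Program Files (x86)\Opera\34.0.2036.42\opera.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hidden.ADS][[[ADS]]] C:\Windows\System32\services.exe:$CmdTcID -> Found

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ MBR Check : ¤¤¤
[MBR] 578d94704a873725d87bb0b291c458bb
"""

# Section header: "¤¤¤ Name : <count> (<note>) ¤¤¤"; count and note are optional (see "MBR Check").
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) :(?: (?P<count>\d+))?(?: \((?P<note>.*)\))? ¤¤¤$")
# Process line: "[Proc.X] image(pid) -- path[n] -> action"; the "[n]" suffix is optional.
PROC_RE = re.compile(r"^\[(?P<cat>Proc\.\w+)\] (?P<image>\S+)\((?P<pid>\d+)\) -- "
                     r"(?P<path>.+?)(?:\[\d+\])? -> (?P<action>.+)$")
# Any other "[Category] ..." finding line.
FINDING_RE = re.compile(r"^\[(?P<cat>[^\]]+)\](?P<rest>.*)$")

# Assumed set of core Windows images; injection into these plus everything else
# is what a whole-system hooking product looks like.
CORE_IMAGES = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "winlogon.exe"}


@dataclass
class Report:
    sections: dict = field(default_factory=dict)   # name -> (count or None, note or None)
    processes: list = field(default_factory=list)  # parsed [Proc.*] lines from the Processes section
    findings: list = field(default_factory=list)   # (section, category, rest) for other [X] lines


def parse_report(text: str) -> Report:
    """Parse the section/finding layout of a RogueKiller scan report."""
    report, current = Report(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group("name")
            count = m.group("count")
            report.sections[current] = (int(count) if count else None, m.group("note"))
        elif current == "Processes" and (m := PROC_RE.match(line)):
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            report.processes.append(rec)
        elif current and (m := FINDING_RE.match(line)):
            report.findings.append((current, m.group("cat"), m.group("rest").strip()))
    return report


def triage(report: Report) -> dict:
    """Turn a parsed report into review notes. The heuristics are this example's own."""
    notes = []
    injected = [p for p in report.processes if p["cat"] == "Proc.Injected"]
    killed = [p for p in injected if p["action"].startswith("Killed")]
    total, _ = report.sections.get("Processes", (None, None))
    core_hit = {p["image"].lower() for p in injected} & CORE_IMAGES
    if injected and total and len(injected) == total and len(core_hit) >= 3:
        classification = "system_wide_injection"
        notes.append(("info", f"all {total} listed processes are injected, including {len(core_hit)} core "
                              "system images; this is the footprint of a security product hooking every "
                              "process (Dr.Web in this thread). Confirm which product is installed first."))
    elif injected:
        classification = "selective_injection"
        notes.append(("review", f"{len(injected)} of {total} processes injected: "
                                + ", ".join(p["image"] for p in injected)))
    else:
        classification = "no_injection"
    if killed:
        notes.append(("info", f"{len(killed)} injected user processes were terminated; if the injection "
                              "is legitimate these are false positives, not a cleanup"))
    for _section, cat, rest in report.findings:
        if cat == "Hidden.ADS":
            stream, status = rest.split("]]] ", 1)[-1].rsplit(" -> ", 1)
            notes.append(("review", f"alternate data stream {stream} ({status}): ADS on a system binary "
                                    "deserves a look, but named streams are often product metadata; "
                                    "identify the owner before removing"))
    _count, ar_note = report.sections.get("Antirootkit", (None, None))
    if ar_note and "Not loaded" in ar_note:
        notes.append(("warn", f"anti-rootkit driver did not load ({ar_note}); the rootkit checks "
                              "were skipped, so a 0 here is not a clean result"))
    return {"classification": classification, "injected": len(injected),
            "killed": len(killed), "notes": notes}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_LOG))
    print(result["classification"], "injected:", result["injected"], "killed:", result["killed"])
    for level, message in result["notes"]:
        print(f"[{level}] {message}")
```

Run against a full report, the script reproduces Curson's reading: one injector in every process, protected system processes left alone, the rest terminated, and a rootkit section that reported nothing because it never ran. The "review" notes are deliberately not "remove" notes; the thread shows why.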