Author Topic: Probable False-Positives  (Read 7172 times)

0 Members and 1 Guest are viewing this topic.

March 02, 2016, 07:52:02 PM

Mclaughlin

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Probable False-Positives
« on: March 02, 2016, 07:52:02 PM »

Hi,


Wanted to alert you to 2 (probable) False-Positives recently detected on routine precautionary scan.

The first seems to be Emsisoft Emergency Kit (C:\EEK\bin64\a2emergencykit.exe  -  detected as Proc.Injected)

The second seems to be “HP Support Assistant” (C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4}  -  detected as PUP. This one I’ve noticed on earlier scans prior to the latest RogueKiller update, but never got around to reporting).

P.S – previous scans with Bitdefender TS 2016, HitmanPro, MBAM, MBAR, TDSS, & Emisoft – all came out clean; and computer is behaving normally.
I’ve let these 2 items pass for the time being; kindly let me know if there is cause for concern…

(Log follows)


Thanks and regards  :)
--------------------------------------------------

Log:

RogueKiller V11.0.14.0 (x64) [Feb 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : [Name] [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/02/2016 13:04:39

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] a2emergencykit.exe(8148) -- C:\EEK\bin64\a2emergencykit.exe
  • -> Found


¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} -> Found

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x0]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] anrq3nwj.default-1425684543997 : user_pref("browser.startup.homepage", "https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
--- User ---
[MBR] 5563ee86216a1c21e78cfa8297c1cea8
[BSP] 6a3125a7f090a24988d63ba5cae1a61d : Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 686234 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1407023104 | Size: 28375 MB
User = LL1 ... OK
User = LL2 ... OK


Reply #1March 02, 2016, 11:56:04 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Probable False-Positives
« Reply #1 on: March 02, 2016, 11:56:04 PM »
Hi sippysup,

We need to investigate this injection.
Please follow the following process :
  • Download RogueKillerPE (64 bits version) and save it to your desktop.
  • Click on the setup file (RogueKillerPE64.exe) and select Run as Administrator to start the tool.
  • Locate the process named a2emergencykit.exe, do a right click on it and select Dump injected pages.
  • Give a name to the dump, save it on your desktop and compress it.
  • Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Please download SystemLook and save it to your desktop.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code: [Select]
:dir
C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} /s /md5
:file
C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4}\HP Support Assistant.msi
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Regards.

Reply #2March 03, 2016, 03:39:45 AM

Mclaughlin

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Probable False-Positives
« Reply #2 on: March 03, 2016, 03:39:45 AM »
Hi Curson,  :)

I downloaded RogueKillerPE (64 bits version), ran as admin, found process (a2emergencykit.exe) – but received the following error upon trying to save to desktop: “An error occurred while dumping to file". What shall I do?

Also, the link you supplied to download “SystemLook” lead to a 404…

(BTW - this is Mclaughlin, not "sippysup"…  ;))

Best regards

Reply #3March 03, 2016, 06:27:58 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Probable False-Positives
« Reply #3 on: March 03, 2016, 06:27:58 PM »
Hi Mclaughlin,

I'm really sorry about the confusion.
Here is another process :
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • When RogueKiller hangs, locate the process named a2emergencykit.exe, do a right click on it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.
Please dowload SystemLook : HERE

Regards.

Reply #4March 03, 2016, 10:15:09 PM

Mclaughlin

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Probable False-Positives
« Reply #4 on: March 03, 2016, 10:15:09 PM »
Hi Curson,


Just to be sure I’m clear: a2emergencykit.exe does not seem to run unless Emsisoft Emergency Kit has been activated. (I’m assuming the process detected was a remnant of an “Emsisoft Emergency Kit” scan executed prior to RougueKiller). Just to be absolutely certain, I’ve now re-scanned RogueKiller with Process Explorer in the background, to verify that a2emergencykit.exe was not running unseen. It wasn’t.

After the RK scan completed, I opened Emsisoft, verified that upon loading, the process immediately appeared in Process Explorer, and then closed the program (while noting the process remained visible in Process Explorer)… I Re-scanned with RougeKiller yet again, to recreate the earlier FP detection scenario, and indeed it detected again as “Proc.Injected”. Unfortunately I was unable to produce a Dump (Full or Mini) using Process Explorer (“error opening process – access denied”)… I was however able to produce a “”regular”” Dump file with the Task Manager. Would you be interested? It’s 95.5MB after zipping (311 before). Note that Process Explorer would not dump even after the suspect process was released from RK, and RogueKiller was closed and confirmed not running. Also, rebooting and reopening Emsisoft did NOT resolve problem with creating a dump… Is there something else you’d like me to try?

SystemLook log follows below.


Best regards

-----------------------------
SystemLook 30.07.11 by jpshortstuff
Log created at 14:42 on 03/03/2016 by [Name]
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4} - Parameters: "/s /md5"

---Files---
0x0409.ini   --a---- 21494 bytes   [20:07 17/08/2012]   [20:07 17/08/2012] 36AFFBD6FF77D1515CFC1C5E998FBAF9
HP Support Assistant.msi   --a---- 46040576 bytes   [20:07 17/08/2012]   [20:07 17/08/2012] E120EA02EF2FB5E76DC8C4C5E7B6D320

No folders found.

========== file ==========

C:\ProgramData\{BE4DD016-EE56-4AC8-9832-69281423A3D4}\HP Support Assistant.msi - File found and opened.
MD5: E120EA02EF2FB5E76DC8C4C5E7B6D320
Created at 20:07 on 17/08/2012
Modified at 20:07 on 17/08/2012
Size: 46040576 bytes
Attributes: --a----
No version information available.

-= EOF =-


Reply #5March 03, 2016, 10:23:18 PM

Mclaughlin

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Probable False-Positives
« Reply #5 on: March 03, 2016, 10:23:18 PM »
BTW - FYI - Note that an earlier RogueKiller re-scan (before these latest ones following your last response) – while running Malwarebytes – produced another FP, identifying MBAM as Tr.Zeus. from the short log:

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] mbar.exe(6676) -- C:\Program Files (x86)\Malwarebytes Anti-Rootkit\mbar\mbar.exe
  • -> Found

Naturally, after confirming the process was running from the same location as MBAM – I ignored the find…


Best Regards

Reply #6March 04, 2016, 02:29:46 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Probable False-Positives
« Reply #6 on: March 04, 2016, 02:29:46 PM »
Hi Mclaughlin,

Quote from: Mclaughlin
Unfortunately I was unable to produce a Dump (Full or Mini) using Process Explorer (“error opening process – access denied”)… I was however able to produce a “”regular”” Dump file with the Task Manager. Would you be interested? It’s 95.5MB after zipping (311 before). Note that Process Explorer would not dump even after the suspect process was released from RK, and RogueKiller was closed and confirmed not running. Also, rebooting and reopening Emsisoft did NOT resolve problem with creating a dump… Is there something else you’d like me to try?
The process is likely protected.
Yes, please upload this dump. We will try to use it.

Quote from: Mclaughlin
FYI - Note that an earlier RogueKiller re-scan (before these latest ones following your last response) – while running Malwarebytes – produced another FP, identifying MBAM as Tr.Zeus. from the short log:
This is indeed a false positive. It will be whitelisted as soon as possible.

Regards.

Reply #7March 04, 2016, 06:16:29 PM

Mclaughlin

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: Probable False-Positives
« Reply #7 on: March 04, 2016, 06:16:29 PM »
Hi Curser,

Can you instruct how to delete/mask all identifying information from the dump file Task Manager created? Also, will I be able to upload a file this size using "Adlice Software upload form"? (I I wouldn’t like to use my own google drive, etc., as you’d suggested earlier). Would it not be possible to simply recreate the detection on your end?

Regards

Reply #8March 04, 2016, 07:19:18 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Probable False-Positives
« Reply #8 on: March 04, 2016, 07:19:18 PM »
Hi Mclaughlin,

Quote from: Mclaughlin
Can you instruct how to delete/mask all identifying information from the dump file Task Manager created?
The dump doesn't contain any private information, only memory contexts.

Quote from: Mclaughlin
Also, will I be able to upload a file this size using "Adlice Software upload form"? (I I wouldn’t like to use my own google drive, etc., as you’d suggested earlier).
Yes, it's also possible.
Go to Adlice Software upload form, select the dump as file to be uploaded and copy/paste a link to this thread in the "Comment" section.

Quote from: Mclaughlin
Would it not be possible to simply recreate the detection on your end?
Since a process injection might depends of specific conditions, it's not always easy to reproduce.

Regards.