Proc.Injected - false positive or threat?

[GWRiver]

Hello,
I have used RogueKiller on a couple of machines. I also used products such as Malwarebytes, Trend Micro Anti-Virus, ADWCleaner, and monitored the network traffic from the machine. At first I went with RogueKiller, but it found several Proc.Injected files processes so I ran the other products and monitored as a confirmation. Only RogueKiller is finding this so I was concerned that it was either a false positive or an infection not found by the other tools.

I used Process Hacker to generate DMP files.

I have linked to the files at Dropbox for two of the files because they are roughly 30MB each:
https://www.dropbox.com/s/oulcioye96lwpvi/armsvc.exe.dmp?dl=0
https://www.dropbox.com/s/r081tfemjks19b8/msid.exe.dmp?dl=0

Can these be reviewed for threats?

Thank you!



Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : x [Administrator]
Started from : C:\Users\x \Downloads\RogueKiller.exe
Mode : Scan -- Date : 04/13/2016 08:01:59

 Processes : 9
[Proc.Injected] msid.exe(1828) -- C:\Program Files (x86)\Cisco Systems\Media Services Interface\msid.exe

• -> Found

[Proc.Injected] o2flash.exe(2004) -- C:\Windows\System32\o2flash.exe

• -> Found

[Proc.Injected] msirest.exe(2216) -- C:\Program Files (x86)\Cisco Systems\Media Services Interface\msirest.exe

• -> Found

[Proc.Injected] vmware-view-usbd.exe(2920) -- C:\Program Files (x86)\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe

• -> Found

[Proc.Injected] mscorsvw.exe(4004) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

• -> Found

[Proc.Injected] WebcamDell2.exe(5176) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

• -> Found

[Proc.Injected] BusinessMessaging.exe(5464) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe

• -> Found

[Proc.Injected] SCNotification.exe(2432) -- C:\Windows\CCM\SCNotification.exe

• -> Found

[Proc.Injected] armsvc.exe(2276) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

• -> Found

 Registry : 12
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

 Tasks : 0

 Files : 0

 Hosts File : 0

 Antirootkit : 0 (Driver: Not loaded [0xc000036b])

 Web browsers : 1
[PUM.HomePage][FIREFX:Config] 2ekqi8v2.default : user_pref("browser.startup.homepage", "http://www.corporate-site-is-ok"); -> Found

 MBR Check :
+++++ PhysicalDrive0: WDC WD3200BEKT-75PVMT1 +++++
--- User ---
[MBR] 8e0b22998e13ca105ee66ff31ec9cb5e
[BSP] 016c68e59f4670f4b8a164d3bee1b549 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 868 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1779712 | Size: 304375 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

[Curson]

Hi GWRiver,

Welcome to Adlice.com Forum.
Do you use Trend Micro Integrated Data Loss Prevention (DLP) or any other Trend Micro products ?

Regards.

[GWRiver]

Hello Curson,
Thank you for your reply!

Yes, we do use Trend Micro Integrated Data Loss Prevention (DLP) as well as the Trend Micro Officescan and its family of products, including Intrusion Defense Firewall.

Thank you,
GW

[Curson]

Hi GWRiver,

Thanks for the confirmation.
I can now assert that the injections are linked to Trend Micro DLP.
We will whitelist it as soon as possible.

Regards.

[GWRiver]

Thank you very much! Because of the consistency of these results and no other AV tools finding a threat and/or malicious traffic, I was hopeful.

Thank you again!

[Curson]

Hi GWRiver,

You are very welcome.
I'm glad I was able to help you.

Regards.