Author Topic: Proc.Injected - false positive or threat?  (Read 6721 times)


April 13, 2016, 03:06:46 PM

GWRiver

Proc.Injected - false positive or threat?
« on: April 13, 2016, 03:06:46 PM »
Hello,
I have used RogueKiller on a couple of machines. I also used products such as Malwarebytes, Trend Micro Anti-Virus, ADWCleaner, and monitored the network traffic from the machine. At first I went with RogueKiller, but it found several Proc.Injected processes, so I ran the other products and monitored as a confirmation. Only RogueKiller is finding this, so I was concerned that it was either a false positive or an infection not found by the other tools.

I used Process Hacker to generate DMP files.

I have linked to the files at Dropbox for two of the files because they are roughly 30MB each:
https://www.dropbox.com/s/oulcioye96lwpvi/armsvc.exe.dmp?dl=0
https://www.dropbox.com/s/r081tfemjks19b8/msid.exe.dmp?dl=0

Can these be reviewed for threats?

Thank you!



Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : x [Administrator]
Started from : C:\Users\x \Downloads\RogueKiller.exe
Mode : Scan -- Date : 04/13/2016 08:01:59

 Processes : 9
[Proc.Injected] msid.exe(1828) -- C:\Program Files (x86)\Cisco Systems\Media Services Interface\msid.exe
  • -> Found
[Proc.Injected] o2flash.exe(2004) -- C:\Windows\System32\o2flash.exe
  • -> Found
[Proc.Injected] msirest.exe(2216) -- C:\Program Files (x86)\Cisco Systems\Media Services Interface\msirest.exe
  • -> Found
[Proc.Injected] vmware-view-usbd.exe(2920) -- C:\Program Files (x86)\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe
  • -> Found
[Proc.Injected] mscorsvw.exe(4004) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  • -> Found
[Proc.Injected] WebcamDell2.exe(5176) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
  • -> Found
[Proc.Injected] BusinessMessaging.exe(5464) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe
  • -> Found
[Proc.Injected] SCNotification.exe(2432) -- C:\Windows\CCM\SCNotification.exe
  • -> Found
[Proc.Injected] armsvc.exe(2276) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
  • -> Found


 Registry : 12
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9B72F825-D133-46A2-8B1A-67C7F434B4C3} | DhcpNameServer :
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

 Tasks : 0

 Files : 0

 Hosts File : 0

 Antirootkit : 0 (Driver: Not loaded [0xc000036b])

 Web browsers : 1
[PUM.HomePage][FIREFX:Config] 2ekqi8v2.default : user_pref("browser.startup.homepage", "http://www.corporate-site-is-ok"); -> Found

 MBR Check :
+++++ PhysicalDrive0: WDC WD3200BEKT-75PVMT1 +++++
--- User ---
[MBR] 8e0b22998e13ca105ee66ff31ec9cb5e
[BSP] 016c68e59f4670f4b8a164d3bee1b549 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 868 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1779712 | Size: 304375 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


« Last Edit: April 13, 2016, 04:04:20 PM by GWRiver »

Reply #1 (April 13, 2016, 10:33:48 PM)

Curson

Re: Proc.Injected - false positive or threat?
« Reply #1 on: April 13, 2016, 10:33:48 PM »
Hi GWRiver,

Welcome to Adlice.com Forum.
Do you use Trend Micro Integrated Data Loss Prevention (DLP) or any other Trend Micro products?

Regards.

Reply #2 (April 14, 2016, 01:09:43 PM)

GWRiver

Re: Proc.Injected - false positive or threat?
« Reply #2 on: April 14, 2016, 01:09:43 PM »
Hello Curson,
Thank you for your reply!

Yes, we do use Trend Micro Integrated Data Loss Prevention (DLP) as well as the Trend Micro Officescan and its family of products, including Intrusion Defense Firewall.

Thank you,
GW

Reply #3 (April 14, 2016, 02:09:22 PM)

Curson

Re: Proc.Injected - false positive or threat?
« Reply #3 on: April 14, 2016, 02:09:22 PM »
Hi GWRiver,

Thanks for the confirmation.
I can now assert that the injections are linked to Trend Micro DLP.
We will whitelist it as soon as possible.

Regards.

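The thread's resolution rests on a triage pattern worth making explicit: when one scanner flags Proc.Injected in many unrelated, legitimately installed processes at once, and no other tool or network monitoring finds anything, the likely cause is a system-wide hooking agent such as a DLP, AV or EDR product rather than targeted malware. The Python below is an added example, not RogueKiller's or Adlice's code: it parses the report format shown in the first post (the process and registry lines), groups Proc.Injected hits by the directory of the injected process, and reports that spread alongside the one registry finding in the posted log that is a genuine configuration weakness (ConsentPromptBehaviorAdmin set to 0, which makes UAC elevate administrators without prompting). The log excerpt embedded in the block is constructed from lines in the thread; the grouping threshold of three directories is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RogueKiller report format posted in the thread
# (process and registry lines copied from the scan; status lines follow each hit).
SAMPLE_LOG = r"""
 Processes : 9
[Proc.Injected] msid.exe(1828) -- C:\Program Files (x86)\Cisco Systems\Media Services Interface\msid.exe
  -> Found
[Proc.Injected] o2flash.exe(2004) -- C:\Windows\System32\o2flash.exe
  -> Found
[Proc.Injected] mscorsvw.exe(4004) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  -> Found
[Proc.Injected] armsvc.exe(2276) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
  -> Found

 Registry : 12
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer :
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-518456262-833873973-1715201200-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
"""

# "[Proc.Injected] name.exe(pid) -- full path"
PROC_RE = re.compile(r"^\[(?P<cat>Proc\.\w+)\] (?P<name>\S+)\((?P<pid>\d+)\) -- (?P<path>.+?)\s*$")
# "[PUM.X] (X64|X86) key | value : data  -> Found"  (data and "-> Found" may be absent)
REG_RE = re.compile(
    r"^\[(?P<cat>PUM\.\w+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| (?P<value>.+?) :\s*"
    r"(?P<data>.*?)(?:\s+-> Found)?\s*$"
)

# Assumed threshold: injections spread over this many distinct product
# directories is treated as the "system-wide agent" pattern.
SPREAD_THRESHOLD = 3


def parse_report(text):
    """Extract process and registry hits; section headers and status lines are skipped."""
    report = {"processes": [], "registry": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            hit = m.groupdict()
            hit["pid"] = int(hit["pid"])
            report["processes"].append(hit)
            continue
        m = REG_RE.match(line)
        if m:
            report["registry"].append(m.groupdict())
    return report


def vendor_dir(path):
    """First two path components below the drive, e.g. 'Program Files (x86)\\Cisco Systems'."""
    parts = path.split("\\")
    return "\\".join(parts[1:3])


def injected_by_vendor_dir(processes):
    """Group Proc.Injected hits by the directory of the injected process."""
    groups = defaultdict(list)
    for p in processes:
        if p["cat"] == "Proc.Injected":
            groups[vendor_dir(p["path"])].append(p["name"])
    return dict(groups)


def assess(report):
    """Return human-readable triage findings for the parsed report."""
    findings = []
    groups = injected_by_vendor_dir(report["processes"])
    if len(groups) >= SPREAD_THRESHOLD:
        total = sum(len(v) for v in groups.values())
        findings.append(
            f"Proc.Injected in {total} processes across {len(groups)} unrelated directories: "
            "pattern of a system-wide hooking agent (DLP/AV/EDR); confirm which security "
            "products are installed before treating this as malware"
        )
    for r in report["registry"]:
        # Value 0 means administrators are elevated without any UAC prompt.
        if r["value"] == "ConsentPromptBehaviorAdmin" and r["data"] == "0":
            findings.append(
                "UAC ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt; "
                "restore prompting unless this is deliberate policy"
            )
            break  # the X64 and X86 views report the same key; flag it once
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LOG)
    for d, names in injected_by_vendor_dir(parsed["processes"]).items():
        print(f"{d}: {', '.join(names)}")
    for f in assess(parsed):
        print("-", f)
```

Run against the real report file instead of SAMPLE_LOG to get the same grouping for a full scan; a spread concentrated in a single product directory would not trigger the first finding and deserves a closer look at that product.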
Reply #4 (April 14, 2016, 02:23:39 PM)

GWRiver

Re: Proc.Injected - false positive or threat?
« Reply #4 on: April 14, 2016, 02:23:39 PM »
Thank you very much! Because of the consistency of these results and no other AV tools finding a threat and/or malicious traffic, I was hopeful.

Thank you again!

Reply #5 (April 14, 2016, 03:11:31 PM)

Curson

Re: Proc.Injected - false positive or threat?
« Reply #5 on: April 14, 2016, 03:11:31 PM »
Hi GWRiver,

You are very welcome. :)
I'm glad I was able to help you.

Regards.