Topic: [Split]Proc.Injected


April 20, 2016, 06:46:53 PM

HackedPwned

Hello :)!

I think I have a false positive detection for the PRTG server process (Proc.Injected).
Please find below the log for the scan detection :).

Here is the requested dump file, as shown on the front page :).

I think I have another false positive: drmk.sys (File.Forged). VirusTotal found no malicious modification.


Code:
RogueKiller V12.1.3.0 (x64) [Apr 18 2016] (Premium) by Adlice Software
email : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Operating system : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : HackedPwned [Administrator]
Started from : I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe
Mode : Scan -- Date : 04/20/2016 17:01:13

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] PRTG Server.exe(2776) -- C:\Program Files (x86)\PRTG Network Monitor\64 bit\PRTG Server.exe[x] -> Found

¤¤¤ Registry : 26 ¤¤¤
[Hj.Name] (X64) HKEY_USERS\RK_Default_ON_I_90E5\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [x] -> Found
[Hj.Name] (X86) HKEY_USERS\RK_Default_ON_I_90E5\Software\Microsoft\Windows\CurrentVersion\RunOnce | mctadmin : C:\Windows\System32\mctadmin.exe [x] -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.HomePage] (X64) HKEY_USERS\RK_home_ON_S_EF3D\Software\Microsoft\Internet Explorer\Main | Start Page : http://home.tb.ask.com/index.jhtml?n=7829E693&p2=^GR^mni000^YYA&ptb=8127F99C-A03B-438A-9DCF-906602EA39CC  -> Found
[PUM.HomePage] (X86) HKEY_USERS\RK_home_ON_S_EF3D\Software\Microsoft\Internet Explorer\Main | Start Page : http://home.tb.ask.com/index.jhtml?n=7829E693&p2=^GR^mni000^YYA&ptb=8127F99C-A03B-438A-9DCF-906602EA39CC  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Search Page : https://safesearch.avira.com/#web/result?source=art&q=  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Search Page : https://safesearch.avira.com/#web/result?source=art&q=  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\RK_HackedPwned_ON_I_B1B6\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\RK_HackedPwned_ON_I_B1B6\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : https://search.avira.net/#web/result?source=art&q=  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{797f2ae7-8bcd-483a-b1b9-a1b0e8c2caef} | DhcpNameServer : 172.20.10.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{797f2ae7-8bcd-483a-b1b9-a1b0e8c2caef} | DhcpNameServer : 172.20.10.1 ([])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\RK_Administrateur_ON_I_FD0C\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\RK_Administrateur_ON_I_FD0C\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2633910887-2051593935-3201852360-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] C:\Windows\System32\drivers\drmk.sys -> Found

¤¤¤ Hosts file : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) user32!GetAncestor : Unknown @ 0x7fff46a90028 (jmp 0xfffffffffaeccb68)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 EVO 120G SCSI Disk Device +++++
--- User ---
[MBR] f75628e1770769cd2267b90a3f275402
[BSP] 54ee229f897f6b2938dc6e67657d6e2a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 102924 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG HD502HJ SCSI Disk Device +++++
--- User ---
[MBR] a93e8416daa214812d79b652c190449c
[BSP] df26c6a7183131d0eefab50d7b285b18 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WDC WD20EARS-00MVWB0 SCSI Disk Device +++++
--- User ---
[MBR] 1f2b74ea8cb7e33442085875b2cbef5c
[BSP] b2d2b4d3ad154532792d8e8d8e606a68 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 518605 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1062121408 | Size: 512000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2110700024 | Size: 512001 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 3159279616 | Size: 365111 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: ST1000DM 003-9YN162 USB Device +++++
--- User ---
[MBR] e83ba18959b82e6981de2c9b84d914a5
[BSP] df4007336cad0c923ee37fe0ba411fca : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] This request is not supported. )
Best regards :) !

HackedPwned
« Last Edit: April 20, 2016, 06:48:44 PM by HackedPwned »
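Before calling either detection a false positive, a practitioner would verify the two flagged files locally rather than rely on a VirusTotal lookup alone. The script below is an added example (not from the thread, not Adlice's or Paessler's code): it takes the two paths and the process name from the RogueKiller log above, computes the SHA-256 you would paste into VirusTotal, checks the Authenticode/catalog signature, cross-checks the system driver with SFC, and for the Proc.Injected hit lists every module mapped into the running PRTG server that is not validly signed. It assumes an elevated 64-bit PowerShell on the same machine, with the PRTG service running.

```powershell
# Added example, not from the thread: local checks for the two files RogueKiller
# flagged (File.Forged on drmk.sys, Proc.Injected on PRTG Server.exe).
# Paths and the process name are taken from the RogueKiller log in the post.
# Run from an elevated 64-bit PowerShell (module enumeration needs both).

$files = @(
    'C:\Windows\System32\drivers\drmk.sys',                               # File.Forged
    'C:\Program Files (x86)\PRTG Network Monitor\64 bit\PRTG Server.exe'  # Proc.Injected
)

function Get-SignatureSummary {
    param([string]$Path)

    # SHA-256 is what VirusTotal's search box takes; MD5/SHA-1 are not needed.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Microsoft drivers such as drmk.sys are normally signed through a catalog
    # (C:\Windows\System32\CatRoot) rather than an embedded signature. On
    # Windows 8 and later Get-AuthenticodeSignature consults the catalogs too,
    # so a genuine file reports Status = Valid with SignatureType = Catalog.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate.Subject

    [pscustomobject]@{
        Path   = $Path
        SHA256 = $hash
        Status = $sig.Status          # Valid / NotSigned / HashMismatch / NotTrusted ...
        Type   = $sig.SignatureType   # Authenticode (embedded), Catalog or None
        Signer = $signer
    }
}

$files |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-SignatureSummary -Path $_ } |
    Format-List

# A really forged system file should also fail SFC, which compares the on-disk
# copy with the protected one. The signature check and SFC agreeing (both fine,
# or both complaining) is the useful signal; one of the two alone is not.
& "$env:SystemRoot\System32\sfc.exe" /verifyfile=C:\Windows\System32\drivers\drmk.sys

# For the Proc.Injected hit: every module mapped into the running PRTG server
# whose signature is not Valid. A third-party DLL showing up here (an overlay
# hook, an AV shim, a monitoring agent) is the usual cause of a benign
# "injected" verdict. Limit of this quick check: Process.Modules only sees
# image-backed modules, so reflectively loaded code would not be listed.
Get-Process -Name 'PRTG Server' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName } |
    ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FileName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Status, SignatureType, @{ n = 'Module'; e = { $_.Path } } |
    Format-Table -AutoSize
```

If the signature check says Valid/Catalog for drmk.sys and `sfc /verifyfile` reports no integrity violation, the File.Forged hit is a scanner bug and the hash can be kept for the bug report; if the module listing for the PRTG process is empty or contains only vendor-signed DLLs, the same holds for Proc.Injected.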

Reply #1, April 20, 2016, 08:01:55 PM

Curson

Hi HackedPwned,

Welcome to Adlice.com Forum. :)
Yes, this is indeed a false positive. We will fix this as soon as possible.

I advise you to delete these entries; they are known malware.
Quote
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Trouvé(e)

The forged file detection is bugging me.
Could you please attach the RogueKiller JSON report in your next reply and follow this process?
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your next reply.

Regards.

Reply #2, April 20, 2016, 11:23:53 PM

HackedPwned

Quote from: Curson
Welcome to Adlice.com Forum. :)

Thank you :) !

Quote from: Curson
I advise you to delete these entries; they are known malware.

Quote
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\MyWebFace_5aService (C:\PROGRA~2\MYWEBF~1\bar\1.bin\5abarsvc.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1DE6\ControlSet001\Services\rowugoqo (C:\Users\home\AppData\Local\33444335-1455388700-5433-4243-A0D3C1527A4F\snse6E18.tmp) -> Trouvé(e)
I had already done that after my first analysis ;)!

Quote from: Curson
Could you please attach the RogueKiller JSON report in your next reply and follow this process?
[...]
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your next reply.
Of course ;) !

I forgot to mention that the scan systematically crashed the system each time the MSI Afterburner service was analyzed (complete freeze of the system --> hard reset).
So I had to quit Afterburner to start the analysis.

Thanks for your help ;)!

Cordially!

Reply #3, April 21, 2016, 01:05:31 PM

Curson

Hi HackedPwned,

I have taken the liberty of creating a new thread containing our posts, since further investigations are needed.
Did RogueKiller ask you to upload a file to VirusTotal during the scan?

Quote from: HackedPwned
I forgot to mention that the scan systematically crashed the system each time the MSI Afterburner service was analyzed (complete freeze of the system --> hard reset).
So I had to quit Afterburner to start the analysis.
Would you agree to help us troubleshoot this issue?

If so, please follow this process:
1) Please restart the MSI Afterburner service and launch the Performance Monitor (Task Manager).
2) Download ProcDump and save it on your desktop.
3) Launch a command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x "I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe"
Do not close the command prompt!

4) RogueKiller will be launched. Please start a new scan and, using the Performance Monitor, check the amount of memory used by RogueKiller. When the system hangs, please wait a few minutes before hard resetting the computer.
5) A new file named RogueKiller.exe_<datetime>.dmp should have been created on your desktop. Please zip it, upload it to Google Drive/Dropbox and share the link here.

Did RogueKiller use all the available memory during the scan of the MSI Afterburner service?

Regards.

Reply #4, April 22, 2016, 01:41:55 AM

HackedPwned

Hello !

Sorry for this late answer, but I was not alerted that a new reply had been posted, because the topic had been moved :).

Quote from: Curson
Did RogueKiller ask you to upload a file to VirusTotal during the scan?
Nop :) !

Quote from: Curson
Would you agree to help us troubleshoot this issue?
Yes, I do :).

Quote from: Curson
If so, please follow this process: .......
OK, the command doesn't seem right: it displays the command/usage list of procdump.
I read the manual, and it seems that the dump path is missing. So I modified the command to:

Code:
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x c:\test\ "I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe"
And RogueKiller launched :). But maybe my command isn't good, I don't know :(.

I launched the scan, and the system froze instantly when RogueKiller scanned the MSI Afterburner service, as expected.
Really instantly...
So no, the memory usage was fine until then...

I hard reset my PC, and I have not found any *.dmp file anywhere, either in the "test" folder or elsewhere.
I think the crash comes too suddenly to make a dump :/.

If you have suggestions... ;).
« Last Edit: April 22, 2016, 01:45:56 AM by HackedPwned »
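The ProcDump procedure from Reply #3, with the mandatory dump-folder argument that Reply #4 adds, wrapped so that something useful survives a hard reset. This is an added example, not code from the thread and not Adlice's or Sysinternals' own tooling. It assumes procdump.exe sits on the Desktop, RogueKiller is at the path shown in the log, and C:\test is the dump folder the reporter chose (all taken from the thread); the log file name is the script's own choice. The point it demonstrates is the failure mode described above: ProcDump is a user-mode tool, so when the whole machine freezes it never gets to write a .dmp, and the only record you can count on is what was already flushed to disk beforehand.

```powershell
# Added example, not from the thread: run RogueKiller under ProcDump exactly as
# the moderator asked, and log its memory use once a second to a file that is
# closed after every write, so the last readings before a freeze are on disk.
# Assumptions: procdump.exe on the Desktop, RogueKiller at the path from the
# log, C:\test as dump folder. The log file name is invented for this script.

$procdump = Join-Path $env:USERPROFILE 'Desktop\procdump.exe'
$target   = 'I:\Users\HackedPwned\Downloads\Tools\RogueKillerX64.exe'
$dumpDir  = 'C:\test'
$memLog   = Join-Path $dumpDir 'roguekiller-memory.log'

New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null

# ProcDump syntax: [options] -x <dump folder> <image file> [arguments].
#   -e  write a dump on an unhandled exception
#   -h  write a dump when the process's window stops responding
#   -ma write a full memory dump
# The folder after -x is mandatory, which is why the command without it in the
# thread only printed ProcDump's usage text.
$pd = Start-Process -FilePath $procdump -PassThru -NoNewWindow -ArgumentList @(
    '-accepteula', '-e', '-h', '-ma', '-x', $dumpDir, "`"$target`""
)

# ProcDump starts the target as its child; wait for it to appear by image name.
$rk = $null
for ($i = 0; $i -lt 30 -and -not $rk; $i++) {
    Start-Sleep -Seconds 1
    $rk = Get-Process -Name 'RogueKillerX64' -ErrorAction SilentlyContinue |
          Select-Object -First 1
}
if (-not $rk) { throw "RogueKiller did not start under ProcDump (PID $($pd.Id))." }

# Sample memory once a second. Add-Content opens, appends and closes the file on
# every call, so each line reaches the file system immediately; with a full
# system hang nothing running in user mode can write any more, so this trace,
# not the .dmp, is what answers "did it eat all the memory before it froze?".
# (Lines still sitting in the drive's write cache at the moment of the freeze
# can be lost, so expect to miss at most the last second or two.)
while (-not $rk.HasExited) {
    $rk.Refresh()
    $line = '{0:yyyy-MM-dd HH:mm:ss}  PID={1}  WorkingSet={2:N0} MB  Private={3:N0} MB  Handles={4}  Threads={5}' -f `
        (Get-Date), $rk.Id, ($rk.WorkingSet64 / 1MB), ($rk.PrivateMemorySize64 / 1MB),
        $rk.HandleCount, $rk.Threads.Count
    Add-Content -LiteralPath $memLog -Value $line
    Start-Sleep -Seconds 1
}

Write-Host "RogueKiller exited. Dumps (if any) are in $dumpDir; memory trace in $memLog."
```

After a hard reset, open C:\test\roguekiller-memory.log: a flat working set right up to the last line means the scanner was not exhausting memory, and the freeze has to be chased on the kernel side (a driver interaction with the Afterburner service) rather than in a user-mode dump that was never going to be written.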

Reply #5, April 24, 2016, 11:25:47 PM

Curson

Hi HackedPwned,
Quote from: HackedPwned
Nop :) !
That will be the case in the next version of RogueKiller.

Quote from: HackedPwned
Yes, I do :).
Many thanks. That's much appreciated. :)

Quote from: HackedPwned
OK, the command doesn't seem right: it displays the command/usage list of procdump.
I read the manual, and it seems that the dump path is missing. [...]
And RogueKiller launched :). But maybe my command isn't good, I don't know :(.
I'm really sorry about that. :(
Your command is perfectly correct.

Quote from: HackedPwned
I launched the scan, and the system froze instantly when RogueKiller scanned the MSI Afterburner service, as expected.
Really instantly...
So no, the memory usage was fine until then...
I hard reset my PC, and I have not found any *.dmp file anywhere, either in the "test" folder or elsewhere.
I think the crash comes too suddenly to make a dump :/.
Thanks for the information.
This is certainly the case.

Quote from: HackedPwned
If you have suggestions... ;).
That could be the case.
How much memory is installed on your computer?

Regards.

Reply #6, April 25, 2016, 12:11:25 AM

HackedPwned

Hi Curson, how are you :)?

Quote from: Curson
That will be the case in the next version of RogueKiller.
Good :) !

Quote from: Curson
Many thanks. That much appreciated. :)
You're welcome :) !

Quote from: Curson
How much memory is installed on your computer?
I have 16 GB of memory installed.
The pagefile setting is manually set to 2 GB :).

Best regards :) !

Reply #7, April 25, 2016, 04:23:25 PM

Curson

Hi HackedPwned,
Quote from: HackedPwned
how are you :)?
I'm fine. What about you? :)

A new version of RogueKiller has been released today.
Could you please update yours, redo a full scan (with the MSI service turned off) and attach the JSON report in your next reply?

Quote from: HackedPwned
I have 16 GB of memory installed.
The pagefile setting is manually set to 2 GB :).
Could you please give me the name and full path of the process displayed when the system hangs?

Regards.