False detection?

[simonik]

Hello,
the RogueKiller find following, but another antivirus not detected problem.
In addition to I cannot find file C:\Windows\System32\hasplms.exe in direktory.
I found it c:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_75ae74b7b50926d5\hasplms.exe
 Is PC infected?

Thanks



RogueKiller V12.4.3.0 (x64) [Aug  8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operační systém : Windows 10 (10.0.10586) 64 bits version
Spuštěno : Normální režim
Uživatel : simonik_2 [Práva správce]
Started from : C:\utility\Utility z VIR\RogueKillerX64 z domu.exe
Mód : Prohledat -- Datum : 08/13/2016 10:21:54

¤¤¤ Procesy : 5 ¤¤¤
[Proc.RunPE] hasplms.exe(2268) -- C:\Windows\System32\hasplms.exe[7] -> Nalezeno
[Proc.Injected] WmiPrvSE.exe(5144) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Nalezeno
[Proc.Injected] AdobeARM.exe(7904) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[7] -> Nalezeno
[Proc.Injected] taskhostw.exe(8636) -- C:\Windows\System32\taskhostw.exe[7] -> Nalezeno
[Proc.Injected] notepad.exe(5988) -- C:\Windows\SysWOW64\notepad.exe[-] -> Nalezeno

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3757079080-4266798695-932415464-1011\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/  -> Nalezeno
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3757079080-4266798695-932415464-1011\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/  -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Nahrán) ¤¤¤

¤¤¤ Webové prohlížeče : 0 ¤¤¤

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 6400366593af68616017f5dd5e0ff0cd
[BSP] 1044049367a9c4e23ea1c3a20fe826e7 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 953067 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1952600064 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

[Curson]

Hi simonik,

Welcome to Adlice.com Forum.
The [Proc.Injected] detection could be triggered by two things : 

• A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
• Your antivirus injecting your processes to protect you (in theory).

To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following :

• Download Process Explorer and save it to your desktop.
  
• Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  
• Locate the process named notepad.exe, right click select Create Dump > Create Full Dump...
  
• Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
• Share the link in your next reply.

Please do the same with the process named hasplms.exe.
We will analyse what is really injected, and whitelist if needed.

Regards.

[simonik]

Hello,
thank you for your answer. I cannot create dump for hasplms - I createted it but size is 0B.

- About notaped.exe - I preventive deleted it. But It was not in memory as process, it was only as file on the disk. I controled it by virustotal.comm and result was 0.

[Curson]

Hi simonik,

You are welcome.
Could you please dump the process named WmiPrvSE.exe instead ?

Regards.

[simonik]

Hello,
I am sending you dump from my personal web.

http://www.petrsi.cz/RogueKiller/WmiPrvSE.zip

[Curson]

Hi simonik,

I was not able to detect any injection in the process.
So, we can conclude this was a false positive.

Regards.