Author Topic: False detection?  (Read 3975 times)

0 Members and 1 Guest are viewing this topic.

August 13, 2016, 10:36:49 am

simonik

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
False detection?
« on: August 13, 2016, 10:36:49 am »
Hello,
the RogueKiller find following, but another antivirus not detected problem.
In addition to I cannot find file C:\Windows\System32\hasplms.exe in direktory.
I found it c:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_75ae74b7b50926d5\hasplms.exe
 Is PC infected?

Thanks



RogueKiller V12.4.3.0 (x64) [Aug  8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operační systém : Windows 10 (10.0.10586) 64 bits version
Spuštěno : Normální režim
Uživatel : simonik_2 [Práva správce]
Started from : C:\utility\Utility z VIR\RogueKillerX64 z domu.exe
Mód : Prohledat -- Datum : 08/13/2016 10:21:54

¤¤¤ Procesy : 5 ¤¤¤
[Proc.RunPE] hasplms.exe(2268) -- C:\Windows\System32\hasplms.exe[7] -> Nalezeno
[Proc.Injected] WmiPrvSE.exe(5144) -- C:\Windows\System32\wbem\WmiPrvSE.exe[-] -> Nalezeno
[Proc.Injected] AdobeARM.exe(7904) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[7] -> Nalezeno
[Proc.Injected] taskhostw.exe(8636) -- C:\Windows\System32\taskhostw.exe[7] -> Nalezeno
[Proc.Injected] notepad.exe(5988) -- C:\Windows\SysWOW64\notepad.exe[-] -> Nalezeno

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3757079080-4266798695-932415464-1011\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/  -> Nalezeno
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3757079080-4266798695-932415464-1011\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/  -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Nahrán) ¤¤¤

¤¤¤ Webové prohlížeče : 0 ¤¤¤

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 +++++
--- User ---
[MBR] 6400366593af68616017f5dd5e0ff0cd
[BSP] 1044049367a9c4e23ea1c3a20fe826e7 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 953067 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1952600064 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK


Reply #1August 14, 2016, 11:26:51 am

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: False detection?
« Reply #1 on: August 14, 2016, 11:26:51 am »
Hi simonik,

Welcome to Adlice.com Forum.
The [Proc.Injected] detection could be triggered by two things : 
  • A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
  • Your antivirus injecting your processes to protect you (in theory).
To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following :
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named notepad.exe, right click select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
  • Share the link in your next reply.
Please do the same with the process named hasplms.exe.
We will analyse what is really injected, and whitelist if needed.

Regards.

Reply #2August 15, 2016, 07:03:41 am

simonik

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: False detection?
« Reply #2 on: August 15, 2016, 07:03:41 am »
Hello,
thank you for your answer. I cannot create dump for hasplms - I createted it but size is 0B.

- About notaped.exe - I preventive deleted it. But It was not in memory as process, it was only as file on the disk. I controled it by virustotal.comm and result was 0.

Reply #3August 18, 2016, 01:22:50 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: False detection?
« Reply #3 on: August 18, 2016, 01:22:50 pm »
Hi simonik,

You are welcome.
Could you please dump the process named WmiPrvSE.exe instead ?

Regards.

Reply #4August 19, 2016, 09:28:18 am

simonik

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: False detection?
« Reply #4 on: August 19, 2016, 09:28:18 am »
Hello,
I am sending you dump from my personal web.

http://www.petrsi.cz/RogueKiller/WmiPrvSE.zip

Reply #5August 19, 2016, 10:36:13 am

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2310
  • Reputation:
    82
    • View Profile
Re: False detection?
« Reply #5 on: August 19, 2016, 10:36:13 am »
Hi simonik,

I was not able to detect any injection in the process.
So, we can conclude this was a false positive.

Regards.