
Proc.injected detection


7 replies to this topic

#1 doogie_doogie

doogie_doogie

  • Members
  • 5 posts

Posted 07 November 2016 - 12:01 PM

Using Windows 10

 

My friend received a link from Skype messaging that appeared to come from me, although I didn't send anything. Seems to be part of a scam going on recently.

 

I also received the same link from 3 of my Skype contacts (messages contained a URL to Baidu with the Skype username at the end).

 

I performed a scan with Rogue Killer and came up with 8 Proc.Injected process detections, some referencing Skype. I killed off those Proc.Injected processes.

 

I proceeded to run Rogue Killer again and it detected 3 more Proc.Injected processes. I killed those off, but after another scan of Rogue Killer they show up again.

 

Would appreciate any advice. Thanks!

 

Proc.Injected    [5660] svchost.exe, C:\Windows\System32\svchost.exe
Proc.Injected    [6708] explorer.exe, C:\Windows\explorer.exe
Proc.Injected    [7188] firefox.exe, C:\Program Files (x86)\Mozilla Firefox\firefox.exe





#2 doogie_doogie

doogie_doogie
  • Topic Starter

  • Members
  • 5 posts

Posted 07 November 2016 - 12:06 PM

Just a quick update: I wasn't able to kill the Proc.Injected process [5660] svchost.exe, C:\Windows\System32\svchost.exe.

Report from Rogue Killer: "not killed".

 

RogueKiller V12.8.0.0 (x64) [Nov  7 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Client [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 11/07/2016 11:24:33 (Duration : 00:25:01)

¤¤¤ Processes : 3 ¤¤¤
[Proc.Injected] svchost.exe(5660) -- C:\Windows\System32\svchost.exe[7] -> [NoKill]
[Proc.Injected] explorer.exe(6708) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] firefox.exe(7188) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f5360646-7351-40e3-9350-ddd70472812e} | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A SCSI Disk Device +++++
--- User ---
[MBR] aa4fbfb426fcf5267b120e2e5d8e11d8
[BSP] 143fdc32b0aa50c7e931aecb7d91ff29 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 927815 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1900167168 | Size: 450 MB
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 1901090816 | Size: 25599 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD3202ABYS-01B7A0 +++++
--- User ---
[MBR] 96c730a9420de6f531c48a026eb3890c
[BSP] 6a4cdbb4432ea14b8cbaef9136369d0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 304207 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WD 2500BEA External USB Device +++++
--- User ---
[MBR] 27046bfed13eaece99dd9ad462b0a665
[BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 63 | Size: 238472 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 



#3 doogie_doogie

doogie_doogie
  • Topic Starter

  • Members
  • 5 posts

Posted 07 November 2016 - 12:37 PM

Latest scan report. 3 additional Proc.Injected detections seem to come from applications that I used prior to the scan, the Google Talk plugin and Notepad.

 

RogueKiller V12.8.0.0 (x64) [Nov  7 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Client [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 11/07/2016 12:08:30 (Duration : 00:24:30)

¤¤¤ Processes : 6 ¤¤¤
[Proc.Injected] explorer.exe(2420) -- C:\Windows\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] smartscreen.exe(4220) -- C:\Windows\System32\smartscreen.exe[-] -> Killed [TermThr]
[Proc.Injected] firefox.exe(7088) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Killed [TermProc]
[Proc.Injected] notepad.exe(5900) -- C:\Windows\System32\notepad.exe[-] -> Killed [TermThr]
[Proc.Injected] plugin-container.exe(6832) -- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7] -> Killed [TermProc]
[Suspicious.Path|Proc.Injected] googletalkplugin.exe(8852) -- C:\Users\Client\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f5360646-7351-40e3-9350-ddd70472812e} | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A SCSI Disk Device +++++
--- User ---
[MBR] aa4fbfb426fcf5267b120e2e5d8e11d8
[BSP] 143fdc32b0aa50c7e931aecb7d91ff29 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 927815 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1900167168 | Size: 450 MB
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 1901090816 | Size: 25599 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD3202ABYS-01B7A0 +++++
--- User ---
[MBR] 96c730a9420de6f531c48a026eb3890c
[BSP] 6a4cdbb4432ea14b8cbaef9136369d0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 304207 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WD 2500BEA External USB Device +++++
--- User ---
[MBR] 27046bfed13eaece99dd9ad462b0a665
[BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 63 | Size: 238472 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
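A small triage helper for the RogueKiller "Processes" lines quoted in this thread, added here as an example (it is not RogueKiller's code and not something the poster ran). It parses successive scans, groups each [Proc.Injected] hit by image path, and flags the cases a defender would escalate rather than just kill again: an image that reappears under a fresh PID, one the tool reported as [NoKill], or one living outside the system roots (the same idea behind the tool's own Suspicious.Path tag). The sample lines are constructed from the format above, and the SYSTEM_ROOTS list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the RogueKiller "Processes" format quoted in this
# thread (abridged; not the poster's full reports).
SCAN_1 = """\
[Proc.Injected] svchost.exe(5660) -- C:\\Windows\\System32\\svchost.exe[7] -> [NoKill]
[Proc.Injected] explorer.exe(6708) -- C:\\Windows\\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] firefox.exe(7188) -- C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe[7] -> Killed [TermProc]
"""
SCAN_2 = """\
[Proc.Injected] explorer.exe(2420) -- C:\\Windows\\explorer.exe[7] -> Killed [TermProc]
[Proc.Injected] notepad.exe(5900) -- C:\\Windows\\System32\\notepad.exe[-] -> Killed [TermThr]
[Suspicious.Path|Proc.Injected] googletalkplugin.exe(8852) -- C:\\Users\\Client\\AppData\\Local\\Google\\Google Talk Plugin\\googletalkplugin.exe[7] -> Killed [TermProc]
"""

# One report line: [tag|tag] name(pid) -- path[module count] -> result
LINE_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]\s+(?P<name>\S+)\((?P<pid>\d+)\)\s+--\s+"
    r"(?P<path>.+)\[(?P<mods>[^\]]*)\]\s+->\s+(?P<result>.+)$"
)
# Assumed "trusted" roots: images outside them are user-writable and get escalated first.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_processes(report: str) -> list:
    """Return one dict per process line tagged Proc.Injected (tags split into a list)."""
    hits = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m and "Proc.Injected" in m["tags"].split("|"):
            rec = m.groupdict()
            rec["tags"], rec["pid"] = rec["tags"].split("|"), int(rec["pid"])
            hits.append(rec)
    return hits

def triage(reports: list) -> dict:
    """Group hits by image path across scans; flag recurring, unkillable or user-writable ones."""
    seen = defaultdict(lambda: {"scans": set(), "pids": [], "results": set()})
    for i, report in enumerate(reports):
        for rec in parse_processes(report):
            e = seen[rec["path"]]
            e["scans"].add(i)                 # which scans the image showed up in
            e["pids"].append(rec["pid"])      # a new PID each scan means it was restarted
            e["results"].add(rec["result"])   # e.g. "[NoKill]" or "Killed [TermProc]"
    return {path: {"recurring": len(e["scans"]) > 1,
                   "not_killed": "[NoKill]" in e["results"],
                   "user_writable": not path.lower().startswith(SYSTEM_ROOTS),
                   "pids": e["pids"]}
            for path, e in seen.items()}
```

Feeding the two reports in order shows explorer.exe as recurring (PIDs 6708 then 2420), svchost.exe as not killed, and only the Google Talk plugin image as user-writable; those three are the ones to hand to the analyst with a memory dump, the rest are single-scan hits.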
 



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 November 2016 - 04:47 PM

According to Tigzy, the developer of RogueKiller, a "Proc.Injected" detection can be related to a malware infection or to a legitimate program (i.e. anti-virus) injecting certain processes to protect your system. If you encounter such a detection, further investigation is needed...please read and follow these instructions.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 doogie_doogie

doogie_doogie
  • Topic Starter

  • Members
  • 5 posts

Posted 07 November 2016 - 05:47 PM

Excellent, thanks very much for the quick reply. I have zipped the .dmp file from Process Hacker and hosted it as requested; here is the link:

 

http://www.filedropper.com/processhackerexe

 

Looking forward to your analysis.

 

Best regards



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 November 2016 - 07:13 PM

You have to ask and submit the link for the .dmp file to Tigzy so he can look at it...post in the same topic as those instructions.

#7 doogie_doogie

doogie_doogie
  • Topic Starter

  • Members
  • 5 posts

Posted 07 November 2016 - 09:08 PM

OK thanks, just submitted to Tigzy, will keep you posted.

 

(FYI: my last scan using Rogue Killer (after reboot) no longer detects the Proc.Injected processes.)

 

thanks again!



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 November 2016 - 09:12 PM

You're welcome.