Author Topic: IEAT HooK ? (Not sure if legit or not)  (Read 7712 times)

hayasa

  • Newbie

« on: October 11, 2015, 05:19:26 PM »
Hey, with the last version, when running the program my wifi stops working and I had to disconnect and reconnect, which made me worry.
Then I did a scan and something came out as hook. I've passed Malwarebytes, hitman pro, avast, junkware removal tool and minitoolbox. But everything came out negative and I'm kind of worried.

I attach the log of the RK scan. Should I be worried?

Edit: The previous version also left the wifi without connection, but doesn't show those hooks.


Thanks!
« Last Edit: October 12, 2015, 10:51:50 AM by hayasa »

Curson

  • Global Moderator
« Reply #1 on: October 12, 2015, 02:15:09 PM »
Hi hayasa,

Welcome to Adlice.com Forum.

RogueKiller version 10.11 is out.
Could you please give it a try?

Regards.

hayasa

« Reply #2 on: October 12, 2015, 02:48:20 PM »
Thanks, Curson.

I passed the 10.11 version and it looks like the wifi is not disconnecting anymore.
But the hooks are still there.
Are they legit or should I be worried?

Thanks again!

Curson

« Reply #3 on: October 12, 2015, 03:07:06 PM »
Hi hayasa,

Please follow the following process.
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named explorer.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Locate the process named chrome.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
We will analyse what is behind those hooks.

Regards.

hayasa

« Reply #4 on: October 12, 2015, 03:38:23 PM »
Hi Curson,

Thanks for taking time with me.
I have uploaded the files with the link to this post in the comment.

I was kind of hoping you answered me with a "nah, it's fine", now I'm really worried :S.

Thanks again for your time.


Curson

« Reply #5 on: October 12, 2015, 04:05:23 PM »
Hi hayasa,

Thanks for uploading the dumps.
These hooks are certainly harmless but we hope the dumps will help us to improve RogueKiller IAT/IEAT detection capabilities. ;)

Regards.

Tigzy

  • Administrator
  • Owner, Adlice Software
« Reply #6 on: October 12, 2015, 04:37:06 PM »
Hi hayasa, I'm looking at your dumps right now :)

Could you navigate to %Programdata%/RogueKiller/Logs and attach the json logs as well?
They contain much more information about those hooks.

Thanks!

hayasa

« Reply #7 on: October 12, 2015, 05:23:31 PM »
Sure thing!

I attach the .json log here.

Thanks a lot!!

Edit: I just passed Rkill and MBAM with no issues. RogueKiller keeps showing those hooks :S.
« Last Edit: October 12, 2015, 09:04:14 PM by hayasa »

Tigzy

« Reply #8 on: October 13, 2015, 10:55:09 AM »
RKill and MBAM don't detect hooks ;)
Looking at your file

EDIT: For explorer, it seems legit. The hooks are going back into the initial place after some filtering.
It's all dynamic so hard to trace, I think it's Avast. We'll whitelist the hook signature.

For Chrome, it really looks like sandbox hooks. We are currently building a new beta with fixes for the Chrome sandbox, I'll tell you when it's ready for testing.
« Last Edit: October 14, 2015, 08:33:33 AM by Tigzy »

hayasa

« Reply #9 on: October 13, 2015, 12:02:11 PM »
Thank you so much for taking your time with my issue.

Then I guess I can put my paranoid thoughts at rest xDD. I thought that using the rootkit scan on MBAM would check for hooks. Thanks for the info :D

You guys are doing an amazing job.