Adlice forum
Software feedback => RogueKiller => Topic started by: speedgamer on September 18, 2014, 06:54:50 PM
-
Hello, is this a rootkit or a trojan? I cannot delete it, it's impossible to delete.
(screenshot: http://www11.pic-upload.de/18.09.14/97xllevf4m7t.png)
-
Can you please paste the report instead?
-
¤¤¤ Malicious processes : 0 ¤¤¤
¤¤¤ Registry entries : 12 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:80 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:80 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{831DD731-FEDB-42C5-8289-8FD787277935} | DhcpNameServer : 198.18.16.1 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{831DD731-FEDB-42C5-8289-8FD787277935} | DhcpNameServer : 198.18.16.1 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts file : 0 ¤¤¤
¤¤¤ Antirootkit : 3 (Driver: NOT LOADED [0xc000035f]) ¤¤¤
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0x8df0000
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0x8df0020
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0x8df0040
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SDSSDP256G +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: WDC WD10EZEX-00KUWA0 +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_09182014_220622.log
-
The hook points to an unknown place; sometimes that happens :-X
That's not necessarily malicious, sometimes it's just legit shellcode.
-
Hello everyone,
I have almost the same error:
RogueKiller V9.2.11.0 (x64) [Sep 9 2014] by Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : https://www.surlatoile.org/RogueKiller/
Blog : http://www.adlice.com
Operating system : Windows 8.1 (6.3.9600 ) 64 bits version
Started in : Safe mode with networking
User : mijsoot [Admin rights]
Mode : Removal -- Date : 09/22/2014 19:25:48
¤¤¤ Malicious processes : 0 ¤¤¤
¤¤¤ Registry entries : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2441846524-2952021072-3889132545-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> NOT SELECTED
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2441846524-2952021072-3889132545-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> NOT SELECTED
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS file : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.adobe.com
¤¤¤ Antirootkit : 8 (Driver: NOT LOADED [0xc000035f]) ¤¤¤
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0x9790000
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0x9790020
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0x9790040
[EAT:Addr] (explorer.exe) framedynos.dll - DllCanUnloadNow : C:\Windows\System32\msxml3.dll @ 0x7ff8a5ec2a60
[EAT:Addr] (explorer.exe) framedynos.dll - DllGetClassObject : C:\Windows\System32\msxml3.dll @ 0x7ff8a5ea9730
[EAT:Addr] (explorer.exe) framedynos.dll - DllMain : C:\Windows\System32\msxml3.dll @ 0x7ff8a5ea1010
[EAT:Addr] (explorer.exe) framedynos.dll - DllRegisterServer : C:\Windows\System32\msxml3.dll @ 0x7ff8a5ebbca0
[EAT:Addr] (explorer.exe) framedynos.dll - DllUnregisterServer : C:\Windows\System32\msxml3.dll @ 0x7ff8a5ebbca0
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM001-1CH164 +++++
--- User ---
[MBR] 4e55908add7d04010cd8fc0002385328
[BSP] 0e92158ffbad9dcf88dd79602c2bb31c : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: WD Ext HDD 1021 USB Device +++++
--- User ---
[MBR] 2e89242accb914d6ca945df3a7d3be23
[BSP] b294ee742e130d7155876c16da1215e1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 32768 MB
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 67119570 | Size: 1874953 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] This request is not supported. )
============================================
RKreport_DEL_07312014_073932.log - RKreport_DEL_09222014_170024.log - RKreport_DEL_09222014_171344.log - RKreport_SCN_07302014_233402.log
RKreport_SCN_09222014_163110.log - RKreport_SCN_09222014_171240.log - RKreport_SCN_09222014_192443.log
But I have checked them with VirusTotal:
- https://www.virustotal.com/fr/file/d1a31a5ec5fd3b4f26471e5dd17ce9386a7a23ecb8a57901b1de11cf7998727c/analysis/1411459532/
- https://www.virustotal.com/fr/file/9ae609879871302c430f0772814749ab08cb2629fec48153b7b51022cf339f98/analysis/1411459619/
Can you please tell me if there is a problem, such as malware for example?
The reason is that my PC freezes from time to time, but I do not know if this is a problem of micro-disconnects or something else.
Thank you in advance, and thank you very much for this software !!!!
-
No malware here.
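The two reports in this thread are the usual case: every line is a "PUM" (potentially unwanted modification) or a hook the scanner could not attribute, and the triage is done by reading each entry, not by the count. The script below is an added example, not code from Adlice or RogueKiller: it parses the registry, hosts-file and Antirootkit lines in the format shown above and attaches a severity with a one-line reason. The severity rules are heuristics chosen for this example (a loopback ProxyServer means some local process is intercepting HTTP; a DhcpNameServer in 198.18.0.0/15, the RFC 2544 benchmark block, is what VPN and tunnel virtual adapters typically hand out; an IAT entry whose target is "Unknown" lives outside any loaded module and needs a manual look; Explorer preference keys are cosmetic). The sample lines are copied from the two reports above and embedded inline so it runs offline.

```python
"""Triage RogueKiller report lines (added example, not Adlice/RogueKiller code).

Severity rules are heuristics chosen for this example, not the scanner's own
classification. Run it as a script to print one line per finding, or call
triage_report() on the text of an RKreport_*.log file.
"""
import ipaddress
import re

# Constructed sample: lines copied from the two reports posted in this thread.
SAMPLE_REPORT = r"""
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:80 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{831DD731-FEDB-42C5-8289-8FD787277935} | DhcpNameServer : 198.18.16.1 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1699051446-431908364-875039872-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2441846524-2952021072-3889132545-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> NOT SELECTED
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.adobe.com
[IAT:Addr] (explorer.exe) dwmapi.dll - : Unknown @ 0x8df0000
[EAT:Addr] (explorer.exe) framedynos.dll - DllCanUnloadNow : C:\Windows\System32\msxml3.dll @ 0x7ff8a5ec2a60
"""

# One regex per line family used by the scanner's report format.
REG_RE = re.compile(r"^\[(?P<cat>PUM\.\w+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| "
                    r"(?P<name>[^|]+?) : (?P<value>.*?) -> (?P<status>.+)$")
HOSTS_RE = re.compile(r"^\[(?P<path>[^\]]+)\] (?P<ip>\S+) (?P<host>\S+)$")
HOOK_RE = re.compile(r"^\[(?P<kind>IAT|EAT):Addr\] \((?P<proc>[^)]+)\) (?P<module>\S+) - "
                     r"(?P<func>[^\s:]*) ?: (?P<target>.+?) @ (?P<addr>0x[0-9a-fA-F]+)$")

BENCHMARK_NET = ipaddress.ip_network("198.18.0.0/15")  # RFC 2544 test range


def triage_registry(m):
    """Heuristic severity for a [PUM.*] registry line."""
    cat, name, value = m["cat"], m["name"].strip(), m["value"].strip()
    if cat == "PUM.Proxy" and name == "ProxyServer":
        host = value.rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_loopback:
                return "review", (f"proxy {value} is a local listener: find the process bound "
                                  f"to that port (AV/filter/VPN client, or an interceptor)")
        except ValueError:
            pass  # hostname rather than an IP literal
        return "review", f"HTTP traffic goes through {value}: confirm you configured it"
    if cat == "PUM.Proxy":
        return "info", f"{name}={value}"
    if cat == "PUM.Dns":
        ip = ipaddress.ip_address(value)
        if ip in BENCHMARK_NET:
            return "info", f"{value} is in the RFC 2544 benchmark range, typical of a VPN/tunnel adapter"
        if ip.is_private:
            return "info", f"{value} is a LAN address (usually the router)"
        return "review", f"{value} is a public resolver: confirm it is one you or your ISP chose"
    if cat == "PUM.SearchPage":
        return "info", f"search page set to {value}"
    return "cosmetic", f"{cat} {name}={value} is an Explorer preference, not malware"


def triage_hosts(m):
    """A hosts entry pointing at loopback/0.0.0.0 silently blocks that name."""
    ip = ipaddress.ip_address(m["ip"])
    if ip.is_loopback or ip.is_unspecified:
        return "review", f"{m['host']} is sunk to {m['ip']} (blocks the host; verify you added it on purpose)"
    return "review", f"{m['host']} is redirected to {m['ip']}"


def triage_hook(m):
    """Antirootkit IAT/EAT lines: flag targets that resolve outside any module."""
    target = m["target"]
    if target == "Unknown":
        return "review", (f"{m['kind']} entry of {m['module']} in {m['proc']} points to {m['addr']}, "
                          f"outside any loaded module: dump that region and identify its owner")
    if target.lower().startswith("c:\\windows\\system32\\"):
        return "low", f"{m['module']}!{m['func']} resolves into {target} (a System32 DLL; check its signature)"
    return "review", f"{m['module']}!{m['func']} resolves into {target}"


def triage_report(text):
    """Return a list of (severity, reason) tuples, one per recognised finding line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := REG_RE.match(line)):
            findings.append(triage_registry(m))
        elif (m := HOOK_RE.match(line)):
            findings.append(triage_hook(m))
        elif (m := HOSTS_RE.match(line)):
            findings.append(triage_hosts(m))
    return findings


if __name__ == "__main__":
    for severity, reason in triage_report(SAMPLE_REPORT):
        print(f"[{severity:>8}] {reason}")
```

Point it at a real RKreport_*.log and the "review" items are the ones to resolve by hand: for the loopback proxy, `netstat -ano | findstr :80` tells you which PID owns the listener; for the "Unknown" IAT target, the address itself says nothing until you look at what is mapped there.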