Adlice forum
Software feedback => RogueKiller PREMIUM => Topic started by: IngoPan on February 17, 2017, 06:26:04 AM
-
Hi,
I had an Alureon infection lately and I am now unsure if these hooks are legit or if it's a coincidence:
RogueKiller V12.9.7.0 (x64) [Feb 6 2017] (Premium) by Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating system : Windows 10 (10.0.14393) 64-bit version
Started in : Normal mode
User : IngoPan [Administrator]
Started from : C:\Users\IngoPan\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 02/16/2017 22:44:15 (Duration : 00:13:29)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts file : 0 ¤¤¤
¤¤¤ Anti-Rootkit : 116 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (explorer.exe) user32!SetWindowCompositionAttribute : Unknown @ 0x5eb0080
[IAT:Addr(Hook.IEAT)] (explorer.exe) gdi32!StretchDIBits : Unknown @ 0x5eb0020
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ AcGenral.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ imm32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!EnumDisplayDevicesA : Unknown @ 0x7ff8841e00ac
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!GetMonitorInfoA : Unknown @ 0x7ff8841e00ec
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ GdiPlus.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
¤¤¤ Web browser : 0 ¤¤¤
¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB +++++
--- User ---
[MBR] 9706b026d752dc15e582cdccf50e5624
[BSP] f29bea51de29fb471d44c4065688aad4 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 476372 MB
User = LL1 ... OK
User = LL2 ... OK
-
Hi IngoPan,
Welcome to Adlice.com forum and thanks for supporting our product.
These hooks are not malicious, they are part of Chrome Sandbox feature.
Regards.
Note : This thread has been moved to the "RogueKiller PREMIUM" section for clarity and your license number removed for privacy.
-
Thanks! Is it really 60 hooks? Sounds like quite a lot ...
Regards, Ingo
-
Hi IngoPan,
Yes, Chrome heavily relies on hooks to implement some features.
In the future, they will be recognized as legit and therefore no longer displayed in RogueKiller reports.
Regards.
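The Anti-Rootkit section of the report above runs to 116 lines, which is what prompted the "is it really 60 hooks?" question. The script below is an added example, not code from the original posts or from Adlice: it parses the `[IAT:Addr(Hook.IEAT)]` lines in the layout seen in this report (the regular expression is an assumption about that layout, nothing more), collapses them by detour address and hooked function, and buckets detours by 64 KiB regions as a grouping heuristic chosen here. On the thirteen lines copied from the report as sample input, 13 entries reduce to 10 distinct detour addresses in four regions, and each hooked function always points at the same detour. The report carries no PIDs, so the repeating chrome.exe blocks read as the same hook set reported once per chrome.exe process, which is why the raw line count overstates the number of actual redirects.

```python
"""Triage the Anti-Rootkit section of a RogueKiller report (added example).

Groups [IAT:Addr(Hook.IEAT)] lines by detour address, process and hooked
function so that a long hook list collapses into the few facts that matter:
how many distinct detours there are, where they live, and whether any
function is redirected to more than one place.  The line layout assumed
here is the one seen in the report above; this is not Adlice's code.
"""
import re
from collections import defaultdict

# One report line:  [IAT:Addr(Hook.IEAT)] (proc @ module) lib!func : Status @ 0xaddr
# The " @ module" part is absent when the hooked IAT belongs to the main image.
HOOK_RE = re.compile(
    r"\[IAT:Addr\(Hook\.IEAT\)\] "
    r"\((?P<process>[^\s@)]+)(?: @ (?P<module>[^)]+))?\) "
    r"(?P<library>\w+)!(?P<function>\w+) : (?P<status>\w+) @ 0x(?P<detour>[0-9a-fA-F]+)"
)

# Thirteen lines copied from the report posted above (a subset of the 116).
SAMPLE_REPORT = """\
[IAT:Addr(Hook.IEAT)] (explorer.exe) user32!SetWindowCompositionAttribute : Unknown @ 0x5eb0080
[IAT:Addr(Hook.IEAT)] (explorer.exe) gdi32!StretchDIBits : Unknown @ 0x5eb0020
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ AcGenral.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!EnumDisplayDevicesA : Unknown @ 0x7ff8841e00ac
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!GetMonitorInfoA : Unknown @ 0x7ff8841e00ec
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
"""


def parse_hooks(report_text):
    """Return one dict per hook line; lines of any other kind are ignored."""
    hooks = []
    for line in report_text.splitlines():
        m = HOOK_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "process": d["process"],
            # No " @ module" means the hooked IAT is the process's own image.
            "module": d["module"] or d["process"],
            "target": f"{d['library']}!{d['function']}",
            "status": d["status"],
            "detour": int(d["detour"], 16),
        })
    return hooks


def summarize(hooks, region_shift=16):
    """Collapse a hook list into triage facts.

    region_shift=16 buckets detours by 64 KiB (the Windows allocation
    granularity) so detours in one mapped image or block share a region.
    This is a grouping heuristic, not a module lookup.
    """
    detours_by_target = defaultdict(set)
    detours_by_process = defaultdict(set)
    for h in hooks:
        detours_by_target[h["target"]].add(h["detour"])
        detours_by_process[h["process"]].add(h["detour"])
    all_detours = {h["detour"] for h in hooks}
    return {
        "entries": len(hooks),
        "distinct_detours": len(all_detours),
        "detour_regions": sorted({a >> region_shift for a in all_detours}),
        "detours_per_process": {p: len(s) for p, s in detours_by_process.items()},
        "detour_by_target": {t: sorted(hex(a) for a in s)
                             for t, s in sorted(detours_by_target.items())},
        # A function sent to different addresses in different places deserves
        # a closer look than N copies of one consistent redirect.
        "targets_with_multiple_detours": sorted(
            t for t, s in detours_by_target.items() if len(s) > 1),
    }


if __name__ == "__main__":
    summary = summarize(parse_hooks(SAMPLE_REPORT))
    print(f"{summary['entries']} entries, {summary['distinct_detours']} distinct "
          f"detours in {len(summary['detour_regions'])} 64 KiB regions")
    for target, addrs in summary["detour_by_target"].items():
        print(f"  {target:40s} -> {', '.join(addrs)}")
    if summary["targets_with_multiple_detours"]:
        print("functions with more than one detour:",
              summary["targets_with_multiple_detours"])
```

To use it on a full report, pass the whole log text to `parse_hooks` instead of `SAMPLE_REPORT`; the non-hook lines are skipped. The `targets_with_multiple_detours` list is the one field that should be empty for a single, consistent hooking component such as the sandbox described in the reply above.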
-
Hello Curson et al., forum members,
Curson, you previously said, in the post above,
"Yes, Chrome heavily relies on hooks to implement some features.
In the future, they will be recognized as legit and therefore not displayed anymore in RogueKiller reports."
I had similar experience but with one exception:
Only one hook specifically was detected by RK as a "positive" (highlighted in red), as opposed to all the other aforementioned hooks which were as you previously described (normal).
With the latest version upgrade, ALL the hooks have disappeared INCLUDING the one suspect hook that I've been attempting to isolate, prior to the version upgrade.
I saw this hook in RK V12.10.1.0 [Mar 20 2017] (Premium) and earlier.
Below is the suspect hook info that is no longer detected:
Detection : Hook.SSDT
Type : SSDT
Detour : Inl
Object : ZwDeleteAtom[119]
Hook : C:\Windows\System32\win32k.sys @ 0xffffffffab2b7f63
Nothing was documented under the header "Status".
Can I (hopefully) assume this was a false positive?
I cannot confirm any kind of infection other than this.
My PC is Windows Vista, 32-bit.
Thanks for your assistance.
CJ
-
Hi calamityjane,
SSDT hooks aren't displayed anymore unless you run the program in Expert Mode.
Yes, the hook you described is a false positive that was fixed some time ago.
Regards.