Adlice forum

Software feedback => RogueKiller => Topic started by: hayasa on October 11, 2015, 05:19:26 PM

Title: IEAT HooK ? (Not sure if legit or not)
Post by: hayasa on October 11, 2015, 05:19:26 PM
Hey, with the last version, when running the program my wifi stops working and I had to disconnect and reconnect, which made me worry.
Then I did a scan and something came out as a hook. I've passed Malwarebytes, hitman pro, avast, junkware removal tool and minitoolbox. But everything came out negative and I'm kind of worried.

I attach the log of the RK scan. Should I be worried?

Edit: The previous version also left the wifi without connection, but doesn't show those hooks.


Thanks!
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: Curson on October 12, 2015, 02:15:09 PM
Hi hayasa,

Welcome to Adlice.com Forum.

RogueKiller version 10.11 is out.
Could you please give it a try?

Regards.
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: hayasa on October 12, 2015, 02:48:20 PM
Thanks, Curson.

I passed the 10.11 version and it looks like the wifi is not disconnecting anymore.
But the hooks are still there.
Are they legit or should I be worried?

Thanks again!
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: Curson on October 12, 2015, 03:07:06 PM
Hi hayasa,

Please follow the following process.
We will analyse what is behind those hooks.

Regards.
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: hayasa on October 12, 2015, 03:38:23 PM
Hi Curson,

Thanks for taking time with me.
I have uploaded the files with the link to this post in the comment.

I was kind of hoping you would answer me with a "nah, it's fine", now I'm really worried :S.

Thanks again for your time.

Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: Curson on October 12, 2015, 04:05:23 PM
Hi hayasa,

Thanks for uploading the dumps.
These hooks are certainly harmless but we hope the dumps will help us to improve RogueKiller IAT/IEAT detection capabilities. ;)

Regards.
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: Tigzy on October 12, 2015, 04:37:06 PM
Hi hayasa, I'm looking at your dumps right now :)

Could you navigate to %Programdata%/RogueKiller/Logs and attach the json logs as well?
They contain much more information about those hooks.

Thanks!
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: hayasa on October 12, 2015, 05:23:31 PM
Sure thing!

I attach the .json log here.

Thanks a lot!!

Edit: I just passed Rkill and MBAM with no issues. RogueKiller keeps showing those hooks :S.
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: Tigzy on October 13, 2015, 10:55:09 AM
RKill and MBAM don't detect hooks ;)
Looking at your file

EDIT: For explorer, it seems legit. The hooks are going back into the initial place after some filtering.
It's all dynamic so hard to trace, I think it's Avast. We'll whitelist the hook signature.

For Chrome, it really looks like sandbox hooks. We are currently building a new beta with fixes for chrome sandbox, I'll tell you when it's ready for testing.
Title: Re: IEAT HooK ? (Not sure if legit or not)
Post by: hayasa on October 13, 2015, 12:02:11 PM
Thank you so much for taking your time with my issue.

Then I guess I can put my paranoid thoughts at rest xDD. I thought that using the rootkit scan on MBAM would check for hooks. Thanks for the info :D

You guys are doing an amazing job.