Adlice forum

General Category => Malware removal help => Topic started by: computerwiz64 on November 19, 2015, 12:29:17 AM

Title: Found something
Post by: computerwiz64 on November 19, 2015, 12:29:17 AM
Hi, I removed Avast and restarted my computer. I ran a scan and found this in the report:

¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0xb6f20030
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0xb6f20030



Are they legit? I found out recently that my AOL account was accessed by someone else.

I feel as if I have a RAT installed on my computer.

I would appreciate any help.
Title: Re: Found something
Post by: Curson on November 19, 2015, 01:52:18 PM
Hi computerwiz64,

These hooks are legit.

Quote from: computerwiz64
I found out recently that my AOL account was accessed by someone else.
I feel as if I have a RAT installed on my computer.
Could you please explain this more precisely?

Regards.
Title: Re: Found something
Post by: computerwiz64 on November 22, 2015, 04:04:09 AM
How can you guys tell? I ran it again with Chrome running and another time when it was closed. I now get 8 of the same things found. It shows them at times. I mean it found the first 2, but now when I run it, it shows the same names but with the same hex addresses found. This is when Chrome is running and not running. Is that normal?

I am running RogueKiller Ver 10.11.6.0

I run the same version on my laptops and other computers. I don't get these listings on my other computers. Well, just mine and another computer. I have 5 computers. 2 show these responses. The rest show nothing.

Why is that? Is it plugins or extensions that's giving the false positives?

I was told this was fixed in version 10.11.5.0
Title: Re: Found something
Post by: Curson on November 23, 2015, 11:52:06 AM
Hi computerwiz64,

Chrome is using hooks for sandboxing purposes.
Their number may change depending on which modules are loaded at the time of the scan. ;)

For the ones you reported:
Code:
// Interception of CreateNamedPipeW in kernel32.dll
// (Chromium sandbox, sandbox/win/src/named_pipe_interception.h). The sandbox
// patches the target process's import of CreateNamedPipeW so that calls land
// here first; that patched import entry is the IAT hook the scanner reports.
SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW(
    CreateNamedPipeWFunction orig_CreateNamedPipeW, LPCWSTR pipe_name,
    DWORD open_mode, DWORD pipe_mode, DWORD max_instance, DWORD out_buffer_size,
    DWORD in_buffer_size, DWORD default_timeout,
    LPSECURITY_ATTRIBUTES security_attributes);

This should be fixed in RogueKiller next release.

Regards.
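The practical question in this thread is how to tell an expected Chrome sandbox hook from one that deserves a closer look. The following is an added example, not code from the forum, from RogueKiller or from the Chromium project: it parses antirootkit report lines in the shape quoted above, resolves each hook address against a module map, and separates the allowlisted Chrome sandbox interception from everything else. The report format is inferred from the two lines in the thread, the module map and the third report line are constructed for the demo, and the allowlist holds only the interception the thread confirms; treat anything you add to it from the Chromium sandbox sources as your own assumption to verify.

```python
"""Triage antirootkit IAT-hook report lines (added example, not RogueKiller's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shape observed in the thread, e.g.
# [IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0xb6f20030
LINE_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+"
    r"\((?P<process>[^\s@)]+)(?:\s+@\s+(?P<module>[^)]+))?\)\s+"
    r"(?P<func>\S+!\S+)\s+:\s+(?P<target>.+?)\s+@\s+(?P<addr>0x[0-9A-Fa-f]+)$"
)

# (process, import) pairs the Chromium sandbox is known to hook. The thread
# confirms CreateNamedPipeW in chrome.exe; anything else you add here is an
# assumption you must check against the Chromium sandbox sources yourself.
CHROME_SANDBOX_HOOKS = {
    ("chrome.exe", "kernel32!CreateNamedPipeW"),
}


@dataclass
class Hook:
    kind: str
    process: str
    module: Optional[str]   # module whose import table is hooked, if reported
    func: str               # dll!export that was hooked
    target: str             # module the scanner attributed the hook to, or "Unknown"
    addr: int


def parse_line(line: str) -> Optional[Hook]:
    """Return a Hook for a report line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Hook(m["kind"], m["process"].lower(), m["module"],
                m["func"], m["target"], int(m["addr"], 16))


def resolve_module(addr: int, modules: List[Tuple[str, int, int]]) -> Optional[str]:
    """Map a hook target address to a (name, base, size) module entry, if any."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def classify(hook: Hook, modules: List[Tuple[str, int, int]]) -> Tuple[str, str]:
    """Expected Chrome sandbox hook, or something to investigate."""
    if (hook.process, hook.func) in CHROME_SANDBOX_HOOKS:
        return "expected", "Chrome sandbox interception of " + hook.func
    owner = resolve_module(hook.addr, modules)
    if owner is None:
        return "investigate", "hook target outside every loaded module"
    return "investigate", "hook target inside " + owner


def triage(report: str, modules: List[Tuple[str, int, int]]):
    results = []
    for line in report.splitlines():
        hook = parse_line(line)
        if hook is not None:
            results.append((hook,) + classify(hook, modules))
    return results


# Constructed sample: the two lines from the thread plus one made-up line
# for a process that has no business carrying this hook.
SAMPLE_REPORT = """¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0xb6f20030
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0xb6f20030
[IAT:Addr(Hook.IEAT)] (explorer.exe) kernel32!CreateNamedPipeW : Unknown @ 0x00a10030
"""

# Constructed module map (name, base, size); real values come from the scanner
# or from a process's loaded-module list at scan time.
SAMPLE_MODULES = [
    ("kernel32.dll", 0x76C00000, 0x00100000),
    ("chrome_child.dll", 0x5E000000, 0x02000000),
]

if __name__ == "__main__":
    for hook, verdict, why in triage(SAMPLE_REPORT, SAMPLE_MODULES):
        print(f"{verdict:12} {hook.process:14} {hook.func:28} @ {hook.addr:#010x}  {why}")
```

Running it prints the two Chrome entries as expected and the constructed explorer.exe entry as something to investigate. The allowlist keys on process and import, not on the address, because the thread shows the same address reported with and without the chrome_child.dll qualifier and the count of entries changes with which modules are loaded.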