

Messages - Trying2FigureThingsOut

Pages: [1]
1
Hello, and thank you so much for getting back to me! I ran Malwarebytes while I was gone today, and nothing showed up on the C: drive. (Which is where my browsers are installed, and where my downloads go.) I'm running Malwarebytes again to double-check. My computer seems to be running like usual, though. I've also attached the fixlog.txt.

I've run several things (and can again if you'd like me to get reports from each) like Avast, AdwCleaner, Malwarebytes Junkware Removal Tool, TDSS Rootkit Removal Tool, ESET Online Scanner, FRSTx64, Malwarebytes Malware Removal, and of course, RogueKiller. After that one initial thing that Malwarebytes found last night (which I believe to be a program that I know about. I play a text-based game and the program is an editor for the game, but it edits the hex file of the game. So I think that's what Malwarebytes found, as I think I had it up while I did the scan. I'm not 100% sure, but that's what I think is possible. I can send the file if you'd like.), RogueKiller is the only program to find anything, for what it's worth.

Any questions you have I'll try my best to answer! I'll also post what I find from another Malwarebytes scan.

Edit: I just got done doing a Malwarebytes scan (one in which I made sure to check the box to scan for rootkits), and it came back clean. I'm attaching the results as well.

Edit 2: I think I'm an idiot and misread what you said - when you said the hooks are legit, did you mean that they are ok? (Like not malicious or anything.) I completely misread things I think the first time around.

2
Hello, everyone. The other day I had some malware that I used Malwarebytes to remove, and I've done 10 or so scans since then and they've all come back fine. (Though, I think it was from this game-related thing I've used before.) I've used AVAST/ESET Online Scanner/AdwCleaner/JRT a lot as well. When I ran RogueKiller it came up with some stuff that it said may be harmful - but they could also be legit modules, so I thought I'd post here and someone could tell me either way.

This was a new scan done with RogueKiller 10.11.2.0 (x64). I also ran Farbar, and I'm attaching those reports as well. Any help on this matter is greatly appreciated!

RogueKiller V10.11.2.0 (x64) [Oct 20 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Drew [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 10/22/2015 08:13:17

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\0615avtUpdateInfo.job -- C:\ProgramData\Avg_Update_0615avt\0615avt_AVG-Secure-Search-Update.exe ( /SETINFO /CMPID=0615avt /INFORETRY=3) -> Found
[Suspicious.Path] \0615avtUpdateInfo -- C:\ProgramData\Avg_Update_0615avt\0615avt_AVG-Secure-Search-Update.exe (/SETINFO /CMPID=0615avt /INFORETRY=3) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 35 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.recommendedsw.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 74 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x779201f0 (jmp 0x161150|jmp 0xfffffffffffffe09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x779203b0 (jmp 0x162660|jmp 0xfffffffffffffc49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDuplicateObject : Unknown @ 0x77920390 (jmp 0x162620|jmp 0xfffffffffffffc69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x779202d0 (jmp 0x1624a0|jmp 0xfffffffffffffd29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x77920490 (jmp 0x161c00|jmp 0xfffffffffffffb69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x779203e0 (jmp 0x162770|jmp 0xfffffffffffffc19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenEvent : Unknown @ 0x779202e0 (jmp 0x162530|jmp 0xfffffffffffffd19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x779203a0 (jmp 0x162170|jmp 0xfffffffffffffc59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetContextThread : Unknown @ 0x77920400 (jmp 0x161520|jmp 0xfffffffffffffbf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSection : Unknown @ 0x77920310 (jmp 0x1624c0|jmp 0xfffffffffffffce9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenProcess : Unknown @ 0x77920370 (jmp 0x162760|jmp 0xfffffffffffffc89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x779204a0 (jmp 0x161c00|jmp 0xfffffffffffffb59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtQueryObject : Unknown @ 0x77920450 (jmp 0x1629a0|jmp 0xfffffffffffffba9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x77920350 (jmp 0x162030|jmp 0xfffffffffffffca9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSection : Unknown @ 0x77920320 (jmp 0x162600|jmp 0xfffffffffffffcd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateSemaphore : Unknown @ 0x779202b0 (jmp 0x161ea0|jmp 0xfffffffffffffd49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSemaphore : Unknown @ 0x779202c0 (jmp 0x161930|jmp 0xfffffffffffffd39|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : Unknown @ 0x77920290 (jmp 0x161f10|jmp 0xfffffffffffffd69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenMutant : Unknown @ 0x779202a0 (jmp 0x161960|jmp 0xfffffffffffffd59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateTimer : Unknown @ 0x77920330 (jmp 0x161ef0|jmp 0xfffffffffffffcc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenTimer : Unknown @ 0x77920340 (jmp 0x161970|jmp 0xfffffffffffffcb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x779203d0 (jmp 0x161fa0|jmp 0xfffffffffffffc29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x779203f0 (jmp 0x162510|jmp 0xfffffffffffffc09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenThread : Unknown @ 0x77920380 (jmp 0x1619c0|jmp 0xfffffffffffffc79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSuspendThread : Unknown @ 0x77920430 (jmp 0x1612a0|jmp 0xfffffffffffffbc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x77920480 (jmp 0x162280|jmp 0xfffffffffffffb79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x77920440 (jmp 0x161780|jmp 0xfffffffffffffbb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ gdi32.dll) ntdll!NtVdmControl : Unknown @ 0x77920280 (jmp 0x161000|jmp 0xfffffffffffffd79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ntmarta.dll) ntdll!NtOpenEventPair : Unknown @ 0x77920300 (jmp 0x161a30|jmp 0xfffffffffffffcf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x779201e0 (jmp 0x161a40|jmp 0xfffffffffffffe19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateSection : Unknown @ 0x180310 (jmp 0xffffffff889c24c0|jmp 0xfffffffffffffce9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtTerminateThread : Unknown @ 0x1803f0 (jmp 0xffffffff889c2510|jmp 0xfffffffffffffc09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtQueryObject : Unknown @ 0x180450 (jmp 0xffffffff889c29a0|jmp 0xfffffffffffffba9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenProcess : Unknown @ 0x180370 (jmp 0xffffffff889c2760|jmp 0xfffffffffffffc89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenThread : Unknown @ 0x180380 (jmp 0xffffffff889c19c0|jmp 0xfffffffffffffc79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x1803b0 (jmp 0xffffffff889c2660|jmp 0xfffffffffffffc49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtTerminateProcess : Unknown @ 0x1803e0 (jmp 0xffffffff889c2770|jmp 0xfffffffffffffc19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateThreadEx : Unknown @ 0x1803d0 (jmp 0xffffffff889c1fa0|jmp 0xfffffffffffffc29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateThread : Unknown @ 0x1803c0 (jmp 0xffffffff889c2530|jmp 0xfffffffffffffc39|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSuspendThread : Unknown @ 0x180430 (jmp 0xffffffff889c12a0|jmp 0xfffffffffffffbc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetContextThread : Unknown @ 0x180400 (jmp 0xffffffff889c1520|jmp 0xfffffffffffffbf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetBootOptions : Unknown @ 0x180270 (jmp 0xffffffff889c13a0|jmp 0xfffffffffffffd89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenTimer : Unknown @ 0x180340 (jmp 0xffffffff889c1970|jmp 0xfffffffffffffcb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x1804a0 (jmp 0xffffffff889c1c00|jmp 0xfffffffffffffb59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSuspendProcess : Unknown @ 0x180420 (jmp 0xffffffff889c12a0|jmp 0xfffffffffffffbd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateTimer : Unknown @ 0x180330 (jmp 0xffffffff889c1ef0|jmp 0xfffffffffffffcc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetSystemInformation : Unknown @ 0x1801f0 (jmp 0xffffffff889c1150|jmp 0xfffffffffffffe09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x180350 (jmp 0xffffffff889c2030|jmp 0xfffffffffffffca9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtModifyBootEntry : Unknown @ 0x180250 (jmp 0xffffffff889c19f0|jmp 0xfffffffffffffda9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenMutant : Unknown @ 0x1802a0 (jmp 0xffffffff889c1960|jmp 0xfffffffffffffd59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetSystemPowerState : Unknown @ 0x180210 (jmp 0xffffffff889c1160|jmp 0xfffffffffffffde9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtReplyWaitReceivePortEx : Unknown @ 0x180470 (jmp 0xffffffff889c2810|jmp 0xfffffffffffffb89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtShutdownSystem : Unknown @ 0x180200 (jmp 0xffffffff889c10e0|jmp 0xfffffffffffffdf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenIoCompletion : Unknown @ 0x180360 (jmp 0xffffffff889c1a80|jmp 0xfffffffffffffc99|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtAddBootEntry : Unknown @ 0x180230 (jmp 0xffffffff889c21f0|jmp 0xfffffffffffffdc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtReplyWaitReceivePort : Unknown @ 0x180460 (jmp 0xffffffff889c2a00|jmp 0xfffffffffffffb99|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtDeleteBootEntry : Unknown @ 0x180240 (jmp 0xffffffff889c1d60|jmp 0xfffffffffffffdb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetBootEntryOrder : Unknown @ 0x180260 (jmp 0xffffffff889c13a0|jmp 0xfffffffffffffd99|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenSection : Unknown @ 0x180320 (jmp 0xffffffff889c2600|jmp 0xfffffffffffffcd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtDebugActiveProcess : Unknown @ 0x180410 (jmp 0xffffffff889c1f60|jmp 0xfffffffffffffbe9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x1803a0 (jmp 0xffffffff889c2170|jmp 0xfffffffffffffc59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenEvent : Unknown @ 0x1802e0 (jmp 0xffffffff889c2530|jmp 0xfffffffffffffd19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x180480 (jmp 0xffffffff889c2280|jmp 0xfffffffffffffb79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x180490 (jmp 0xffffffff889c1c00|jmp 0xfffffffffffffb69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenEventPair : Unknown @ 0x180300 (jmp 0xffffffff889c1a30|jmp 0xfffffffffffffcf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateEvent : Unknown @ 0x1802d0 (jmp 0xffffffff889c24a0|jmp 0xfffffffffffffd29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateSemaphore : Unknown @ 0x1802b0 (jmp 0xffffffff889c1ea0|jmp 0xfffffffffffffd49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSystemDebugControl : Unknown @ 0x180220 (jmp 0xffffffff889c1080|jmp 0xfffffffffffffdd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateMutant : Unknown @ 0x180290 (jmp 0xffffffff889c1f10|jmp 0xfffffffffffffd69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtLoadDriver : Unknown @ 0x1801e0 (jmp 0xffffffff889c1a40|jmp 0xfffffffffffffe19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateEventPair : Unknown @ 0x1802f0 (jmp 0xffffffff889c1fe0|jmp 0xfffffffffffffd09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x180440 (jmp 0xffffffff889c1780|jmp 0xfffffffffffffbb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtDuplicateObject : Unknown @ 0x180390 (jmp 0xffffffff889c2620|jmp 0xfffffffffffffc69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenSemaphore : Unknown @ 0x1802c0 (jmp 0xffffffff889c1930|jmp 0xfffffffffffffd39|jmp 0xfffffffffffffff0|jmp 0xb1)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 ATA Device +++++
--- User ---
[MBR] 8ca307ff0e4dec9235eb94ffbab86fa4
[BSP] 580634c26c006d9ccfa5aec40b0f3f07 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 2861587 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: INTEL SSDSC2CT240A4 ATA Device +++++
--- User ---
[MBR] 8290e994a131049465c7a76800423f1d
[BSP] 5d091fae0155debbbba00c65133dec1e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

3
RogueKiller / Hook.IEAT - Not sure if I should worry or false positive?
« on: August 28, 2015, 07:07:27 PM »
Hello, everyone. The other day I had some malware that I used Malwarebytes to remove, and I've done 10 or so scans since then and they've all come back fine. I've used AVAST/ESET Online Scanner/AdwCleaner/JRT a lot as well. When I ran RogueKiller it came up with some stuff that it said may be harmful - but they could also be legit modules, so I thought I'd post here and someone could tell me either way.

RogueKiller V10.10.2.0 (x64) [Aug 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Drew [Administrator]
Started from : C:\Users\Drew\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 08/28/2015 11:29:18

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.146.0.1 ([(Private Address) (XX)])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DS4Windows.lnk [LNK@] C:\Users\Drew\AppData\Local\Temp\7zO61A3.tmp\DS4Windows.exe -m -> Found

¤¤¤ Hosts File : 34 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 6 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll.dll - RtlCaptureContext : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) wow64win.dll - sdwhwin32 : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) wow64cpu.dll - CpuNotifyAffinityChange : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64win.dll) wow64.dll - Wow64KiUserCallbackDispatcher : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ USER32.dll) ntdll.dll - NlsAnsiCodePage : Unknown @ 0xdc726ea6 (repe call 0x650b6e91)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ USER32.dll) ntdll.dll - NlsAnsiCodePage : Unknown @ 0xdc726ea6 (jmp 0x650b6e90)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 ATA Device +++++
--- User ---
[MBR] 8ca307ff0e4dec9235eb94ffbab86fa4
[BSP] 580634c26c006d9ccfa5aec40b0f3f07 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 2861587 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: INTEL SSDSC2CT240A4 ATA Device +++++
--- User ---
[MBR] 8290e994a131049465c7a76800423f1d
[BSP] 5d091fae0155debbbba00c65133dec1e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Thanks!