Malware removal help / IAT hooks that are persistent
« on: January 27, 2018, 09:03:23 PM »
I have reinstalled Windows several times and these hooks go away. But then they soon return. Help, please!
RogueKiller V12.12.1.0 (x64) [Jan 22 2018] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : Bruce [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/27/2018 07:36:01 (Duration : 00:25:33)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (explorer.exe) gdi32!StretchDIBits : Unknown @ 0x8e60000
[IAT:Addr(Hook.IEAT)] (explorer.exe) user32!SetWindowCompositionAttribute : Unknown @ 0x8e60060
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SDSSDXPS480G +++++
--- User ---
[MBR] a393c33377ad2895c16b140b06de7303
[BSP] 57836dc1a89ecc99d5b22b6a9c720b2d : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1228800 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1261568 | Size: 457246 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: +++++
Error reading User MBR! ([2] The system cannot find the file specified. )
Error reading LL1 MBR! ([37] The specified network resource or device is no longer available. )
Error reading LL2 MBR! NOT VALID!
+++++ PhysicalDrive2: ST3000DM001-1ER166 +++++
--- User ---
[MBR] c04a40d3a6a527a8f4dbc5de124b09e2
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2861459 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive3: ST3000DM008-2DM166 +++++
--- User ---
[MBR] c04a40d3a6a527a8f4dbc5de124b09e2
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2861459 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive4: WDC WD30EZRX-00DC0B0 +++++
--- User ---
[MBR] c04a40d3a6a527a8f4dbc5de124b09e2
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2861459 MB
User = LL1 ... OK
User = LL2 ... OK