Author Topic: Found something  (Read 6113 times)

0 Members and 1 Guest are viewing this topic.

November 19, 2015, 12:29:17 AM

computerwiz64

  • Newbie

  • Offline
  • *

  • 7
  • Reputation:
    0
    • View Profile
Found something
« on: November 19, 2015, 12:29:17 AM »
Hi, I removed avast and restarted my computer. I ran a scan and found this in the report:

¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0xb6f20030
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0xb6f20030



Are they legit?  I found out recently that my Aol account was accessed by someone else.

I feel as if I have a rat installed on my computer.

I would appreciate any help.

Reply #1November 19, 2015, 01:52:18 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Found something
« Reply #1 on: November 19, 2015, 01:52:18 PM »
Hi computerwiz64,

These hooks are legit.

Quote from: computerwiz64
I found out recently that my Aol account was accessed by someone else.
I feel as if I have a rat installed on my computer.
Could you please expain this more precisely ?

Regards.

Reply #2November 22, 2015, 04:04:09 AM

computerwiz64

  • Newbie

  • Offline
  • *

  • 7
  • Reputation:
    0
    • View Profile
Re: Found something
« Reply #2 on: November 22, 2015, 04:04:09 AM »
How can you guy's tell?  I ran it again  with chrome running and another time when it was closed. I now get 8 of the same stuff found. I shows it at times. I mean it found the first 2 but now when I  run it. It shows the same names but with the same hex addresses founded. This is when chrome is running and not running. Is that normal?

I am running RougeKiller Ver 10.11.6.0

I run the same version on my laptops and other computers. I don't get these listings on my other computers. Well just mine and another computer. I have 5 computers. 2 show these responses. The rest shows nothing.

Why is that? Is it plugins or extensions thats giving the false positives?

I was told this was fixed in  version 10.11.5.0
« Last Edit: November 22, 2015, 04:08:28 AM by computerwiz64 »

Reply #3November 23, 2015, 11:52:06 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Found something
« Reply #3 on: November 23, 2015, 11:52:06 AM »
Hi computerwiz64,

Chrome is using hooks for sandboxing purposes.
Their number may change depending of which modules are loaded at the time of the scan. ;)

For the ones you reported :
Code: [Select]
// Interception of CreateNamedPipeW in kernel32.dll
SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW(
    CreateNamedPipeWFunction orig_CreateNamedPipeW, LPCWSTR pipe_name,
    DWORD open_mode, DWORD pipe_mode, DWORD max_instance, DWORD out_buffer_size,
    DWORD in_buffer_size, DWORD default_timeout,
    LPSECURITY_ATTRIBUTES security_attributes);

This should be fixed in RogueKiller next release.

Regards.