Author Topic: How to remove the "IAT" from the laptop.  (Read 11359 times)

willH (Newbie)
« on: November 25, 2015, 03:13:48 PM »
Hello all,
When I checked the laptop with RogueKiller (local, 64-bit), it found a "PUP" and a rootkit "IAT" which cannot be removed. According to the paint, it is a serious problem. After clicking on the "Delete" button and resetting the laptop, the "PUP" was erased, but the rootkit "IAT" remained.
Is it possible to remove the rootkit? Please help!!!
I apologize for mistakes in my English. I am not English, but I live in England.
I am adding part of the results of the RogueKiller scan.

RogueKiller V10.11.7.0 (x64) [Nov 23 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : new [Administrator]
Started from : C:\Users\new\Desktop\RogueKillerX64 (1).exe
Mode : Scan -- Date : 11/24/2015 19:28:12

.......

¤¤¤ Hosts File : 2 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\WINDOWS\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 30 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x775101e0 (jmp 0x147f90|jmp 0xfffffffffffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenProcess : Unknown @ 0x77510360 (jmp 0x149520|jmp 0xfffffffffffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtQueryObject : Unknown @ 0x77510440 (jmp 0x149760|jmp 0xfffffffffffffbb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSection : Unknown @ 0x77510300 (jmp 0x149280|jmp 0xfffffffffffffcf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x77510340 (jmp 0x148de0|jmp 0xfffffffffffffcb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenSection : Unknown @ 0x77510310 (jmp 0x1493c0|jmp 0xfffffffffffffce9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDuplicateObject : Unknown @ 0x77510380 (jmp 0x1493e0|jmp 0xfffffffffffffc79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x775102c0 (jmp 0x149260|jmp 0xfffffffffffffd39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x775103a0 (jmp 0x149420|jmp 0xfffffffffffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x775103d0 (jmp 0x149530|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x77510390 (jmp 0x148f30|jmp 0xfffffffffffffc69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenEvent : Unknown @ 0x775102d0 (jmp 0x1492f0|jmp 0xfffffffffffffd29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSemaphore : Unknown @ 0x775102a0 (jmp 0x148c60|jmp 0xfffffffffffffd59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenSemaphore : Unknown @ 0x775102b0 (jmp 0x148750|jmp 0xfffffffffffffd49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateMutant : Unknown @ 0x77510280 (jmp 0x148cc0|jmp 0xfffffffffffffd79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenMutant : Unknown @ 0x77510290 (jmp 0x148780|jmp 0xfffffffffffffd69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateTimer : Unknown @ 0x77510320 (jmp 0x148cb0|jmp 0xfffffffffffffcd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenTimer : Unknown @ 0x77510330 (jmp 0x148790|jmp 0xfffffffffffffcc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateThreadEx : Unknown @ 0x775103c0 (jmp 0x148d60|jmp 0xfffffffffffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateThread : Unknown @ 0x775103e0 (jmp 0x1492d0|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenThread : Unknown @ 0x77510370 (jmp 0x1487e0|jmp 0xfffffffffffffc89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetContextThread : Unknown @ 0x775103f0 (jmp 0x148350|jmp 0xfffffffffffffc09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSuspendThread : Unknown @ 0x77510420 (jmp 0x1480f0|jmp 0xfffffffffffffbd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtQueueApcThread : Unknown @ 0x77510430 (jmp 0x149400|jmp 0xfffffffffffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ advapi32.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x77510480 (jmp 0x1489f0|jmp 0xfffffffffffffb79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ advapi32.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x77510490 (jmp 0x1489f0|jmp 0xfffffffffffffb69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x77510470 (jmp 0x149040|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ gdi32.dll) ntdll!NtVdmControl : Unknown @ 0x77510270 (jmp 0x147e60|jmp 0xfffffffffffffd89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ntmarta.dll) ntdll!NtOpenEventPair : Unknown @ 0x775102f0 (jmp 0x148830|jmp 0xfffffffffffffd09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x775101d0 (jmp 0x148830|jmp 0xfffffffffffffe29|jmp 0x19b)

Thank you all for help!!

Curson (Global Moderator)
« Reply #1 on: November 25, 2015, 04:40:25 PM »
Hi willH,

Welcome to Adlice.com Forum.
We are going to investigate those hooks.

Please follow this process.
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • When RogueKiller hangs, locate the process named explorer.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Go to the Adlice Software upload form, select the dumps as the files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Regards.

willH (Newbie)
« Reply #2 on: November 26, 2015, 01:23:47 PM »
I do not understand this part:
When RogueKiller hangs, locate the process named explorer.exe, right-click it and select Create Dump > Create Full Dump...

Do I also have to run a check with RogueKiller, or what should I do?

Curson (Global Moderator)
« Reply #3 on: November 26, 2015, 01:58:40 PM »
Hi willH,

I'm sorry, I made a mistake. :-[
Here are the instructions again:
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named explorer.exe, right-click on it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Go to the Adlice Software upload form, select the dumps as the files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Regards.

willH (Newbie)
« Reply #4 on: November 27, 2015, 10:48:19 AM »
I sent explorer.rar according to the instructions.

Curson (Global Moderator)
« Reply #5 on: November 27, 2015, 12:48:59 PM »
Hi willH,

I received the dump you uploaded. It will be analysed as soon as possible.
Thanks for your patience.

Regards.

willH (Newbie)
« Reply #6 on: November 27, 2015, 01:00:27 PM »
Ok, I'll wait.
I believe that I am helping to solve the problem.

Tigzy (Administrator, Owner, Adlice Software)
« Reply #7 on: November 27, 2015, 01:56:50 PM »
Hey :)
I'm in charge of looking at the dump.

Could you get the JSON report please? It contains much more information.
You'll find it in %programdata%/RogueKiller/Logs

Thanks.

willH (Newbie)
« Reply #8 on: November 27, 2015, 02:43:40 PM »
I have not installed RogueKiller; I use the portable RogueKiller.
For cleaning I use AdwCleaner, and it shows me no rootkit.
I am sending you the RKreport from the last cleaning as an attachment.

Tigzy (Administrator, Owner, Adlice Software)
« Reply #9 on: November 27, 2015, 03:07:23 PM »
Thanks for the log.
AdwCleaner doesn't scan for rootkits.

EDIT: the hook doesn't show any malicious activity.
We will whitelist it.

EDIT2: The signature was already in the database under the name "Avast", so it's very probable it is (since I can see the avast module loaded).
I've changed it a little bit to include your hooks as well.
« Last Edit: November 27, 2015, 03:16:20 PM by Tigzy »

willH (Newbie)
« Reply #10 on: November 27, 2015, 03:16:07 PM »
I do not understand the last message.
What should I do next?

Curson (Global Moderator)
« Reply #11 on: November 29, 2015, 11:05:26 PM »
Hi willH,

The hooks are created by Avast and are perfectly legit.
We slightly modified RogueKiller so that, starting with its next release, it won't show them anymore.

You don't have to do anything. Thanks for your patience.

Regards.
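As an added example (not code from this thread, from RogueKiller or from Adlice), a small Python triage helper for the Antirootkit lines quoted in the first post: it parses each hook line, groups the hooks by the module named after "@" (reading that field as the importer whose import table references the hooked ntdll export is an assumption), and checks whether every hook ends in the same trampoline tail, which is what a single hooking engine such as an antivirus product produces, as opposed to many unrelated hooks. The sample input is four lines copied from that log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: four lines copied from the Antirootkit section quoted in
# the first post (the full log there lists 30 hooks in the same layout).
SAMPLE_LOG = """\
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x775101e0 (jmp 0x147f90|jmp 0xfffffffffffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenProcess : Unknown @ 0x77510360 (jmp 0x149520|jmp 0xfffffffffffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x775103a0 (jmp 0x149420|jmp 0xfffffffffffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x775101d0 (jmp 0x148830|jmp 0xfffffffffffffe29|jmp 0x19b)
"""

# Layout assumed from the quoted lines:
#   [kind] (process[ @ importer]) export : owner @ addr (jmp a|jmp b|jmp c)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] \((?P<process>[^\s@)]+)(?: @ (?P<importer>[^)]+))?\) "
    r"(?P<export>\S+) : (?P<owner>\S+) @ (?P<addr>0x[0-9a-fA-F]+) \((?P<chain>[^)]*)\)$"
)


def parse_hooks(text):
    """Parse Antirootkit lines into dicts; lines not matching the layout are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["importer"] = h["importer"] or "(none)"   # no "@ module" on the line
        h["addr"] = int(h["addr"], 16)
        h["chain"] = [c.strip() for c in h["chain"].split("|")]
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Triage view: affected importers, whether all hooks share one trampoline
    tail (one hooking engine), and which hooks have no identified owner."""
    by_importer = defaultdict(list)
    for h in hooks:
        by_importer[h["importer"]].append(h["export"])
    tails = Counter(h["chain"][-1] for h in hooks)
    return {
        "count": len(hooks),
        "by_importer": dict(by_importer),
        "tails": tails,
        "single_engine": len(tails) == 1,
        "unowned": [h["export"] for h in hooks if h["owner"] == "Unknown"],
    }
```

A shared tail across every hooked export is consistent with the outcome of this thread (one legitimate engine), but it is not proof on its own; the owner column, here "Unknown" throughout, is what a dump analysis such as the one Tigzy did resolves.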