Author Topic: IAT Hook detection  (Read 9809 times)


February 18, 2016, 12:17:29 AM

Edu Alonso Carrasco

IAT Hook detection
« on: February 18, 2016, 12:17:29 AM »
Greetings,
I've been getting a constant detection by Windows Defender of Dynamer!AC, so I looked for help on the net till I bumped into several tutorials for its removal advising the use of your software.
Here's what it found:

RogueKiller V11.0.12.0 (x64) [Feb 15 2016] (Free) by Adlice Software
correo : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Sitio web : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Sistema Operativo : Windows 8 (6.2.9200) 64 bits version
Iniciado en : Modo Normal
Usuario : Edu Alonso [Administrador]
Started from : C:\Users\Edu Alonso\Desktop\RogueKillerX64.exe
Modo : Borrar -- Fecha : 02/17/2016 19:52:11

¤¤¤ Procesos : 1 ¤¤¤
[Suspicious.Path|Proc.Injected|Proc.RunPE] dgsl32.exe(5916) -- C:\Users\Edu Alonso\AppData\Local\Eflrtion\dgsl32.exe[-] -> Eliminado [TermProc]

¤¤¤ Registro : 8 ¤¤¤
[Suspicious.Path|VT.Unknown] (X64) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Windows\CurrentVersion\Run | YmrbPack : regsvr32.exe "C:\Users\Edu Alonso\AppData\Local\YmrbPack\CdWIhid8.dll" [-][-] -> Borrado
[Suspicious.Path|VT.Unknown] (X64) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Windows\CurrentVersion\Run | Ubcvmedia : C:\Windows\SysWOW64\regsvr32.exe "C:\Users\Edu Alonso\AppData\Local\Eflrtion\EventCrtlog54.dll" [-][-] -> Borrado
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://samsung13.msn.com  -> Reemplazado (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://samsung13.msn.com  -> Reemplazado (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://samsung13.msn.com  -> Reemplazado (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://samsung13.msn.com  -> Reemplazado (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Reemplazado (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3972373143-2646392049-199530508-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Reemplazado (http://search.msn.com/spbasic.htm)

¤¤¤ Tareas : 1 ¤¤¤
[Suspicious.Path|VT.UDS:DangerousObject.Multi.Generic] \RegIdleBackup -- "C:\windows\icm32.exe" -> ERROR


¤¤¤ Archivos : 7 ¤¤¤
[PUP][Carpeta] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704} -> ERROR [3]
[PUP][Archivo] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704}\Controller Editor Setup PC.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704}\Controller Editor Setup PC.exe -> Borrado
[PUP][Archivo] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704}\Controller Editor Setup PC.msi -> Borrado
[PUP][Archivo] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704}\Controller Editor Setup PC.par -> Borrado
[PUP][Archivo] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704}\Controller Editor Setup PC.res -> Borrado
[PUP][Archivo] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704}\instance.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{30FA7941-4170-4C83-A9A8-FDF01C431704}\mia.lib -> Borrado
[PUP][Carpeta] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325} -> ERROR [3]
[PUP][Archivo] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325}\instance.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325}\mia.lib -> Borrado
[PUP][Archivo] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325}\Rig Kontrol 3 Setup PC.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325}\Rig Kontrol 3 Setup PC.exe -> Borrado
[PUP][Archivo] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325}\Rig Kontrol 3 Setup PC.msi -> Borrado
[PUP][Archivo] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325}\Rig Kontrol 3 Setup PC.par -> Borrado
[PUP][Archivo] C:\ProgramData\{5A23829C-A66E-47B0-AD50-21A3FFE6C325}\Rig Kontrol 3 Setup PC.res -> Borrado
[PUP][Carpeta] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14} -> ERROR [3]
[PUP][Archivo] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}\instance.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}\mia.lib -> Borrado
[PUP][Archivo] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}\Service Center Setup PC.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}\Service Center Setup PC.exe -> Borrado
[PUP][Archivo] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}\Service Center Setup PC.msi -> Borrado
[PUP][Archivo] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}\Service Center Setup PC.par -> Borrado
[PUP][Archivo] C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}\Service Center Setup PC.res -> Borrado
[PUP][Carpeta] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D} -> ERROR [3]
[PUP][Archivo] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D}\Guitar Rig Mobile IO Setup PC.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D}\Guitar Rig Mobile IO Setup PC.exe -> Borrado
[PUP][Archivo] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D}\Guitar Rig Mobile IO Setup PC.msi -> Borrado
[PUP][Archivo] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D}\Guitar Rig Mobile IO Setup PC.par -> Borrado
[PUP][Archivo] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D}\Guitar Rig Mobile IO Setup PC.res -> Borrado
[PUP][Archivo] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D}\instance.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{B0CAD5CC-867E-473E-B55F-339F9635A45D}\mia.lib -> Borrado
[PUP][Carpeta] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418} -> ERROR [3]
[PUP][Archivo] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418}\Guitar Rig 5 Setup PC.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418}\Guitar Rig 5 Setup PC.exe -> Borrado
[PUP][Archivo] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418}\Guitar Rig 5 Setup PC.msi -> Borrado
[PUP][Archivo] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418}\Guitar Rig 5 Setup PC.par -> Borrado
[PUP][Archivo] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418}\Guitar Rig 5 Setup PC.res -> Borrado
[PUP][Archivo] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418}\instance.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{B7072B15-6E80-42FF-A9AE-4E62AF2B2418}\mia.lib -> Borrado
[PUP][Carpeta] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9} -> ERROR [3]
[PUP][Archivo] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9}\Guitar Rig Session IO Setup PC.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9}\Guitar Rig Session IO Setup PC.exe -> Borrado
[PUP][Archivo] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9}\Guitar Rig Session IO Setup PC.msi -> Borrado
[PUP][Archivo] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9}\Guitar Rig Session IO Setup PC.par -> Borrado
[PUP][Archivo] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9}\Guitar Rig Session IO Setup PC.res -> Borrado
[PUP][Archivo] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9}\instance.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAAAF71B9}\mia.lib -> Borrado
[PUP][Carpeta] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5} -> ERROR [3]
[PUP][Archivo] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5}\instance.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5}\Kontakt 5 Setup PC.dat -> Borrado
[PUP][Archivo] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5}\Kontakt 5 Setup PC.exe -> Borrado
[PUP][Archivo] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5}\Kontakt 5 Setup PC.msi -> Borrado
[PUP][Archivo] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5}\Kontakt 5 Setup PC.par -> Borrado
[PUP][Archivo] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5}\Kontakt 5 Setup PC.res -> Borrado
[PUP][Archivo] C:\ProgramData\{D3CD7CDD-9759-4CF4-BE92-BA89914360B5}\mia.lib -> Borrado

¤¤¤ Archivo de hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 18 (Driver: Cargado) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ user32.dll) gdi32!GetDeviceCaps : Unknown @ 0x364269c (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!MessageBeep : Unknown @ 0x3653334 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!GetSystemMetrics : Unknown @ 0x3640ffc (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!DrawTextExW : Unknown @ 0x361adc4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!SystemParametersInfoW : Unknown @ 0x3641b4c (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!GetForegroundWindow : Unknown @ 0x36404ac (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ msctf.dll) user32!IsWindowVisible : Unknown @ 0x36431ec (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ ieframe.dll) user32!DrawTextW : Unknown @ 0x36177a4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ urlmon.dll) wininet!HttpOpenRequestW : Unknown @ 0x364588c (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ user32.dll) gdi32!GetDeviceCaps : Unknown @ 0x31b0c84 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!MessageBeep : Unknown @ 0x31b9fbc (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!GetSystemMetrics : Unknown @ 0x31af5e4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!DrawTextExW : Unknown @ 0x31adf44 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!SystemParametersInfoW : Unknown @ 0x31b0134 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!GetForegroundWindow : Unknown @ 0x31aea94 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ msctf.dll) user32!IsWindowVisible : Unknown @ 0x31b1fd4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ ieframe.dll) user32!DrawTextW : Unknown @ 0x31ab3f4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ urlmon.dll) wininet!HttpOpenRequestW : Unknown @ 0x31b46a4 (ret)

¤¤¤ Navegadores Web : 0 ¤¤¤

¤¤¤ Chequeo MBR : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 51ed59d4652a1eb11861219d6c9ec368
[BSP] 4c777cabeb935f3db9c51a87027f515c : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1638400 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1900544 | Size: 930580 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1907728385 | Size: 21337 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1951426561 | Size: 1024 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HP Photosmart C4400 USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

My questions are
Is my computer infected by malware? If it is so, what can I do to fix it?
Are those IAT hooks found actually malware or are they product of other programs?
What do the error codes (0-8) mean in the results?

I will attach the log in .txt and .json format in case you find it easier to analyze.

Thanks for your help.
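
For readers wondering what the Antirootkit lines in the log above actually say, here is an added Python example (not part of this thread or of RogueKiller) that parses the 18 `[IAT:Inl(Hook.IEAT)]` lines into fields and triages them. The field regex is written from the line shape visible in the log, the sample text is copied from the posted log, and the 1 MB gap used to split target addresses into clusters is an assumed threshold. It shows that all 18 entries carry the same owner label, `Unknown` (the position where the module owning the target address would otherwise be named), that they are 9 distinct imports each reported twice, and that the target addresses fall in two tight ranges, which is what the same code mapped into two iexplore.exe processes would look like. Whether that code is malicious or a legitimate product's hooking module is not something the log alone settles, which is why the moderator asks for more logs.

```python
import re
from collections import Counter

# Constructed sample: the 18 Antirootkit lines copied from the RogueKiller
# log posted above.
SAMPLE_LOG = """\
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ user32.dll) gdi32!GetDeviceCaps : Unknown @ 0x364269c (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!MessageBeep : Unknown @ 0x3653334 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!GetSystemMetrics : Unknown @ 0x3640ffc (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!DrawTextExW : Unknown @ 0x361adc4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!SystemParametersInfoW : Unknown @ 0x3641b4c (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!GetForegroundWindow : Unknown @ 0x36404ac (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ msctf.dll) user32!IsWindowVisible : Unknown @ 0x36431ec (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ ieframe.dll) user32!DrawTextW : Unknown @ 0x36177a4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ urlmon.dll) wininet!HttpOpenRequestW : Unknown @ 0x364588c (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ user32.dll) gdi32!GetDeviceCaps : Unknown @ 0x31b0c84 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!MessageBeep : Unknown @ 0x31b9fbc (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ gdi32.dll) user32!GetSystemMetrics : Unknown @ 0x31af5e4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!DrawTextExW : Unknown @ 0x31adf44 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!SystemParametersInfoW : Unknown @ 0x31b0134 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ imm32.dll) user32!GetForegroundWindow : Unknown @ 0x31aea94 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ msctf.dll) user32!IsWindowVisible : Unknown @ 0x31b1fd4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ ieframe.dll) user32!DrawTextW : Unknown @ 0x31ab3f4 (ret)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ urlmon.dll) wininet!HttpOpenRequestW : Unknown @ 0x31b46a4 (ret)
"""

# Field layout read off the posted lines:
#   [kind] (process @ importing module) module!function : owner @ 0xaddress (mode)
# This regex is an assumption about this log's shape, not RogueKiller's spec.
LINE_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+"
    r"\((?P<process>[^\s@]+)\s+@\s+(?P<importer>[^)]+)\)\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+:\s+"
    r"(?P<owner>\S+)\s+@\s+0x(?P<address>[0-9a-fA-F]+)\s+\((?P<mode>[^)]+)\)\s*$"
)


def parse_hook_line(line):
    """Return a dict of fields for one hook line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["address"] = int(rec["address"], 16)
    return rec


def parse_antirootkit(text):
    """Parse every hook line in a block of log text, skipping anything else."""
    return [rec for rec in map(parse_hook_line, text.splitlines()) if rec]


def cluster_addresses(addresses, max_gap=1 << 20):
    """Group addresses into ranges whose neighbours are at most max_gap apart.

    max_gap is an assumed threshold (1 MB): targets that live in one mapped
    region are far closer together than that, so each cluster approximates
    one copy of the hooking code.
    """
    clusters = []
    for addr in sorted(addresses):
        if clusters and addr - clusters[-1]["hi"] <= max_gap:
            clusters[-1]["hi"] = addr
            clusters[-1]["count"] += 1
        else:
            clusters.append({"lo": addr, "hi": addr, "count": 1})
    return clusters


def hook_summary(records):
    """The triage figures a responder wants before deciding what the hooks are."""
    imports = Counter((r["importer"], r["module"], r["function"]) for r in records)
    return {
        "total": len(records),
        "processes": sorted({r["process"] for r in records}),
        "owners": Counter(r["owner"] for r in records),
        "distinct_imports": len(imports),
        "repeat_count": sorted(set(imports.values())),
        "clusters": cluster_addresses(r["address"] for r in records),
    }


if __name__ == "__main__":
    summary = hook_summary(parse_antirootkit(SAMPLE_LOG))
    print(f"{summary['total']} hook lines in {summary['processes']}")
    print(f"owner labels: {dict(summary['owners'])}")
    print(f"{summary['distinct_imports']} distinct imports, each seen {summary['repeat_count']} times")
    for c in summary["clusters"]:
        print(f"  {c['count']} targets in 0x{c['lo']:x}-0x{c['hi']:x}")
```

The useful signal here is the combination, not any one line: a single hooked import with an unattributed target can come from an accessibility tool or an input-method module, but the same nine imports redirected twice into two unbacked address ranges points at one injected component present in every iexplore.exe instance, which is the kind of finding to confirm with the process and module listings from a second tool rather than from the hook list alone.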

Reply #1 February 18, 2016, 01:57:06 AM

Curson

  • Global Moderator
Re: IAT Hook detection
« Reply #1 on: February 18, 2016, 01:57:06 AM »
Hi Edu Alonso Carrasco,

Welcome to Adlice.com Forum.
Your computer is infected.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Regards.

Reply #2 February 18, 2016, 06:33:24 PM

Edu Alonso Carrasco

Re: IAT Hook detection
« Reply #2 on: February 18, 2016, 06:33:24 PM »
Here are both logs.

In the FRST log there are a few whitelisted Registry entries that have been detected by some malware scans as infected:

Quote
HKU\S-1-5-21-3972373143-2646392049-199530508-1001\...\Run: [Ubcvmedia] => C:\Windows\SysWOW64\regsvr32.exe "C:\Users\Edu Alonso\AppData\Local\Eflrtion\WlxCryptPpm24.dll"
HKU\S-1-5-21-3972373143-2646392049-199530508-1001\...\Run: [YmrbPack] => regsvr32.exe "C:\Users\Edu Alonso\AppData\Local\YmrbPack\WlxCryptPpm24.dll" <===== ATTENTION

And the same for modules loaded in the Addition Log:

Quote
2016-02-17 20:43 - 2016-02-17 20:43 - 00043008 _____ () C:\Users\Edu Alonso\AppData\Local\YmrbPack\WlxCryptPpm24.dll
2016-02-17 20:43 - 2016-02-17 20:43 - 00043008 _____ () C:\Users\Edu Alonso\AppData\Local\Eflrtion\WlxCryptPpm24.dll

Reply #3 February 18, 2016, 08:11:39 PM

Curson

  • Global Moderator
Re: IAT Hook detection
« Reply #3 on: February 18, 2016, 08:11:39 PM »
Hi Edu Alonso Carrasco,

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is the computer running now?

Regards.

Reply #4 February 18, 2016, 08:35:12 PM

Edu Alonso Carrasco

Re: IAT Hook detection
« Reply #4 on: February 18, 2016, 08:35:12 PM »
I'll wait a few days and see if it goes well. In the meantime, here's the Fix Log.

Thanks for your help :)

Reply #5 February 18, 2016, 09:02:06 PM

Curson

  • Global Moderator
Re: IAT Hook detection
« Reply #5 on: February 18, 2016, 09:02:06 PM »
Hi Edu Alonso Carrasco,

You are welcome. :)
You could now delete FRST and the files linked to it.

Regards.