Hook.IEAT - Not sure if I should worry or false positive?

August 28, 2015, 07:07:27 PM

Trying2FigureThingsOut

Hello, everyone. The other day I had some malware that I used Malwarebytes to remove, and I've done 10 or so scans since then and they've all come back fine. I've been running AVAST/ESET Online Scanner/AdwCleaner/JRT a lot as well. When I ran RogueKiller it came up with some stuff that it said may be harmful - but they could also be legit modules, so I thought I'd post here and someone could tell me either way.

RogueKiller V10.10.2.0 (x64) [Aug 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Drew [Administrator]
Started from : C:\Users\Drew\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 08/28/2015 11:29:18

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.146.0.1 ([(Private Address) (XX)])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DS4Windows.lnk [LNK@] C:\Users\Drew\AppData\Local\Temp\7zO61A3.tmp\DS4Windows.exe -m -> Found

¤¤¤ Hosts File : 34 ¤¤¤

¤¤¤ Antirootkit : 6 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll.dll - RtlCaptureContext : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) wow64win.dll - sdwhwin32 : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) wow64cpu.dll - CpuNotifyAffinityChange : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64win.dll) wow64.dll - Wow64KiUserCallbackDispatcher : Unknown @ 0x3df13c05 (jmp 0x3c003c05)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ USER32.dll) ntdll.dll - NlsAnsiCodePage : Unknown @ 0xdc726ea6 (repe call 0x650b6e91)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ USER32.dll) ntdll.dll - NlsAnsiCodePage : Unknown @ 0xdc726ea6 (jmp 0x650b6e90)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 ATA Device +++++
--- User ---
[MBR] 8ca307ff0e4dec9235eb94ffbab86fa4
[BSP] 580634c26c006d9ccfa5aec40b0f3f07 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 2861587 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: INTEL SSDSC2CT240A4 ATA Device +++++
--- User ---
[MBR] 8290e994a131049465c7a76800423f1d
[BSP] 5d091fae0155debbbba00c65133dec1e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Thanks!

Reply #1 - August 31, 2015, 01:12:18 PM

Curson

Hi Trying2FigureThingsOut,

Welcome to Adlice.com Forum.
Your report is clean.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.