« previous next »
Pages: [1]

Author Topic: Worried I may have something - IAT: Inl (Hook.IEAT) showing up.  (Read 7195 times)

0 Members and 1 Guest are viewing this topic.

October 22, 2015, 03:45:21 PM

Trying2FigureThingsOut

  • Newbie
  • Offline
  • *
  • 3
  • Reputation:
    0
    • View Profile
Worried I may have something - IAT: Inl (Hook.IEAT) showing up.
« on: October 22, 2015, 03:45:21 PM »
Hello, everyone. The other day I had a malware that I used Malware-Bytes to remove, and I've done 10 or so scans since then and they've all come back fine. (Though, I think it was from this game related thing I've used before.) I've used AVAST/ESET Online Scanner/Adwcleaner/JRT a lot as well. When I ran Rogue killer it came up with some stuff that said they may be harmful - but they could also be legit modules, so I thought I'd post here and someone could tell me either way.

This was a new scan done with RogueKiller 10.11.2.0 (x64). I also ran Farbar, and I'm attaching those reports as well. Any help on this matter is greatly appreciated!

RogueKiller V10.11.2.0 (x64) [Oct 20 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Drew [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 10/22/2015 08:13:17

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\getbus (\??\C:\Users\Drew\AppData\Local\Temp\getbus.sys) -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4250517510-2311720374-384281186-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4D162359-83F8-4FC5-A917-3CFFCB367215} | DhcpNameServer : 10.143.0.1 ([(Private Address) (XX)])  -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\0615avtUpdateInfo.job -- C:\ProgramData\Avg_Update_0615avt\0615avt_AVG-Secure-Search-Update.exe ( /SETINFO /CMPID=0615avt /INFORETRY=3) -> Found
[Suspicious.Path] \0615avtUpdateInfo -- C:\ProgramData\Avg_Update_0615avt\0615avt_AVG-Secure-Search-Update.exe (/SETINFO /CMPID=0615avt /INFORETRY=3) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 35 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.recommendedsw.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 74 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x779201f0 (jmp 0x161150|jmp 0xfffffffffffffe09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x779203b0 (jmp 0x162660|jmp 0xfffffffffffffc49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDuplicateObject : Unknown @ 0x77920390 (jmp 0x162620|jmp 0xfffffffffffffc69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x779202d0 (jmp 0x1624a0|jmp 0xfffffffffffffd29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x77920490 (jmp 0x161c00|jmp 0xfffffffffffffb69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x779203e0 (jmp 0x162770|jmp 0xfffffffffffffc19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenEvent : Unknown @ 0x779202e0 (jmp 0x162530|jmp 0xfffffffffffffd19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x779203a0 (jmp 0x162170|jmp 0xfffffffffffffc59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetContextThread : Unknown @ 0x77920400 (jmp 0x161520|jmp 0xfffffffffffffbf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSection : Unknown @ 0x77920310 (jmp 0x1624c0|jmp 0xfffffffffffffce9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenProcess : Unknown @ 0x77920370 (jmp 0x162760|jmp 0xfffffffffffffc89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x779204a0 (jmp 0x161c00|jmp 0xfffffffffffffb59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtQueryObject : Unknown @ 0x77920450 (jmp 0x1629a0|jmp 0xfffffffffffffba9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x77920350 (jmp 0x162030|jmp 0xfffffffffffffca9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSection : Unknown @ 0x77920320 (jmp 0x162600|jmp 0xfffffffffffffcd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateSemaphore : Unknown @ 0x779202b0 (jmp 0x161ea0|jmp 0xfffffffffffffd49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSemaphore : Unknown @ 0x779202c0 (jmp 0x161930|jmp 0xfffffffffffffd39|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : Unknown @ 0x77920290 (jmp 0x161f10|jmp 0xfffffffffffffd69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenMutant : Unknown @ 0x779202a0 (jmp 0x161960|jmp 0xfffffffffffffd59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateTimer : Unknown @ 0x77920330 (jmp 0x161ef0|jmp 0xfffffffffffffcc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenTimer : Unknown @ 0x77920340 (jmp 0x161970|jmp 0xfffffffffffffcb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x779203d0 (jmp 0x161fa0|jmp 0xfffffffffffffc29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x779203f0 (jmp 0x162510|jmp 0xfffffffffffffc09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenThread : Unknown @ 0x77920380 (jmp 0x1619c0|jmp 0xfffffffffffffc79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSuspendThread : Unknown @ 0x77920430 (jmp 0x1612a0|jmp 0xfffffffffffffbc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x77920480 (jmp 0x162280|jmp 0xfffffffffffffb79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x77920440 (jmp 0x161780|jmp 0xfffffffffffffbb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ gdi32.dll) ntdll!NtVdmControl : Unknown @ 0x77920280 (jmp 0x161000|jmp 0xfffffffffffffd79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ntmarta.dll) ntdll!NtOpenEventPair : Unknown @ 0x77920300 (jmp 0x161a30|jmp 0xfffffffffffffcf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x779201e0 (jmp 0x161a40|jmp 0xfffffffffffffe19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateSection : Unknown @ 0x180310 (jmp 0xffffffff889c24c0|jmp 0xfffffffffffffce9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtTerminateThread : Unknown @ 0x1803f0 (jmp 0xffffffff889c2510|jmp 0xfffffffffffffc09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtQueryObject : Unknown @ 0x180450 (jmp 0xffffffff889c29a0|jmp 0xfffffffffffffba9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenProcess : Unknown @ 0x180370 (jmp 0xffffffff889c2760|jmp 0xfffffffffffffc89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenThread : Unknown @ 0x180380 (jmp 0xffffffff889c19c0|jmp 0xfffffffffffffc79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x1803b0 (jmp 0xffffffff889c2660|jmp 0xfffffffffffffc49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtTerminateProcess : Unknown @ 0x1803e0 (jmp 0xffffffff889c2770|jmp 0xfffffffffffffc19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateThreadEx : Unknown @ 0x1803d0 (jmp 0xffffffff889c1fa0|jmp 0xfffffffffffffc29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateThread : Unknown @ 0x1803c0 (jmp 0xffffffff889c2530|jmp 0xfffffffffffffc39|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSuspendThread : Unknown @ 0x180430 (jmp 0xffffffff889c12a0|jmp 0xfffffffffffffbc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetContextThread : Unknown @ 0x180400 (jmp 0xffffffff889c1520|jmp 0xfffffffffffffbf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetBootOptions : Unknown @ 0x180270 (jmp 0xffffffff889c13a0|jmp 0xfffffffffffffd89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenTimer : Unknown @ 0x180340 (jmp 0xffffffff889c1970|jmp 0xfffffffffffffcb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x1804a0 (jmp 0xffffffff889c1c00|jmp 0xfffffffffffffb59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSuspendProcess : Unknown @ 0x180420 (jmp 0xffffffff889c12a0|jmp 0xfffffffffffffbd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateTimer : Unknown @ 0x180330 (jmp 0xffffffff889c1ef0|jmp 0xfffffffffffffcc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetSystemInformation : Unknown @ 0x1801f0 (jmp 0xffffffff889c1150|jmp 0xfffffffffffffe09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x180350 (jmp 0xffffffff889c2030|jmp 0xfffffffffffffca9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtModifyBootEntry : Unknown @ 0x180250 (jmp 0xffffffff889c19f0|jmp 0xfffffffffffffda9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenMutant : Unknown @ 0x1802a0 (jmp 0xffffffff889c1960|jmp 0xfffffffffffffd59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetSystemPowerState : Unknown @ 0x180210 (jmp 0xffffffff889c1160|jmp 0xfffffffffffffde9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtReplyWaitReceivePortEx : Unknown @ 0x180470 (jmp 0xffffffff889c2810|jmp 0xfffffffffffffb89|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtShutdownSystem : Unknown @ 0x180200 (jmp 0xffffffff889c10e0|jmp 0xfffffffffffffdf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenIoCompletion : Unknown @ 0x180360 (jmp 0xffffffff889c1a80|jmp 0xfffffffffffffc99|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtAddBootEntry : Unknown @ 0x180230 (jmp 0xffffffff889c21f0|jmp 0xfffffffffffffdc9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtReplyWaitReceivePort : Unknown @ 0x180460 (jmp 0xffffffff889c2a00|jmp 0xfffffffffffffb99|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtDeleteBootEntry : Unknown @ 0x180240 (jmp 0xffffffff889c1d60|jmp 0xfffffffffffffdb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSetBootEntryOrder : Unknown @ 0x180260 (jmp 0xffffffff889c13a0|jmp 0xfffffffffffffd99|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenSection : Unknown @ 0x180320 (jmp 0xffffffff889c2600|jmp 0xfffffffffffffcd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtDebugActiveProcess : Unknown @ 0x180410 (jmp 0xffffffff889c1f60|jmp 0xfffffffffffffbe9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x1803a0 (jmp 0xffffffff889c2170|jmp 0xfffffffffffffc59|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenEvent : Unknown @ 0x1802e0 (jmp 0xffffffff889c2530|jmp 0xfffffffffffffd19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x180480 (jmp 0xffffffff889c2280|jmp 0xfffffffffffffb79|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x180490 (jmp 0xffffffff889c1c00|jmp 0xfffffffffffffb69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenEventPair : Unknown @ 0x180300 (jmp 0xffffffff889c1a30|jmp 0xfffffffffffffcf9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateEvent : Unknown @ 0x1802d0 (jmp 0xffffffff889c24a0|jmp 0xfffffffffffffd29|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateSemaphore : Unknown @ 0x1802b0 (jmp 0xffffffff889c1ea0|jmp 0xfffffffffffffd49|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtSystemDebugControl : Unknown @ 0x180220 (jmp 0xffffffff889c1080|jmp 0xfffffffffffffdd9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateMutant : Unknown @ 0x180290 (jmp 0xffffffff889c1f10|jmp 0xfffffffffffffd69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtLoadDriver : Unknown @ 0x1801e0 (jmp 0xffffffff889c1a40|jmp 0xfffffffffffffe19|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtCreateEventPair : Unknown @ 0x1802f0 (jmp 0xffffffff889c1fe0|jmp 0xfffffffffffffd09|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x180440 (jmp 0xffffffff889c1780|jmp 0xfffffffffffffbb9|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtDuplicateObject : Unknown @ 0x180390 (jmp 0xffffffff889c2620|jmp 0xfffffffffffffc69|jmp 0xfffffffffffffff0|jmp 0xb1)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ wow64.dll) ntdll!NtOpenSemaphore : Unknown @ 0x1802c0 (jmp 0xffffffff889c1930|jmp 0xfffffffffffffd39|jmp 0xfffffffffffffff0|jmp 0xb1)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3000DM001-1CH166 ATA Device +++++
--- User ---
[MBR] 8ca307ff0e4dec9235eb94ffbab86fa4
[BSP] 580634c26c006d9ccfa5aec40b0f3f07 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 2861587 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: INTEL SSDSC2CT240A4 ATA Device +++++
--- User ---
[MBR] 8290e994a131049465c7a76800423f1d
[BSP] 5d091fae0155debbbba00c65133dec1e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Logged
Reply #1October 22, 2015, 04:25:05 PM

Curson

  • Global Moderator
  • Hero Member
  • Offline
  • *****
  • 2809
  • Reputation:
    100
    • View Profile
Re: Worried I may have something - IAT: Inl (Hook.IEAT) showing up.
« Reply #1 on: October 22, 2015, 04:25:05 PM »
Hi Trying2FigureThingsOut,

Welcome to Adlice.com Forum.
Could you please copy/paste MBAM report in your next reply ?

The hooks are legit but there is some adware that must be removed.
Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is the computer running ?

Regards.
Logged
Reply #2October 22, 2015, 10:55:19 PM

Trying2FigureThingsOut

  • Newbie
  • Offline
  • *
  • 3
  • Reputation:
    0
    • View Profile
Re: Worried I may have something - IAT: Inl (Hook.IEAT) showing up.
« Reply #2 on: October 22, 2015, 10:55:19 PM »
Hello, and thank you so much for getting back to me! I ran Malware Bytes while I was gone today, and nothing showed up on C: Drive. (Which is were my browsers are installed, and where my downloads go.) I'm running Malware again to double-check. My computer seems to be running like usual, though. I've also attached the fixlog.txt.

I've run several things (and can again if you'd like me to get reports from each) like; Avast, Adware Cleaner, Malware-Bytes Junkware Removal Tool, TDSS Rootkit Removal Tool, ESET Online Scanner, FRSTx64, Malware-Bytes Malware Removal, and of course, RogueKiller. After that one initial thing that Malware found last night (which I believe to be a program that I know about. I play a text based game and the program is an editor for the game, but it edits the hex file of the game. So I think that's what Malware found, as I think I had it up while I did the scan. I'm not 100%, but just what I think is possible. I can send the file if you'd like.), RogueKiller is the only program to find anything, for what it's worth.

Any questions you have I'll try my best to answer! I'll also post what I find from another Malwarebytes scan.

Edit: I just got done doing a MalwareBytes scan (one in which I made sure to check the box to scan for rootkits), and it came back clean. I'm attaching the results as well.

Edit 2: I think I'm an idiot and misread what you said - when you said the hooks are legit, did you mean that they are ok? (Like not malicious or anything.) I completely misread things I think the first time around.
« Last Edit: October 23, 2015, 12:35:06 AM by Trying2FigureThingsOut »
Logged
Reply #3October 23, 2015, 02:41:27 PM

Curson

  • Global Moderator
  • Hero Member
  • Offline
  • *****
  • 2809
  • Reputation:
    100
    • View Profile
Re: Worried I may have something - IAT: Inl (Hook.IEAT) showing up.
« Reply #3 on: October 23, 2015, 02:41:27 PM »
Hi Trying2FigureThingsOut,

Quote from: Trying2FigureThingsOut
when you said the hooks are legit, did you mean that they are ok?
Yes.

According to the reports, your computer is perfectly clean.
How is the system running now ?

Regards.
Logged
Pages: [1]
« previous next »