Author Topic: IAT Hook EAT Help  (Read 6043 times)


October 17, 2015, 07:16:13 PM

tonyirl

IAT Hook EAT Help
« on: October 17, 2015, 07:16:13 PM »
Hi, I was getting the "Windows Command Processor" popup after upgrading to Windows 10 and I finally realised it was virus-related (I'm ashamed to say I fell for it and entered my admin password :-[ ). I ran RK version 10.9.10.0 [X64] and it turned up the attached hooks.
Please note that I then ran version 11.0.0.0 beta5 [x64] after doing a delete and these hooks did not appear. (I then re-ran the old version and the hooks were still there.)
Any help would be GREATLY appreciated.
Thanks in advance.

Reply #1, October 18, 2015, 09:13:05 PM

tonyirl

Re: IAT Hook EAT Help
« Reply #1 on: October 18, 2015, 09:13:05 PM »
I guess I should insert the RK log file rather than attach it... Here it is again:

RogueKiller V10.10.9.0 (x64) [Oct  5 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : Admin [Administrator]
Started from : C:\Users\Public\Documents\Virus Stuff\xoldRogueKillerX64.exe
Mode : Scan -- Date : 10/17/2015 18:04:27

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm (\??\C:\Users\Admin\AppData\Local\Temp\aswVmm.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswVmm (\??\C:\Users\Admin\AppData\Local\Temp\aswVmm.sys) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 29 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x7ffea81601e0 (jmp 0xffffffff8014b410|jmp 0xfffffffffffffe19|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtAssignProcessToJobObject : Unknown @ 0x7ffea8160390 (jmp 0xffffffff8014c5f0|jmp 0xfffffffffffffc69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtTerminateProcess : Unknown @ 0x7ffea81603d0 (jmp 0xffffffff8014cc20|jmp 0xfffffffffffffc29|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtCreateEvent : Unknown @ 0x7ffea81602c0 (jmp 0xffffffff8014c950|jmp 0xfffffffffffffd39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNEL32.DLL) ntdll.dll - NtCreateSection : Unknown @ 0x7ffea8160300 (jmp 0xffffffff8014c970|jmp 0xfffffffffffffcf9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenMutant : Unknown @ 0x7ffea8160290 (jmp 0xffffffff8014bca0|jmp 0xfffffffffffffd69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtNotifyChangeKey : Unknown @ 0x7ffea8160480 (jmp 0xffffffff8014bf40|jmp 0xfffffffffffffb79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x7ffea8160380 (jmp 0xffffffff8014cad0|jmp 0xfffffffffffffc79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x7ffea81603a0 (jmp 0xffffffff8014cb10|jmp 0xfffffffffffffc59|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x7ffea81602d0 (jmp 0xffffffff8014c9e0|jmp 0xfffffffffffffd29|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateThreadEx : Unknown @ 0x7ffea81603c0 (jmp 0xffffffff8014c3a0|jmp 0xfffffffffffffc39|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x7ffea81603e0 (jmp 0xffffffff8014c9c0|jmp 0xfffffffffffffc19|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenThread : Unknown @ 0x7ffea8160370 (jmp 0xffffffff8014bcf0|jmp 0xfffffffffffffc89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSuspendThread : Unknown @ 0x7ffea8160420 (jmp 0xffffffff8014b530|jmp 0xfffffffffffffbd9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSetContextThread : Unknown @ 0x7ffea81603f0 (jmp 0xffffffff8014b810|jmp 0xfffffffffffffc09|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtQueryObject : Unknown @ 0x7ffea8160440 (jmp 0xffffffff8014ce50|jmp 0xfffffffffffffbb9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSemaphore : Unknown @ 0x7ffea81602a0 (jmp 0xffffffff8014c2a0|jmp 0xfffffffffffffd59|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSemaphore : Unknown @ 0x7ffea81602b0 (jmp 0xffffffff8014bc60|jmp 0xfffffffffffffd49|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateMutant : Unknown @ 0x7ffea8160280 (jmp 0xffffffff8014c320|jmp 0xfffffffffffffd79|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateTimer : Unknown @ 0x7ffea8160320 (jmp 0xffffffff8014c2f0|jmp 0xfffffffffffffcd9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenTimer : Unknown @ 0x7ffea8160330 (jmp 0xffffffff8014bca0|jmp 0xfffffffffffffcc9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x7ffea8160360 (jmp 0xffffffff8014cc10|jmp 0xfffffffffffffc99|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSection : Unknown @ 0x7ffea8160310 (jmp 0xffffffff8014cab0|jmp 0xfffffffffffffce9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateIoCompletion : Unknown @ 0x7ffea8160340 (jmp 0xffffffff8014c450|jmp 0xfffffffffffffcb9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtNotifyChangeMultipleKeys : Unknown @ 0x7ffea8160490 (jmp 0xffffffff8014bf40|jmp 0xfffffffffffffb69|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x7ffea8160470 (jmp 0xffffffff8014c700|jmp 0xfffffffffffffb89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtQueueApcThreadEx : Unknown @ 0x7ffea8160430 (jmp 0xffffffff8014ba90|jmp 0xfffffffffffffbc9|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ USER32.dll) ntdll.dll - NtVdmControl : Unknown @ 0x7ffea8160270 (jmp 0xffffffff8014b260|jmp 0xfffffffffffffd89|call 0x5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ WS2_32.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x7ffea81601d0 (jmp 0xffffffff8014bd90|jmp 0xfffffffffffffe29|call 0x5)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
--- User ---
[MBR] 20b3af1b91de5eba19692fca84758d64
[BSP] 8c0caf45c70d33322ac6d926739d1b54 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1638400 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1900544 | Size: 686295 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1407434752 | Size: 809 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1409091584 | Size: 449 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1410012879 | Size: 25898 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1463051983 | Size: 1024 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] a25f67183dd413d9f5621cf927e116bc
[BSP] a83a24340e59ea8cbbf2d8eaa19e98b0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 64 | Size: 14910 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


Reply #2, October 19, 2015, 01:25:45 PM

Curson

Re: IAT Hook EAT Help
« Reply #2 on: October 19, 2015, 01:25:45 PM »
Hi tonyirl,

Welcome to Adlice.com Forum.

RogueKiller version 10.11.1 is out.
Could you please give it a try?

Regards.

Reply #3, October 21, 2015, 07:59:19 PM

tonyirl

Re: IAT Hook EAT Help
« Reply #3 on: October 21, 2015, 07:59:19 PM »
Thanks for getting back to me, Curson.
I ran 10.11.1 as you suggested and also, just now, 10.11.2. Both of them came back completely clear, which is great, except now I'm wondering:

1) Why were those Hook.IEAT's flagged in version 10.10.9 above? Is code such as 'NtCreateMutant' something to be freaked out about, or is it just a regular programming command?!

2) I'm still getting the 'Windows Command Processor' popup and I've tried different antivirus programs, such as adwcleaner, aswmbr, tdsskiller, mbam, mbar, mbae, GMER, FIXZEROACCESS etc.

Or do you think I can just relax and stop worrying?! I'm just afraid I really messed things up when I stupidly entered my admin password in a moment of weakness.

In any case, thanks for your help, much appreciated  :)

Reply #4, October 21, 2015, 09:46:58 PM

Curson

Re: IAT Hook EAT Help
« Reply #4 on: October 21, 2015, 09:46:58 PM »
Hi tonyirl,

Quote from: tonyirl
1) Why were those Hook.IEAT's flagged in version 10.10.9 above? Is code such as 'NtCreateMutant' something to be freaked out about, or is it just a regular programming command?!
These hooks are whitelisted since RogueKiller 10.11.
NtCreateMutant is a legit programming function of ntdll.dll. ;)

Quote from: tonyirl
2) I'm still getting the 'Windows Command Processor' popup and I've tried different antivirus programs, such as adwcleaner, aswmbr, tdsskiller, mbam, mbar, mbae, GMER, FIXZEROACCESS etc.
Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Quote from: tonyirl
Or do you think I can just relax and stop worrying?! I'm just afraid I really messed things up when I stupidly entered my admin password in a moment of weakness.
Please change your admin password.

Regards.