Author Topic: IAT hook user32.dll!TrackPopupMenuEx module unknown  (Read 5424 times)

0 Members and 1 Guest are viewing this topic.

December 11, 2015, 04:43:28 PM

lucyhc

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
IAT hook user32.dll!TrackPopupMenuEx module unknown
« on: December 11, 2015, 04:43:28 PM »
Hello, I got this and some other malware which I successfully removed. This remains (comes back after reboot). It is described on the microsoft developer network website as a Visual Studio item, CMenu, floating popup menu...etc. Also, the index looks ok.

But, it has never appeared before and i did have a number of other malware, which I believe came from an outlook email for AmericanGreetingsCard that I should't have clicked on. I would like to get rid of this.

I did download updates to outlook yesterday, that is the only legitamate change that i made. I doubt this is associated with it, although I do get a message box asking me to log into the cloud when i am in outlook.

It is identified by RogueKiller as:  Detection
IAT:Inl hook.(IEAT); Index iexplore.exe[4544] @msctf.dll; Name user32.dll!TrackPopupMenuEx; Module unknown; Path unknown; Address 0x772397170

Thank you.

Also, I read that the msctf.dll is a module to extend the functionalities of the Microsoft Windows Text Services for text input, etc.  So maybe this is the little log-on box that now appears with Outlook cloud version.  However, it has not shown up in a RogueKiller scan before, and I had that cloud function before the updates that I installed yesterday.
« Last Edit: December 11, 2015, 06:10:28 PM by lucyhc »

Reply #1December 14, 2015, 03:54:25 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IAT hook user32.dll!TrackPopupMenuEx module unknown
« Reply #1 on: December 14, 2015, 03:54:25 PM »
Hi lucyhc,

Welcome to Adlice.com Forum.
Could you please attach the JSON report in your next reply ?

We are going to perform an extended analysis on the hooks.
Please follow the following process :
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named iexplore.exe, do a right click on it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.
« Last Edit: December 14, 2015, 03:59:34 PM by Curson »

Reply #2December 17, 2015, 09:06:33 PM

lucyhc

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: IAT hook user32.dll!TrackPopupMenuEx module unknown
« Reply #2 on: December 17, 2015, 09:06:33 PM »
Hello, sorry for delay in responding to your kind offer to help. I ran RogueKiller again, using the old version I had when the issue was detected, and it did not reappear. Then I opened Outlook and closed it and re-ran the scan, it was not detected. So finally, I opened Outlook and kept it open while I ran RogueKiller a third time; no IAT detected, even though the reminder box was running. I surmise that the previous item was actually a remnant of the malware I had removed and RK successfully deleted it.  I had used a professional to run various programs to clean the computer. RK was the final scan we ran, since it was the scan that I had first run which indicated the malware.

Hope this helps you in your ongoing excellent work. Thank you so much for offering your time.

Reply #3December 18, 2015, 02:41:02 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IAT hook user32.dll!TrackPopupMenuEx module unknown
« Reply #3 on: December 18, 2015, 02:41:02 PM »
Hi lucyhc,

Thanks for your feedback.
I'm glad your issue is now solved.

Regards.