Author Topic: IAT hooks false positive or the real deal?  (Read 9162 times)

Yoloswag420

IAT hooks false positive or the real deal?
« on: January 31, 2016, 12:49:49 PM »
OK, so 8 days ago I got my browser (Chrome) opening techbrowsing.com all by itself from time to time when Chrome wasn't open. The virus spread to my second PC via Google Sync (I think) and both PCs have trouble finding the virus. RogueKiller detects Malwarebytes Anti-Rootkit as Tr.Zeus, but more worryingly IE11 is getting hooked when used, same with Chrome. Explorer.exe got hooked, but after uninstalling VirtualBox it hasn't yet. If it is real then may I have help tracking this log back so I can fight the virus? I'd be happy to provide any other logs/info needed to do so. Here is the RogueKiller log:


¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] mbar.exe(3852) -- C:\Users\USER(censored)\Desktop\mbar\mbar.exe[7] -> Killed [DrvNtTerm]
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 48 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x2a075c (jmp 0xffffffff890fd50b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrLoadDll : Unknown @ 0x2a03a4 (jmp 0xffffffff890f95e3)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x303fc (jmp 0x88c8c870|jmp 0x6af3d334)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateSection : Unknown @ 0x77330300 (jmp 0x1624b0|jmp 0xfffffcf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtTerminateThread : Unknown @ 0x773303e0 (jmp 0x162500|jmp 0xfffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtQueryObject : Unknown @ 0x77330440 (jmp 0x162990|jmp 0xfffffbb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenProcess : Unknown @ 0x77330360 (jmp 0x162750|jmp 0xfffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenThread : Unknown @ 0x77330370 (jmp 0x1619b0|jmp 0xfffffc89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x773303a0 (jmp 0x162650|jmp 0xfffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtTerminateProcess : Unknown @ 0x773303d0 (jmp 0x162760|jmp 0xfffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateThreadEx : Unknown @ 0x773303c0 (jmp 0x161f90|jmp 0xfffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateThread : Unknown @ 0x773303b0 (jmp 0x162520|jmp 0xfffffc49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSuspendThread : Unknown @ 0x77330420 (jmp 0x161290|jmp 0xfffffbd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetContextThread : Unknown @ 0x773303f0 (jmp 0x161510|jmp 0xfffffc09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetBootOptions : Unknown @ 0x77330260 (jmp 0x161390|jmp 0xfffffd99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenTimer : Unknown @ 0x77330330 (jmp 0x161960|jmp 0xfffffcc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x77330490 (jmp 0x161bf0|jmp 0xfffffb69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSuspendProcess : Unknown @ 0x77330410 (jmp 0x161290|jmp 0xfffffbe9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateTimer : Unknown @ 0x77330320 (jmp 0x161ee0|jmp 0xfffffcd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetSystemInformation : Unknown @ 0x773301e0 (jmp 0x161140|jmp 0xfffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x77330340 (jmp 0x162020|jmp 0xfffffcb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtModifyBootEntry : Unknown @ 0x77330240 (jmp 0x1619e0|jmp 0xfffffdb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenMutant : Unknown @ 0x77330290 (jmp 0x161950|jmp 0xfffffd69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetSystemPowerState : Unknown @ 0x77330200 (jmp 0x161150|jmp 0xfffffdf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtReplyWaitReceivePortEx : Unknown @ 0x77330460 (jmp 0x162800|jmp 0xfffffb99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtShutdownSystem : Unknown @ 0x773301f0 (jmp 0x1610d0|jmp 0xfffffe09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenIoCompletion : Unknown @ 0x77330350 (jmp 0x161a70|jmp 0xfffffca9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtAddBootEntry : Unknown @ 0x77330220 (jmp 0x1621e0|jmp 0xfffffdd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtReplyWaitReceivePort : Unknown @ 0x77330450 (jmp 0x1629f0|jmp 0xfffffba9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtDeleteBootEntry : Unknown @ 0x77330230 (jmp 0x161d50|jmp 0xfffffdc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetBootEntryOrder : Unknown @ 0x77330250 (jmp 0x161390|jmp 0xfffffda9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenSection : Unknown @ 0x77330310 (jmp 0x1625f0|jmp 0xfffffce9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtDebugActiveProcess : Unknown @ 0x77330400 (jmp 0x161f50|jmp 0xfffffbf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x77330390 (jmp 0x162160|jmp 0xfffffc69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenEvent : Unknown @ 0x773302d0 (jmp 0x162520|jmp 0xfffffd29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x77330470 (jmp 0x162270|jmp 0xfffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x77330480 (jmp 0x161bf0|jmp 0xfffffb79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenEventPair : Unknown @ 0x773302f0 (jmp 0x161a20|jmp 0xfffffd09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateEvent : Unknown @ 0x773302c0 (jmp 0x162490|jmp 0xfffffd39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateSemaphore : Unknown @ 0x773302a0 (jmp 0x161e90|jmp 0xfffffd59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSystemDebugControl : Unknown @ 0x77330210 (jmp 0x161070|jmp 0xfffffde9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateMutant : Unknown @ 0x77330280 (jmp 0x161f00|jmp 0xfffffd79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtLoadDriver : Unknown @ 0x773301d0 (jmp 0x161a30|jmp 0xfffffe29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateEventPair : Unknown @ 0x773302e0 (jmp 0x161fd0|jmp 0xfffffd19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x77330430 (jmp 0x161770|jmp 0xfffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtDuplicateObject : Unknown @ 0x77330380 (jmp 0x162610|jmp 0xfffffc79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenSemaphore : Unknown @ 0x773302b0 (jmp 0x161920|jmp 0xfffffd49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x303fc (jmp 0x88c8c870|jmp 0x6af3d334)
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK5061GSYN +++++
--- User ---
[MBR] d421203d0903e2d8c6a6260b3a75309c
[BSP] 252cff8cd1aa7d86493b889cb6cf90e5 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 300 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 616448 | Size: 408970 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 838187008 | Size: 5120 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 848689152 | Size: 60495 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
« Last Edit: January 31, 2016, 12:52:12 PM by Yoloswag420 »

Curson
Re: IAT hooks false positive or the real deal?
« Reply #1 on: February 02, 2016, 12:00:07 AM »
Hi Yoloswag420,

Welcome to the Adlice.com forum.
Could you please post the full RogueKiller report in your next reply?

Regards.

Yoloswag420
Re: IAT hooks false positive or the real deal?
« Reply #2 on: February 02, 2016, 06:27:14 AM »
The other log was full, other than some unneeded info on the OS.

Here is a full log; I just ran it again, but this time I used Chrome instead of IE so that you can see the hooks for both through both posts. I also replaced my username with USER(censored) as it's personal; hope that's OK.

RogueKiller V11.0.9.0 (x64) [Jan 24 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : USER(censored) [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/02/2016 18:18:59

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 8 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x303fc (jmp 0x8825c870|jmp 0x6f89d334)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x5703fc (jmp 0x8879c870|jmp 0x6f35d334)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0xa403fc (jmp 0x88c6c870|jmp 0x6ee8d334)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x8303fc (jmp 0x88a5c870|jmp 0x6f09d334)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x4c03fc (jmp 0x886ec870|jmp 0x6f40d334)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x5b03fc (jmp 0x887dc870|jmp 0x6f31d334)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x11003fc (jmp 0x8932c870|jmp 0x6e7cd334)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0xd603fc (jmp 0x88f8c870|jmp 0x6eb6d334)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK5061GSYN +++++
--- User ---
[MBR] d421203d0903e2d8c6a6260b3a75309c
[BSP] 252cff8cd1aa7d86493b889cb6cf90e5 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 300 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 616448 | Size: 408970 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 838187008 | Size: 5120 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 848689152 | Size: 60495 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Curson
Re: IAT hooks false positive or the real deal?
« Reply #3 on: February 02, 2016, 08:06:10 PM »
Hi Yoloswag420,

You are using an old version of RogueKiller.
Please download the latest RogueKiller (64-bit version), redo a full scan and post the report obtained in your next reply.

Regards.

Yoloswag420
Re: IAT hooks false positive or the real deal?
« Reply #4 on: February 04, 2016, 09:49:43 AM »
Sorry for the late reply, will re-run it tomorrow as I can't get onto my problematic computers today.

Curson
Re: IAT hooks false positive or the real deal?
« Reply #5 on: February 04, 2016, 06:41:22 PM »
Hi Yoloswag420,

Don't worry about that.
I'm looking forward to your feedback.

Regards.

Yoloswag420
Re: IAT hooks false positive or the real deal?
« Reply #6 on: February 05, 2016, 10:25:20 AM »
Annnnd again -_-
Personal issues; it may take a few days to get round to this, so please don't lock the thread. Thanks :D

Curson
Re: IAT hooks false positive or the real deal?
« Reply #7 on: February 05, 2016, 12:29:11 PM »
Hi Yoloswag420,

Please take your time.
The thread won't be closed. :)

Regards.

Yoloswag420
Re: IAT hooks false positive or the real deal?
« Reply #8 on: February 08, 2016, 04:10:24 AM »
OK, I'm running the new one on the problematic laptop now. Earlier I ran it on the desktop that had the same behavior and issues. It came back with the same ones as the laptop usually does, but the MJ ones at the top are new. So this is the desktop's log; the new log for the laptop that you asked for will be posted once it's finished.

RogueKiller V11.0.10.0 (x64) [Feb  1 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Gamer [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/08/2016 14:57:00
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-657907023-3029220830-3103070258-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-657907023-3029220830-3103070258-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 66 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_CREATE[0] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_CLOSE[2] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_POWER[22] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_PNP[27] : Unknown @ 0xfffffa80031362c0
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x775d03d0 (jmp 0x162760|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x775d03e0 (jmp 0x162500|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x775d0470 (jmp 0x162270|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x775d03d0 (jmp 0x162760|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x1c075c (jmp 0xffffffff88d7d50b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrLoadDll : Unknown @ 0x1c03a4 (jmp 0xffffffff88d795e3)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x775d03e0 (jmp 0x162500|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x775d0470 (jmp 0x162270|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x303fc (jmp 0x889ec870|jmp 0x66abd334)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateSection : Unknown @ 0x230300 (jmp 0x88dc24b0|jmp 0xfffffcf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtTerminateThread : Unknown @ 0x2303e0 (jmp 0x88dc2500|jmp 0xfffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtQueryObject : Unknown @ 0x230440 (jmp 0x88dc2990|jmp 0xfffffbb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenProcess : Unknown @ 0x230360 (jmp 0x88dc2750|jmp 0xfffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenThread : Unknown @ 0x230370 (jmp 0x88dc19b0|jmp 0xfffffc89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x2303a0 (jmp 0x88dc2650|jmp 0xfffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtTerminateProcess : Unknown @ 0x2303d0 (jmp 0x88dc2760|jmp 0xfffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateThreadEx : Unknown @ 0x2303c0 (jmp 0x88dc1f90|jmp 0xfffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateThread : Unknown @ 0x2303b0 (jmp 0x88dc2520|jmp 0xfffffc49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSuspendThread : Unknown @ 0x230420 (jmp 0x88dc1290|jmp 0xfffffbd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetContextThread : Unknown @ 0x2303f0 (jmp 0x88dc1510|jmp 0xfffffc09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetBootOptions : Unknown @ 0x230260 (jmp 0x88dc1390|jmp 0xfffffd99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenTimer : Unknown @ 0x230330 (jmp 0x88dc1960|jmp 0xfffffcc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x230490 (jmp 0x88dc1bf0|jmp 0xfffffb69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSuspendProcess : Unknown @ 0x230410 (jmp 0x88dc1290|jmp 0xfffffbe9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateTimer : Unknown @ 0x230320 (jmp 0x88dc1ee0|jmp 0xfffffcd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetSystemInformation : Unknown @ 0x2301e0 (jmp 0x88dc1140|jmp 0xfffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x230340 (jmp 0x88dc2020|jmp 0xfffffcb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtModifyBootEntry : Unknown @ 0x230240 (jmp 0x88dc19e0|jmp 0xfffffdb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenMutant : Unknown @ 0x230290 (jmp 0x88dc1950|jmp 0xfffffd69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetSystemPowerState : Unknown @ 0x230200 (jmp 0x88dc1150|jmp 0xfffffdf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtReplyWaitReceivePortEx : Unknown @ 0x230460 (jmp 0x88dc2800|jmp 0xfffffb99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtShutdownSystem : Unknown @ 0x2301f0 (jmp 0x88dc10d0|jmp 0xfffffe09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenIoCompletion : Unknown @ 0x230350 (jmp 0x88dc1a70|jmp 0xfffffca9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtAddBootEntry : Unknown @ 0x230220 (jmp 0x88dc21e0|jmp 0xfffffdd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtReplyWaitReceivePort : Unknown @ 0x230450 (jmp 0x88dc29f0|jmp 0xfffffba9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtDeleteBootEntry : Unknown @ 0x230230 (jmp 0x88dc1d50|jmp 0xfffffdc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSetBootEntryOrder : Unknown @ 0x230250 (jmp 0x88dc1390|jmp 0xfffffda9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenSection : Unknown @ 0x230310 (jmp 0x88dc25f0|jmp 0xfffffce9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtDebugActiveProcess : Unknown @ 0x230400 (jmp 0x88dc1f50|jmp 0xfffffbf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x230390 (jmp 0x88dc2160|jmp 0xfffffc69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenEvent : Unknown @ 0x2302d0 (jmp 0x88dc2520|jmp 0xfffffd29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x230470 (jmp 0x88dc2270|jmp 0xfffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x230480 (jmp 0x88dc1bf0|jmp 0xfffffb79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenEventPair : Unknown @ 0x2302f0 (jmp 0x88dc1a20|jmp 0xfffffd09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateEvent : Unknown @ 0x2302c0 (jmp 0x88dc2490|jmp 0xfffffd39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateSemaphore : Unknown @ 0x2302a0 (jmp 0x88dc1e90|jmp 0xfffffd59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtSystemDebugControl : Unknown @ 0x230210 (jmp 0x88dc1070|jmp 0xfffffde9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateMutant : Unknown @ 0x230280 (jmp 0x88dc1f00|jmp 0xfffffd79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtLoadDriver : Unknown @ 0x2301d0 (jmp 0x88dc1a30|jmp 0xfffffe29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtCreateEventPair : Unknown @ 0x2302e0 (jmp 0x88dc1fd0|jmp 0xfffffd19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x230430 (jmp 0x88dc1770|jmp 0xfffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtDuplicateObject : Unknown @ 0x230380 (jmp 0x88dc2610|jmp 0xfffffc79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ wow64.dll) ntdll!NtOpenSemaphore : Unknown @ 0x2302b0 (jmp 0x88dc1920|jmp 0xfffffd49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x775d03d0 (jmp 0x162760|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x21075c (jmp 0xffffffff88dcd50b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrLoadDll : Unknown @ 0x2103a4 (jmp 0xffffffff88dc95e3)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x775d03e0 (jmp 0x162500|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x775d0470 (jmp 0x162270|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x303fc (jmp 0x889ec870|jmp 0x66abd334)
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKS-00TMA0 ATA Device +++++
--- User ---
[MBR] 318109287bf4e56f6acd71d2947900e9
[BSP] ab31d1196dec9cb8678d79a76f375704 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive2: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive3: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive4: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Yoloswag420
Re: IAT hooks false positive or the real deal?
« Reply #9 on: February 08, 2016, 06:46:41 AM »
OK, so please read the above unusual log for my desktop, which has the same issue. I ran the new version on my laptop like you asked:

RogueKiller V11.0.10.0 (x64) [Feb  1 2016] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : USER(censored) [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/08/2016 18:38:48

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x160603fc (jmp 0x9e53c870|jmp 0x4518d564)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x26ed03fc (jmp 0xaf3ac870|jmp 0x3431d564)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x3b5303fc (jmp 0xc3a0c870|jmp 0x1fcbd564)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK5061GSYN +++++
--- User ---
[MBR] d421203d0903e2d8c6a6260b3a75309c
[BSP] 252cff8cd1aa7d86493b889cb6cf90e5 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 300 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 616448 | Size: 408970 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 838187008 | Size: 5120 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 848689152 | Size: 60495 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Curson
Re: IAT hooks false positive or the real deal?
« Reply #10 on: February 08, 2016, 01:31:18 PM »
Hi Yoloswag420,

Do you use a CD/DVD drive emulator, like DAEMON Tools or similar, on your desktop computer?
The hooks on your laptop are legit.

Regards.

Yoloswag420
Re: IAT hooks false positive or the real deal?
« Reply #11 on: February 09, 2016, 03:15:43 AM »
Yes, I will check at home later but I think DT is on there. Also, are those MJ hooks to do with DT, or what are they for? 0.o
« Last Edit: February 09, 2016, 03:17:36 AM by Yoloswag420 »

Curson
Re: IAT hooks false positive or the real deal?
« Reply #12 on: February 09, 2016, 06:26:56 PM »
Hi Yoloswag420,

Yes, DAEMON Tools is known to create such hooks.

Regards.
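As an added example (not RogueKiller's code and not part of this thread), the parser below reads the Antirootkit section of a RogueKiller report in the format posted above and groups the hooks the way a responder would when deciding whether they are one installed product's footprint or something confined to a single process. The sample report embedded in it is constructed from a few of the lines in this thread; the regexes and the scope labels in `triage()` are my own reading of the log format and my own heuristic, not documented RogueKiller behaviour.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in RogueKiller's report format: a few lines copied in shape
# (and address values) from the scans posted in the thread, not a complete report.
SAMPLE_LOG = r"""
¤¤¤ Antirootkit : 9 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_CREATE[0] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_CLOSE[2] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0xfffffa80031362c0
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_PNP[27] : Unknown @ 0xfffffa80031362c0
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x775d03d0 (jmp 0x162760|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x775d0470 (jmp 0x162270|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x775d03d0 (jmp 0x162760|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x1c075c (jmp 0xffffffff88d7d50b)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x303fc (jmp 0x8825c870|jmp 0x6f89d334)

¤¤¤ Web browsers : 0 ¤¤¤
"""

# Line shapes as they appear in the thread (my reading of the format, not a published grammar).
IAT_RE = re.compile(
    r"^\[IAT:(?P<kind>\w+)\((?P<category>[^)]*)\)\] "
    r"\((?P<process>[^\s@]+) @ (?P<module>[^)]+)\) "
    r"(?P<symbol>\S+) : (?P<owner>\S+) @ (?P<address>0x[0-9a-fA-F]+)"
)
IRP_RE = re.compile(
    r"^\[IRP:(?P<kind>\w+)\((?P<category>[^)]*)\)\] "
    r"(?P<driver>\S+) - (?P<symbol>IRP_MJ_\w+)\[(?P<index>\d+)\] : "
    r"(?P<owner>\S+) @ (?P<address>0x[0-9a-fA-F]+)"
)


@dataclass(frozen=True)
class Hook:
    table: str     # "IAT" (import table of a user process) or "IRP" (driver dispatch table)
    target: str    # process name for IAT hooks, driver object for IRP hooks
    symbol: str    # hooked export (ntdll!...) or IRP major function
    address: str   # where the hooked entry now points
    owner: str     # module RogueKiller resolved that address to ("Unknown" = no loaded module)
    module: str    # importing module for IAT hooks, empty for IRP hooks


def parse_report(text):
    """Return the hooks listed in the Antirootkit section; every other line is ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IAT_RE.match(line):
            hooks.append(Hook("IAT", m["process"], m["symbol"], m["address"].lower(),
                              m["owner"], m["module"]))
        elif m := IRP_RE.match(line):
            hooks.append(Hook("IRP", m["driver"], m["symbol"], m["address"].lower(),
                              m["owner"], ""))
    return hooks


def summarize(hooks):
    """Group IRP hooks per driver and IAT hooks per export, keeping the distinct targets."""
    irp = defaultdict(lambda: {"majors": set(), "addresses": set()})
    iat = defaultdict(lambda: {"processes": set(), "addresses": set()})
    for h in hooks:
        if h.table == "IRP":
            irp[h.target]["majors"].add(h.symbol)
            irp[h.target]["addresses"].add(h.address)
        else:
            iat[h.symbol]["processes"].add(h.target)
            iat[h.symbol]["addresses"].add(h.address)
    tidy = lambda groups: {k: {f: sorted(v) for f, v in d.items()} for k, d in groups.items()}
    return {"irp": tidy(irp), "iat": tidy(iat)}


def triage(hooks):
    """Label each hooked driver/export by how widely the hook is applied.

    Heuristic, not a RogueKiller rule: one routine receiving every hooked IRP major of a
    driver, or one export redirected identically in every process, is the footprint of a
    single installed component (security suites and disc emulators such as the DAEMON
    Tools named in the thread do exactly this), while a hook confined to one process is
    the one to look into first.
    """
    summary = summarize(hooks)
    verdict = {}
    for driver, info in summary["irp"].items():
        wide = len(info["addresses"]) == 1 and len(info["majors"]) > 1
        verdict[f"IRP {driver}"] = "one dispatch routine for all hooked majors" if wide else "mixed targets"
    for symbol, info in summary["iat"].items():
        if len(info["processes"]) == 1:
            verdict[f"IAT {symbol}"] = "single process"
        elif len(info["addresses"]) == 1:
            verdict[f"IAT {symbol}"] = "system-wide (same address in every process)"
        else:
            verdict[f"IAT {symbol}"] = "system-wide (per-process addresses)"
    return verdict


if __name__ == "__main__":
    for key, label in sorted(triage(parse_report(SAMPLE_LOG)).items()):
        print(f"{key:45} {label}")
```

Run against the desktop report in this thread, the atapi IRP entries collapse to one dispatch routine shared by every hooked major, and the ntdll exports sit at the same address in every process that was scanned, which is the shape the moderator's answer (a disc emulator such as DAEMON Tools) predicts. The per-process LdrUnloadDll addresses are the 32-bit browser processes' own mappings and still count as system-wide; only a hook that appears in one process and nowhere else is singled out as the entry to examine first.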