Author Topic: iat hook (Read 6315 times)

sirpercival · « **on:** November 07, 2014, 09:26:27 PM »

hello guys, first post so be gentle. just done a scan with rogue killer and it came up with iat hook found. not really sure what to do next or if even if they are false positives. recently reinstalled win7 pro on a new hdd and also have winxp on vmplayer virtual machine. not sure if that makes any difference. any help would be greatly appreciated.

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : alex [Administrator]
Mode : Scan -- Date : 11/07/2014 18:33:25

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 90 (Driver: Loaded) ¤¤¤
[IAT:Inl] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x778001f0 (jmp 0x15d850)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x778003b0 (jmp 0x15ed60)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x77800390 (jmp 0x15ed20)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x778002d0 (jmp 0x15eba0)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtNotifyChangeKey : Unknown @ 0x77800490 (jmp 0x15e300)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x778003e0 (jmp 0x15ee70)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtAssignProcessToJobObject : Unknown @ 0x778003a0 (jmp 0x15e870)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtSetContextThread : Unknown @ 0x77800400 (jmp 0x15dc20)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77800310 (jmp 0x15ebc0)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77800370 (jmp 0x15ee60)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x778001f0 (jmp 0x15d850)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtNotifyChangeMultipleKeys : Unknown @ 0x778004a0 (jmp 0x15e300)
[IAT:Inl] (explorer.exe @ kernel32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateIoCompletion : Unknown @ 0x77800350 (jmp 0x15e730)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x778002d0 (jmp 0x15eba0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x77800390 (jmp 0x15ed20)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77800310 (jmp 0x15ebc0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSection : Unknown @ 0x77800320 (jmp 0x15ed00)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtWriteVirtualMemory : Unknown @ 0x778003b0 (jmp 0x15ed60)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77800370 (jmp 0x15ee60)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x778003e0 (jmp 0x15ee70)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateSemaphore : Unknown @ 0x778002b0 (jmp 0x15e5a0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenSemaphore : Unknown @ 0x778002c0 (jmp 0x15e030)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateMutant : Unknown @ 0x77800290 (jmp 0x15e610)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenMutant : Unknown @ 0x778002a0 (jmp 0x15e060)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateTimer : Unknown @ 0x77800330 (jmp 0x15e5f0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenTimer : Unknown @ 0x77800340 (jmp 0x15e070)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtCreateThreadEx : Unknown @ 0x778003d0 (jmp 0x15e6a0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x778003f0 (jmp 0x15ec10)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtOpenThread : Unknown @ 0x77800380 (jmp 0x15e0c0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtSuspendThread : Unknown @ 0x77800430 (jmp 0x15d9a0)
[IAT:Inl] (explorer.exe @ KERNELBASE.dll) ntdll.dll - NtNotifyChangeKey : Unknown @ 0x77800490 (jmp 0x15e300)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtTerminateThread : Unknown @ 0x778003f0 (jmp 0x15ec10)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x778002d0 (jmp 0x15eba0)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtDuplicateObject : Unknown @ 0x77800390 (jmp 0x15ed20)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x778001f0 (jmp 0x15d850)
[IAT:Inl] (explorer.exe @ ADVAPI32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ sechost.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x778003e0 (jmp 0x15ee70)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x77800480 (jmp 0x15e980)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77800310 (jmp 0x15ebc0)
[IAT:Inl] (explorer.exe @ RPCRT4.dll) ntdll.dll - NtQueueApcThreadEx : Unknown @ 0x77800440 (jmp 0x15de80)
[IAT:Inl] (explorer.exe @ GDI32.dll) ntdll.dll - NtVdmControl : Unknown @ 0x77800280 (jmp 0x15d700)
[IAT:Inl] (explorer.exe @ GDI32.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77800310 (jmp 0x15ebc0)
[IAT:Inl] (explorer.exe @ USER32.dll) ntdll.dll - NtVdmControl : Unknown @ 0x77800280 (jmp 0x15d700)
[IAT:Inl] (explorer.exe @ SHELL32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x778003e0 (jmp 0x15ee70)
[IAT:Inl] (explorer.exe @ ole32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ MSCTF.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x77800480 (jmp 0x15e980)
[IAT:Inl] (explorer.exe @ UxTheme.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ SETUPAPI.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ dwmapi.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77800310 (jmp 0x15ebc0)
[IAT:Inl] (explorer.exe @ Secur32.dll) ntdll.dll - NtOpenSection : Unknown @ 0x77800320 (jmp 0x15ed00)
[IAT:Inl] (explorer.exe @ SSPICLI.DLL) ntdll.dll - NtDuplicateObject : Unknown @ 0x77800390 (jmp 0x15ed20)
[IAT:Inl] (explorer.exe @ SSPICLI.DLL) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77800310 (jmp 0x15ebc0)
[IAT:Inl] (explorer.exe @ apphelp.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ CLBCatQ.DLL) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ dbghelp.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ CSCDLL.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x778002d0 (jmp 0x15eba0)
[IAT:Inl] (explorer.exe @ CSCAPI.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x778002d0 (jmp 0x15eba0)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenTimer : Unknown @ 0x77800340 (jmp 0x15e070)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenThread : Unknown @ 0x77800380 (jmp 0x15e0c0)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenSemaphore : Unknown @ 0x778002c0 (jmp 0x15e030)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenSection : Unknown @ 0x77800320 (jmp 0x15ed00)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77800370 (jmp 0x15ee60)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenMutant : Unknown @ 0x778002a0 (jmp 0x15e060)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenEventPair : Unknown @ 0x77800300 (jmp 0x15e130)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ ntmarta.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ tiptsf.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x77800480 (jmp 0x15e980)
[IAT:Inl] (explorer.exe @ gameux.dll) ntdll.dll - NtCreateSection : Unknown @ 0x77800310 (jmp 0x15ebc0)
[IAT:Inl] (explorer.exe @ CRYPT32.dll) ntdll.dll - NtQueryObject : Unknown @ 0x77800450 (jmp 0x15f0a0)
[IAT:Inl] (explorer.exe @ wer.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ wer.dll) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x77800480 (jmp 0x15e980)
[IAT:Inl] (explorer.exe @ authui.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77800370 (jmp 0x15ee60)
[IAT:Inl] (explorer.exe @ authui.dll) ntdll.dll - NtSetSystemInformation : Unknown @ 0x778001f0 (jmp 0x15d850)
[IAT:Inl] (explorer.exe @ WINSTA.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77800370 (jmp 0x15ee60)
[IAT:Inl] (explorer.exe @ WINSTA.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x778003e0 (jmp 0x15ee70)
[IAT:Inl] (explorer.exe @ es.dll) ntdll.dll - NtOpenEvent : Unknown @ 0x778002e0 (jmp 0x15ec30)
[IAT:Inl] (explorer.exe @ WS2_32.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x778001e0 (jmp 0x15e140)
[IAT:Inl] (explorer.exe @ AUDIOSES.DLL) ntdll.dll - NtAlpcSendWaitReceivePort : Unknown @ 0x77800480 (jmp 0x15e980)
[IAT:Inl] (explorer.exe @ ncrypt.dll) ntdll.dll - NtOpenProcess : Unknown @ 0x77800370 (jmp 0x15ee60)
[IAT:Inl] (explorer.exe @ bcrypt.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x778003e0 (jmp 0x15ee70)
[IAT:Inl] (explorer.exe @ bcryptprimitives.dll) ntdll.dll - NtTerminateProcess : Unknown @ 0x778003e0 (jmp 0x15ee70)
[IAT:Inl] (explorer.exe @ mswsock.dll) ntdll.dll - NtLoadDriver : Unknown @ 0x778001e0 (jmp 0x15e140)
[IAT:Inl] (explorer.exe @ mswsock.dll) ntdll.dll - NtCreateIoCompletion : Unknown @ 0x77800350 (jmp 0x15e730)
[IAT:Inl] (explorer.exe @ mswsock.dll) ntdll.dll - NtCreateEvent : Unknown @ 0x778002d0 (jmp 0x15eba0)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-60M2NA0 ATA Device +++++
--- User ---
[MBR] 8db19856bfe93fd14c4fe5bc331a24a7
[BSP] 04b248a91d6dbe90cd064b53f12b5621 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_11072014_182709.log - RKreport_SCN_11072014_182037.log

Tigzy · « **Reply #1 on:** November 10, 2014, 09:52:53 AM »

Hello
Hard to tell because they point outside of any module :/
Maybe another scan with Xuetr could help, but well if your pc is ok don't try too much things...

sirpercival · « **Reply #2 on:** November 17, 2014, 10:59:02 PM »

Thanks for the reply. Well I had both vmplayer and virtualbox installed so I decided to delete both from my pc and rescan guess what? No iat hook found. The main culprit was actually virtualbox and not vmplayer because I reinstalled vmplayer and scanned again and found everything was clean. Bit tricky fully uninstalling virtualbox as the basic uninstall left virtual net adapter on my system and had to go into services to fully delete it. Thanks.

Tigzy · « **Reply #3 on:** November 18, 2014, 09:26:04 AM »

I note that for further investigation, it's good to know

Author Topic: iat hook (Read 6315 times)

sirpercival

iat hook

Tigzy

Re: iat hook

sirpercival

Re: iat hook

Tigzy

Re: iat hook