Author Topic: IAT hooks that are persistent

advocate512
« on: January 27, 2018, 09:03:23 PM »
I have reinstalled Windows several times and these hooks go away. But then they soon return. Help, please!

RogueKiller V12.12.1.0 (x64) [Jan 22 2018] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : Bruce [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/27/2018 07:36:01 (Duration : 00:25:33)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (explorer.exe) gdi32!StretchDIBits : Unknown @ 0x8e60000
[IAT:Addr(Hook.IEAT)] (explorer.exe) user32!SetWindowCompositionAttribute : Unknown @ 0x8e60060

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SDSSDXPS480G +++++
--- User ---
[MBR] a393c33377ad2895c16b140b06de7303
[BSP] 57836dc1a89ecc99d5b22b6a9c720b2d : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1228800 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1261568 | Size: 457246 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([2] The system cannot find the file specified. )
Error reading LL1 MBR! ([37] The specified network resource or device is no longer available. )
Error reading LL2 MBR! NOT VALID!

+++++ PhysicalDrive2: ST3000DM001-1ER166 +++++
--- User ---
[MBR] c04a40d3a6a527a8f4dbc5de124b09e2
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2861459 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: ST3000DM008-2DM166 +++++
--- User ---
[MBR] c04a40d3a6a527a8f4dbc5de124b09e2
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2861459 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive4: WDC WD30EZRX-00DC0B0 +++++
--- User ---
[MBR] c04a40d3a6a527a8f4dbc5de124b09e2
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2861459 MB
User = LL1 ... OK
User = LL2 ... OK


Curson (Global Moderator)
« Reply #1 on: January 28, 2018, 02:18:00 PM »
Hi advocate512,

Welcome to Adlice.com Forum.

These hooks look legit.
Could you please uncheck the "Expert Mode" option, redo a scan and tell me if they are still detected?

Regards.