Topic: Hook IEAT, Infection?, frozen scanners


October 18, 2015, 06:36:33 AM

Sami Cuevas

Hook IEAT, Infection?, frozen scanners
« on: October 18, 2015, 06:36:33 AM »
Hi, RogueKiller detected the following stuff, and I was wondering, should I worry?
And when I run Panda Cloud Cleaner, my computer suddenly reboots, and with TDSS the program freezes. I put two, rkill and after that Malwarebytes, and before it could analyse anything, it threw a BSOD.

Thanks for the help

RogueKiller V10.11.0.0 (x64) [Oct 12 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : samuel [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 10/17/2015 22:28:45

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 200.94.160.248 200.94.160.246 ([MEXICO (MX)][MEXICO (MX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 200.94.160.248 200.94.160.246 ([MEXICO (MX)][MEXICO (MX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3537d7f4-1f29-47b9-9801-8bd42a42697e} | DhcpNameServer : 200.94.160.248 200.94.160.246 ([MEXICO (MX)][MEXICO (MX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d9405bd9-59c5-4299-b4b3-13dcab48d6b1} | DhcpNameServer : 192.168.1.254 0.0.0.0 ([-][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3537d7f4-1f29-47b9-9801-8bd42a42697e} | DhcpNameServer : 200.94.160.248 200.94.160.246 ([MEXICO (MX)][MEXICO (MX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d9405bd9-59c5-4299-b4b3-13dcab48d6b1} | DhcpNameServer : 192.168.1.254 0.0.0.0 ([-][(Private Address) (XX)])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 25 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (explorer.exe) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ user32.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ ole32.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ shlwapi.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ msctf.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ shell32.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ uxtheme.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ dwmapi.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ comctl32.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ explorerframe.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ twinui.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ ApplicationFrame.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ ntshrui.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ GdiPlus.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ grooveex.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ stobject.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ batmeter.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ InputSwitch.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ prnfldr.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ authui.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ dui70.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ duser.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ hgcpl.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ werconcpl.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ NPSMDesktopProvider.dll) gdi32!DeleteDC : Unknown @ 0x7ffc13250000

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 7566e601fc37fb011a6524949b91cc9c
[BSP] eefd9bcaf155d5eba732930c97cdddcb : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 454538 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 933208064 | Size: 782 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 934809600 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

« Last Edit: October 18, 2015, 07:29:34 AM by Sami Cuevas »

Reply #1, October 19, 2015, 01:22:07 PM

Curson

Re: Hook IEAT, Infection?, frozen scanners
« Reply #1 on: October 19, 2015, 01:22:07 PM »
Hi Samuel,

Welcome to Adlice.com Forum.
Your report is clean.

BSODs are not always related to malware. We will check.
Please download BlueScreenView (x64) and unzip the archive.
  • Double click on BlueScreenView.exe to run the program.
  • When scanning is done, go to EDIT - Select All.
  • Go to FILE - SAVE Selected Items, and save the report as BSOD.txt.
  • Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.

Regards.

Reply #2, October 20, 2015, 04:22:32 AM

Sami Cuevas

Re: Hook IEAT, Infection?, frozen scanners
« Reply #2 on: October 20, 2015, 04:22:32 AM »
Thanks for the answer; here is the log.


==================================================
Dump File         : 101715-18968-01.dmp
Crash Time        : 10/17/2015 11:22:11 PM
Bug Check String  : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code    : 0x00000050
Parameter 1       : fffff6fb`40000000
Parameter 2       : 00000000`00000000
Parameter 3       : fffff802`65edaa86
Parameter 4       : 00000000`00000002
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+14e2e0
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16545 (th1.150930-1750)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e2e0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\101715-18968-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 135,177
Dump File Time    : 10/17/2015 11:22:46 PM
==================================================

==================================================
Dump File         : 101715-30015-01.dmp
Crash Time        : 10/17/2015 9:54:54 PM
Bug Check String  : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code    : 0x00000050
Parameter 1       : fffff6fb`40000000
Parameter 2       : 00000000`00000000
Parameter 3       : fffff800`c1540a86
Parameter 4       : 00000000`00000002
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+14e2e0
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16545 (th1.150930-1750)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e2e0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\101715-30015-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 144,457
Dump File Time    : 10/17/2015 9:55:30 PM
==================================================

==================================================
Dump File         : 101315-22781-01.dmp
Crash Time        : 10/13/2015 10:02:04 PM
Bug Check String  :
Bug Check Code    : 0x00000116
Parameter 1       : ffffe001`c60f74c0
Parameter 2       : fffff801`04c66550
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`0000000d
Caused By Driver  : dxgkrnl.sys
Caused By Address : dxgkrnl.sys+14160c
File Description  : DirectX Graphics Kernel
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16515 (th1.150916-2039)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e2e0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\101315-22781-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 762,336
Dump File Time    : 10/13/2015 10:02:42 PM
==================================================

==================================================
Dump File         : 101115-21234-01.dmp
Crash Time        : 10/11/2015 9:36:02 AM
Bug Check String  :
Bug Check Code    : 0x00000116
Parameter 1       : ffffe001`d3aa3010
Parameter 2       : fffff800`dac76550
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`0000000d
Caused By Driver  : dxgkrnl.sys
Caused By Address : dxgkrnl.sys+14160c
File Description  : DirectX Graphics Kernel
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16515 (th1.150916-2039)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\101115-21234-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 825,518
Dump File Time    : 10/11/2015 9:36:42 AM
==================================================

==================================================
Dump File         : 100415-17796-01.dmp
Crash Time        : 10/4/2015 8:02:37 PM
Bug Check String  :
Bug Check Code    : 0x00000116
Parameter 1       : ffffe001`f3701010
Parameter 2       : fffff801`b2616550
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`0000000d
Caused By Driver  : dxgkrnl.sys
Caused By Address : dxgkrnl.sys+14160c
File Description  : DirectX Graphics Kernel
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16515 (th1.150916-2039)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\100415-17796-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 829,142
Dump File Time    : 10/4/2015 8:03:13 PM
==================================================

==================================================
Dump File         : 100415-18687-01.dmp
Crash Time        : 10/4/2015 1:45:20 PM
Bug Check String  :
Bug Check Code    : 0x00000116
Parameter 1       : ffffe000`b3bbb4c0
Parameter 2       : fffff801`d0856550
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`0000000d
Caused By Driver  : dxgkrnl.sys
Caused By Address : dxgkrnl.sys+14160c
File Description  : DirectX Graphics Kernel
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16515 (th1.150916-2039)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\100415-18687-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 828,625
Dump File Time    : 10/4/2015 1:45:55 PM
==================================================

==================================================
Dump File         : 100315-17734-01.dmp
Crash Time        : 10/3/2015 2:53:45 PM
Bug Check String  :
Bug Check Code    : 0x00000119
Parameter 1       : 00000000`00000001
Parameter 2       : 00000000`0023ec31
Parameter 3       : 00000000`0023ec32
Parameter 4       : ffffe000`2429f010
Caused By Driver  : watchdog.sys
Caused By Address : watchdog.sys+3c3d
File Description  : Watchdog Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16384 (th1.150709-1700)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\100315-17734-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 151,177
Dump File Time    : 10/3/2015 2:54:23 PM
==================================================

==================================================
Dump File         : 100215-22656-01.dmp
Crash Time        : 10/2/2015 4:30:04 PM
Bug Check String  :
Bug Check Code    : 0x00000116
Parameter 1       : ffffe000`fcfb4010
Parameter 2       : fffff800`d70b6550
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`0000000d
Caused By Driver  : dxgkrnl.sys
Caused By Address : dxgkrnl.sys+14160c
File Description  : DirectX Graphics Kernel
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16515 (th1.150916-2039)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\100215-22656-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 763,648
Dump File Time    : 10/2/2015 4:30:41 PM
==================================================

==================================================
Dump File         : 092915-22734-01.dmp
Crash Time        : 9/29/2015 10:16:31 PM
Bug Check String  :
Bug Check Code    : 0x00000116
Parameter 1       : ffffe000`9d5562f0
Parameter 2       : fffff801`b2446550
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`0000000d
Caused By Driver  : dxgkrnl.sys
Caused By Address : dxgkrnl.sys+142a8c
File Description  : DirectX Graphics Kernel
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16515 (th1.150916-2039)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\092915-22734-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 827,155
Dump File Time    : 9/29/2015 10:17:15 PM
==================================================

==================================================
Dump File         : 092715-19984-01.dmp
Crash Time        : 9/27/2015 3:57:58 PM
Bug Check String  :
Bug Check Code    : 0x00000116
Parameter 1       : ffffe000`d462b440
Parameter 2       : fffff800`300a6550
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`0000000d
Caused By Driver  : dxgkrnl.sys
Caused By Address : dxgkrnl.sys+142a8c
File Description  : DirectX Graphics Kernel
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.10240.16515 (th1.150916-2039)
Processor         : x64
Crash Address     : ntoskrnl.exe+14e240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\092715-19984-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 10240
Dump File Size    : 764,258
Dump File Time    : 9/27/2015 3:58:36 PM
==================================================

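The BSOD.txt export above has a simple record format. As an added example (not code from the thread, from Adlice or from BlueScreenView), this Python script parses such an export and tallies the crashes by faulting driver and by bug check; the BUGCHECK_NAMES table and the trimmed sample records are my own additions, with 0x116 and 0x119 named from Microsoft's bug check reference because the export left those strings empty.

```python
import re
from collections import Counter
# Well-known bug check names for records whose 'Bug Check String' is empty.
BUGCHECK_NAMES = {
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x116: "VIDEO_TDR_FAILURE",
    0x119: "VIDEO_SCHEDULER_INTERNAL_ERROR",
}

def parse_report(text):
    """One dict per dump: 'Key : Value' lines between '=====' rules."""
    records = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skip blank lines and other non-field text
                fields[key.strip()] = value.strip()
        if fields.get("Dump File"):
            records.append(fields)
    return records

def bugcheck_name(rec):
    """Prefer the report's own string; fall back to the code lookup."""
    if rec.get("Bug Check String"):
        return rec["Bug Check String"]
    code = int(rec["Bug Check Code"], 16)
    return BUGCHECK_NAMES.get(code, "0x%X" % code)

def summarise(records):
    """Crashes per faulting driver and per bug check, plus non-Microsoft drivers."""
    return {
        "crashes": len(records),
        "by_driver": Counter(r["Caused By Driver"] for r in records),
        "by_bugcheck": Counter(bugcheck_name(r) for r in records),
        "third_party": sorted({r["Caused By Driver"] for r in records
                               if r.get("Company") != "Microsoft Corporation"}),
    }

# Constructed sample: two records trimmed from the export in this thread.
SAMPLE = """\
==================================================
Dump File         : 101715-18968-01.dmp
Bug Check String  : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code    : 0x00000050
Caused By Driver  : ntoskrnl.exe
Company           : Microsoft Corporation
==================================================
Dump File         : 101315-22781-01.dmp
Bug Check String  :
Bug Check Code    : 0x00000116
Caused By Driver  : dxgkrnl.sys
Company           : Microsoft Corporation
==================================================
"""
```

Run over the full BSOD.txt above it tallies the crashes by driver (dxgkrnl.sys, ntoskrnl.exe, watchdog.sys) and by bug check, the view a responder uses to separate a driver problem from a malware problem; a non-empty "third_party" list is where a driver-update recommendation would start.
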
Reply #3, October 20, 2015, 03:15:18 PM

Curson

Re: Hook IEAT, Infection?, frozen scanners
« Reply #3 on: October 20, 2015, 03:15:18 PM »
Hi Sami,

The BSODs don't seem to be malware related.
Did you install/connect any new hardware, update any drivers, or install a new application?

Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
chkdsk C: /f /v /x
Please allow chkdsk to run on next reboot and restart the computer to perform the analysis.

Regards.

Reply #4, October 20, 2015, 10:06:03 PM

Sami Cuevas

Re: Hook IEAT, Infection?, frozen scanners
« Reply #4 on: October 20, 2015, 10:06:03 PM »
Yes, I updated the drivers a while ago, but I think the problem started after I installed Windows 10, because after that, every time I close my laptop, when I want to open it, it throws a BSOD and restarts the computer. And lately, I put TDSS Killer and it freezes; with Panda Cloud Cleaner it throws a BSOD; and after using rkill, Malwarebytes freezes completely. And the other day, my password, which I put in before Windows starts, changed by itself; it was another password that I use for other accounts. It was very weird.

I already ran the chkdsk.
« Last Edit: October 21, 2015, 05:48:03 AM by Sami Cuevas »

Reply #5, October 21, 2015, 09:35:37 PM

Curson

Re: Hook IEAT, Infection?, frozen scanners
« Reply #5 on: October 21, 2015, 09:35:37 PM »
Hi Sami,

It's certainly a driver issue.
I would advise you to update them and see if this helps.

Regards.