Can someone comment on this IAT hook detection, false positive?

[JukkaG]

So, first off that F-Secure -related Zeus detection is false and happens with all computers that have F-secure, you should whitelist it.

But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)

However Roguekiller is the only program that detects anything, full scans by TDDSkiller, aswMBR, Kaspersky Virus Removal Tool, HitmanPro, ESET Online Scanner, Malwarebytes Anti-Malware and F-Secure have found nothing. I know that it's most likely just a false positive too just because of that, but could someone with more knowledge tell me if that one looks suspicious?

[Curson]

Hi Jukka,

So, first off that F-Secure -related Zeus detection is false and happens with all computers that have F-secure, you should whitelist it.

Thanks for reporting it. This will be fixed in RogueKiller next release.

But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)

Do you use anti-exploit softwares on your computer ?

Regards.

[JukkaG]

But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)

Do you use anti-exploit softwares on your computer ?

Mm, I don't think so, can't remember installing any anti-exploit software on this machine. Unless F-Secure or Malwarebytes Anti-Malware does something like that, but I find it unlikely. Does that mean that it has come from malicious sources, or is there any way to get more information about that?

Also noting that I don't have any visible symptoms of infection or anything, I'm just doing regular scans to be sure.

[Curson]

Hi Jukka,

The hook is mostly related to your antivirus.
However, we are going to verify it.

Please follow the following process.

• Download Process Explorer and save it to your desktop.
  
• Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  
• Locate the process named explorer.exe, right click select Create Dump > Create Full Dump...
  
• Save the dump on your desktop and compress it.
• Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
  

Regards.

[JukkaG]

Hi Jukka,

The hook is mostly related to your antivirus.
However, we are going to verify it.

Please follow the following process.

• Download Process Explorer and save it to your desktop.
  
• Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  
• Locate the process named explorer.exe, right click select Create Dump > Create Full Dump...
  
• Save the dump on your desktop and compress it.
• Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
  

Regards.

Hi, I posted the dump to you. Actually I posted it multiple times like an idiot because I thought that it was supposed to give me a confirmation about the completed upload and I thought that it didn't work at first, but then I realized that it just doesn't give a confirmation. So don't wonder if you have received that file something like 5 times...

Also, I found a possible explanation for anti-exploit like behavior: I just remembered F-Secure has a so-called Deepguard module that interjects processes and monitors them if it can't verify them as safe through the cloud. It sort of sounds like a thing that would create a hook like that.

[Curson]

Hi Jukka,

Hi, I posted the dump to you. Actually I posted it multiple times like an idiot because I thought that it was supposed to give me a confirmation about the completed upload and I thought that it didn't work at first, but then I realized that it just doesn't give a confirmation. So don't wonder if you have received that file something like 5 times...

In fact, I haven't received anything.
Could you please host the dump on DropBox/Onedrive and share the link here ?

Also, I found a possible explanation for anti-exploit like behavior: I just remembered F-Secure has a so-called Deepguard module that interjects processes and monitors them if it can't verify them as safe through the cloud. It sort of sounds like a thing that would create a hook like that.

That's highly possible.

Regards.

[JukkaG]

In fact, I haven't received anything.
Could you please host the dump on DropBox/Onedrive and share the link here ?

Here it is: https://dl.dropboxusercontent.com/u/17953443/explorer.zip

[Curson]

Hi Jukka,

Thanks.
We will analyze the dump as soon as possible.

EDIT : The hook was confirmed to belong to F-Secure.

Regards.

[JukkaG]

Million thanks to you, now I can keep on using my computer without paranoia

And at least you can now eliminate some false positives that nobody else has to get spooked by the same thingy again!

[Curson]

Hi Jukka,

Million thanks to you, now I can keep on using my computer without paranoia

You are very welcome.

And at least you can now eliminate some false positives that nobody else has to get spooked by the same thingy again!

Indeed. It should be fixed in RogueKiller next release.

Regards.