Author Topic: Do I need to worry about these IAT hooks, my browsers have been freezing up sys


February 02, 2016, 01:54:51 pm

cynindesign

Do I need to worry about these? If so, how do I remove them... because right now I can't touch them. TIA, Cyn

Antirootkit : 29 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x7ffbab5c01e0 (jmp 0xffffffff80138200|jmp 0xfffffffffffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x7ffbab5c0390 (jmp 0xffffffff8013a470|jmp 0xfffffffffffffc69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x7ffbab5c02c0 (jmp 0xffffffff8013abf0|jmp 0xfffffffffffffd39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSection : Unknown @ 0x7ffbab5c0300 (jmp 0xffffffff8013abf0|jmp 0xfffffffffffffcf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x7ffbab5c03d0 (jmp 0xffffffff8013b080|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenMutant : Unknown @ 0x7ffbab5c0290 (jmp 0xffffffff80139270|jmp 0xfffffffffffffd69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x7ffbab5c0480 (jmp 0xffffffff801395c0|jmp 0xfffffffffffffb79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtDuplicateObject : Unknown @ 0x7ffbab5c0380 (jmp 0xffffffff8013ae30|jmp 0xfffffffffffffc79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x7ffbab5c03a0 (jmp 0xffffffff8013ae90|jmp 0xfffffffffffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenEvent : Unknown @ 0x7ffbab5c02d0 (jmp 0xffffffff8013ad00|jmp 0xfffffffffffffd29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtQueryObject : Unknown @ 0x7ffbab5c0440 (jmp 0xffffffff8013b470|jmp 0xfffffffffffffbb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateSemaphore : Unknown @ 0x7ffbab5c02a0 (jmp 0xffffffff80139ea0|jmp 0xfffffffffffffd59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSemaphore : Unknown @ 0x7ffbab5c02b0 (jmp 0xffffffff801391d0|jmp 0xfffffffffffffd49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : Unknown @ 0x7ffbab5c0280 (jmp 0xffffffff80139fc0|jmp 0xfffffffffffffd79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateTimer : Unknown @ 0x7ffbab5c0320 (jmp 0xffffffff80139ec0|jmp 0xfffffffffffffcd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenTimer : Unknown @ 0x7ffbab5c0330 (jmp 0xffffffff801391d0|jmp 0xfffffffffffffcc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenProcess : Unknown @ 0x7ffbab5c0360 (jmp 0xffffffff8013b0d0|jmp 0xfffffffffffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x7ffbab5c03c0 (jmp 0xffffffff80139f80|jmp 0xfffffffffffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x7ffbab5c03e0 (jmp 0xffffffff8013abb0|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenThread : Unknown @ 0x7ffbab5c0370 (jmp 0xffffffff80139230|jmp 0xfffffffffffffc89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSuspendThread : Unknown @ 0x7ffbab5c0420 (jmp 0xffffffff80138200|jmp 0xfffffffffffffbd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSetContextThread : Unknown @ 0x7ffbab5c03f0 (jmp 0xffffffff801387f0|jmp 0xfffffffffffffc09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSection : Unknown @ 0x7ffbab5c0310 (jmp 0xffffffff8013ae60|jmp 0xfffffffffffffce9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x7ffbab5c0340 (jmp 0xffffffff8013a160|jmp 0xfffffffffffffcb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x7ffbab5c0490 (jmp 0xffffffff801395b0|jmp 0xfffffffffffffb69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x7ffbab5c0470 (jmp 0xffffffff8013a5b0|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x7ffbab5c0430 (jmp 0xffffffff80138cb0|jmp 0xfffffffffffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ user32.dll) ntdll!NtVdmControl : Unknown @ 0x7ffbab5c0270 (jmp 0xffffffff80137e10|jmp 0xfffffffffffffd89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x7ffbab5c01d0 (jmp 0xffffffff80139530|jmp 0xfffffffffffffe29|jmp 0x19b)
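One way to triage output like the above, as an added example that is not part of cynindesign's post and not RogueKiller's own code: parse the hook lines, check each jump target against a map of the process's loaded modules, and summarise which native APIs are hooked and how tightly the targets cluster. The line format is inferred from the posted lines, the module map and the "hooklib_hypothetical.dll" entry are constructed for illustration, and the five sample lines are copied from the post. The reading that RogueKiller's "Unknown" means it could not map the jump target to a loaded module is also an assumption.

```python
"""Triage of RogueKiller-style 'Antirootkit' hook lines.

Added example, not RogueKiller's code. It parses lines shaped like the ones
posted above, checks each jump target against a module map, and summarises
which native APIs are hooked and how tightly the targets cluster. The line
format and the module maps are assumptions based on the post, not documented
RogueKiller behaviour.
"""
import re
from collections import Counter

# One hook record (format inferred from the posted lines, an assumption):
#   [IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x7ffbab5c02c0 (jmp ...)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+"
    r"\((?P<process>[^\s@)]+)(?:\s+@\s+(?P<importer>[^)]+))?\)\s+"
    r"(?P<module>\w+)!(?P<func>\w+)\s*:\s*"
    r"(?P<owner>\S+)\s+@\s+0x(?P<target>[0-9a-fA-F]+)"
)

# Native APIs hooked by behaviour-blocking security products and by injected
# malware alike (my own selection, not a RogueKiller category).
INJECTION_APIS = {
    "NtWriteVirtualMemory", "NtCreateThreadEx", "NtQueueApcThreadEx",
    "NtSetContextThread", "NtOpenProcess", "NtLoadDriver", "NtCreateSection",
}

# Five of the 29 lines from the post above, copied verbatim as sample input.
SAMPLE_LINES = [
    "[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x7ffbab5c01e0 (jmp 0xffffffff80138200|jmp 0xfffffffffffffe19|jmp 0x19b)",
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x7ffbab5c02c0 (jmp 0xffffffff8013abf0|jmp 0xfffffffffffffd39|jmp 0x19b)",
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x7ffbab5c03a0 (jmp 0xffffffff8013ae90|jmp 0xfffffffffffffc59|jmp 0x19b)",
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x7ffbab5c03c0 (jmp 0xffffffff80139f80|jmp 0xfffffffffffffc39|jmp 0x19b)",
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x7ffbab5c01d0 (jmp 0xffffffff80139530|jmp 0xfffffffffffffe29|jmp 0x19b)",
]

# Constructed module maps as (name, base, size); the base addresses are invented.
# The first deliberately has no module around 0x7ffbab5c0000, which is the
# situation the tool reports as "Unknown" (assumed meaning).
SAMPLE_MODULES = [
    ("explorer.exe", 0x7FF6B3C00000, 0x400000),
    ("ntdll.dll", 0x7FFBB1A60000, 0x1F0000),
    ("kernel32.dll", 0x7FFBB05A0000, 0xB0000),
]
# The second adds a hypothetical hooking DLL that covers the target region.
SAMPLE_MODULES_WITH_HOOK_DLL = SAMPLE_MODULES + [
    ("hooklib_hypothetical.dll", 0x7FFBAB5C0000, 0x30000),
]


def parse_hook_line(line):
    """Return a dict for one hook line, or None if the line is not a hook record."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["target"] = int(rec["target"], 16)
    return rec


def owning_module(addr, modules):
    """Name of the module whose [base, base+size) contains addr, else None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def triage(lines, modules):
    """Parse hook lines, attribute each jump target, and summarise the result."""
    hooks = [h for h in (parse_hook_line(l) for l in lines) if h]
    for h in hooks:
        h["owner_by_map"] = owning_module(h["target"], modules)
    targets = sorted(h["target"] for h in hooks)
    return {
        "hooks": hooks,
        "count": len(hooks),
        # Distance between the lowest and highest target: a small span means the
        # hooks share one trampoline region, i.e. most likely one hooking component.
        "target_span": (targets[-1] - targets[0]) if targets else 0,
        "unattributed": [h["func"] for h in hooks if h["owner_by_map"] is None],
        "injection_apis": sorted(h["func"] for h in hooks if h["func"] in INJECTION_APIS),
        "by_module": Counter(h["owner_by_map"] or "<no module>" for h in hooks),
    }


if __name__ == "__main__":
    for label, modules in (("no module covers the targets", SAMPLE_MODULES),
                           ("hypothetical hook DLL loaded", SAMPLE_MODULES_WITH_HOOK_DLL)):
        r = triage(SAMPLE_LINES, modules)
        print(f"{label}: {r['count']} hooks, targets within 0x{r['target_span']:x} bytes, "
              f"unattributed={r['unattributed']}, injection-style APIs={r['injection_apis']}")
```

On the affected machine the module map would come from the live explorer.exe rather than the constructed list, for instance in PowerShell with `(Get-Process explorer).Modules | Select-Object ModuleName, BaseAddress, ModuleMemorySize`. Applied to all 29 lines in the post, the targets lie within 0x2c0 bytes of each other (0x7ffbab5c01d0 to 0x7ffbab5c0490), which fits one hooking component's trampoline table rather than 29 unrelated hooks; whether that component is legitimate is decided by which loaded module owns that region, and a target that maps to no loaded module at all is the case that deserves a closer look.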


Reply #1, February 02, 2016, 08:10:56 pm

Curson

  • Global Moderator
Hi Cynthia,

At first sight, those hooks seem legit.
Please attach the JSON report in your next reply.

Regards.