Author Topic: At your request  (Read 4567 times)

0 Members and 1 Guest are viewing this topic.

February 13, 2016, 05:25:55 AM

the dude

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
At your request
« on: February 13, 2016, 05:25:55 AM »
Just ran Rogue Killer and got some weird unknown IAT hook in which you asked me to upload the results here. Hopefully we can get rid of it....

RogueKiller V11.0.11.0 (x64) [Feb  8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : the dude [Administrator]
Started from : C:\Users\the dude\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 02/12/2016 20:17:49

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 29 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x7ffbb9e001e0 (jmp 0xffffffff80137f60|jmp 0xfffffffffffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x7ffbb9e00390 (jmp 0xffffffff8013a1d0|jmp 0xfffffffffffffc69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x7ffbb9e002c0 (jmp 0xffffffff8013a950|jmp 0xfffffffffffffd39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSection : Unknown @ 0x7ffbb9e00300 (jmp 0xffffffff8013a950|jmp 0xfffffffffffffcf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x7ffbb9e003d0 (jmp 0xffffffff8013ade0|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenMutant : Unknown @ 0x7ffbb9e00290 (jmp 0xffffffff80138fd0|jmp 0xfffffffffffffd69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x7ffbb9e00480 (jmp 0xffffffff80139320|jmp 0xfffffffffffffb79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtDuplicateObject : Unknown @ 0x7ffbb9e00380 (jmp 0xffffffff8013ab90|jmp 0xfffffffffffffc79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x7ffbb9e003a0 (jmp 0xffffffff8013abf0|jmp 0xfffffffffffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenEvent : Unknown @ 0x7ffbb9e002d0 (jmp 0xffffffff8013aa60|jmp 0xfffffffffffffd29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtQueryObject : Unknown @ 0x7ffbb9e00440 (jmp 0xffffffff8013b1d0|jmp 0xfffffffffffffbb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateSemaphore : Unknown @ 0x7ffbb9e002a0 (jmp 0xffffffff80139c00|jmp 0xfffffffffffffd59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSemaphore : Unknown @ 0x7ffbb9e002b0 (jmp 0xffffffff80138f30|jmp 0xfffffffffffffd49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : Unknown @ 0x7ffbb9e00280 (jmp 0xffffffff80139d20|jmp 0xfffffffffffffd79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateTimer : Unknown @ 0x7ffbb9e00320 (jmp 0xffffffff80139c20|jmp 0xfffffffffffffcd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenTimer : Unknown @ 0x7ffbb9e00330 (jmp 0xffffffff80138f30|jmp 0xfffffffffffffcc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenProcess : Unknown @ 0x7ffbb9e00360 (jmp 0xffffffff8013ae30|jmp 0xfffffffffffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x7ffbb9e003c0 (jmp 0xffffffff80139ce0|jmp 0xfffffffffffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x7ffbb9e003e0 (jmp 0xffffffff8013a910|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenThread : Unknown @ 0x7ffbb9e00370 (jmp 0xffffffff80138f90|jmp 0xfffffffffffffc89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSuspendThread : Unknown @ 0x7ffbb9e00420 (jmp 0xffffffff80137f60|jmp 0xfffffffffffffbd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSetContextThread : Unknown @ 0x7ffbb9e003f0 (jmp 0xffffffff80138550|jmp 0xfffffffffffffc09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSection : Unknown @ 0x7ffbb9e00310 (jmp 0xffffffff8013abc0|jmp 0xfffffffffffffce9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x7ffbb9e00340 (jmp 0xffffffff80139ec0|jmp 0xfffffffffffffcb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x7ffbb9e00490 (jmp 0xffffffff80139310|jmp 0xfffffffffffffb69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x7ffbb9e00470 (jmp 0xffffffff8013a310|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x7ffbb9e00430 (jmp 0xffffffff80138a10|jmp 0xfffffffffffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ user32.dll) ntdll!NtVdmControl : Unknown @ 0x7ffbb9e00270 (jmp 0xffffffff80137b70|jmp 0xfffffffffffffd89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x7ffbb9e001d0 (jmp 0xffffffff80139290|jmp 0xfffffffffffffe29|jmp 0x19b)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: MKNSSDCR250GB-7-OEM +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 237116 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 486776832 | Size: 791 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HGST HTS721010A9E630 +++++
--- User ---
[MBR] c6674c742af4d1a1d8d7b7773e9bedea
[BSP] 944a6a2c394c5513a8ffeef608e404e3 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1450340352 | Size: 245693 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Reply #1February 15, 2016, 01:47:09 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: At your request
« Reply #1 on: February 15, 2016, 01:47:09 AM »
Hi the dude,

Theses IAT hooks are known false positives. We will fix this as soon as possible.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.

Reply #2February 17, 2016, 03:19:20 AM

the dude

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: At your request
« Reply #2 on: February 17, 2016, 03:19:20 AM »
OK...phew. Thank you for putting my nerves at ease. Keep up the great work. Rogue Killer has helped me many times when other programs just fall short.

the dude

Reply #3February 17, 2016, 07:45:29 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: At your request
« Reply #3 on: February 17, 2016, 07:45:29 PM »
Hi the dude,

You are welcome.
Thanks for the kind words.

Regards.