Author Topic: False positive IAT Hook?  (Read 4451 times)


electrocaid
False positive IAT Hook?
« on: February 18, 2016, 09:37:15 PM »
I've had this for some days  :(

No way to remove it (and my PC has strange behaviours: the mouse's left click stops working at times, the external HD auto-runs...)

Thanks in advance for your help

RogueKiller V11.0.12.0 (x64) [Feb 15 2016] (Free) by Adlice Software
email : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Operating system : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Utilisateur [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/18/2016 21:24:21

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts file : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (firefox.exe @ kernel32.dll) ntdll!LdrUnloadDll : Unknown @ 0x303fc (jmp 0x885c430c|jmp 0x64f0d334)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 4189a901a94fbaecad32b672704eb1ad
[BSP] 796015a17d03e7f12696675d8ef07f69 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] c1a7de56b254098279cd7e9897a2a23c
[BSP] 398d1518378b9ba117fababd8647de05 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2:  +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 3815318 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] This request is not supported.)

+++++ PhysicalDrive3: Generic STORAGE DEVICE USB Device +++++
Error reading User MBR! ([15] The device is not ready.)
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] This request is not supported.)


Curson (Global Moderator)
Re: False positive IAT Hook?
« Reply #1 on: February 19, 2016, 02:16:45 PM »
Hi electrocaid,

This IAT hook is a false positive. It will be whitelisted as soon as possible.

Regards.
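For readers wondering what a line like `[IAT:Inl(Hook.IEAT)] ... ntdll!LdrUnloadDll : Unknown @ ... (jmp 0x...|jmp 0x...)` is actually reporting, and why a moderator can call it a false positive: the antirootkit found the first bytes of an ntdll export inside firefox.exe rewritten into a jmp, followed the jmp(s), and could not attribute the final target to a loaded module. The example below is added here and is not RogueKiller's or Adlice's code; it shows the classification logic such a scanner applies in user mode. It assumes 32-bit x86 (`E9 rel32` near jmps, as the 32-bit addresses in the log suggest) and that the pipe-separated jmps are a chain; the module names (including a hypothetical injected `hooklib.dll`), addresses and function bytes are constructed sample data, not values from the log. A chain that ends inside a known DLL is the usual false-positive shape (an injected hooking library from AV, sandboxing or compatibility software); a chain that ends in memory no module owns is the case worth digging into.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 4

/* A loaded module's range, as an antirootkit collects from the target process's module list. */
typedef struct { const char *name; uint32_t base; uint32_t size; } module_t;

/* Five bytes read from the target process at a virtual address. */
typedef struct { uint32_t va; uint8_t bytes[5]; } snapshot_t;

/* Result of following the jmp chain from a function's entry point. */
typedef struct {
    int hops;                   /* number of jmps decoded (0 = clean prologue) */
    uint32_t targets[MAX_HOPS]; /* absolute target of each jmp, in order */
    const char *owner;          /* module owning the final target, "Unknown", or "not hooked" */
} hook_chain_t;

static const module_t *find_owner(const module_t *m, size_t n, uint32_t va)
{
    for (size_t i = 0; i < n; i++)
        if (va >= m[i].base && va - m[i].base < m[i].size)
            return &m[i];
    return NULL;
}

static const snapshot_t *find_snapshot(const snapshot_t *s, size_t n, uint32_t va)
{
    for (size_t i = 0; i < n; i++)
        if (s[i].va == va)
            return &s[i];
    return NULL;
}

/* Decode an x86 near jmp (E9 rel32) at va: target = va + 5 + rel32 (mod 2^32).
   Unsigned wraparound makes a backward (negative) rel32 work without a special case. */
static int decode_jmp_rel32(const uint8_t *b, uint32_t va, uint32_t *target)
{
    if (b[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)b[1] | ((uint32_t)b[2] << 8) |
                   ((uint32_t)b[3] << 16) | ((uint32_t)b[4] << 24);
    *target = va + 5u + rel;
    return 1;
}

/* Encode the jmp a hooking library writes over a prologue; used to build the sample. */
static snapshot_t make_jmp(uint32_t va, uint32_t target)
{
    snapshot_t s;
    uint32_t rel = target - (va + 5u);
    s.va = va;
    s.bytes[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        s.bytes[1 + i] = (uint8_t)(rel >> (8 * i));
    return s;
}

/* Follow jmps from entry until the bytes are not a jmp, no snapshot exists for the
   target, or MAX_HOPS is reached; then resolve the last target against the module list. */
hook_chain_t follow_hook(const snapshot_t *snaps, size_t nsnaps,
                         const module_t *mods, size_t nmods, uint32_t entry)
{
    hook_chain_t r;
    uint32_t va = entry, target;
    memset(&r, 0, sizeof r);
    while (r.hops < MAX_HOPS) {
        const snapshot_t *s = find_snapshot(snaps, nsnaps, va);
        if (!s || !decode_jmp_rel32(s->bytes, va, &target))
            break;
        r.targets[r.hops++] = target;
        va = target;
    }
    if (r.hops == 0) {
        r.owner = "not hooked";
    } else {
        const module_t *m = find_owner(mods, nmods, va);
        r.owner = m ? m->name : "Unknown";
    }
    return r;
}

/* Constructed sample: hypothetical modules and addresses, not taken from the log. */
static const module_t SAMPLE_MODULES[] = {
    { "ntdll.dll",    0x77C00000u, 0x00140000u },
    { "kernel32.dll", 0x76A00000u, 0x00110000u },
    { "hooklib.dll",  0x64F00000u, 0x00050000u }, /* hypothetical injected hooking DLL */
};
#define N_MODULES (sizeof SAMPLE_MODULES / sizeof SAMPLE_MODULES[0])

#define FN_A       0x77C2A100u /* ntdll export hooked via a trampoline into hooklib.dll */
#define FN_B       0x77C2B200u /* ntdll export hooked into memory no module owns */
#define FN_C       0x77C2C300u /* ntdll export with an untouched prologue */
#define TRAMPOLINE 0x00130000u /* private page owned by no module */
#define IN_HOOKLIB 0x64F12340u
#define IN_NOWHERE 0x00400800u

static size_t build_sample(snapshot_t *out)
{
    size_t n = 0;
    const snapshot_t clean = { FN_C, { 0x8B, 0xFF, 0x55, 0x8B, 0xEC } }; /* mov edi,edi; push ebp; mov ebp,esp */
    out[n++] = make_jmp(FN_A, TRAMPOLINE);
    out[n++] = make_jmp(TRAMPOLINE, IN_HOOKLIB);
    out[n++] = make_jmp(FN_B, IN_NOWHERE);
    out[n++] = clean;
    return n;
}

/* Classify one of the sample functions. */
hook_chain_t sample_chain(uint32_t entry)
{
    snapshot_t snaps[8];
    size_t n = build_sample(snaps);
    return follow_hook(snaps, n, SAMPLE_MODULES, N_MODULES, entry);
}

int main(void)
{
    const uint32_t fns[] = { FN_A, FN_B, FN_C };
    for (size_t i = 0; i < 3; i++) {
        hook_chain_t c = sample_chain(fns[i]);
        printf("0x%08" PRIx32 ":", fns[i]);
        for (int h = 0; h < c.hops; h++)
            printf(" jmp 0x%08" PRIx32, c.targets[h]);
        printf(" -> %s\n", c.owner);
    }
    return 0;
}
```

In a real triage the snapshots come from reading the process's memory and the module list from its loader data; the decision rule is the same: if the chain lands in a DLL you can name, look at that DLL's vendor and signature before treating the hook as malicious, and only an owner of "Unknown" (or a module you cannot account for) justifies the kind of worry in the original post.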

electrocaid
Re: False positive IAT Hook?
« Reply #2 on: February 19, 2016, 07:52:18 PM »
Hello Curson,

(Relief!)

Thanks a lot!

Kind regards

Curson (Global Moderator)
Re: False positive IAT Hook?
« Reply #3 on: February 22, 2016, 03:35:24 PM »
Hi electrocaid,

You are very welcome.

Regards.