RogueKiller HOOKS...


#1 chugbug (Members, 3 posts)

Posted 10 February 2015 - 11:22 AM

Hello all,

Before I started working with some sensitive information on one of my laptops, I decided to run a few additional adware, malware and AV scanners (besides the ones that run on a routine basis). The PC has been working fine and, as far as I know, is clean, but I just wanted some additional reassurance. All of the various scanners came up clean except for RogueKiller...

After the scan, RogueKiller presented me with a list of Unknown HOOKS in the AntiRootkit tab, then opened a website about HOOKS. After reading the information on the webpage and reviewing the list, the files look like they could be related to a forum or email webpage; it gives names like CreateThread, PostMessage, GetMessage, so I think I can ignore them. There are 23 in all, and all have the same identification "unknown @ 0x630008a6" (see the snapshot from the log file below).

I think I can ignore them, but I wanted to get a second opinion. I didn't want to post this in the logs section since I was only asking a general question about the hooks. I figured those guys were busy enough.

I'd appreciate it if someone could confirm my suspicion and let me know if they are OK to ignore or if I should do something with them.

Thanks...JEB

[Attached image: RogueKiller_logfile_snapshot.png]



#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,595 posts)

Posted 10 February 2015 - 02:04 PM

Userland rootkits: Part 1, IAT hooks

If you land here from RogueKiller... this is because RogueKiller has detected an IAT/EAT hook. Don't panic. Most of the time, they are made by legit modules (even some system DLLs) to add filtering features, or by antiviruses. However, most of these DLLs are whitelisted in RogueKiller, so either the DLL is not known (please verify by typing it on Google), or the module is a real malware (if you didn't find anything on it on Google, or worse, you found bad things), or, because the module has not been identified (shellcoded outside of any module), the module is named Unknown. In this last case, if nothing else has been found by RogueKiller, just skip it.

Another thing to know is that it's USELESS in most of the cases to remove a module, because if you're able to do it, it will be back at reboot, or at process restart. You have to target the persistence item instead (registry key, patched file, ...). In RogueKiller, IAT hooks are just listed for diagnostic and will not be restored.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif



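To make the terms in the reply above concrete, here is an added example, not code from RogueKiller, Adlice or either poster, written as portable C so it runs anywhere. It models a process's loaded modules as address ranges and a few Import Address Table (IAT) slots, lets one loaded module and one bare shellcode region overwrite two of the slots, and then classifies every slot the way an anti-rootkit scanner does: the stored address should fall inside the module the import names; if it falls inside some other loaded module the hook is attributed to that module so it can be looked up; if it falls inside no module at all it is reported as unknown. The module names, sizes and addresses (including the hypothetical filter.dll) are constructed for illustration; only the address 0x630008a6 comes from the log in the first post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded module: its name and the virtual address range it occupies. */
typedef struct {
    const char *name;
    uintptr_t   base;
    size_t      size;
} module_t;

/* One IAT slot of a process: the imported function, the module the import
   declares it comes from, and the address currently stored in the slot
   (written by the loader, or overwritten later by a hook). */
typedef struct {
    const char *func;
    const char *from;
    uintptr_t   target;
} iat_entry_t;

/* Verdicts for a slot, mirroring what an anti-rootkit tab reports. */
typedef enum { SLOT_CLEAN = 0, SLOT_HOOK_KNOWN = 1, SLOT_HOOK_UNKNOWN = 2 } verdict_t;

/* Constructed sample process: three loaded modules with made-up addresses.
   filter.dll stands in for a legitimate filtering/AV module. */
static const module_t g_mods[] = {
    { "kernel32.dll", 0x76a00000u, 0x00100000u },
    { "user32.dll",   0x76c00000u, 0x00080000u },
    { "filter.dll",   0x6a000000u, 0x00020000u },
};
#define N_MODS (sizeof g_mods / sizeof g_mods[0])

/* Return the module whose range covers addr, or NULL when no loaded module
   does. NULL is exactly the "unknown @ 0x..." case in a RogueKiller log:
   code that lives outside every module, i.e. injected shellcode. */
static const module_t *module_for(const module_t *mods, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Simulate a hooking component overwriting an IAT slot with its handler.
   This is all an IAT hook is: one pointer in the import table replaced. */
static void hook_slot(iat_entry_t *e, uintptr_t handler)
{
    e->target = handler;
}

/* Classify one slot and report which module (if any) owns the target. */
static verdict_t classify_slot(const module_t *mods, size_t n,
                               const iat_entry_t *e, const char **owner)
{
    const module_t *m = module_for(mods, n, e->target);
    *owner = m ? m->name : "unknown";
    if (m && strcmp(m->name, e->from) == 0)
        return SLOT_CLEAN;               /* resolves into the expected module */
    return m ? SLOT_HOOK_KNOWN : SLOT_HOOK_UNKNOWN;
}

/* Scan a whole table, print one line per hooked slot, and return how many
   hooks could not be attributed to any loaded module. */
static int scan_iat(const module_t *mods, size_t nm, const iat_entry_t *iat, size_t ni)
{
    int unknown = 0;
    for (size_t i = 0; i < ni; i++) {
        const char *owner;
        verdict_t v = classify_slot(mods, nm, &iat[i], &owner);
        if (v == SLOT_CLEAN)
            continue;
        printf("HOOK %s!%s -> %s @ 0x%lx\n", iat[i].from, iat[i].func,
               owner, (unsigned long)iat[i].target);
        if (v == SLOT_HOOK_UNKNOWN)
            unknown++;
    }
    return unknown;
}

/* Build the constructed sample IAT, install two hooks and scan it. */
int demo_scan(void)
{
    iat_entry_t iat[] = {
        { "CreateThread", "kernel32.dll", 0x76a1a2b0u },   /* clean */
        { "PostMessageW", "user32.dll",   0x76c13400u },
        { "GetMessageW",  "user32.dll",   0x76c12a10u },
    };
    hook_slot(&iat[1], 0x6a001200u);   /* filter.dll intercepts PostMessageW: attributable */
    hook_slot(&iat[2], 0x630008a6u);   /* shellcode outside any module: reported as unknown */
    return scan_iat(g_mods, N_MODS, iat, sizeof iat / sizeof iat[0]);
}

int main(void)
{
    int n = demo_scan();
    printf("%d hooked slot(s) point outside every loaded module\n", n);
    return 0;
}
```

The scan reports two hooks but only the GetMessageW one as unknown, because 0x630008a6 is inside no module's range; that is the situation the reply describes as "shellcoded outside of any module". Writing the original address back into the slot (the inverse of hook_slot) is what the reply calls useless: whatever loads the hooking code at process start will simply overwrite the slot again, so the persistence mechanism, not the pointer, is what needs removing.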
