mbyuser (Honorary Members, 270 posts)

Posts posted by mbyuser

  1. I no longer need help with this subject.

    I was concerned about: 257 Function Name: NtTerminateProcess

    Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3eb40b0, and that hidden code.

    I have since found that the above is not a rootkit, and the malware I did have has been removed. Sorry, I just wasn't sure I had got everything. I will make sure I need help before asking for it again, and post in the right forum, as I might need help; however this is not a malware issue.

    Sorry.

  2. After installing QuickTime I noticed attacks coming from 0.0.0.0; this started alarm bells ringing.

    So I tried on my own to figure it out; this led to me eventually using tools I wasn't comfy with.

    (OTL by OldTimer, and RootRepeal) as well as a few others; these are just the ones that I find hard to figure out.

    I am not sure whether to post a HijackThis log or not, as I can't find anything using that tool.

    Nor did I do so when I removed some other stuff that was malware.

    Today I mopped up with the Sophos threat detection test, which found Sus/TinyDL-G; however, that was in my System Restore folder.

    RootRepeal reports some hooking and some hidden code; some might belong to IObit, which was removed. I say that as I did find some IObit stuff I thought I had removed; however, I am not 100% sure whether it is or isn't.

    I am told that some of the hooking belongs to invalid pathways.

    The hidden code I've not tried to kill, as that is going over my head and I don't know what it belongs to, and I've left it alone, especially as it says system process.

    RootRepeal log:

    SSDT

    -------------------

    #: 019 Function Name: NtAssignProcessToJobObject

    Status: Hooked by "<unknown>" at address 0x8565d8a0

    #: 122 Function Name: NtOpenProcess

    Status: Hooked by "<unknown>" at address 0x8565ccb0

    #: 128 Function Name: NtOpenThread

    Status: Hooked by "<unknown>" at address 0x8565d0d0

    #: 253 Function Name: NtSuspendProcess

    Status: Hooked by "<unknown>" at address 0x8565d6d0

    #: 254 Function Name: NtSuspendThread

    Status: Hooked by "<unknown>" at address 0x8565d4f0

    #: 257 Function Name: NtTerminateProcess

    Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3eb40b0

    #: 258 Function Name: NtTerminateThread

    Status: Hooked by "<unknown>" at address 0x8565d310

    Stealth Objects

    -------------------

    Object: Hidden Code [ETHREAD: 0x8594c778]

    Process: System Address: 0x8565b930 Size: 1000

    I will post a HijackThis log even though I can't find anything there, just in case it helps.

    I must admit, apart from that code, which might well be legit as it is a system process, I think I now might be clean; I am not sure, hence my post.

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 21:30:48, on 25/11/2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\ESET\ESET Smart Security\ekrn.exe

    C:\WINDOWS\system32\lxdncoms.exe

    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

    c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\Program Files\ESET\ESET Smart Security\egui.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Documents and Settings\xxxx\Desktop\xxxxx\hm_3.2.71_beta7\hm.exe

    C:\Program Files\Sophos\AutoUpdate\ALMon.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/scraper.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O4 - HKLM\..\Run: [soundMan] "SOUNDMAN.EXE"

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [HostsMan] "C:\Documents and Settings\xxxxxx\Desktop\xxxxx\hm_3.2.71_beta7\hm.exe" -s

    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O15 - ESC Trusted Zone: http://*.update.microsoft.com

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1253979158293

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1253979276996

    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

    O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe

    O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe

    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

    --

    End of file - 4928 bytes

    (I do know I've an O4 entry, QuickTime, that I should stop booting up at startup.)
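    As an added triage helper (not the poster's code and not part of RootRepeal): it parses the SSDT section of a RootRepeal log in the format quoted above and separates hooks the scanner attributed to a named driver image (here the SUPERAntiSpyware SASKUTIL.sys entry) from those reported as "<unknown>", which are the ones that need follow-up because no loaded driver could be matched to the hook address. The sample log is constructed from entries in the post.

```python
import re
from collections import defaultdict

# Constructed sample: three entries in the RootRepeal SSDT report format
# quoted in the post above (blank lines between lines are tolerated).
SAMPLE_LOG = """\
SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8565d8a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xf3eb40b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8565d310
"""

# One SSDT entry spans two report lines: the "#:" line and the "Status:" line.
ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<name>\w+)\s*'
    r'Status:\s*Hooked by "(?P<owner>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_ssdt(text):
    """Return one dict per hooked SSDT entry: index, function name, owning
    module as reported by the scanner, and the hook address as an int."""
    return [
        {"index": int(m["index"]), "name": m["name"],
         "owner": m["owner"], "addr": int(m["addr"], 16)}
        for m in ENTRY_RE.finditer(text)
    ]


def triage(entries):
    """Group hooked functions by owning module. Hooks owned by '<unknown>'
    are listed separately: the scanner could not map the hook address to
    any loaded driver image, so they cannot be explained by a known product
    (such as an installed anti-malware driver) without further checks."""
    by_owner = defaultdict(list)
    for e in entries:
        by_owner[e["owner"]].append(e["name"])
    return {
        "known": {k: sorted(v) for k, v in by_owner.items() if k != "<unknown>"},
        "unknown": sorted(by_owner.get("<unknown>", [])),
    }


if __name__ == "__main__":
    print(triage(parse_ssdt(SAMPLE_LOG)))
```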

  3. I don't see the point. I know how long it should take, quick or full scan.

    I really hope this isn't thrown in; the program would use resources (even if only slightly) and I myself feel it would be a step in the wrong direction. That's how some others ended up being tossed in the waste basket: at first great detection rates, then frills, then a crap bloated program.

    Frills don't interest me at all; detection rates do.

  4. I dropped Lavasoft's Ad-Aware when they started bundling paid-for bit parts into the free version. I don't like using just one or two scanners when it comes to looking for malware.

    I was looking at it a while back, thinking maybe I should see how it does nowadays.

    Glad I looked at this post.

    It used to be, a long time ago, a fairly decent program, lite and easy; then they seemed to ruin it with all the frills. I've still got a very old version lying around on disc that I've not converted into a table mat or frisbee as of yet; I'd rather use that than their new program.

    It's why I like Malwarebytes: no fancy extras, paid-for or free, just decent detections.

  5. OK, let's nip this in the bud.

    Yes, CNET etc. has various bad downloads or rogue programs.

    It's not where you're downloading it from, in regards to your question.

    It's what you download.

    The Malwarebytes download is safe.

    No need for any more links, IMO; we are guests and should behave as such.

    With good intentions I make that comment; it makes hard work for the admin to monitor so many links. We all know by now, or should do, how to download Malwarebytes without the added links.

  6. Watching it on TV it was real obvious. I haven't looked at that link, as I watched the program already, and it was all over the news this morning.

    FIFA really need to tighten up.

    It will be interesting if anything does result from this.

  7. Where there's money there's crime.

    Where there is a viable way to cause problems or pure theft, the human race always shows its colours. Some will help you, some will take advantage.

    Hence why I try darn hard to learn more, even if my aged brain is saying "eh, what?", like trying to teach an old dog new tricks.

    And it's also why I have a lot of respect for those that do help, and the obvious loathing for devious thieves, or malware writers and the like.

  8. I overcomplicated it myself, as well as my usual terrible spelling.

    On the 4th of Nov this update failed:

    "Update for Internet Explorer 8 for Windows XP (KB976749)". It later installed properly. So when the update(s) on the 18th also failed, I just rebooted and tried again after a quick scan and a peek within HijackThis and a few other folders to see if something nasty was causing this.

    Nothing found, and the updates below still failing:

    Security Update for Windows XP (KB969947) & Windows Malicious Software Removal Tool - November 2009 (KB890830)

    I then manually installed the update "Security Update for Windows XP (KB969947)".

    Without removing anything, it seemed to work, as I was then offered:

    "Windows Malicious Software Removal Tool - November 2009 (KB890830)", which downloaded as per normal and properly installed.

    I was stupid yesterday and didn't look to see if the update I manually installed had installed properly; looking at Revo Uninstaller today I find it has. I was overtired and confused myself a tad yesterday, as well as yourself.

    All updates in place so far; I simply wonder why I didn't have to remove KB954430 when others have had to. Today, after a good kip and with a fresh mind, I think nothing's in error.

    And I feel like I have wasted your time, when I should have looked harder at the problem myself.

    Sorry.

  9. Resetting the router:

    "Reset the router to factory defaults by holding the reset button down for 15 seconds with power on.

    * Turn off everything, the modem, router, computer.

    * Connect the modem to the router's WAN/Internet port.

    * Connect the computer to one of the router's LAN/Network ports.

    * Turn on the modem, wait for a steady connect light.

    * Turn on the router, wait for two minutes.

    * Boot the computer."

    You might have to fiddle with ipconfig (CMD screen) afterwards.

  10. @exile.

    I just got back home from the Netherlands, visiting family, so forgive me if there are other topics about this, or scold me.

    Anyway, I booted up and found two updates didn't install.

    One was the update others found problems with; the other was the Malicious Software Removal Tool app.

    Both didn't install.

    I simply downloaded the problematic update and installed it; all went fine. I didn't remove the KB954430 update beforehand, as I thought it was just auto updates playing up.

    Would you think I should leave it as is or remove KB954430?

    Afterwards the malicious software tool downloaded OK, so I guess all's OK, but I ain't sure, so here I am. :)

    Thanks, my friend.

  11. I did install IObit, then uninstalled it later.

    The toolbar was pre-checked; however, you didn't have to install it, and it didn't install if you opted out. At least it never did when I installed IObit.

    Not defending them one iota; I regard their behaviour with the database issue as theft, and I myself think it's rogue in various ways.

    Just to say, "the crappy toolbar installs without the option to opt out" was not my experience when I installed io***t.

  12. Spelling has me red-faced.

    Sometimes I wish I had gone down the glasses route instead of the eye ops; I still see double occasionally, and with all the school I missed during that time, I caught up on a lot, but spelling can still catch me out sometimes.

    Yes, Scroogle.

    Ohhh, I wish I could get you a screenshot; it would make it so much easier.

    I'll try to explain:

    If you go to that small box (the one with the magnifying glass) at the top, manage search engines and add Scroogle, then search from there, when it displays the results there's a small lock-looking thing at the bottom of the page; hovering the mouse over it, it says authenticated by GoDaddy.com.

    When you've finished spilling your tea over yourself laughing at my spelling... I hope you understood what I meant this time.
