in over my head.

[mbyuser]

after installing quick time i noticed attacks comming from 0.0.0.0 this started alarm bells ringing.

so i tried on my own to figure,this led to me eventally useing tools i wasnt comfy with.

(OLT by oldtimmer,and rootrepeal) as well as a few other there just the ones that i find hard to figure.

i am not sure if to post a hi-jack log or not as i cant find anything useing that tool.

nor did i do so when i removed some other stuff that was malware.

today i moped up with Sophos threat detection test witch found Sus/TinyDL-G however that was in my system restore folder.

rootrepleal reports some hooking and some hidden code some might belong to IObit that was removed,i say that as i did find some IObit stuff i thought i had removed.however i am not sure 100% it is or isnt.

i am told the some off the hooking belongs to invald pathways.

the hidden code ive not tried to kill as that is going over my head and i dont know what it belongs to.and ive left it alone esp as it says system process.

rootrepleal log.

SSDT

-------------------

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x8565d8a0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x8565ccb0

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x8565d0d0

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x8565d6d0

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x8565d4f0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3eb40b0

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x8565d310

Stealth Objects

-------------------

Object: Hidden Code [ETHREAD: 0x8594c778]

Process: System Address: 0x8565b930 Size: 1000

i will post a hi-jack log even thou i cant find nothing there,just in case it helps.

i must admit apart from that code witch might well be legit as it is a system process i think i now might be clean,i am not sure so hence my post.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:30:48, on 25/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\WINDOWS\system32\lxdncoms.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\xxxx\Desktop\xxxxx\hm_3.2.71_beta7\hm.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/scraper.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [soundMan] "SOUNDMAN.EXE"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [HostsMan] "C:\Documents and Settings\xxxxxx\Desktop\xxxxx\hm_3.2.71_beta7\hm.exe" -s

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1253979158293

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1253979276996

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe

O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--

End of file - 4928 bytes

(i do know ive a 04 enrty quick time i should stop booting up at start up)

[mbyuser]

i no longer need help with this subject.

i was concered about;257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3eb40b0 and that hidden code.

i have since found that the above is not a rootkit.and the malware i did have has been removed.sorry just wasnt sure i had got everthing.i will make sure i need help before asking for it again.and post in the right forum,as i might need help,however this is not a malware issiue.

sorry.

[extremeboy]

Thanks for letting us know.

Since the problem appears to be resolved, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,

Extremeboy