
clickover.cn


7 replies to this topic

#1 Murray Dickie

Murray Dickie

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 13 June 2009 - 01:37 PM

When using a search engine in Internet Explorer or Firefox and clicking on a link I am being redirected to another link. The redirection starts with the display of an apparent link to clickover.cn/..... followed by a long alphanumeric string. It picks up the keywords I use in the original search. I have run Malwarebytes and McAfee.

Malwarebytes reported:-

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\NetworkService\Application Data\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\LocalService\Application Data\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.

McAfee keeps finding files starting with SKYNET... While these files get removed or quarantined, the problem keeps recurring. The last three files detected by McAfee were:-

C:\WINDOWS\TEMP\SKYNETPFVRPVRSTB.TMP
C:\WINDOWS\TEMP\SKYNETTEQOOXTFGSS.TMP
C:\WINDOWS\TEMP\SKYNETCQEPVYABSP.TMP

Hope someone can help me get out of the loop.

Murray



#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:26 PM

Posted 13 June 2009 - 04:16 PM

Hi Murray,

Please update and rerun malwarebytes. Post a fresh log. In the log, please include the version and database info. Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Murray Dickie


Posted 14 June 2009 - 08:23 AM

Hi there

Removed and downloaded new version of Malwarebytes and ran a full scan. Log pasted in below.

As no problems showing up reran McAfee and three "skynet" files show up again. Pasted in details below.

Still have the same problem when clicking on web search hyperlink. Do not have this problem when clicking on an internal link on any website.

Malwarebytes' Anti-Malware 1.37
Database version: 2274
Windows 5.1.2600 Service Pack 3

14/06/2009 11:09:26
mbam-log-2009-06-14 (11-09-26).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 381694
Time elapsed: 50 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

McAfee full scan run through BTNet Plus Protect
c:\windows\temp\Synetepmamptrr.tmp
c:\windows\temp\Synetrnssprrgpe.tmp
c:\windows\temp\Synetbqowwonrop.tmp


Not sure if this helps you.

Regards, Murray

#4 rigel


Posted 14 June 2009 - 05:18 PM

Yes that helps...

Please visit Jottis and submit those files. Post the results back here.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#5 Murray Dickie


Posted 16 June 2009 - 12:20 PM

Have failed to find and copy files. Made sure that in the Control Panel Folder option was set to display hidden files and checked both the C:\Windows\System32 and C:\Windows\temp directories. No files displayed. Also used Windows search on the C:\Windows directory with no results. Despite this both SDFix and McAfee are reporting these files!

Have run SDFix with Firewall and Antivirus functions disabled and in Safe mode. Log pasted in below.

Regards, Murray

SDFix: Version 1.240
Run by Murray Dickie on 16/06/2009 at 17:26

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 17:38:06
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\SLIPETvptjlkrn

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\SKYNETrmbeheoi.sys 98304 bytes
C:\WINDOWS\system32\SKYNETyowtuumn.dll 65536 bytes
C:\WINDOWS\system32\SKYNETappvaitj.dat 163840 bytes
C:\WINDOWS\system32\SKYNETirmmgawa.dll 32768 bytes
C:\WINDOWS\Temp\SKYNETpeobqvpjip.tmp 32768 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5


Remaining Services :




Authorized Application Key Export:


Remaining Files :



Files with Hidden Attributes :


Finished!

#6 rigel


Posted 17 June 2009 - 06:24 AM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.



#7 Murray Dickie


Posted 17 June 2009 - 07:27 AM

Hi there

This morning McAfee caught up with the problem.

Ran a quick scan and the two trojans were named DNSchanger.ad and DNSchanger.0 which create SKYNET files with random file additions after SKYNET. Characteristics are redirecting web links with the possibility of enabling identity theft.

Consulted McAfee's Threat Centre which indicated that current engine and database would remove both of them

but - if using Windows ME or XP you need to disable Restore function before running McAfee scan.

Disabled restore, rebooted, checked database current and ran McAfee, rebooted, enabled restore and created a new restore point.

This has removed my problem - no longer being redirected.

I suspect that the procedure you advised for SDFix would have solved my problem if I had disabled restore.

So grateful for all your help - I did feel that I was going mad. Hope my final experience with McAfee will help someone else out there.

Regards, Murray
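
One way to triage the catchme section of an SDFix report like the one in post #5, and to surface the fixed marker plus random suffix naming described in post #7. This is an added example, not part of the original thread or of any tool named in it; the function names and the marker heuristic (four or more capitals followed by six or more lower-case letters) are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# catchme section copied from the SDFix report posted in this thread (#5).
SAMPLE = r"""
scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\SLIPETvptjlkrn

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\SKYNETrmbeheoi.sys 98304 bytes
C:\WINDOWS\system32\SKYNETyowtuumn.dll 65536 bytes
C:\WINDOWS\system32\SKYNETappvaitj.dat 163840 bytes
C:\WINDOWS\system32\SKYNETirmmgawa.dll 32768 bytes
C:\WINDOWS\Temp\SKYNETpeobqvpjip.tmp 32768 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5
"""

SECTION_RE = re.compile(r"^scanning hidden (.+?) \.\.\.$")
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes$")
SUMMARY_RE = re.compile(r"^hidden (processes|services|files): (\d+)$")
# Assumed heuristic: fixed upper-case marker, then a random lower-case tail.
MARKER_RE = re.compile(r"^([A-Z]{4,})[a-z]{6,}$")


def parse_catchme(text):
    """Split a catchme scan into per-section entries and its own summary counts."""
    sections, summary, current = defaultdict(list), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current]  # register the section even if it stays empty
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            current = None
            continue
        if line.startswith("scan completed"):
            current = None
            continue
        if current == "files":
            m = FILE_RE.match(line)
            if m:
                sections["files"].append((m.group("path"), int(m.group("size"))))
        elif current is not None:
            sections[current].append(line)
    return {"sections": dict(sections), "summary": summary}


def count_mismatches(report):
    """Sections whose parsed entry count differs from catchme's summary line."""
    out = {}
    for name, expected in report["summary"].items():
        found = len(report["sections"].get(name, []))
        if found != expected:
            out[name] = (found, expected)
    return out


def marker_families(report, min_members=2):
    """Group hidden files and services that share an upper-case name marker."""
    families = defaultdict(list)
    for path, _size in report["sections"].get("files", []):
        m = MARKER_RE.match(PureWindowsPath(path).stem)
        if m:
            families[m.group(1)].append(path)
    for key in report["sections"].get("services", []):
        m = MARKER_RE.match(key.rsplit("\\", 1)[-1])
        if m:
            families[m.group(1)].append(key)
    return {k: v for k, v in families.items() if len(v) >= min_members}


if __name__ == "__main__":
    rep = parse_catchme(SAMPLE)
    print("count mismatches:", count_mismatches(rep))
    for marker, members in marker_families(rep).items():
        print(marker, len(members), "hidden objects")
```

A non-empty result from `count_mismatches` means the pasted log was truncated or reflowed and should be requested again before it is relied on.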

#8 rigel


Posted 17 June 2009 - 11:20 AM

Thank you for letting us know what fixed your problem :thumbsup:

Safe surfing!





