
Skynet Trojan Reinstalling after removal + Searching redirects to ads [Moved]


5 replies to this topic

#1 monnie101

Posted 24 June 2009 - 09:55 PM

Hi, it looks like you all have a lot going on here similar to what's happening to me, so I read some of others' issues and tried fixing my problem that way, but this Skynet Trojan keeps reinstalling itself. I just saw the Terminator 3 movie; if you know that movie then you know Skynet is the computer virus/network whatever that is trying to take over the world. So this seems like a weird coincidence. Or maybe that DivX movie had this virus in it. But I thought it was a music program I downloaded; from the timing of the logs when this started, that's what I figure. I posted a welcome intro post here: http://www.bleepingcomputer.com/forums/t/236406/hello-there-fellow-techies/

I always use an antivirus/firewall/Spybot Search & Destroy/etc. I used to use ZoneAlarm Security Suite but now I use McAfee because Comcast gives it to us as a free perk and it seems to find more than ZoneAlarm, which overlooked a virus once. I don't normally have Trojan/virus issues, but when I have in the past I usually resorted to reformatting. This time I did my yearly reformatting cleanup recently and I picked up a virus. I believe it was from a torrent I downloaded, which was of a music program. I use a lot of programs and produce electronica. I'm a struggling music artist with a CD out soon and just finishing up the cover, but this virus/Trojan has been holding me up for the 3-4 days I've been trying to fix it myself.

When this first started, a fake antivirus program came up named "System Security" and started scanning. Something that crazy has never happened to me before. It was as if it was taking over my computer, because it wouldn't allow me to bring up Task Manager for a while and my Windows System Restore dates are all gone so I can't roll back! I know Windows System Restore sucks anyway. I wish I could have gotten Norton GoBack (formerly Roxio and Gateway GoBack), which lets you roll back even if you can't get to the desktop. I did some research and that fake antivirus actually can be named a bunch of different things with the same graphics for a GUI. I downloaded like 4 of the top antivirus programs and nothing has gotten rid of this Skynet Trojan, which seems to always come back named SkynetWHATEVER.

I've scanned in Windows XP and removed it, but when I use Yahoo or Google's search engine it still redirects me to ad sites on clicking. In order to use a search engine I have to right-click and copy the link, then paste it in the address bar; otherwise, if I click, it redirects to ad sites. I always use and update Spybot Search and Destroy, and always immunize. So usually now nothing shows up in it. But when I finally think I have gotten rid of the virus, it still shows up in McAfee or Malwarebytes' Anti-Malware. I thought I had finally gotten it just now. After scanning in safe mode and manually deleting the Skynet files that showed up in antivirus over and over, I booted into XP and now an error pops up for every program opening: "The application or DLL globallroot\system32\SKYNETkdueliyy.dll is not a valid windows image. Please check this against your installation diskette." It seemed as if this Skynet virus was trying to reinstall itself every time a program was opening! But it seemed like the virus was gone because I was able to Google search again without getting redirected to ad sites. But I couldn't stand this error always popping up. So I rebooted the computer into safe mode and ran Malwarebytes' Anti-Malware. Again, Skynet is back.

I'm supposed to be working on this cover to send my CD to pressing and also editing some video. I'm so frustrated. For 4 days I have been trying to get rid of this virus. I'm really tempted to reformat. I've learned to set up my computer so that it makes it easier for me to reformat and back things up so I don't have to reinstall everything.

My drives are set up like this:
C Drive (300GB Drive Partitioned)\ 60GB = System Drive
D Drive (300GB Drive Partitioned)/ 240GB My Games and Music Programs. Usually programs that can work without being reinstalled or so settings save.
E Drive 1TB Drive (My music, Sample Library, Movies, Video Production Projects)

Here are a few examples of what I am getting. Let me know if I should post a HiJack This log.

VIRUSES and TROJANS - McAfee Security Center (Always Updated)
-------------------------------------------------------------
Generic Rootkit.d!rootkit (Trojan) File: NTOSKRNL-Hook
C:\WINDOWS\TEMP\SKYNETDMEBCIOUOW.TMP = DNSChanger.o (Trojan)
C:\WINDOWS\SYSTEM32\SKYNETDUELIYY.DLL = DNSChanger.o (Trojan)

Spy-Agent.bw!mem (Trojan) Process: c:\WINDOWS\system32\winlogon.exe
Generic PWSy!hv.i (Trojan) FILE: C:WINDOWS\TEMP\8.TMP

BUFFER OVERFLOWS Example:
C:\RECYCLER\S-1-5-21-6785386496-6871692912-147512470-8883\svhost.exe


Ad-Aware (Updated)
-------------------------------------------------------------
Win32.TrojanSmall (Malware)
Win32.TrojanSpy (Malware)


Here is a Malwarebytes log I just took a second ago:

Malwarebytes' Anti-Malware 1.38
Database version: 2332
Windows 5.1.2600 Service Pack 3

6/24/2009 10:56:23 PM
mbam-log-2009-06-24 (22-56-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203708
Time elapsed: 34 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNETkdueliyy.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\SKYNETrqpmpotr.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\drivers\SKYNETbrrnvvrg.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Edited by monnie101, 24 June 2009 - 09:59 PM.


#2 Orange Blossom

Posted 24 June 2009 - 09:59 PM

Hello monnie101,

Good description of your issues.

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum so you can receive more immediate assistance.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Orange Blossom :thumbsup:

#3 boopme

Posted 24 June 2009 - 10:06 PM

Hello monnie101

EDIT: I meant to put this here. It looks like we will be removing a nasty rootkit. If wiping the drive and reinstalling is an easy process for you then it would be what I would do if this were mine. To continue cleaning.


Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 24 June 2009 - 10:09 PM.

#4 Waffa

Posted 28 June 2009 - 07:16 PM

Actually, the new version of SkyNet does not allow you to install SuperAntispyware... or Nod32... It does allow you to install Avast, but Avast did not remove the virus.


And also things in this URL should help: http://support.microsoft.com/kb/313222

Anyway, good luck :)


EDIT: Removed batch file instructions - Not allowed in this forum

Edited by garmanma, 29 June 2009 - 09:31 AM.


#5 Waffa

Posted 28 June 2009 - 07:19 PM

PS, I think it MIGHT be a little newer version than this: http://vil.nai.com/vil/content/v_1115.htm

Skynet:

Type Virus
SubType File Infector
Discovery Date 04/01/1994

Risk Assessment:
Corporate User Low
Home User Low

;)

#6 Blade

Posted 29 June 2009 - 02:17 AM

PS, I think it MIGHT be a little newer version than this: http://vil.nai.com/vil/content/v_1115.htm

Skynet:

Type Virus
SubType File Infector
Discovery Date 04/01/1994

Risk Assessment:
Corporate User Low
Home User Low

;)


Hello Waffa,

The virus you referred to in the quoted post above is in no way related to what monnie101 has on his system. Completely different virus; different symptoms, different filenames, different behavior. And it's over 15 years old... it runs in DOS.

Malware research can be a tricky business :thumbsup:

Back to you, boopme...

~Blade
