Rootkit.TDSS/SKYNET Browser Search Hijacker


7 replies to this topic

#1 layladee

  • Members
  • 8 posts
  • Gender:Female
  • Location:Columbia, MO

Posted 27 June 2009 - 04:45 PM

At about 1:00pm today Spyware Doctor alerted me to a high-risk infection attempting to gain access. Since then, every time I open up a Firefox window I get the same warning, and when I do a Google search and click on any resulting link, I am redirected to an alternate site. (I never use Internet Explorer, but tried it, and the same thing happened.)

I have reinstalled Firefox, ran AVG with no results, ran Spyware Doctor, ran Glary Utilities registry cleaner, ran at least 3 types of rootkit removal programs, and restarted my computer several times, but I am still kind of stuck.

Root Repeal is the only thing that is showing the SKYNET hidden files on my computer, but even after "wiping" the files and rerunning the program, everything is just like it was.

I need some outside help because I don't want to keep messing around and end up making things worse. I had to completely format my computer a year ago, and I really, really do not want to do that again.

I am on Windows XP, Mozilla Firefox 3.0.11.
Thanks in advance for your help and time,
Layla

Here is what Root Repeal just gave me:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/27 16:32
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xACCD1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7A5B000 Size: 2560 File Visible: No Signed: -
Status: -

Name: PCI_PNP8482
Image Path: \Driver\PCI_PNP8482
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: phooks.sys
Image Path: phooks.sys
Address: 0xF7707000 Size: 23552 File Visible: No Signed: -
Status: -

Name: SKYNETvakybyjo.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys
Address: 0xACF90000 Size: 163840 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: spmv.sys
Image Path: spmv.sys
Address: 0xF74D6000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\SKYNETmbyxuwqb.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETvfqqomti.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETwumodibp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETyioyxejb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcvtneeismu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjqwinmnrpr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpecbdibcrj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuctccdtigi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxgvgqdetuw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys
Status: Invisible to the Windows API!


Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: winlogon.exe (PID: 744) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: services.exe (PID: 792) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: lsass.exe (PID: 804) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: Ati2evxx.exe (PID: 984) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETyioyxejb.dll]
Process: svchost.exe (PID: 1008) Address: 0x008d0000 Size: 57344

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 1008) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 1100) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 1236) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 1312) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: Ati2evxx.exe (PID: 1368) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 1544) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: spoolsv.exe (PID: 1648) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: Explorer.EXE (PID: 2040) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: RTHDCPL.EXE (PID: 436) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: avgtray.exe (PID: 460) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: pctsTray.exe (PID: 484) Address: 0x01900000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: iTunesHelper.exe (PID: 544) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: jusched.exe (PID: 560) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: ctfmon.exe (PID: 584) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: CCC.Implementation.DLL]
Process: MOM.exe (PID: 592) Address: 0x03bb0000 Size: 36864

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
Process: MOM.exe (PID: 592) Address: 0x011b0000 Size: 45056

Object: Hidden Module [Name: MOM.Implementation.DLL]
Process: MOM.exe (PID: 592) Address: 0x01110000 Size: 118784

Object: Hidden Module [Name: LOG.Foundation.DLL]
Process: MOM.exe (PID: 592) Address: 0x01140000 Size: 45056

Object: Hidden Module [Name: MOM.Foundation.DLL]
Process: MOM.exe (PID: 592) Address: 0x012e0000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
Process: MOM.exe (PID: 592) Address: 0x011c0000 Size: 69632

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
Process: MOM.exe (PID: 592) Address: 0x01500000 Size: 28672

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: MOM.exe (PID: 592) Address: 0x01520000 Size: 307200

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
Process: MOM.exe (PID: 592) Address: 0x03c20000 Size: 36864

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: MOM.exe (PID: 592) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: em_exec.exe (PID: 688) Address: 0x003e0000 Size: 32768

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05310000 Size: 36864

Object: Hidden Module [Name: CCC.Implementation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01120000 Size: 36864

Object: Hidden Module [Name: CLI.Foundation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01160000 Size: 86016

Object: Hidden Module [Name: MOM.Foundation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01150000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01140000 Size: 45056

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01190000 Size: 69632

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01180000 Size: 28672

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: ccc.exe (PID: 1196) Address: 0x011c0000 Size: 307200

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01220000 Size: 45056

Object: Hidden Module [Name: CLI.Foundation.XManifest.DLL]
Process: ccc.exe (PID: 1196) Address: 0x01670000 Size: 36864

Object: Hidden Module [Name: AxInterop.WBOCXLib.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03d60000 Size: 36864

Object: Hidden Module [Name: MOM.Implementation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03cb0000 Size: 118784

Object: Hidden Module [Name: CLI.Component.SkinFactory.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03cd0000 Size: 69632

Object: Hidden Module [Name: LOCALIZATION.Foundation.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03cf0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03d30000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03d10000 Size: 86016

Object: Hidden Module [Name: CLI.Foundation.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03d50000 Size: 53248

Object: Hidden Module [Name: AEM.Server.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03da0000 Size: 53248

Object: Hidden Module [Name: ATICCCom.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03d80000 Size: 45056

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03d70000 Size: 28672

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x03dc0000 Size: 36864

Object: Hidden Module [Name: DEM.Graphics.I0601.DLL]
Process: ccc.exe (PID: 1196) Address: 0x044a0000 Size: 53248

Object: Hidden Module [Name: AEM.Plugin.DPPE.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04110000 Size: 28672

Object: Hidden Module [Name: Interop.WBOCXLib.DLL]
Process: ccc.exe (PID: 1196) Address: 0x040c0000 Size: 36864

Object: Hidden Module [Name: AEM.Server.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04090000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.Source.Kit.Server.DLL]
Process: ccc.exe (PID: 1196) Address: 0x040b0000 Size: 53248

Object: Hidden Module [Name: AEM.Plugin.WinMessages.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04380000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.Hotkeys.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04250000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04540000 Size: 28672

Object: Hidden Module [Name: DEM.Foundation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x044b0000 Size: 28672

Object: Hidden Module [Name: ATIDEMGX.dll]
Process: ccc.exe (PID: 1196) Address: 0x04550000 Size: 438272

Object: Hidden Module [Name: LOCALIZATION.Foundation.Implementation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x045e0000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.HydraVision.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04620000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.HydraVision.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04630000 Size: 28672

Object: Hidden Module [Name: AEM.Actions.CCAA.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04640000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04ed0000 Size: 69632

Object: Hidden Module [Name: AEM.Plugin.GD.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04fd0000 Size: 28672

Object: Hidden Module [Name: DEM.OS.I0602.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04f70000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04f00000 Size: 299008

Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04f60000 Size: 36864

Object: Hidden Module [Name: DEM.Graphics.I0709.dll]
Process: ccc.exe (PID: 1196) Address: 0x04fa0000 Size: 28672

Object: Hidden Module [Name: DEM.OS.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04f80000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0804.dll]
Process: ccc.exe (PID: 1196) Address: 0x05030000 Size: 28672

Object: Hidden Module [Name: ATIDEMOS.DLL]
Process: ccc.exe (PID: 1196) Address: 0x04fe0000 Size: 94208

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.Shared.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x051f0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x051b0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x051d0000 Size: 77824

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x051c0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05280000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05210000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05200000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05220000 Size: 45056

Object: Hidden Module [Name: DEM.Graphics.I0706.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05270000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0805.dll]
Process: ccc.exe (PID: 1196) Address: 0x05250000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x052b0000 Size: 77824

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05290000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05300000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05f10000 Size: 413696

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x054a0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05350000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05320000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05340000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05360000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05430000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05400000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x053f0000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05410000 Size: 69632

Object: Hidden Module [Name: DEM.Graphics.I0712.dll]
Process: ccc.exe (PID: 1196) Address: 0x05440000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05450000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05480000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05690000 Size: 217088

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x054c0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x054e0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Runtime.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05500000 Size: 94208

Object: Hidden Module [Name: APM.Server.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05520000 Size: 69632

Object: Hidden Module [Name: APM.Foundation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05660000 Size: 28672

Object: Hidden Module [Name: atixclib.DLL]
Process: ccc.exe (PID: 1196) Address: 0x056f0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x056d0000 Size: 53248

Object: Hidden Module [Name: CLI.Caste.HydraVision.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05780000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Runtime.Extension.EEU.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05910000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Client.Shared.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05940000 Size: 53248

Object: Hidden Module [Name: AEM.Plugin.EEU.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05930000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Client.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05960000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05970000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05980000 Size: 36864

Object: Hidden Module [Name: Branding.dll]
Process: ccc.exe (PID: 1196) Address: 0x059b0000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x059c0000 Size: 53248

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x059d0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05ae0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05a70000 Size: 413696

Object: Hidden Module [Name: CLI.Component.Systemtray.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05d80000 Size: 552960

Object: Hidden Module [Name: CLI.Component.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06b60000 Size: 1085440

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.Private.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05f90000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05fa0000 Size: 86016

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.Shared.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05fc0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.Welcome.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x05fd0000 Size: 151552

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06000000 Size: 233472

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06050000 Size: 135168

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x060d0000 Size: 479232

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06090000 Size: 102400

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06160000 Size: 118784

Object: Hidden Module [Name: CLI.Caste.HydraVision.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06180000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06340000 Size: 1699840

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06900000 Size: 700416

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x067f0000 Size: 372736

Object: Hidden Module [Name: CLI.Aspect.HydraVision.Wizard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06a00000 Size: 315392

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: ccc.exe (PID: 1196) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06e30000 Size: 446464

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06d70000 Size: 724992

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x070d0000 Size: 806912

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x06f50000 Size: 684032

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x07220000 Size: 389120

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x071a0000 Size: 462848

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x073f0000 Size: 823296

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL]
Process: ccc.exe (PID: 1196) Address: 0x07280000 Size: 602112

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 1396) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: ACService.exe (PID: 1244) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: AppleMobileDeviceService.exe (PID: 1612) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: avgwdsvc.exe (PID: 1740) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: mDNSResponder.exe (PID: 1960) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 188) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: jqs.exe (PID: 408) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 580) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 1528) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: RichVideo.exe (PID: 1968) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: pctsAuxs.exe (PID: 2104) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: avgrsx.exe (PID: 2160) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: avgnsx.exe (PID: 2172) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: pctsSvc.exe (PID: 2216) Address: 0x00f80000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: hpqSRMon.exe (PID: 2532) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: svchost.exe (PID: 2564) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: avgemc.exe (PID: 2648) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: avgcsrvx.exe (PID: 2792) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: jusched.exe (PID: 3760) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: iPodService.exe (PID: 2684) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: alg.exe (PID: 3632) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: firefox.exe (PID: 3808) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: googletalkplugin.exe (PID: 3868) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: RootRepeal.exe (PID: 5376) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89b7c500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a15c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a15c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a15c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a15c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a15c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a15c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INT

Hidden Services
-------------------
Service Name: SKYNETdadeayuf
Image Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys

==EOF==
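The report above is long, but it has a regular layout (a section heading over a dashed rule, then blank-line-separated `Key: value` records), which makes it practical to triage by script rather than by eye. The following Python is an added example written for this thread; it is not part of RootRepeal and not code posted by anyone here. It parses that layout and then separates the indicators by how they correlate: a module that is both injected into many processes (the Stealth Objects section) and invisible on disk (the Hidden/Locked Files section) is the rootkit's own payload, whereas a "Hidden Module" with no matching hidden file, such as the ATI Catalyst .NET assemblies listed under ccc.exe, is loader noise rather than malware. It also summarizes the `Hidden Code` entries per driver, where one hook address repeated across every IRP major function of Ntfs, Fastfat and Cdrom is the pattern of a swapped dispatch table. The sample report embedded in the block is a constructed, shortened excerpt of the report in this post.

```python
import re
from collections import defaultdict
# Constructed excerpt in RootRepeal's layout, built from the report above (shortened).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Drivers
-------------------
Name: SKYNETvakybyjo.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\SKYNETvfqqomti.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: winlogon.exe (PID: 744) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETvfqqomti.dll]
Process: firefox.exe (PID: 3808) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: MOM.Foundation.DLL]
Process: ccc.exe (PID: 1196) Address: 0x012e0000 Size: 28672

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a55f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a55f1f8 Size: 121

Hidden Services
-------------------
Service Name: SKYNETdadeayuf
Image Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys

==EOF==
"""
KEYS = "Image Path|Service Name|File Visible|Name|Address|Size|Signed|Status|Path|Object|Process"
FIELD_RE = re.compile(rf"({KEYS}): (.*?)(?=\s+(?:{KEYS}): |$)")  # several fields share a line
UNDERLINE = re.compile(r"^-{5,}$")
MODULE_RE = re.compile(r"Hidden Module \[Name: (.+)\]")
CODE_RE = re.compile(r"Hidden Code \[Driver: (\w+), (IRP_MJ_\w+)\]")
PROC_RE = re.compile(r"(.+?) \(PID: (\d+)\)")


def parse_report(text):
    """Return {section: [record, ...]}; a record is one blank-line-separated block."""
    lines = [ln.rstrip() for ln in text.splitlines()] + [""]  # sentinel closes the last record
    sections, current, record = defaultdict(list), None, {}
    for i, line in enumerate(lines):
        heading = i + 1 < len(lines) and UNDERLINE.match(lines[i + 1])
        if heading or not line.strip():  # a heading or a blank line closes the open record
            if current is not None and record:
                sections[current].append(record)
            record = {}
            current = line.strip() if heading else current
        elif current is not None and not UNDERLINE.match(line) and line[0] != "=":
            record.update(FIELD_RE.findall(line))  # banner, underline and ==EOF== are skipped
    return dict(sections)


def hidden_files(report):
    """Paths invisible to the Windows API: what a RootRepeal wipe-file step is built from."""
    return sorted(r["Path"] for r in report.get("Hidden/Locked Files", []) if "Invisible" in r.get("Status", ""))


def injected_modules(report):
    """Hidden-module name -> sorted (process, pid) pairs it was found in."""
    seen = defaultdict(set)
    for r in report.get("Stealth Objects", []):
        m, p = MODULE_RE.match(r.get("Object", "")), PROC_RE.match(r.get("Process", ""))
        if m and p:
            seen[m.group(1)].add((p.group(1), int(p.group(2))))
    return {name: sorted(v) for name, v in seen.items()}


def hooked_dispatch(report):
    """Driver -> sorted (IRP_MJ_* entry, hook address); one address repeated across a driver's major functions is a replaced dispatch table."""
    hooks = defaultdict(set)
    for r in report.get("Stealth Objects", []):
        m = CODE_RE.match(r.get("Object", ""))
        if m:
            hooks[m.group(1)].add((m.group(2), r.get("Address", "")))
    return {drv: sorted(v) for drv, v in hooks.items()}


def triage(report):
    """Confirm a hidden module only when its file is also hidden on disk; ccc.exe's .NET assemblies are listed as 'hidden' too, which is loader noise."""
    on_disk = {p.rsplit("\\", 1)[-1].lower() for p in hidden_files(report)}
    mods = injected_modules(report)
    return {
        "confirmed": {n: v for n, v in mods.items() if n.lower() in on_disk},
        "unconfirmed": sorted(n for n in mods if n.lower() not in on_disk),
        "hidden_drivers": [r["Name"] for r in report.get("Drivers", []) if "Hidden" in r.get("Status", "")],
        "hidden_services": [(r["Service Name"], r["Image Path"]) for r in report.get("Hidden Services", [])],
        "hooked_drivers": {d: len(v) for d, v in hooked_dispatch(report).items()},
    }


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

On a saved report, `triage(parse_report(open("report.txt").read()))` gives the same summary. The file/module correlation is a heuristic: it would miss a payload whose file is not hidden, so `unconfirmed` means "needs a second look", not "clean". The `hidden_files` list, on the other hand, is exactly the set of paths a wipe-file step in RootRepeal is built from, which is why extracting it mechanically beats copying it by hand.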


#2 Sprachinseln

  • Members
  • 3 posts
  • Gender:Male
  • Location:Wexford, PA

Posted 27 June 2009 - 04:54 PM

I had similar issues with a SKYNET trojan. None of the major AV programs seemed to work in removing it (NAV, McAfee, AVG, MBAM, SSD).
A programmer finally pointed me to AVAST. I downloaded the free home edition, unloaded my Symantec product, installed AVAST, updated it to the latest version, and ran it.
It found all 4 occurrences and deleted them.
Give it a try.

#3 layladee
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Female
  • Location:Columbia, MO

Posted 28 June 2009 - 12:22 AM

I installed Avast and it did seem to detect and get rid of the problem. (I'm still running scans, so I'm not 100% sure yet.) The irony is that back when I had Avast a year ago, it didn't detect the trojan that I got, so I quit using it and started using AVG, and now AVG could not prevent this, so I am back to Avast.

I don't know which program to drop! :thumbsup:

#4 honeyb

  • Members
  • 4 posts

Posted 29 June 2009 - 03:11 PM

Hi, I'd like to share my own skynet rootkit experience with you - and how it was resolved! :flowers:

Before I begin, I must say that I was being "protected" by McAfee Security Suite, as offered through our Comcast service. Obviously, it did not stop or find these problems, so I have deleted McAfee altogether now. There is no free lunch, I am afraid.

Anyway, I spent the last 6 days trying to fix my own skynet rootkit problem. It began with a hijacking, and devolved into a series of other errors, all stemming from this skynet thing. But, the bottom line is:

AVG Internet Security ROCKS! I downloaded the 30-day trial of their full program. I ran a scan and a rootkit scan and it found a lot of trojans (deleted them all) and it found the skynet rootkits. It did not delete them, but I went to their 24/7 support, emailed them, and they replied within 10 minutes. Within a few hours of my email request, they were offering support (at no charge) whereby their people remotely worked on my computer, and in a little over an hour, they had the problem fixed!!!!

I WILL be buying the AVG protection! It is worth the investment.

Don't mess around if you have SKYNET Rootkit problems. Get AVG and get on with your life!

Good luck,
Honeyb

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 June 2009 - 03:18 PM

Hi, please run the next steps.
I recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time.

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\SKYNETmbyxuwqb.dat
C:\WINDOWS\system32\SKYNETvfqqomti.dll
C:\WINDOWS\system32\SKYNETwumodibp.dat
C:\WINDOWS\system32\SKYNETyioyxejb.dll
C:\WINDOWS\Temp\SKYNETcvtneeismu.tmp
C:\WINDOWS\Temp\SKYNETjqwinmnrpr.tmp
C:\WINDOWS\Temp\SKYNETpecbdibcrj.tmp
C:\WINDOWS\Temp\SKYNETuctccdtigi.tmp
C:\WINDOWS\Temp\SKYNETxgvgqdetuw.tmp
C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Edited by boopme, 29 June 2009 - 03:21 PM.

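The procedure above is manual: find the SKYNET-named entries in RootRepeal's Files tab, wipe them, reboot, and rescan. The original poster reported that after a wipe and rescan "everything is just like it was", so the useful check is to compare two scans and see whether the same files came back or the rootkit dropped new ones under fresh random names. The following is an added Python example, not code from the thread or from RootRepeal. It assumes RootRepeal's report uses the "Path:" / "Status:" line pairs shown in the sample (layout assumed), the name pattern is inferred only from the ten file names in boopme's list, and both scan texts are constructed: the SKYNET paths in the first one are copied from the post, the benign entries and the whole second scan are made up for contrast.

```python
import re
from typing import Dict, List, Tuple

# File-name pattern inferred only from the list boopme posted above: a fixed
# "SKYNET" prefix, a run of random lowercase letters (8 for .dat/.dll/.sys and
# 10 for .tmp in that list), and one of four extensions. The 8-10 length range
# is an assumption drawn from those ten names, not a published signature.
SKYNET_NAME = re.compile(r"^SKYNET[a-z]{8,10}\.(?:dat|dll|sys|tmp)$")

# Constructed sample in the "Path:" / "Status:" line layout RootRepeal uses for
# its Files tab (layout assumed). The SKYNET paths are the ones from the post;
# the two other entries are invented benign files so the filter has something
# to reject.
SCAN_BEFORE = r"""
Path: C:\WINDOWS\system32\SKYNETmbyxuwqb.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\SKYNETvfqqomti.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\SKYNETcvtneeismu.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\PCTCore.sys
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Layla\Local Settings\Temp\~DF1234.tmp
Status: Locked to the Windows API!
"""

# Constructed second scan, as if taken after wiping and rebooting: the driver
# survived and the rootkit dropped a temp file under a fresh random name.
SCAN_AFTER = r"""
Path: C:\WINDOWS\system32\drivers\SKYNETvakybyjo.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\SKYNETabcdefghij.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\PCTCore.sys
Status: Locked to the Windows API!
"""


def parse_rootrepeal_files(text: str) -> List[Tuple[str, str]]:
    """Pair each 'Path:' line with the 'Status:' line that follows it."""
    entries: List[Tuple[str, str]] = []
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append((path, line[len("Status:"):].strip()))
            path = None
    return entries


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def skynet_files(entries: List[Tuple[str, str]]) -> List[str]:
    """Paths whose file name matches the SKYNET naming pattern, scan order kept."""
    return [p for p, _ in entries if SKYNET_NAME.match(basename(p))]


def wipe_list(entries: List[Tuple[str, str]]) -> List[str]:
    """SKYNET files that RootRepeal reports as hidden, with the driver listed
    last so the .sys sits where it does in boopme's list."""
    hidden = [p for p, status in entries
              if status.startswith("Invisible") and SKYNET_NAME.match(basename(p))]
    return sorted(hidden, key=lambda p: p.lower().endswith(".sys"))


def compare_scans(before: List[Tuple[str, str]],
                  after: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Which SKYNET files survived the wipe, which were recreated under new
    names, and which are actually gone."""
    b, a = set(skynet_files(before)), set(skynet_files(after))
    return {"persisted": sorted(b & a), "new": sorted(a - b), "gone": sorted(b - a)}


if __name__ == "__main__":
    first = parse_rootrepeal_files(SCAN_BEFORE)
    second = parse_rootrepeal_files(SCAN_AFTER)
    print("Wipe these first:")
    for p in wipe_list(first):
        print("  " + p)
    for label, paths in compare_scans(first, second).items():
        print(f"{label}: {paths}")
```

Run it against two saved RootRepeal reports instead of the constructed strings. A non-empty "new" list after a wipe-and-reboot cycle means the names changed rather than the files staying gone, which is the situation the first post describes and the reason the thread moves on to a full scanner run rather than more manual wiping.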

#6 layladee
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Location:Columbia, MO

Posted 29 June 2009 - 03:20 PM

Thanks for the suggestions. I will look into upgrading AVG, sounds like it is worth it.

#7 layladee
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female
  • Location:Columbia, MO

Posted 01 July 2009 - 02:02 AM


My last scan through Spyware Doctor found and quarantined all instances of the rootkit. I just opened RootRepeal up and did another scan, and nothing came up in the drivers or files. The only "Yes" entries I got were in the SSDT section, and I think I have narrowed PCTCore.sys down to PCTools (Spyware Doctor), but I have yet to figure out what spnf.sys is.

Since I'm not having any obvious problems, should I be assured that I am all clean?

Any problems with running AVG free version along with Spyware Doctor(without the antivirus part)? That is what I have been doing for the past year...

Thanks for everyone's help!
Layla

#8 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 July 2009 - 03:18 PM

Hi Layla
OK, this looks clean and there should be no problem running those 2 applications together.
I failed to mention this to you earlier.
A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking, financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

The other item is related to PCTools. Perhaps now that the malware is gone, you can uninstall and reinstall PCTools and see if it was just a corrupted file.

Edited by boopme, 01 July 2009 - 03:21 PM.
