
Bad Image Error/ Annoying Popups/ system32\SKYNET suspected


18 replies to this topic

#1 DP-ology


Posted 30 June 2009 - 10:59 PM

ANNOYING popup Bad Image error / removed Skynet trojan, MBAM finds nothing.
I've run MBAM with the LATEST updates in safe mode while I unplugged my internet and deactivated my AV software (McAfee Enterprise).
I also ran SuperAntiSpyware in the same conditions, to NO AVAIL.
I first ran MBAM a couple of days ago; it found about 20 SKYNET trojans and I removed them... Then I started getting these random popups saying blank is not a Windows image file. It also shows "system32\skynet" so I'm thinking it's still it. It seems NASTY.. PLEASE.. I have TOO many games and stuff to reformat... PLEASE help me fix it.. thanks very much in advance for the time you have, and will take. It's driving me crazy :thumbsup:



#2 quietman7


Posted 01 July 2009 - 07:17 AM

Please download RootRepeal Rootkit Detector and save it to your Desktop.
alternate download link 1
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
  • Click this link to see a list of such programs and how to disable them.
  • Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
  • Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, What do you want to include in the scan?, check all the boxes.
  • Click OK.
  • In the Select Drives dialog, Please select drives to scan:, select all drives showing, then click OK.
  • The scan can take some time to finish. Do not use the computer while the scan is running.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 DP-ology


Posted 01 July 2009 - 11:54 AM

Thanks quietman for the quick reply! When I get home to my PC I will get this done. In the meantime.. can you tell me how bad this sounds? Is this problem usually fixable? Tremendous thanks again.

#4 quietman7


Posted 01 July 2009 - 11:59 AM

You are dealing with a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

#5 DP-ology


Posted 01 July 2009 - 12:21 PM

Ok, yes I'm aware of that.. and thanks. Let me add that when I initially scanned with MBAM and found all those trojans, I removed them, THEN this started happening with the bad image popups.. but since then, as I originally stated, I haven't found anything through Kaspersky online scanner, MBAM, SuperAntiSpyware, and ATFscanner... all of which were done in safe mode with the internet plug removed. I do understand that there may be, and probably is, some hidden spyware, rootkits, and trojans still, but in your opinion, based on the scans done in safe mode, do you think we have a good chance of completely removing the remnants of skynet and fixing the bad image pop-ups???
And if I may also ask, is there a high success rate at removing these??
% values??

Thanks again Quietman7, I really really appreciate it :D

Edited by DP-ology, 01 July 2009 - 12:27 PM.


#6 quietman7


Posted 01 July 2009 - 01:31 PM

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally.

There are no shortcuts or guarantees when it comes to malware removal, especially when dealing with backdoor Trojans and rootkits. Infections will vary and some will cause more harm to your system than others as a result of having the ability to download more malicious files. Thus, sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them.

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. In those cases, disinfection requires the use of more powerful tools than we recommend in this forum...so a referral is made to the HijackThis forum to continue with the malware removal.

#7 DP-ology


Posted 01 July 2009 - 01:53 PM

Ok, thank you quietman7, that is wonderful. I am willing to fight these viruses to the bitter end, so when I get home I'll post the report from RootRepeal Rootkit Detector and we will take it from there. Thanks again, I look forward to resolving this.

#8 DP-ology


Posted 02 July 2009 - 01:25 AM

Hi, I had to scan in safe mode.. I originally saw 4 skynet stealth programs running before the RootRepeal program crashed. Here are the contents.. let me know how we can remove these bastards!

Thanks again, DAVID :thumbsup:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/01 10:00
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aj7imbih.SYS
Image Path: C:\WINDOWS\System32\Drivers\aj7imbih.SYS
Address: 0xB84A6000 Size: 421888 File Visible: No Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xB82BB000 Size: 102400 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A50000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP6990
Image Path: \Driver\PCI_NTPNP6990
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB78F1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETuugwyllo.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETuugwyllo.sys
Address: 0xB82FC000 Size: 163840 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF798B000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\SKYNETdoclkdjl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNEThmtpiyoj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETlmcmqcnd.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETnipptaod.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETuugwyllo.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\David\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\David\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\BTRLYO3N\Skynet-monder-gen-google-redirect-t243203[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\BTRLYO3N\Skynet-monder-gen-google-redirect-t243203[1].html&pid=1566945&st=15
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\VKBMN6ZY\Skynet-monder-gen-google-redirect-t243203[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\VKBMN6ZY\Skynet-monder-gen-google-redirect-t243203[1].html&pid=1566945&st=15
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\David\Favorites\Links\Lexus es300\Links\Links\NotronAntiVirus\Links\Banking and Financing\Banking and Financing\Briana Banks, Briana Banks Pics, Briana Banks Images, Briana Banks Pictures, Briana Banks Movies, Briana Banks Videos.url:favicon
Status: Locked to the Windows API!

Path: C:\Documents and Settings\David\Favorites\Links\Lexus es300\Links\Links\NotronAntiVirus\Links\Banking and Financing\Banking and Financing\77735BerryBabes @ All Internet Hot Sexy Babes Raven Riley, Jordan Capri, Brandi Belle, Kate's Playground and other..url:favicon
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
Process: System Address: 0x8b80b1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8b7441e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8b5c0680 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8b78f790 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8b78f790 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b78f790 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b78f790 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8b78f790 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b78f790 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8b78f790 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8b80c1e8 Size: 121

Object: Hidden Code [Driver: aj7imbihЅ剒敬Ёఅ䵃䥖橘-쫁蘙憙, IRP_MJ_CREATE]
Process: System Address: 0x8b68a1e8 Size: 121

Object: Hidden Code [Driver: aj7imbihЅ剒敬Ёఅ䵃䥖橘-쫁蘙憙, IRP_MJ_CLOSE]
Process: System Address: 0x8b68a1e8 Size: 121

Object: Hidden Code [Driver: aj7imbihЅ剒敬Ёఅ䵃䥖橘-쫁蘙憙, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b68a1e8 Size: 121

Object: Hidden Code [Driver: aj7imbihЅ剒敬Ёఅ䵃䥖橘-쫁蘙憙, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b68a1e8 Size: 121

Object: Hidden Code [Driver: aj7imbihЅ剒敬Ёఅ䵃䥖橘-쫁蘙憙, IRP_MJ_POWER]
Process: System Address: 0x8b68a1e8 Size: 121

Object: Hidden Code [Driver: aj7imbihЅ剒敬Ёఅ䵃䥖橘-쫁蘙憙, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b68a1e8 Size: 121

Object: Hidden Code [Driver: aj7imbihЅ剒敬Ёఅ䵃䥖橘-쫁蘙憙, IRP_MJ_PNP]
Process: System Address: 0x8b68a1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8b745790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8b745790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b745790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b745790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8b745790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b745790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8b745790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_CREATE]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_CLOSE]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_READ]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_CLEANUP]
Process: System Address: 0x8b58b790 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_PNP]
Process: System Address: 0x8b58b790 Size: 121

==EOF==

Edited by DP-ology, 02 July 2009 - 01:27 AM.
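An added example (not RootRepeal's own code and not posted by anyone in the thread): a small Python triage script for reports in the format above. It pulls out the drivers and files RootRepeal flags as hidden from the Windows API, the "Allocation size mismatch" entries that appear in the later log in this thread, and the IRP dispatch hooks grouped by driver, so the one-stub-per-driver pattern in the log (every Ntfs entry jumping to 0x8b80a1e8) is visible at a glance; the embedded report is a constructed, abridged excerpt of the log above.

```python
"""Triage a RootRepeal report (added example, not RootRepeal's own code): drivers and
files flagged as hidden from the Windows API, allocation-size mismatches, and IRP dispatch
hooks grouped by driver. SAMPLE_REPORT is a constructed, abridged excerpt of this thread's log."""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: SKYNETuugwyllo.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETuugwyllo.sys
Address: 0xB82FC000 Size: 163840 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\SKYNETdoclkdjl.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\wfv5.tmp
Status: Allocation size mismatch (API: 54263808, Raw: 45875200)

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b80a1e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ敓, IRP_MJ_CREATE]
Process: System Address: 0x8b58b790 Size: 121

==EOF==
"""

FIELDS_RE = re.compile(r"(Address|Size|File Visible|Signed|Process): ?(\S+)")
HOOK_RE = re.compile(r"Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]")
MISMATCH_RE = re.compile(r"Allocation size mismatch \(API: (\d+), Raw: (\d+)\)")
HIDDEN_RE = re.compile(r"Hidden from Windows API|Invisible to the Windows API")

def parse_record(lines):
    """One blank-line-delimited record -> {field: value}; Address/Process lines pack several
    single-token fields on one line, so those are split by key name."""
    rec = {}
    for line in lines:
        key, _, value = line.partition(": ")
        if key in ("Address", "Process"):
            rec.update(FIELDS_RE.findall(line))
        else:
            rec[key] = value.strip()
    return rec

def parse_report(text):
    """{section: [record, ...]}; a section header is any line followed by a dashed rule."""
    sections, current, block = defaultdict(list), None, []
    lines = text.splitlines()
    for line, nxt in zip(lines, lines[1:] + [""]):
        if line.strip() and nxt.startswith("---"):
            current, block = line.strip(), []
        elif current is None or line.startswith(("---", "==")):
            continue  # banner lines, the rule under a header, ==EOF==
        elif line.strip():
            block.append(line)
        elif block:
            sections[current].append(parse_record(block))
            block = []
    if block:  # a truncated log (no blank line or ==EOF== at the end) still yields its last record
        sections[current].append(parse_record(block))
    return dict(sections)

def irp_hooks(sections):
    """{driver: {"address": hidden-code address, "irps": [IRP_MJ_* ...]}}. In the thread's log
    every hooked entry of a driver lands on the same 121-byte stub, i.e. the rootkit owns the
    whole dispatch table of the storage and file-system drivers it filters."""
    hooks = defaultdict(lambda: {"address": None, "irps": []})
    for obj in sections.get("Stealth Objects", []):
        m = HOOK_RE.search(obj.get("Object", ""))
        if m:
            # The posted log shows names with trailing garbage (e.g. "CdfsЅఉ敓") where RootRepeal
            # read past the end of the string; keep only the leading printable-ASCII run.
            driver = re.match(r"[\x20-\x7e]*", m.group(1)).group(0).strip()
            hooks[driver]["address"] = obj.get("Address")
            hooks[driver]["irps"].append(m.group(2))
    return dict(hooks)

def triage(text):
    s = parse_report(text)
    files = s.get("Hidden/Locked Files", [])
    return {
        "hidden_drivers": [d["Image Path"] for d in s.get("Drivers", []) if HIDDEN_RE.search(d.get("Status", ""))],
        "hidden_files": [f["Path"] for f in files if HIDDEN_RE.search(f.get("Status", ""))],
        "size_mismatches": [(f["Path"], int(m.group(1)), int(m.group(2))) for f in files
                            if (m := MISMATCH_RE.search(f.get("Status", "")))],
        "hooks": irp_hooks(s),
    }
```

Running `triage()` over the full log above lists SKYNETuugwyllo.sys as the only hidden driver, the five SKYNET files the moderator later names, and eleven hooked drivers, each with all its IRP entries redirected to a single address.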


#9 DP-ology


Posted 02 July 2009 - 01:30 AM

Wow, I page-searched "Skynet"... how can I get rid of all those files, redirects, and every last remnant without it hiding somewhere? Your help is appreciated tremendously! :thumbsup: :flowers:

Edited by DP-ology, 02 July 2009 - 12:26 PM.


#10 quietman7


Posted 02 July 2009 - 08:35 AM

Double-click on RootRepeal.exe to launch it.
  • Click the Drivers tab, then click the Scan button.
  • Right-click on SKYNETuugwyllo.sys and then click the Wipe File option only.
  • Click on the Files tab, then click the Scan button.
  • In the Select Drives dialog, Please select drives to scan:, select all drives showing, then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Use your mouse to highlight the following files:
    Path: C:\WINDOWS\system32\SKYNETdoclkdjl.dll
    Path: C:\WINDOWS\system32\SKYNEThmtpiyoj.dat
    Path: C:\WINDOWS\system32\SKYNETlmcmqcnd.dat
    Path: C:\WINDOWS\system32\SKYNETnipptaod.dll
    Path: C:\WINDOWS\system32\drivers\SKYNETuugwyllo.sys
  • Right-click on those files and then click the Wipe File option only.
  • Exit RootRepeal and immediately restart the computer.
Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Now try to perform a Quick Scan with MBAM and post the scan log results.

#11 DP-ology


Posted 02 July 2009 - 11:06 AM

Hey Quietman7, I did the first part,
•Click the Drivers tab, then click the Scan button.
•Right-click on SKYNETuugwyllo.sys and then click the Wipe File option only.

However....
I cannot do the second part because once I hit Scan on the Files tab.. I DO NOT see those 5 files there.. I see 5, but they do not look anything like that.. they are some temp files that have very different names. Honestly - they look sketchy, and I would delete them.. however I am only going to do as directed. I've seen people F stuff up quick. But let me ask you....

Is it possible those file names are disguised? I know that sounds silly but hey, I've seen weirder things, lol.. your help is greatly appreciated.

Another thought: this second scan with RootRepeal doesn't need to be run in safe mode again, does it?? Remember- it didn't work in normal mode for me originally, I had to scan in safe mode... I'm assuming now that I'll need to run RootRepeal in safe mode to find those files??

Edited by DP-ology, 02 July 2009 - 11:14 AM.


#12 DP-ology


Posted 03 July 2009 - 12:13 AM

I wasn't able to find the five SKYNET files you said to remove.. so I went AHEAD and scanned with MBAM, newest updates.. and it found 5, removed 5, and I had to restart.. which I just did.. and BOOM! NO MORE POP UPS! However.. I know we're far from done and that these are sneaky f%#@er$ so you tell me the next step..

Thanks.. here is the Malwarebytes log

DP-ology



Malwarebytes' Anti-Malware 1.38
Database version: 2366
Windows 5.1.2600 Service Pack 3

7/2/2009 10:03:42 PM
mbam-log-2009-07-02 (22-03-42).txt

Scan type: Quick Scan
Objects scanned: 124481
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNEThmtpiyoj.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETlmcmqcnd.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETdoclkdjl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETnipptaod.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETuugwyllo.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#13 quietman7 (Global Moderator)

Posted 03 July 2009 - 06:13 AM

I'm not sure what files you are looking at, so just run RootRepeal again and post a new log. RootRepeal can be run from either safe or normal mode. If you can boot normally now, then use that mode.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#14 DP-ology (Topic Starter)

Posted 05 July 2009 - 02:08 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/04 08:37
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\windows\temp\wfv5.tmp
Status: Allocation size mismatch (API: 54263808, Raw: 45875200)

Path: c:\documents and settings\david\local settings\temp\~df1f46.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david\local settings\temp\~df49f2.tmp
Status: Allocation size mismatch (API: 172032, Raw: 0)

Path: c:\documents and settings\david\local settings\temp\~dfe66a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david\local settings\temp\~dff6f4.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\David\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\David\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: c:\documents and settings\david\local settings\temporary internet files\content.ie5\index.dat
Status: Allocation size mismatch (API: 147456, Raw: 143360)

Path: C:\Documents and Settings\David\Favorites\Links\Lexus es300\Links\Links\NotronAntiVirus\Links\Banking and Financing\Banking and Financing\Briana Banks, Briana Banks Pics, Briana Banks Images, Briana Banks Pictures, Briana Banks Movies, Briana Banks Videos.url:favicon
Status: Locked to the Windows API!

Path: C:\Documents and Settings\David\Favorites\Links\Lexus es300\Links\Links\NotronAntiVirus\Links\Banking and Financing\Banking and Financing\77735BerryBabes @ All Internet Hot Sexy Babes Raven Riley, Jordan Capri, Brandi Belle, Kate's Playground and other..url:favicon
Status: Locked to the Windows API!

#15 DP-ology (Topic Starter)

Posted 06 July 2009 - 01:48 AM

Malwarebytes' Anti-Malware 1.38
Database version: 2378
Windows 5.1.2600 Service Pack 3

7/5/2009 11:39:31 PM
mbam-log-2009-07-05 (23-39-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 307648
Time elapsed: 1 hour(s), 19 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OK, so am I still infected?? hehe :thumbsup: :flowers: :inlove: B) B) :huh: :trumpet: :huh:

Edited by DP-ology, 06 July 2009 - 01:50 AM.
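The two scanner logs in this thread (the Malwarebytes detections in post #12 and the RootRepeal "Hidden/Locked Files" list in post #14) are the kind of output a helper reads by eye when deciding whether a machine is clean. The following is an added example, not code from the thread, from Malwarebytes or from RootRepeal, that parses both formats into a triage view: MBAM file hits are grouped by the shared random-name prefix the SKYNET files use, any kernel driver under \drivers\ is flagged (the reason a rootkit scanner was the right follow-up), and each RootRepeal finding gets a priority from the author's own heuristic rules, which are an assumption rather than anything the tools report (a temp file whose raw size is 0 and SecuROM's locked DRM files are rated low; everything else is marked for review). The sample logs embedded in the block are constructed, trimmed copies of the ones in the thread, and the SecuROM file name is a placeholder.

```python
"""Triage helpers for the MBAM and RootRepeal log formats posted in this thread.
Added example, not from BleepingComputer, Malwarebytes or RootRepeal; the
priority rules in classify_rootrepeal() are the author's own heuristics."""
import re
from collections import defaultdict

# Constructed sample logs, modelled on post #12 (MBAM) and post #14
# (RootRepeal) and trimmed to a few entries each.
MBAM_SAMPLE = r"""Malwarebytes' Anti-Malware 1.38

Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNEThmtpiyoj.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETdoclkdjl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETuugwyllo.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ROOTREPEAL_SAMPLE = r"""Hidden/Locked Files
-------------------
Path: c:\windows\temp\wfv5.tmp
Status: Allocation size mismatch (API: 54263808, Raw: 45875200)

Path: c:\documents and settings\david\local settings\temp\~df1f46.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\David\Application Data\SecuROM\UserData\constructed-name
Status: Locked to the Windows API!
"""

MBAM_HEADER = re.compile(r"^(?P<section>.+ Infected):\s*$")  # e.g. "Files Infected:"
MBAM_ENTRY = re.compile(r"^(?P<path>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")
RR_MISMATCH = re.compile(r"Allocation size mismatch \(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)")
# The SKYNET hits share one upper-case prefix plus eight random lower-case
# letters; grouping by that prefix ties the driver to its user-mode DLLs.
PREFIXED_NAME = re.compile(r"^(?P<prefix>[A-Z]{3,})[a-z]{8}\.[a-z]{3}$")


def parse_mbam(text):
    """Return {section: [entry, ...]} with only real detections per detail section."""
    sections, current = defaultdict(list), None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        header = MBAM_HEADER.match(line)
        if header:                      # the "X Infected: N" summary lines do not match
            current = header.group("section")
            continue
        if not line or current is None or line.startswith("(No malicious"):
            continue
        entry = MBAM_ENTRY.match(line)
        if entry:
            sections[current].append(entry.groupdict())
    return dict(sections)


def triage_mbam(sections):
    """Group file detections by shared name prefix and flag kernel-mode drivers."""
    families, drivers = defaultdict(list), []
    for entry in sections.get("Files Infected", []):
        path = entry["path"]
        low = path.lower()
        if low.endswith(".sys") and "\\drivers\\" in low:
            drivers.append(path)        # a .sys in \drivers\ means a kernel component
        match = PREFIXED_NAME.match(path.rsplit("\\", 1)[-1])
        if match:
            families[match.group("prefix")].append(path)
    return {"families": dict(families), "kernel_drivers": drivers}


def classify_rootrepeal(path, status, api, raw):
    """Heuristic priority for one RootRepeal finding (author's assumption)."""
    low = path.lower()
    if raw == 0 and "\\temp\\" in low:
        return "low: temp file with no data on disk (deleted or still in use)"
    if "locked to the windows api" in status.lower() and "\\securom\\" in low:
        return "low: SecuROM copy protection keeps locked files here by design"
    return "review: hidden or locked file outside known-benign locations"


def parse_rootrepeal(text):
    """Return one dict per Path/Status pair in a RootRepeal hidden-files section."""
    entries, path = [], None
    for line in text.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            status = line[len("Status: "):].strip()
            match = RR_MISMATCH.search(status)
            api, raw = (int(match["api"]), int(match["raw"])) if match else (None, None)
            entries.append({"path": path, "status": status, "api": api, "raw": raw,
                            "priority": classify_rootrepeal(path, status, api, raw)})
            path = None
    return entries


if __name__ == "__main__":
    report = triage_mbam(parse_mbam(MBAM_SAMPLE))
    for prefix, paths in report["families"].items():
        drivers = sum(p in report["kernel_drivers"] for p in paths)
        print(f"{prefix}: {len(paths)} related files, {drivers} kernel driver(s)")
    for finding in parse_rootrepeal(ROOTREPEAL_SAMPLE):
        print(f"{finding['priority']:<68} {finding['path']}")
```

Run against the full logs from the thread, the MBAM half reports one SKYNET family of five files including one driver, and the RootRepeal half leaves the large temp file and the locked favicon entries as "review" items for a human to judge, which is the same split quietman7 makes by asking for a fresh RootRepeal log rather than trusting a clean MBAM quick scan alone.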