Definitely infected.. by a trojan/worm called SKYNET


  • This topic is locked
8 replies to this topic

#1 pjvex86 (Members, 41 posts)
Posted 05 July 2009 - 10:55 AM

Hello....

I have had a bug (perhaps a virus, trojan, or a worm, or a combination of all of them, but the symptoms only indicate a rootkit), and have dealt with it since January/February of this year. It has managed to survive everything I have thought of doing, and I consider myself reasonably computer savvy.

While there is one caveat (see end) to this ostensibly astonishing list of attempted remedies, I thought it would be of interest to note the severity/ingenuity of this bug (or to just note my likely weariness in dealing with it, given the number of things I have either tried to do to kill this bug, or just energy expended), by showing you this list:

1. Used free/standard AV software (late January, 2009)
2. Used commercial AV software (early February, 2009)
3. Reinstalled Windows (32 bit Vista Home Premium from HP factory CDs) (late February, 2009)
4. Wiped the drive and reinstalled Windows (32 bit Vista Home Premium from HP factory CDs) (late February, 2009)
5. Wiped the drive and changed version of Windows (to Windows 7 RC1, Build 7100 -- downloaded from a clean machine using the MS download manager) (early March, 2009)
6. Read Windows Vista Management and Administration (Abbate, Walker & Chimner, 2008), Windows Command Line 2nd Edition (Stanek, 2008), and Microsoft Windows Registry Guide (Honeycutt, 2005), for purposes of understanding Windows Vista and the registry better so as to eradicate this bug
7. Wrote several lengthy batch programs to kill this bug, to no avail.
8. Removed wireless NIC
9. Spent 3 months on Sevenforums.com, a board specializing in all things Windows 7, discussing my problem in the Security Forum, until the thread was closed, presumably because some thought I was not being truthful in what was actually happening (through April, 2009)
10. Purchased a new laptop (April 11, 2009) -- HP dv4 1225dx x64 with Vista Home Premium 64 bit
11. Wiped the drive and changed the type of OS (to a Debian/Ubuntu Linux or a derivative thereof, including Ubuntu Intrepid (8.10), Linux Mint 6 (based on Ubuntu 8.10), and Linux Mint 7 (based on Ubuntu Jaunty? (9.1)), and Backtrack 4 pre-final (also based on Ubuntu 9.1) -- most all downloaded from a known clean machine) (April, 2009 to present)
12. Increased the dosage of my antidepressant (May, 2009)
13. For convenience, wiped the drive and installed dual boot Vista HPrem x64 (factory disks) and Linux Mint x64 (downloaded from a clean machine)
14. With confidence eroding, replaced Vista HPrem x64 with a modified Windows Vista Ultimate 32 bit (downloaded from a torrent), primarily because of the quirkiness of a 64 bit OS and because this modded version only had an Administrator user enabled on startup and the creator removed a lot of superfluous Windows services and other items which (I believed) made everything more difficult.

OK... now you should know that #10, above (new laptop purchase) would have been the end of it except for MY stupidity. Though I know better, I absent-mindedly stuck a USB flash drive in the new laptop which had been used once or twice in the old (infected) laptop. Further, I will admit, given the stress caused by the time and energy I have spent on this, but more importantly the severity of this bug, for a while I did become a bit over-defensive and started disabling several devices (mostly network adapters) in Windows and some non-essential services due to various theories I had as to the nature of this bug. This unknowingly caused more problems which I then attributed to the trojan/rootkit. So some of the energy expended in trying to defeat it over the last 6 months has only served to increase my problem.

Basic Description of Symptoms: As I state above, this bug seems like a rootkit, or that I am now part of a botnet or something. There aren't any actual malicious acts going on like my hard drive disappearing. But it uses bandwidth and other system resources, and if I start doing things that interfere with that, it seems to exert control in some way. If I try to stop or delete whatever process I believe is causing this, I get "Access Denied" or I am similarly blocked. Also, please do not give me any pedantic warnings to not use the Administrator user... I say this for two reasons: A) I never would typically, but since I have had this bug, I am already in an active domain or under some ACL/group policy which renders my user rights inferior to those who have access to my system, and B) I do not even think I am Administrator, even though that is my user name --- if memory serves, in HKCU the admin user has the suffix of "1000"; every time I check the registry and notice the users (and there is only 1 or maybe 2 (with the long network SID or whatever)), I as Administrator am always "-500".

I have volumes of info, handwritten pages, screenshots, files, photos!, showing either evidence or what I suspected was evidence of it, so I do not really know what to include now. It doesn't really show up on HJT. However, I recently had a breakthrough when I borrowed my dad's laptop. Of course, not meaning to, I infected it, but the upside was that his already installed (i.e., non-hooked) Trend Micro anti-virus software managed to kill a key .dll of it. For the first time I am actually seeing names of files associated with this trojan. On my dad's laptop, I most recently tried the usual heavy artillery of SAS, MBAM (all renamed on download and then after installation, and then executed in safe mode), and then ran combofix as a last resort. I renamed it on download, put it on the root directory, rebooted into safe mode, and tried to run it. However, all during this process (and during anything that involves access to the Windows OS (which is Vista Basic 32 bit)), I receive an error (it is incessant actually), which states as follows:

In the title of the dialog box is the application, process, service, etc. (e.g., when I ran combofix, I got grep, sed, attrib, and a host of other files that CF was obviously trying to run) followed by "Bad Image", so for instance right now my dad's laptop has an error dialog box like this:

CHCP.COM - BAD IMAGE (Title bar of Dialog Box)

globalroot\systemroot\system32\SKYNETowmuvcnp.dll is either not
designed to run on Windows or it contains an error. Try installing the
program again using the original installation media or contact your
system administrator or software vendor for support.




Also, the following are things I KNOW beyond any doubt are involved in some way with this bug... the use of IPv6, Conficker-like access to the web and updating of itself -- wireless access to the web is preferred, but it will use ethernet, and more importantly, will use any other protocol it can, from 6to4, Teredo, ISATAP, or others -- for a while I thought Bluetooth was involved until I realized my laptop was not Bluetooth enabled, but L2CAP, RFCOMM, SDP, and SCO, all protocols of the Bluetooth stack, seem to be pretty important to it. I am pretty sure (but I know now that I can be wrong) that it uses mDNS and D-Bus in some very sneaky way -- for example, whether in Windows or Linux, my routing table is always FULL of IPv6 addresses that are all mDNS related or other addresses on my particular network segment (varies). Tracing this connection is impossible, as in Linux or Windows it is always hidden and IPv6, and if I cannot disable IPv6 (which I was able to do in Linux for a while... whatever I do in the registry is volatile and my changes have no effect), IPv4 will still show only *.*.*.* or "Cannot Display Connection info" or something similar.

Currently I am using an ethernet connection to a cable modem. For illustration purposes of some of the things I mention above, here is the output of a few utilities:

"IPCONFIG /ALL"

Windows IP Configuration

Host Name . . . . . . . . . . . . : b
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wi.rr.com

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : wi.rr.com
Description . . . . . . . . . . . : Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : XX.XX.XX.XX.XX.XX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::584c:5e:9125:4f35%8(Preferred)
IPv4 Address. . . . . . . . . . . : 65.30.185.XXX(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Lease Obtained. . . . . . . . . . : Sunday, July 05, 2009 6:16:19 AM
Lease Expires . . . . . . . . . . : Monday, July 06, 2009 7:03:27 AM
Default Gateway . . . . . . . . . : 65.30.176.1
DHCP Server . . . . . . . . . . . : 65.24.14.33
DHCPv6 IAID . . . . . . . . . . . : 134225644
DNS Servers . . . . . . . . . . . : 65.24.7.10
65.24.7.11
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Connection-specific DNS Suffix . : wi.rr.com
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Temporary IPv6 Address. . . . . . : 2002:411e:b9d3::411e:b9d3(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : 65.24.7.10
65.24.7.11
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 10:

Connection-specific DNS Suffix . : wi.rr.com
Description . . . . . . . . . . . : isatap.wi.rr.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::200:5efe:65.30.185.211%13(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 65.24.7.10
65.24.7.11
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{3B914B21-9B71-4240-9AFF-F59BA71D57FD}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes


'ROUTE PRINT'

==========================================================================
Interface List
11 ...XX XX XX XX XX XX...... Broadcom 802.11b/g WLAN
8 ... XX XX XX XX XX XX ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
1 ........................... Software Loopback Interface 1
9 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
14 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #3
10 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
13 ...00 00 00 00 00 00 00 e0 isatap.wi.rr.com
12 ...00 00 00 00 00 00 00 e0 isatap.{3B914B21-9B71-4240-9AFF-F59BA71D57FD}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      65.30.176.1  65.30.185.211     20
      65.30.176.0    255.255.240.0         On-link   65.30.185.211    276
    65.30.185.XXX  255.255.255.255         On-link   65.30.185.211    276
    65.30.191.255  255.255.255.255         On-link   65.30.185.211    276
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link       127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link       127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   65.30.185.211    276
  255.255.255.255  255.255.255.255         On-link       127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   65.30.185.211    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination                 Gateway
 14   1125 ::/0                                2002:c058:6301::c058:6301
  1    306 ::1/128                             On-link
 14   1025 2002::/16                           On-link
 14    281 2002:411e:b9d3::411e:b9d3/128       On-link
  8    276 fe80::/64                           On-link
 13    281 fe80::200:5efe:65.30.185.211/128    On-link
  8    276 fe80::584c:5e:9125:4f35/128         On-link
  1    306 ff00::/8                            On-link
  8    276 ff00::/8                            On-link
===========================================================================
Persistent Routes:
  None




When I am in Linux, I will often run netstat and check my connections, and I see similar IPv6 addresses, and almost always catch a garden-variety SSH tunnel.... This is definitely a Windows-tailored bug; however, whether through updates or monitoring by its creators, it uses NetBIOS to port key .dlls over to Linux and uses WINE. Many times when I would be running Linux Mint, I would intend to install WINE (because I was using a brand new installation, which happens ~2/week depending on how angry I get or what I am trying to do), and because it did not show as installed (from Synaptic anyway), nor was it included in the distro, but a "dpkg -l" would show that yes, in fact, WINE had, at some point, been installed....


Anyway, here is 'NETSTAT -abfno'


Active Connections

  Proto  Local Address          Foreign Address        State        PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING    888   RpcSs [svchost.exe]
  TCP    0.0.0.0:1110           0.0.0.0:0              LISTENING    5128  [avp.exe]
  TCP    0.0.0.0:19780          0.0.0.0:0              LISTENING    5128  [avp.exe]
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING    572   [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING    988   Eventlog [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING    1412  nsi [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING    1072  Schedule [svchost.exe]
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING    632   [lsass.exe]
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING    616   [services.exe]
  TCP    65.30.185.XXX:139      0.0.0.0:0              LISTENING    4     Can not obtain ownership information
  TCP    65.30.185.XXX:50007    195.27.181.23:443      CLOSE_WAIT   4416  [avp.exe]
  TCP    127.0.0.1:49247        127.0.0.1:49248        ESTABLISHED  3156  [firefox.exe]
  TCP    127.0.0.1:49248        127.0.0.1:49247        ESTABLISHED  3156  [firefox.exe]
  TCP    127.0.0.1:49249        127.0.0.1:49250        ESTABLISHED  3156  [firefox.exe]
  TCP    127.0.0.1:49250        127.0.0.1:49249        ESTABLISHED  3156  [firefox.exe]
  TCP    [::]:135               [::]:0                 LISTENING    888   RpcSs [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING    4     Can not obtain ownership information
  TCP    [::]:1110              [::]:0                 LISTENING    5128  [avp.exe]
  TCP    [::]:2869              [::]:0                 LISTENING    4     Can not obtain ownership information
  TCP    [::]:5357              [::]:0                 LISTENING    4     Can not obtain ownership information
  TCP    [::]:19780             [::]:0                 LISTENING    5128  [avp.exe]
  TCP    [::]:49152             [::]:0                 LISTENING    572   [wininit.exe]
  TCP    [::]:49153             [::]:0                 LISTENING    988   Eventlog [svchost.exe]
  TCP    [::]:49154             [::]:0                 LISTENING    1412  nsi [svchost.exe]
  TCP    [::]:49155             [::]:0                 LISTENING    1072  Schedule [svchost.exe]
  TCP    [::]:49156             [::]:0                 LISTENING    632   [lsass.exe]
  TCP    [::]:49157             [::]:0                 LISTENING    616   [services.exe]
  UDP    0.0.0.0:123            *:*                                 1412  W32Time [svchost.exe]
  UDP    0.0.0.0:500            *:*                                 1072  IKEEXT [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                 1412  FDResPub [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                 1412  FDResPub [svchost.exe]
  UDP    0.0.0.0:4500           *:*                                 1072  IKEEXT [svchost.exe]
  UDP    0.0.0.0:5355           *:*                                 1532  Dnscache [svchost.exe]
  UDP    0.0.0.0:49232          *:*                                 1412  FDResPub [svchost.exe]
  UDP    65.30.185.XXX:137      *:*                                 4     Can not obtain ownership information
  UDP    65.30.185.XXX:138      *:*




Lastly, despite the warning that precedes this post on not posting CF logs, because I have been around the block on this and really do not want to waste any more time, attached is the combofix output (BUG.txt) from when I last ran it on my dad's laptop.


32788R22FWJFW\PEV.exe uzip "32788R22FWJFW\License\pv_5_2_2.zip" "32788R22FWJFW\License" && MOVE /Y "32788R22FWJFW\License\pv.exe" 32788R22FWJFW\
The system cannot find message text for message number 0x236e in the message file for Application.

32788R22FWJFW\pv.exe -kf n.com
Killing 'n.com'
pv: No matching processes found

MOVE /Y 32788R22FWJFW\pv.exe 32788R22FWJFW\pv.cfexe
The system cannot find message text for message number 0x236e in the message file for Application.

32788R22FWJFW\pv.cfexe -kf n.com
Killing 'n.com'
pv: No matching processes found

PUSHD "C:\32788R22FWJFW"

IF NOT EXIST pev.cfexe COPY /Y pev.exe pev.cfexe
The system cannot find message text for message number 0x2336 in the message file for Application.

IF NOT EXIST Nircmd.com COPY /Y n.com Nircmd.com
The system cannot find message text for message number 0x2336 in the message file for Application.

SET "Comspec=C:\Windows\system32\cmd.execf"

IF NOT EXIST C:\Windows\system32\cmd.exe GOTO Not_NT

IF EXIST OsVer EXIT

VER 1>OsVer

GREP.cfexe -F "5.2." OsVer

IF 1 == 0 GOTO Not_NT

GREP.cfexe -F "5.1.2" OsVer 1>XP.mac

IF 1 == 0 GOTO NT

DEL XP.mac

GREP.cfexe -F "5.00.2" OsVer 1>W2K.mac

IF 1 == 0 GOTO NT

DEL W2K.mac

GREP.cfexe -sq "currentversion.* 6.0" OsVer00 && GOTO NT

GREP.cfexe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SED.CFEXE "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV.EXE -rtf -s+901 .\OriPath00 && (
SED.CFEXE -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;%G"
)

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\CyberLink\Power2Go"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
pv: No matching processes found



I was going to attach some screenshots from Sysinternals' Process Explorer and a GUI netstat utility because they add to the overall picture, but I could not figure out how to attach JPEGs.

I hope someone has seen this before or, in any event, somebody can guide me to effectively get rid of this.

Thanks,
Paul

Edited by pjvex86, 05 July 2009 - 10:57 AM.
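Added example, not part of the original post: the tunnel adapters and the 2002:... and fe80::200:5efe:... entries in the ipconfig and route print output above are the IPv6 transition mechanisms Windows Vista sets up on its own (6to4, ISATAP, Teredo), and each such address carries an IPv4 address inside it. The script below, written for this page and using only Python's standard ipaddress module, decodes them: a 6to4 address (2002::/16, RFC 3056) holds the host's public IPv4 in bits 16..47, so 2002:411e:b9d3:: is 65.30.185.211 and the default gateway 2002:c058:6301:: is 192.88.99.1, the 6to4 relay anycast address of RFC 3068; an ISATAP address (RFC 5214) holds it after the 0000:5EFE or 0200:5EFE interface identifier; a Teredo address (2001::/32, RFC 4380) holds the Teredo server plus the client's address and UDP port stored bit-inverted. The route table text is copied from the post; the Teredo address used in the self-test is a documentation example, not one from this thread.

```python
import ipaddress
import re

# Transition prefixes and constants (RFC 3056, RFC 4380, RFC 3068, RFC 5214).
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
SIXTO4_RELAY_ANYCAST = "192.88.99.1"

# IPv6 route table as printed by `route print` in the post above.
IPV6_ROUTES = """\
If Metric Network Destination              Gateway
14   1125 ::/0                             2002:c058:6301::c058:6301
 1    306 ::1/128                          On-link
14   1025 2002::/16                        On-link
14    281 2002:411e:b9d3::411e:b9d3/128    On-link
 8    276 fe80::/64                        On-link
13    281 fe80::200:5efe:65.30.185.211/128 On-link
 8    276 fe80::584c:5e:9125:4f35/128      On-link
 1    306 ff00::/8                         On-link
 8    276 ff00::/8                         On-link
"""


def _parse(addr):
    """Parse an address as Windows prints it: strip a zone index ('%13')
    or a prefix length ('/128') first. Dotted-quad tails are accepted."""
    return ipaddress.IPv6Address(re.split(r"[%/]", addr, maxsplit=1)[0])


def decode_6to4(addr):
    """2002:WWXX:YYZZ::/48 -> 'W.X.Y.Z' (the host's public IPv4), else None."""
    ip = _parse(addr)
    if ip not in SIXTO4_PREFIX:
        return None
    return str(ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFF_FFFF))


def decode_isatap(addr):
    """Interface ID 0000:5EFE:W.X.Y.Z (or 0200:5EFE, u/l bit set) -> 'W.X.Y.Z'."""
    iid = int(_parse(addr)) & 0xFFFF_FFFF_FFFF_FFFF
    if (iid >> 32) & 0xFDFF_FFFF != 0x0000_5EFE:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFF_FFFF))


def decode_teredo(addr):
    """2001:0000:<server>:<flags>:<~port>:<~client> -> (server, client, port).
    Port and client address are stored bit-inverted. None if not Teredo."""
    ip = _parse(addr)
    if ip not in TEREDO_PREFIX:
        return None
    n = int(ip)
    server = (n >> 64) & 0xFFFF_FFFF
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
    client = (n & 0xFFFF_FFFF) ^ 0xFFFF_FFFF
    return (str(ipaddress.IPv4Address(server)),
            str(ipaddress.IPv4Address(client)), port)


def describe(addr):
    """Label one route-table destination or gateway in plain words."""
    ip = _parse(addr)
    v4 = decode_6to4(addr)
    if v4 == SIXTO4_RELAY_ANYCAST:
        return "6to4 relay anycast 192.88.99.1 (RFC 3068)"
    if v4 == "0.0.0.0":
        return "6to4 prefix 2002::/16 (RFC 3056)"
    if v4:
        return "6to4 address, embedded public IPv4 " + v4
    teredo = decode_teredo(addr)
    if teredo:
        return "Teredo address: server %s, client %s, client UDP port %d" % teredo
    v4 = decode_isatap(addr)          # must run before the generic link-local test
    if v4:
        return "ISATAP address, embedded IPv4 " + v4
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip == ipaddress.IPv6Address("::"):
        return "default route / unspecified"
    return "global unicast"


ROUTE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def explain_routes(route_table_text):
    """Parse the IPv6 section of `route print`; return one tuple per route:
    (interface index, destination, label, gateway, gateway label)."""
    rows = []
    for line in route_table_text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        ifindex, _metric, dest, gw = m.groups()
        gw_label = "on-link" if gw.lower() == "on-link" else describe(gw)
        rows.append((int(ifindex), dest, describe(dest), gw, gw_label))
    return rows


if __name__ == "__main__":
    for ifindex, dest, label, gw, gw_label in explain_routes(IPV6_ROUTES):
        print("if %2d  %-36s %-48s via %s (%s)" % (ifindex, dest, label, gw, gw_label))
```

Run as-is and compare with the route table: every IPv6 route in that listing is loopback, link-local, multicast, or one of these transition prefixes, and the IPv4 embedded in the 6to4 and ISATAP entries is the same 65.30.185.211 the Ethernet adapter got from DHCP. That check is the first thing to do before reading IPv6 routes as evidence of anything else; the same decoder also tells you which Teredo server and UDP port a Teredo address would be using, which is what to look for on the gateway if you want to confirm or block that traffic.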



#2 boopme (Global Moderator, 73,220 posts, NJ USA)
Posted 05 July 2009 - 01:24 PM

Hello and welcome. You have done a lot of research there. I would like to run RootRepeal.

Next, please install RootRepeal.

Go HERE and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 pjvex86 (Topic Starter; Members, 41 posts)
Posted 05 July 2009 - 01:54 PM

Thank you very much for your post. Have been surfing and other things, but hoping someone would post something so I could get on with my life!!!

BTW, in addition to surfing I was trying different approaches with CF on my dad's laptop and at one point CF continued to run. Following is the sequence of events. I just want to add it to the overall informational resources we have to work with.

1. CF warns that Trend Micro Anti-Virus is running. I check Taskman and Process Explorer and cannot find any indication that TM is in fact running (though I guess it could be). After clicking "OK", I get another message (along with that godforsaken shrill pair of system beeps) informing me that Trend Micro is running and that I am proceeding at my own risk.

2. Next I get a message that questions whether my copy of CF is genuine suggesting I download a new copy. The dialog box lists the three sites where I can download a genuine copy of combofix. After clicking OK, Another dialog box and the system beeps come up, and I get the dialog box (presumably an authentic combofix generated message) which lists two sites which are NOT to be used to download anything related to combofix.

3. Please note that in the course of the above two events and the following events, I am continually clicking the error message I describe in my first post. I would guess to get to the end of this sequence I click OK perhaps 200 times. Every grep, sed, and findstr run by CF is interrupted (but at this point I do not think it actually prevents the execution) by this error.

4. The command line DOS window (w/ the blue background) starts and it shows two "Access Denied" Messages. The window disappears, but then reappears (I feel like I am watching a movie, since I am so emotionally invested in Combofix actually triumphing over this SOB), and it says "Attempting to Create a Restore Point", which at first alarms me because I would think that a restore point while the system is still infected is not the wisest choice to make--I also am suspect because I have seen this thing do some pretty cunning things so far.

5. Finally after another 50 times of clicking "OK" to the error described above, CF lets me know that it has discovered a rootkit, asks me to write down the .sys file, and reboots. I let it reboot without going into safe mode and nothing happens.

6. I reinstalled a fresh copy of CF. Did the above process all over again, but this time upon reboot, hit F8 to go into safe mode. Still nothing.

7. So Combofix cannot kill it, but there is a rootkit. That confirmation in itself is gratifying. Also, as detailed in the Rootrepeal instructions, the name of the file that combofix reports fits the description. That file is c:\windows\system32\drivers\SKYNETvrhsrvh.sys.

8. I am on my way to running RootRepeal right now. Will post back asap.

By the way, an interesting little piece of information regarding the laptop I am using at the moment (my laptop), which is thoroughly infected (I am fixing my dad's laptop first). Kaspersky Internet Security, which I have installed but which is also hooked to hell, just asked me how I would like to classify a "New Network Found". As stated, I have an ethernet connection to a modem which gives me an external IP address. However, the Kaspersky alert just listed the so-called "New Network" as 192.168.100.11/24. This rootkit must be facilitating the creation of a huge network of hijacked machines!!!
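Added example, not from the original thread: a baseline check for a netstat -abfno listing like the one in the first post. Reading the full listing by eye is what makes every svchost.exe look suspicious; the script below, written for this page, suppresses what a stock Windows Vista install opens by itself (the RPC endpoint mapper on 135, SMB and NetBIOS on 445/139/137/138, SSDP on 2869, WSDAPI on 5357, W32Time on UDP 123, IKE on UDP 500/4500, WS-Discovery on UDP 3702, LLMNR on UDP 5355, and the dynamic RPC ports from 49152 up when wininit, svchost, lsass or services own them) and reports only the remaining listeners plus any connection whose far end is not the machine itself. The sample is an excerpt of the listing in the first post; the baseline table is this example's own and has to be extended with whatever software you know is on the box.

```python
# Excerpt of the `netstat -abfno` listing from the first post (addresses
# redacted there as XXX). Vista prints the owner on the same line when the
# output is pasted this way; the parser tolerates a missing PID/owner.
NETSTAT_SAMPLE = """\
Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 888 RpcSs [svchost.exe]
TCP 0.0.0.0:1110 0.0.0.0:0 LISTENING 5128 [avp.exe]
TCP 0.0.0.0:19780 0.0.0.0:0 LISTENING 5128 [avp.exe]
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 572 [wininit.exe]
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 988 Eventlog [svchost.exe]
TCP 65.30.185.XXX:139 0.0.0.0:0 LISTENING 4 Can not obtain ownership information
TCP 65.30.185.XXX:50007 195.27.181.23:443 CLOSE_WAIT 4416 [avp.exe]
TCP 127.0.0.1:49247 127.0.0.1:49248 ESTABLISHED 3156 [firefox.exe]
TCP [::]:445 [::]:0 LISTENING 4 Can not obtain ownership information
TCP [::]:2869 [::]:0 LISTENING 4 Can not obtain ownership information
TCP [::]:5357 [::]:0 LISTENING 4 Can not obtain ownership information
UDP 0.0.0.0:123 *:* 1412 W32Time [svchost.exe]
UDP 0.0.0.0:3702 *:* 1412 FDResPub [svchost.exe]
UDP 0.0.0.0:5355 *:* 1532 Dnscache [svchost.exe]
UDP 0.0.0.0:49232 *:* 1412 FDResPub [svchost.exe]
UDP 65.30.185.XXX:137 *:* 4 Can not obtain ownership information
"""

# Baseline for a default Vista install: (proto, port) -> service name or image
# expected to own it. PID 4 (the System process) owns SMB, NetBIOS, SSDP, WSD.
EXPECTED_LISTENERS = {
    ("TCP", 135): "RpcSs", ("TCP", 139): "System", ("TCP", 445): "System",
    ("TCP", 2869): "System", ("TCP", 5357): "System",
    ("UDP", 123): "W32Time", ("UDP", 137): "System", ("UDP", 138): "System",
    ("UDP", 500): "IKEEXT", ("UDP", 4500): "IKEEXT",
    ("UDP", 3702): "FDResPub", ("UDP", 5355): "Dnscache",
}
# Dynamic RPC endpoints (49152 and up) are normal when these images own them.
CORE_IMAGES = {"wininit.exe", "svchost.exe", "lsass.exe", "services.exe"}
LOCAL_HOSTS = {"0.0.0.0", "127.0.0.1", "::", "::1", "*"}


def split_endpoint(endpoint):
    """'[::]:445' -> ('::', 445); '1.2.3.4:139' -> ('1.2.3.4', 139); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -abfno rows into dicts. UDP rows carry no State column."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] not in ("TCP", "UDP"):
            continue                      # header, blank, or continuation line
        proto, rest = tok[0], tok[3:]
        state = None
        if proto == "TCP" and rest:
            state, rest = rest[0], rest[1:]
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        owner = " ".join(rest[1:]) if pid is not None else ""
        if pid == 4:
            owner = "System"              # netstat cannot name kernel-owned sockets
        lhost, lport = split_endpoint(tok[1])
        fhost, fport = split_endpoint(tok[2])
        entries.append({"proto": proto, "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state,
                        "pid": pid, "owner": owner})
    return entries


def image_of(owner):
    """'Eventlog [svchost.exe]' -> 'svchost.exe'; 'System' -> 'System'."""
    return owner.split("[")[-1].rstrip("]")


def triage(entries):
    """Findings: listeners outside the baseline, and connections to non-local peers."""
    findings = []
    for e in entries:
        listening = e["state"] == "LISTENING" or (e["proto"] == "UDP" and e["fhost"] == "*")
        if listening:
            expected = EXPECTED_LISTENERS.get((e["proto"], e["lport"]))
            if expected and expected in e["owner"]:
                continue
            if e["lport"] is not None and e["lport"] >= 49152 and image_of(e["owner"]) in CORE_IMAGES:
                continue
            findings.append("unexpected listener %s %s:%s owned by %s (PID %s)"
                            % (e["proto"], e["lhost"], e["lport"], e["owner"] or "unknown", e["pid"]))
        elif e["fhost"] not in LOCAL_HOSTS:
            findings.append("remote connection %s:%s -> %s:%s %s by %s (PID %s)"
                            % (e["lhost"], e["lport"], e["fhost"], e["fport"],
                               e["state"], e["owner"] or "unknown", e["pid"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat(NETSTAT_SAMPLE)):
        print(finding)
```

On this excerpt the only things left are avp.exe (Kaspersky's own process) listening on 1110 and 19780 and its CLOSE_WAIT connection to 195.27.181.23:443. A list that short is what to take to Process Explorer and verify binary by binary; a rootkit that hides its own socket will not appear here at all, so an empty report does not clear the machine, but an unexplained entry is always worth running down.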

#4 pjvex86 (Topic Starter; Members, 41 posts)
Posted 05 July 2009 - 06:37 PM

Well.... I think it would have been too easy for that to work. This rootkit has shown a resistance like nothing I have experienced or read about except for Downadup and Conficker.

I ran RootRepeal first from the desktop. Then I turned off the laptop, downloaded another copy to the root drive, renamed it and booted into safe mode. The only output I got was three RootRepeal crash reports, shown below:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00430aa0
Attempt to read from address: 0x01658000

=====================================

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x77a41f2a
Attempt to read from address: 0xc3eaebb1

=====================================

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x77a41f2a
Attempt to read from address: 0xc3eaebb1


I then took the info from the MBAM forum page which describes the various prefixes immune to removal by MBAM and, on both my laptop and my dad's, I did a recursive search on the root (c:) for any and all .sys files and tried to manually find it. I was going to use Killbox if I had found anything, but unfortunately I did not. It is almost as if this bug is self-aware. I find it so hard to believe that I could install Spybot, MBAM, Kaspersky, and rootkit reveal (I tried rootkit reveal a few weeks ago), and they installed (although they were not fully functional, I am sure), but this one app coincidentally crashes when I run it. The rootkit must be updated very regularly.

In fact, before I ran RootRepeal, I shut down Kaspersky and Kaspersky asked if I wanted to terminate my network (internet) connections. I clicked "OK", and it said "Terminating THREE network connections." Three??? I had not even looked since I know everything is infected, but that still surprised me.

By the way, I can't modify Kaspersky at all. Immediately after install (and I was not even online during installation), I went to settings to make sure my firewall rules were set appropriately. Every rule listed had unfettered access inbound and outbound for any and all protocols, and all options to edit or delete were grayed out (this type of thing has happened COUNTLESS times in the past... which was why I took up my study of the registry.... I hoped I could make registry changes as need be to prevent these types of blocks by the rootkit). Unfortunately, the book I read is the only real comprehensive registry book I could find and it only goes through XP. I don't know if you have looked at the registry within Vista or Windows 7 much, but other than the framework, there are a lot of significant changes.

Another thing this rootkit/worm does to me is tailor itself to my specific attacks (or so it seems). For instance, if I start left-clicking certain processes in the task manager which I have a strong hunch are used by it and only it (or primarily due to its occupation on my system), if I reboot, everything is fine, except now my context menu will not work. If I instead right-click on a process and click on "end task" (i.e., do not use the context menu), after maybe the third time I end a particular process (which always immediately restarts after I terminate it), on the fourth time I try to end that same process, it will say "Operation Not Permitted". It's like it possesses AI or something. Is this something anybody has encountered? I have a lot more stories like this.

Basically, when I was dealing with the elitist Windows 7 "experts" at the other board I was on a few months ago, I would tell them a lot of this stuff and I think they thought I was confused.... and in their defense, as mentioned above, I did cause some of my own problems because of how this thing behaved, but I am certain that there is some type of immediate communication somewhere whenever stress is placed on it (by my trying to attack some part of it). And because IPv6 is being used as well as UDP, any adapter that is connected to a socket -- even if closed -- allows it to communicate to the internet at large because it can bypass any gateway, NAT, or firewall -- anything, because of the fact that it is using UDP or IPv6 or both. Further, as mentioned above, since zero configuration networking has expanded so much over the years, if needed, it can use this.

So, I do appreciate your suggestion, but I hope you have another. Unfortunately, I use my laptop so much in my profession, that it has really hurt my income, and consequently since I really do not want to spend $200 or more to somebody else to try and fix it (after I have already tried just about everything plus my new laptop was only $700), I am stuck with my own creative problem solving (with any and everyone who cares to assist me).

Let me know what you think.

Again, thank you very much in advance for any continuing assistance....
Paul

#5 boopme (Global Moderator, 73,220 posts, NJ USA)
Posted 05 July 2009 - 06:47 PM

You are most welcome. I think that we will need to run specialized tools. Now you need to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#6 pjvex86 (Topic Starter; Members, 41 posts)
Posted 05 July 2009 - 07:07 PM

Thank you...will do this post haste.

One question however, the instructions say to post the name of this malware in the forum. Do we have a name for this particular nasty piece of code?

#7 boopme (Global Moderator, 73,220 posts, NJ USA)
Posted 05 July 2009 - 07:18 PM

Hi, yes: "SKYNET".

#8 pjvex86 (Topic Starter; Members, 41 posts)
Posted 05 July 2009 - 07:30 PM

Boopme -- Per your instructions, the DDS.txt has been posted in the forum accordingly along with the attach.txt file, which was zipped and added as an attachment.

THANKS!!!!!!

See you there,
Paul

P.S. I did not see your post in time. I had submitted the DDS/HJT post but now am unable to edit the title....

Edited by pjvex86, 05 July 2009 - 07:33 PM.


#9 boopme (Global Moderator, 73,220 posts, NJ USA)
Posted 05 July 2009 - 08:05 PM

Ok ,Good job Paul....
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



