I have a bad infection.


7 replies to this topic

#1 thefury

Posted 07 July 2009 - 07:41 PM

Hey guys.
I am on a computer that has been infected with some trojan.
After scanning with my Malwarebytes, I found I had some SKYNET trojan on my computer.
It deleted the files... but now every time I start my computer, it says
"The application or DLL globalroot\systemroot\system32\SKYNET (something) .dll is not a valid Windows image. Please check this against your installation diskette." Please help, I'm worried this is going to ruin my hard drive... and it's very expensive and I got no money to fix it.

#2 Budapest

Posted 07 July 2009 - 07:46 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 thefury

Posted 07 July 2009 - 08:25 PM

There we go.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/07 20:19
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: c:\windows\ntbtlog.txt
Status: Size mismatch (API: 618962, Raw: 618838)

Path: C:\WINDOWS\system32\SKYNETbxhxiqhw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETnckyhhlc.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETvbexrlcb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxmpjevxo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbmwmbmdwoo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfspjodqvwr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETllrlosibng.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETspsecxrovx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETypqsbdkibh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcnrfjnvxfi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdbtfuvgufh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdfxpurbivr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETevmhtlynja.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpuhhbpkupc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqblnalpfto.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqliejaiafn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqlwdsgaihs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrtldwibwww.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETaarcjititl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETaayouiykes.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETaboetngsqd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETanxpssekiv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETaprkcoofck.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETapvxoolety.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETarnyriemus.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETawumwuntjy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETinpsehuxpo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETinwpeoamwq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETipmbbuyuap.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjguqnfbecu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjlgynkynch.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjxyquolrtw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkfofuyqngp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlagrdhwjct.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlgrlvhpmot.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtljyqxthou.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtpdsiymstb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvrarsgnmdb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvsgmjufnby.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvtmffnxwea.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvtpnscpqfa.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwjqkdjdcbr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxklecjfcxw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxnxjlfqutq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETscdiuwme.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Miroslaw\Local Settings\Apps\2.0\38233QTP.BL5\RRZNZQJY.C5D\manifests\Orion.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Miroslaw\Local Settings\Apps\2.0\38233QTP.BL5\RRZNZQJY.C5D\manifests\Orion.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Miroslaw\Local Settings\Application Data\Microsoft\Messenger\xwhipx@live.com\SharingMetadata\cristianleon31@hotmail.com\DFSR\Staging\CS{2D1A17D1-44D4-C867-8BDA-B60C0CF0DB80}\01\10-{2D1A17D1-44D4-C867-8BDA-B60C0CF0DB80}-v1-{B00B85CF-38F2-485A-B81B-ABCA8DD3B6CC}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Miroslaw\Local Settings\Application Data\Microsoft\Messenger\xwhipx@live.com\SharingMetadata\cristianleon31@hotmail.com\DFSR\Staging\CS{2D1A17D1-44D4-C867-8BDA-B60C0CF0DB80}\11\43-{B00B85CF-38F2-485A-B81B-ABCA8DD3B6CC}-v11-{B00B85CF-38F2-485A-B81B-ABCA8DD3B6CC}-v43-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Miroslaw\Local Settings\Application Data\Microsoft\Messenger\xwhipx@live.com\SharingMetadata\cristianleon31@hotmail.com\DFSR\Staging\CS{2D1A17D1-44D4-C867-8BDA-B60C0CF0DB80}\21\42-{B00B85CF-38F2-485A-B81B-ABCA8DD3B6CC}-v21-{B00B85CF-38F2-485A-B81B-ABCA8DD3B6CC}-v42-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Miroslaw\Local Settings\Application Data\Microsoft\Messenger\xwhipx@live.com\SharingMetadata\cristianleon31@hotmail.com\DFSR\Staging\CS{2D1A17D1-44D4-C867-8BDA-B60C0CF0DB80}\28\38-{B00B85CF-38F2-485A-B81B-ABCA8DD3B6CC}-v28-{B00B85CF-38F2-485A-B81B-ABCA8DD3B6CC}-v38-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Miroslaw\My Documents\Website Ripper Copier\Downloads\sig.runelegion.net\dynsig\race\dragon\strcape\goldmen18\siry112\strength\99.png:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Miroslaw\My Documents\Website Ripper Copier\Downloads\sig.runelegion.net\dynsig\race\dragon\strcape\goldmen18\siry112\strength\99.png:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Miroslaw\My Documents\Website Ripper Copier\Downloads\sig.runelegion.net\dynsig\race\dragon\strcape\goldmen18\siry112\strength\99.png:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Miroslaw\My Documents\Website Ripper Copier\Downloads\sig.runelegion.net\dynsig\race\dragon\strcape\goldmen18\siry112\strength\99.png:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Miroslaw\My Documents\Website Ripper Copier\Downloads\sig.runelegion.net\dynsig\race\dragon\strcape\goldmen18\siry112\strength\99.png:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Miroslaw\My Documents\Website Ripper Copier\Downloads\sig.runelegion.net\dynsig\race\dragon\strcape\goldmen18\siry112\strength\99.png:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

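The report above is what the moderator triaged by eye: every entry is a Path/Status pair, and the single hidden .sys file under the drivers directory is the one that matters most, because it is the kernel component that keeps the other files invisible across reboots. The following parser and triage is an added example (not from the thread and not RootRepeal's own code); the report excerpt is constructed from entries in the posted report, and the grouping rules are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the RootRepeal "Hidden/Locked Files" section from the
# report posted above (paths copied from the thread; layout is the tool's own).
SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: c:\windows\ntbtlog.txt
Status: Size mismatch (API: 618962, Raw: 618838)

Path: C:\WINDOWS\system32\SKYNETvbexrlcb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbmwmbmdwoo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETscdiuwme.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Miroslaw\Local Settings\Apps\2.0\38233QTP.BL5\RRZNZQJY.C5D\manifests\Orion.exe.manifest
Status: Locked to the Windows API!
"""

ENTRY_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.MULTILINE)
SIZE_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")

def parse_entries(report):
    """Return (path, status) pairs from the Files-tab section of a RootRepeal report."""
    return [(m["path"].strip(), m["status"].strip()) for m in ENTRY_RE.finditer(report)]

def triage(entries):
    """Split entries into hidden files grouped by extension, locked files (usually
    legitimate in-use files, kept for review) and API/raw size mismatches."""
    hidden, locked, mismatched = defaultdict(list), [], []
    for path, status in entries:
        name = path.rsplit("\\", 1)[-1]
        if status.startswith("Invisible"):
            hidden[name.rsplit(".", 1)[-1].lower() if "." in name else ""].append(path)
        elif status.startswith("Locked"):
            locked.append(path)
        elif m := SIZE_RE.search(status):
            mismatched.append((path, int(m[1]), int(m[2])))
    return dict(hidden), locked, mismatched

def kernel_drivers(entries):
    """Hidden .sys files in a drivers directory: the component the responder removes first."""
    return [p for p, s in entries if s.startswith("Invisible")
            and p.lower().endswith(".sys") and "\\drivers\\" in p.lower()]
```

The size mismatch on ntbtlog.txt is the boot log growing between the API read and the raw read, which is why only the "Invisible" entries are grouped as hidden.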


#4 Budapest

Posted 07 July 2009 - 08:30 PM

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\SKYNETscdiuwme.sys

Then use your mouse to highlight it in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes.

#5 thefury

Posted 07 July 2009 - 09:54 PM


OK, I did everything.
I don't have the symptoms anymore.
Thank you so much for your help I thought I would have to reformat or buy a new hard drive,
but you ended up saving the day.
I love you! :thumbsup:

#6 Budapest

Posted 07 July 2009 - 10:06 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#7 thefury

Posted 07 July 2009 - 10:26 PM

OK, the restore point is made, and I also did Disk Cleanup.

Here are my java applications.
-Java DB 10.4.1.3
-Java ™ 6 update 13
-Java ™ SE Development kit 6 Update 11

#8 Budapest

Posted 07 July 2009 - 10:38 PM

This one is out of date: Java ™ 6 update 13. You should remove it and get the latest from here: http://www.java.com/en/download/index.jsp

This one is also out of date: Java ™ SE Development kit 6 Update 11. You can update it if you need to, but I'm not sure how that affects any Java development you are doing, so I'll leave it up to you to decide.