Rootkit infection... Help Please!!?


5 replies to this topic

#1 Kosta

  • Members
  • 5 posts

Posted 07 July 2009 - 09:51 PM

I have Norton, Windows Defender, and Spyware Doctor on my laptop, which is running Vista.
I also have an external hard drive which I believe might be infected as well.
Spyware Doctor always reports a rootkit and blocks it, and now I get an error every time I open any application saying SKYNEToqpai.DLL is not running properly, and this has become very annoying. I have gone to many websites and found this one, which seemed very useful. Other websites told me to use RootRepeal, but when I open the application I get an error. Could you please help me, and thanks in advance.


#2 Kosta

  • Topic Starter
  • Members
  • 5 posts

Posted 07 July 2009 - 10:15 PM

~~~~update~~~~~~
I plugged in my USB and immediately I get this fake virus scan thing which keeps popping up and is annoying.
Fake virus scan screen shot

#3 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 07 July 2009 - 10:25 PM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; a self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 Kosta

  • Topic Starter
  • Members
  • 5 posts

Posted 07 July 2009 - 10:39 PM

I tried using RootRepeal again, but right after I press to allow the program to run I get an error message and a little crash log.

#5 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 08 July 2009 - 08:25 AM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#6 Kosta

  • Topic Starter
  • Members
  • 5 posts

Posted 07 August 2009 - 12:42 PM

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sony\SmartWi Connection Utility\CCP.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiToggletProxy.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiTogglet.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\SmartWi Connection Utility\ActivationManager.exe
C:\Program Files\Sony\SmartWi Connection Utility\PowerManager.exe
C:\Program Files\Sony\SmartWi Connection Utility\ThirdPartyAppMgr.exe
C:\Program Files\Sony\SmartWi Connection Utility\SWGadgetServer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

hosts


C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\Kosta


C:\Users\Kosta\AppData\Local\Temp


C:\Users\Kosta\Application Data


Start Menu


C:\Users\Kosta\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection
DNS Server Search Order: 195.170.0.1
DNS Server Search Order: 195.170.2.2
DNS Server Search Order: 192.168.1.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{327ECB70-2C0A-4E66-B122-35916A4D1C0F}: DhcpNameServer=195.170.0.1 195.170.2.2 192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{327ECB70-2C0A-4E66-B122-35916A4D1C0F}: DhcpNameServer=195.170.0.1 195.170.2.2 192.168.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{327ECB70-2C0A-4E66-B122-35916A4D1C0F}: DhcpNameServer=195.170.0.1 195.170.2.2 192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=195.170.0.1 195.170.2.2 192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=195.170.0.1 195.170.2.2 192.168.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=195.170.0.1 195.170.2.2 192.168.1.2


Scanning for wininet.dll infection


End
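The registry values in the report above (AppInit_DLLs, LoadAppInit_DLLs and Winlogon\Userinit) are the persistence points a triage analyst compares against known-good defaults, and the process list is checked for images running from user-writable folders. As an added example that is not part of this thread or of SmitfraudFix, the following Python parses those sections in the same text layout the posted report uses and returns a list of findings. Both sample reports are constructed for the example: the clean one mirrors the values posted above, the tampered one uses placeholder file names (EXAMPLE_*) to show what the checks flag.

```python
"""Triage the persistence sections of a SmitfraudFix-style report (added example)."""
import re

# Section headers in the report layout shown in the thread.
SECTION_HEADERS = {"Process", "hosts", "Corrupted keys", "AppInit_DLLs", "Winlogon",
                   "RK", "DNS", "Scanning for wininet.dll infection", "End"}
NOISE_PREFIX = "!!!Attention"  # caution line printed under every key section

# Stock Vista value from the thread's report (.reg export style, backslashes doubled).
EXPECTED_USERINIT = r"C:\\Windows\\system32\\userinit.exe,"
# Path fragments of user-writable locations; a process image here merits a closer look.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming", r"\windows\temp")

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def split_sections(report):
    """Map each known header to the non-empty body lines below it (caution lines dropped)."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line
            sections.setdefault(current, [])
        elif current is not None and not line.startswith(NOISE_PREFIX):
            sections[current].append(line)
    return sections


def parse_reg_values(lines):
    """Turn "Name"="value" / "Name"=dword:... lines into {name: value}; quoted strings lose quotes."""
    values = {}
    for line in lines:
        m = REG_VALUE_RE.match(line)
        if not m:
            continue  # key path lines such as [HKEY_LOCAL_MACHINE\...] carry no value
        value = m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        values[m.group("name")] = value
    return values


def check_appinit(lines):
    """AppInit_DLLs should be empty and LoadAppInit_DLLs should be 0 on a clean Vista box."""
    findings, values = [], parse_reg_values(lines)
    if values.get("AppInit_DLLs", ""):
        findings.append(f"AppInit_DLLs is not empty: {values['AppInit_DLLs']}")
    load = values.get("LoadAppInit_DLLs", "dword:00000000")
    if load.lower() != "dword:00000000":
        findings.append(f"LoadAppInit_DLLs is enabled: {load}")
    return findings


def check_winlogon(lines):
    """Userinit should name only the stock userinit.exe; extra entries run at every logon."""
    userinit = parse_reg_values(lines).get("Userinit", "")
    if userinit.lower() != EXPECTED_USERINIT.lower():
        return [f"Userinit differs from the default: {userinit!r}"]
    return []


def check_processes(lines):
    """Flag process images whose path lies in a user-writable location."""
    return [f"process running from a user-writable location: {p}" for p in lines
            if ":\\" in p.lower() and any(m in p.lower() for m in USER_WRITABLE_MARKERS)]


def triage(report):
    """Run all checks and return the findings; an empty list means nothing was flagged."""
    s = split_sections(report)
    return (check_appinit(s.get("AppInit_DLLs", [])) + check_winlogon(s.get("Winlogon", []))
            + check_processes(s.get("Process", [])))


# Constructed sample mirroring the clean values posted in the thread.
CLEAN_REPORT = r"""
Process

C:\Windows\system32\winlogon.exe
C:\Program Files\Mozilla Firefox\firefox.exe

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

End
"""

# Constructed sample of a tampered system; EXAMPLE_* names are placeholders, not real malware.
TAMPERED_REPORT = r"""
Process

C:\Windows\system32\winlogon.exe
C:\Users\Kosta\AppData\Local\Temp\EXAMPLE_dropper.exe

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Kosta\\AppData\\Local\\Temp\\EXAMPLE_hook.dll"
"LoadAppInit_DLLs"=dword:00000001

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Kosta\\AppData\\Local\\Temp\\EXAMPLE_hook.exe,"

End
"""

if __name__ == "__main__":
    for label, rep in (("clean", CLEAN_REPORT), ("tampered", TAMPERED_REPORT)):
        print(label, triage(rep) or ["nothing flagged"])
```

The checks deliberately compare against the documented defaults rather than a blocklist of file names: a persistence value that differs from stock is worth explaining regardless of what the extra entry is called, which is the same reasoning the helper applies when reading a posted log.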



