
Skynet Trojan [Moved]


10 replies to this topic

#1 wes1584

wes1584

  • Members
  • 32 posts

Posted 10 July 2009 - 11:25 PM

Hello, this is my first post on these forums. :thumbsup:

I started getting blue screens randomly and kept having to reboot my PC. The only spyware/virus program I use is stopzilla because I have the full version of it. I did a scan today and it detected a bunch of search engine hijackers and also a trojan that was called "skynet".

Even when stopzilla detects the trojan and removes it, it always comes back when I reboot. Same with the search hijackers. I really don't know what to do and would very much appreciate any help anyone can give me.

Also, when it does cause me to get a blue screen, it's a message that starts with DRIVER_IRQL_NOT_LESS_OR_EQUAL. I'm afraid a rootkit is causing this, but I don't know enough about them to be sure.

Here is the log from stopzilla


Block/Extraction Pop-up blocker 2009-07-10 23:19:37 Extracted package SkyNet
Block/Extraction Registry enforcer 2009-07-10 23:18:33 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 23:18:33 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-10 23:18:31 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 23:18:30 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Block/Extraction File enforcer 2009-07-10 23:16:10 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Home page protection 2009-07-10 23:16:08 Checking homepage... OK
Information Internet ExplorerSiteguard 2009-07-10 23:15:47 Inspecting registered Internet Explorer toolbars
Block/Extraction File enforcer 2009-07-10 23:15:46 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 23:15:46 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 23:15:46 Inspecting registered Explorer bars
Block/Extraction File enforcer 2009-07-10 23:15:16 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 23:15:16 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 23:15:13 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 23:15:11 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 23:15:09 Starting process watcher
Block/Extraction File enforcer 2009-07-10 22:19:14 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Home page protection 2009-07-10 22:18:51 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 22:18:47 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 22:18:47 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Internet ExplorerSiteguard 2009-07-10 22:17:52 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 22:17:51 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 22:17:45 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction File enforcer 2009-07-10 22:17:44 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 22:17:35 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 22:17:35 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 22:17:33 Starting process watcher
Block/Extraction File enforcer 2009-07-10 22:12:47 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 22:11:33 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 22:11:33 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Home page protection 2009-07-10 22:11:18 Checking homepage... OK
Information Internet ExplorerSiteguard 2009-07-10 22:11:05 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 22:11:04 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 22:11:02 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction File enforcer 2009-07-10 22:11:01 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 22:11:01 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 22:10:57 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 22:10:53 Starting process watcher
Information Registry enforcer 2009-07-10 22:09:25 Inspecting registered Explorer bars
Block/Extraction File enforcer 2009-07-10 22:08:34 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 22:08:29 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 22:08:22 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 22:08:20 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 22:08:17 Starting process watcher
Block/Extraction Pop-up blocker 2009-07-10 21:56:38 Removed file c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Pop-up blocker 2009-07-10 21:56:37 Removed file c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction Pop-up blocker 2009-07-10 21:56:23 Extracted package SkyNet
Information Home page protection 2009-07-10 21:52:20 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 21:52:17 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 21:51:59 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 21:51:59 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Internet ExplorerSiteguard 2009-07-10 21:51:43 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 21:51:43 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 21:51:42 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 21:51:42 Inspecting WinSock registry (LSP Chain)
Block/Extraction File enforcer 2009-07-10 21:51:42 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 21:51:41 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 21:51:39 Starting process watcher
Information General 2009-07-10 21:41:36 Completed system scan.
Information General 2009-07-10 21:40:17 Started system scan.
Block/Extraction File enforcer 2009-07-10 21:33:33 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Home page protection 2009-07-10 21:33:21 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 21:33:12 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 21:33:12 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Internet ExplorerSiteguard 2009-07-10 21:32:05 Inspecting registered Internet Explorer toolbars
Block/Extraction File enforcer 2009-07-10 21:32:05 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 21:32:05 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 21:31:54 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 21:31:49 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 21:31:47 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 21:31:42 Starting process watcher
Information Home page protection 2009-07-10 19:27:20 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 19:27:16 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 19:27:07 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 19:27:07 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 19:26:56 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 19:26:56 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Internet ExplorerSiteguard 2009-07-10 19:26:56 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 19:26:56 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 19:26:56 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction File enforcer 2009-07-10 19:26:55 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Process enforcer 2009-07-10 19:26:54 Starting process watcher
Block/Extraction Pop-up blocker 2009-07-10 19:21:41 Removed file c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction Pop-up blocker 2009-07-10 19:21:34 Removed file c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Pop-up blocker 2009-07-10 19:20:49 Extracted package SkyNet
Block/Extraction File enforcer 2009-07-10 19:17:25 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Home page protection 2009-07-10 19:17:04 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 19:16:51 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction File enforcer 2009-07-10 19:16:51 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 19:16:33 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Information Registry enforcer 2009-07-10 19:16:33 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 19:16:33 Inspecting WinSock registry (LSP Chain)
Information Internet ExplorerSiteguard 2009-07-10 19:16:32 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 19:16:32 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 19:16:31 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 19:16:30 Starting process watcher
Block/Extraction Pop-up blocker 2009-07-10 18:41:07 Removed file c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction Pop-up blocker 2009-07-10 18:41:05 Removed file c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Pop-up blocker 2009-07-10 18:40:43 Extracted package SkyNet
Block/Extraction File enforcer 2009-07-10 18:37:34 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction File enforcer 2009-07-10 18:37:18 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction File enforcer 2009-07-10 18:37:18 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Home page protection 2009-07-10 18:37:17 Checking homepage... OK
Information Internet ExplorerSiteguard 2009-07-10 18:37:08 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 18:37:08 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 18:37:08 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 18:37:05 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 18:37:05 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction File enforcer 2009-07-10 18:37:04 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Information Process enforcer 2009-07-10 18:37:02 Starting process watcher
Block/Extraction Pop-up blocker 2009-07-10 18:34:43 Removed file c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Pop-up blocker 2009-07-10 18:34:40 Removed file c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction Pop-up blocker 2009-07-10 18:34:02 Extracted package SkyNet
Block/Extraction File enforcer 2009-07-10 18:31:13 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Home page protection 2009-07-10 18:31:12 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 18:30:56 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 18:30:56 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 18:30:45 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 18:30:44 Inspecting WinSock registry (LSP Chain)
Block/Extraction File enforcer 2009-07-10 18:30:43 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Internet ExplorerSiteguard 2009-07-10 18:30:43 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 18:30:43 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 18:30:43 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 18:30:41 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-10 18:29:29 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-10 18:29:27 Disabled service: messenger -
Information Registry enforcer 2009-07-10 18:28:23 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 18:27:58 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 18:27:40 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 18:27:36 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-10 18:27:27 Completed system scan.
Information General 2009-07-10 18:11:16 Started system scan.
Block/Extraction Registry enforcer 2009-07-10 17:59:20 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 17:59:20 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-10 17:59:20 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 17:59:20 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Information Home page protection 2009-07-10 17:59:19 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 17:59:00 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 17:58:54 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 17:58:54 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 17:58:44 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 17:58:44 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Internet ExplorerSiteguard 2009-07-10 17:58:44 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 17:58:44 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 17:58:44 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction File enforcer 2009-07-10 17:58:44 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Process enforcer 2009-07-10 17:58:43 Starting process watcher
Information Registry enforcer 2009-07-10 17:54:49 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-10 17:54:18 Completed system scan.
Information General 2009-07-10 17:40:35 Started system scan.
Block/Extraction Registry enforcer 2009-07-10 17:40:00 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 17:40:00 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-10 17:40:00 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 17:40:00 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Information Home page protection 2009-07-10 17:39:59 Checking homepage... OK
Information Internet ExplorerSiteguard 2009-07-10 17:39:19 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 17:39:18 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 17:39:15 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 17:39:13 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 17:39:11 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 17:39:11 Starting process watcher
Block/Extraction Registry enforcer 2009-07-10 16:39:13 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 16:39:13 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 16:39:12 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-10 16:39:12 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Block/Extraction Pop-up blocker 2009-07-10 16:24:53 Removed file c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Pop-up blocker 2009-07-10 16:24:50 Removed file c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction Pop-up blocker 2009-07-10 16:24:11 Extracted package System Policies.DisableTaskMgr
Block/Extraction Pop-up blocker 2009-07-10 16:24:05 Extracted package System Policies.DisableRegistryTools
Block/Extraction Pop-up blocker 2009-07-10 16:23:59 Extracted package SkyNet
Block/Extraction Registry enforcer 2009-07-10 16:19:50 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 16:19:50 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Block/Extraction File enforcer 2009-07-10 16:19:23 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Registry enforcer 2009-07-10 16:19:21 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-10 16:19:21 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1935655697-1960408961-839522115-1003\software\microsoft\windows\currentversion\policies\system
Information Home page protection 2009-07-10 16:19:20 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 16:18:57 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 16:18:57 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 16:18:43 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction File enforcer 2009-07-10 16:18:41 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 16:18:41 Inspecting WinSock registry (LSP Chain)
Information Internet ExplorerSiteguard 2009-07-10 16:18:41 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 16:18:41 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 16:18:40 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 16:18:39 Starting process watcher
Block/Extraction File enforcer 2009-07-10 15:55:33 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Home page protection 2009-07-10 15:55:15 Checking homepage... OK
Block/Extraction File enforcer 2009-07-10 15:55:13 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2009-07-10 15:55:13 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2009-07-10 15:55:07 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 15:55:07 Inspecting WinSock registry (LSP Chain)
Block/Extraction File enforcer 2009-07-10 15:55:06 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Internet ExplorerSiteguard 2009-07-10 15:55:05 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-10 15:55:05 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-10 15:55:05 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-10 15:55:03 Starting process watcher
Information Registry enforcer 2009-07-10 14:47:33 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 14:47:32 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 14:47:31 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 14:47:27 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 14:47:22 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-10 14:47:21 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 14:46:53 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-10 14:46:41 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-10 14:46:14 Completed system scan.
Information General 2009-07-10 14:21:23 Started scheduled scan.
Block/Extraction Pop-up blocker 2004-11-07 22:24:54 Removed file c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction Pop-up blocker 2004-11-07 22:24:54 Removed file c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Pop-up blocker 2004-11-07 22:24:01 Extracted package SkyNet
Block/Extraction File enforcer 2004-11-07 22:22:29 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Home page protection 2004-11-07 22:22:09 Checking homepage... OK
Block/Extraction File enforcer 2004-11-07 22:21:58 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction File enforcer 2004-11-07 22:21:58 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Internet ExplorerSiteguard 2004-11-07 22:21:10 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2004-11-07 22:21:10 Inspecting registered Explorer bars
Block/Extraction File enforcer 2004-11-07 22:21:10 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Information Registry enforcer 2004-11-07 22:21:06 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2004-11-07 22:21:03 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2004-11-07 22:21:01 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2004-11-07 22:20:58 Starting process watcher
Information General 2004-11-07 22:11:02 Started system scan.
Block/Extraction File enforcer 2004-11-07 22:07:04 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Home page protection 2004-11-07 22:06:43 Checking homepage... OK
Block/Extraction File enforcer 2004-11-07 22:06:43 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction File enforcer 2004-11-07 22:06:43 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2004-11-07 22:06:35 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction File enforcer 2004-11-07 22:06:34 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Information Registry enforcer 2004-11-07 22:06:34 Inspecting WinSock registry (LSP Chain)
Information Internet ExplorerSiteguard 2004-11-07 22:06:34 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2004-11-07 22:06:34 Inspecting registered Explorer bars
Information Registry enforcer 2004-11-07 22:06:33 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2004-11-07 22:06:33 Starting process watcher
Block/Extraction Pop-up blocker 2004-11-07 22:05:33 Removed file c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction NT Service enforcer 2004-11-07 22:05:33 Disabled service: messenger -
Block/Extraction NT Service enforcer 2004-11-07 22:05:32 Disabled service: messenger -
Block/Extraction Pop-up blocker 2004-11-07 22:05:29 Removed file c:\windows\system32\skynetkiqwhkym.dll
Block/Extraction Pop-up blocker 2004-11-07 22:05:02 Extracted package SkyNet
Information Home page protection 2004-11-07 22:03:11 Checking homepage... OK
Block/Extraction File enforcer 2004-11-07 22:03:08 Deleted file: c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction File enforcer 2004-11-07 22:02:56 Suppressed file: c:\windows\system32\skynetwubqmiwf.dll
Block/Extraction File enforcer 2004-11-07 22:02:56 Deleted file: c:\windows\system32\skynetkiqwhkym.dll
Information Registry enforcer 2004-11-07 22:02:30 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2004-11-07 22:02:30 Inspecting WinSock registry (LSP Chain)
Block/Extraction File enforcer 2004-11-07 22:02:30 Suppressed file: c:\windows\system32\skynetkiqwhkym.dll
Information Internet ExplorerSiteguard 2004-11-07 22:02:30 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2004-11-07 22:02:30 Inspecting registered Explorer bars
Information Registry enforcer 2004-11-07 22:02:30 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2004-11-07 22:02:28 Starting process watcher
Information Registry enforcer 2009-07-10 13:45:27 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-10 13:45:15 Completed system scan.
Information General 2009-07-10 13:31:18 Started system scan.
Block/Extraction Pop-up blocker 2009-07-10 13:30:47 Extracted package Search Hijacker.G
Block/Extraction File enforcer 2009-07-10 13:30:47 Extracted files: path, c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp903\a0840088.ini
Block/Extraction File enforcer 2009-07-10 13:30:47 Deleted file: c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp903\a0840088.ini
Block/Extraction File enforcer 2009-07-10 13:30:46 Quarantined file: c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp903\a0840088.ini
Block/Extraction File enforcer 2009-07-10 13:30:45 Extracted files: path, c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp903\a0840086.ini
Block/Extraction File enforcer 2009-07-10 13:30:45 Deleted file: c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp903\a0840086.ini
Block/Extraction File enforcer 2009-07-10 13:30:45 Quarantined file: c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp903\a0840086.ini
Block/Extraction File enforcer 2009-07-10 13:30:44 Extracted files: path, c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp901\a0839106.ini
Block/Extraction File enforcer 2009-07-10 13:30:44 Deleted file: c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp901\a0839106.ini
Block/Extraction File enforcer 2009-07-10 13:30:44 Quarantined file: c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp901\a0839106.ini
Block/Extraction File enforcer 2009-07-10 13:30:43 Extracted files: path, c:\system volume information\_restore{3c5f0fce-d72a-4eaf-85a1-8a1ab6aa1b18}\rp900\a0839082.ini

Edited by wes1584, 11 July 2009 - 12:13 AM.




#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:02 AM

Posted 11 July 2009 - 12:45 PM

Since the log you posted is from stopzilla, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST OTHER LOGS<== unless a log is specifically requested.

I have read that STOPzilla is not a recommended security product. It's not actually classified as a rogue, but it skirts the edge of it.

See here: http://www.malwarebytes.org/forums/index.php?showtopic=1416

Please wait for someone more knowledgeable than I to provide you with further assistance.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:02 AM

Posted 11 July 2009 - 03:21 PM

Here's a general guide to fighting this rootkit family

http://www.malwarebytes.org/forums/index.php?showtopic=12709

This is a very nasty infection

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan and paste the report into a reply here please
Chewy

No. Try not. Do... or do not. There is no try.

#4 wes1584

wes1584
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 11 July 2009 - 04:14 PM

Ok here is my log from RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/11 16:12
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\SKYNETeewxnsbs.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETkiqwhkym.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETrftrvsig.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETwubqmiwf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_7dVBDHunUq9FCeo
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_bUrio7aqhOZezvb
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_cGHuXghVscvic7k
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_CWVyQsiqaCHkH3E
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_dPVubzgQOeLAXCh
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_hhSbcZUafKFt73l
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_lRsxplj88kvxLGH
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_MfqPF9PtWzW3c5t
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_N43K4EEzRb2cAGq
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_pURcuSqOWaGJoRe
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_pzQ2hlLrB15KDky
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_qE1qyWP6Gcx1oHn
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_QMY8YZ2bQVwgg0j
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_qSihFjw1be2seO2
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_qyoNIZctzhGDyJT
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_SehOeEKg3ExmYYo
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_UTEshp2uW6xXRDS
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_WBLlRVDWQHOVbaw
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_xtpSV8sjMvjfYpE
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_YmHokYYdkKliaqE
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqanwlhvxie.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxhuftnwpip.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_f9rOlb1JrrWCMFM
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp000004a8
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqdeqrapmoe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqmdxosornw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqxdnfyfucr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrtqpbhquln.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrxuqibbnyl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETschxtyeqcy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsctidetqni.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsxpxfvrnnx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtuspthxfim.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuibyoreelo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuqdeompcwv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuyayikuvbr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvbyapvbdmd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvfuvtegqdu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvnoetpsbcg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwrdibwngsv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwxkwnxphpy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETabwqwobkuy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETawksjnpspf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbvtiqemnwx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcdxbvfvniv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETecwxvnwsec.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETetivxysvsg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETevquxhjmvu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETexjtrnbwmq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfeoufwsrsp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfvornmsypm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjhctqrcsky.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjixtycxxey.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjlmwmfqteo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmexuwofype.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmpcwukmwiq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnvxibrrimu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnylbefvecq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETobylarsbtx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpcysbrtkfg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETprxiefxran.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SSBCA8.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Temporary Internet Files
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000013e
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000041d
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp000007f8
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp000009f5
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000b47
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000f0f
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000251b
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002742
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002c90
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002fc3
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp000037cd
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp000044e2
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000494d
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006179
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006659
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006bd9
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp000070ee
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000749b
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007fa0
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\userrep.ret
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxrecvspmbc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxrrpipmpdw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETykrcfhisfu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETymyhirienh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETyyctfpyoib.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SMI1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETkoscsrrv.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\etilqs_i0l9weox0rcomdqfaiye
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\etilqs_naajaedmuansb33kfjrs
Status: Allocation size mismatch (API: 65536, Raw: 0)

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:02 AM

Posted 11 July 2009 - 04:44 PM

Use rootrepeal to highlight this line

Path: C:\WINDOWS\system32\drivers\SKYNETkoscsrrv.sys
Status: Invisible to the Windows API!


Rightclick and choose Wipe File

Immediately reboot and run a quick scan with MBAM

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#6 wes1584

wes1584
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 11 July 2009 - 05:56 PM

Alrighty, done with the Malware scan.

Also, I thought I should note: Every time I reboot, stopzilla always catches the same two Skynet trojans and removes them on login. This time included with the normal two it catches it caught c:\windows\system32\drivers\ollzxa.sys. I removed it before I did malware scan. Just thought I should note that if it matters.

Anyways here is my log:


Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 2

7/11/2009 5:50:13 PM
mbam-log-2009-07-11 (17-50-13).txt

Scan type: Quick Scan
Objects scanned: 96350
Time elapsed: 13 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 48

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqanwlhvxie.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETxhuftnwpip.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETqmdxosornw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETqxdnfyfucr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETrtqpbhquln.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETrxuqibbnyl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETschxtyeqcy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETsctidetqni.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETsxpxfvrnnx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETtuspthxfim.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETuibyoreelo.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETuqdeompcwv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETuyayikuvbr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETvbyapvbdmd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETvfuvtegqdu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETvnoetpsbcg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETwrdibwngsv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETwxkwnxphpy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETabwqwobkuy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETawksjnpspf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETbvtiqemnwx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETcdxbvfvniv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETecwxvnwsec.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETetivxysvsg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETevquxhjmvu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETexjtrnbwmq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETfeoufwsrsp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETfvornmsypm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETjhctqrcsky.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETjixtycxxey.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETjlmwmfqteo.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETmexuwofype.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETmpcwukmwiq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETnvxibrrimu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETnylbefvecq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETobylarsbtx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETpcysbrtkfg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETprxiefxran.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETxrecvspmbc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETxrrpipmpdw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETykrcfhisfu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETymyhirienh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETyyctfpyoib.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETeewxnsbs.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETrftrvsig.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#7 wes1584

wes1584
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 11 July 2009 - 06:23 PM

Forgot to mention that after Malware Scan had me reboot, stopzilla no longer detected the 2 skynet trojans. It just caught 185 search hijackers which I had stopzilla delete. It had me reboot and it didn't detect anything on login this time but I dunno if that means anything :thumbsup:

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:02 AM

Posted 11 July 2009 - 06:33 PM

The rootkit should have shown in the MBAM log, I suspect stopzilla grabbed it upon reboot, that's OK but look what it missed!

Run a complete scan with MBAM next please, disable stopzilla first, many malware helpers have you just uninstall it before they will start a cleanup.
Chewy

No. Try not. Do... or do not. There is no try.
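One way to check the point DaChew makes here about what each tool caught, as an added example that is not part of this thread and not a tool from RootRepeal or Malwarebytes: a Python script that parses the RootRepeal "Hidden/Locked Files" list and the MBAM "Files Infected" section, using constructed excerpts of the logs posted above, and reports which hidden files MBAM quarantined and which never appear in its log (the driver being absent is expected here, since it was wiped before the scan).

```python
"""Reconcile RootRepeal's "Hidden/Locked Files" list against an MBAM log.

Added example for this thread, not a tool from RootRepeal or Malwarebytes.
Inputs are constructed excerpts of the logs posted above. A file absent from
the MBAM log is merely unaccounted for: another tool may have wiped it first.
"""
import re

# Constructed excerpt of the RootRepeal report in post #4.
ROOTREPEAL_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\SKYNETeewxnsbs.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETkiqwhkym.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqanwlhvxie.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETkoscsrrv.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\etilqs_i0l9weox0rcomdqfaiye
Status: Allocation size mismatch (API: 32768, Raw: 0)
"""

# Constructed excerpt of the MBAM log in post #6 (note the mixed path case).
MBAM_LOG = r"""
Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\windows\temp\SKYNETqanwlhvxie.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETeewxnsbs.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

MBAM_FILE_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def normalise(path):
    """Windows paths are case-insensitive, and MBAM mixes case within one log."""
    return path.replace("/", "\\").lower()


def parse_rootrepeal(text):
    """Return [(path, status), ...]; each entry is a 'Path:' line then a 'Status:' line."""
    entries, path = [], None
    for line in text.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            entries.append((path, line[len("Status: "):].strip()))
            path = None
    return entries


def parse_mbam_files(text):
    """Return {normalised path: (detection name, action)} from 'Files Infected:'."""
    found, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Files Infected:"):
            in_section = True
        elif in_section:
            if not line.strip() or line.endswith(":"):
                break  # section ends at a blank line or the next header
            m = MBAM_FILE_RE.match(line)
            if m:
                found[normalise(m["path"])] = (m["name"], m["action"])
    return found


def reconcile(rootrepeal_text, mbam_text):
    """Split hidden files into MBAM-quarantined vs never reported; flag drivers."""
    quarantined = parse_mbam_files(mbam_text)
    report = {"quarantined": [], "unaccounted": [], "drivers_unaccounted": []}
    for path, status in parse_rootrepeal(rootrepeal_text):
        if not status.startswith("Invisible"):
            continue  # allocation-size mismatches are a different signal
        key = normalise(path)
        if key in quarantined:
            report["quarantined"].append(path)
        else:
            report["unaccounted"].append(path)
            if "\\drivers\\" in key and key.endswith(".sys"):
                report["drivers_unaccounted"].append(path)
    return report
```

Run against the full logs, the "unaccounted" bucket is the list a helper would want to follow up on before declaring the machine clean.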

#9 wes1584

wes1584
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 11 July 2009 - 08:39 PM

Okay I ran a malware full scan without having stopzilla running and nothing was detected :thumbsup:

Is there anything left?

Here were logs:

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 2

7/11/2009 8:14:57 PM
mbam-log-2009-07-11 (20-14-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 143710
Time elapsed: 58 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:02 AM

Posted 11 July 2009 - 09:20 PM

That should be it, unless you have any symptoms left?

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
Chewy

No. Try not. Do... or do not. There is no try.

#11 wes1584

wes1584
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 11 July 2009 - 09:42 PM

Yeah all symptoms seem to be gone. :flowers:

Also, when all the symptoms first appeared I couldn't even do a system restore. It wouldn't let me click anything on the calendar at all even in safe mode. But I seem to be able to access it now which is a good sign.

I made a new restore point and did disk cleanup like you said. I must confess, after reading about how bad skynet had messed up other people's PCs, I thought removing it would be a long grueling process. But I suppose I got lucky or something because it wasn't as bad as I thought.

Thanks so much for your help I really do appreciate it. Maybe now if I ever encounter anyone else with the same problems I can point them in the right direction as well :thumbsup:


Cheers
