
Can not remove hidden service SKYNETevvuvjap.sys



#1 quacthulhu (Members, 3 posts)

Posted 12 July 2009 - 12:49 AM

I'm having trouble with the SKYNET trojan. While I've already used RootRepeal to wipe out the drivers, stealth objects, and related items that came with it, one file remains stubbornly clinging to my system. I've tried killing it with FileASSASSIN and it's still there. I've tried wiping it twice with RootRepeal and it's still there. I've used ATF Cleaner, TFC, and CCleaner to wipe out everything else, but SKYNETevvuvjap.sys just keeps remaining as a hidden service, ready to reinfect me...

No other scanner program has detected other issues. I have run:
AVG (free, latest version & updated) - nothing found.
SUPERAntiSpyware (updated) - found nothing, full scan.
HijackThis - nothing out of the ordinary (I'm not an expert, but I'm more advanced than the "usual" computer user and know what's what).
Spybot (always updated) - the only one to find anything; it only found the temp files that were infected with SKYNET, and every time they were wiped they were brought back, presumably by the hidden service or the stealth object DLLs (which have since been cleaned out via RootRepeal).

I have logs of my before-wipe RootRepeal scans, and of the state after cleaning everything except the SKYNETevvuvjap.sys hidden service. Everything was hidden from the Windows API (which is why nothing else really found anything).

So far this trojan has only given me majorly annoying browser redirects, and dropped Win32/Cryptor once (which was immediately cleaned out). I discovered after that that it was most likely working through my explorer.exe and an svchost.exe, so I blocked what I could through ZoneAlarm to keep more dangerous items from coming in. Of course, since the svchost file "multitasks" for browsing (Firefox) and other processes, I can't always bias which are needed and which are not, so things may still be slipping through. I need to nip this in the bud before something devastating happens to my system and I won't be able to undo the damage.

I am trying to avoid rolling back my system to a previous restore point, if only because I'm not sure when the infection began (my "fail-safe" plan was 1.5 months ago).

Edit: running Windows XP Home Edition.

Edit 2: forgot to mention: also tried MBAM (updated) and it also found nothing.

Edited by quacthulhu, 12 July 2009 - 01:00 AM.



#2 DaChew (Visiting Alien; Members, 10,317 posts)

Posted 12 July 2009 - 05:42 AM

You had the right tools, but you were using them in the wrong way.

Run RootRepeal in file scan only.

Right-click and wipe the file SKYNETevvuvjap.sys in the drivers folder.

There could easily be another similar CLB driver there also:

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Immediately reboot and let MBAM do the cleanup.
Chewy

No. Try not. Do... or do not. There is no try.

#3 quacthulhu (Topic Starter)

Posted 12 July 2009 - 12:08 PM

Except that the .sys file wasn't coming up under the file scan!

Happily, I've since been able to clear out that .sys file, but then another problem started up. Now my MBAM and SUPERAntiSpyware programs are picking up things. SAS found:
Rootkit.Agent/Gen
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD#start
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD#type
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD#group
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD#imagepath
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main#aid
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main#sid
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main#cmddelay
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main\delete
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main\injector
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main\injector#*
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\main\tasks
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\modules
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\modules#SKYNETrk.sys
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\modules#SKYNETcmd.dll
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\modules#SKYNETlog.dat
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\modules#SKYNETwsp.dll
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETHMPSUOOD\modules#SKYNET.dat
MBAM found:
Files Infected:
c:\WINDOWS\system32\SKYNETanvyedlo.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETwohlroil.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETqkqnsawy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETwpjnbdiv.dll (Trojan.Agent) -> Quarantined and deleted successfully.

RootRepeal did not find them. I cleaned once with both programs, then rebooted and scanned again, and SAS found a:
Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E78C983C-88EC-4ECF-9299-99E07E14A66E}\RP249\A0079371.SYS

which was then removed, and the system rebooted again.

I looked for the CLB driver through RootRepeal but nothing even similar came up.

However, the good news is that my subsequent scans are coming up clean and I'm getting no more redirects! But I'm still very worried that there's still something hidden, most likely in the registry, ready to re-drop stuff. I hate to use the analogy, but it's like the computer has cancer, received chemo for it, and now we're in the "watch and wait" stage. I'm still trying to figure out how any trojan got on my computer; I don't download attachments (or even receive them), I don't go to questionable sites (adult or otherwise); all I can think of is that it got through via some ad on failblog.org that triggered Spybot and AVG to prompt me to "GTFOutta there" (in more or less words).

What are MBAM, SAS, and RootRepeal's track records with removing Rootkit.Agent/Trojan.Agent? A search showed the outlook wasn't that rosy (others having lots of trouble uprooting it).

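The thread turns on one discrepancy: the SKYNET service and its driver existed in the registry and on disk but were filtered out of what the Windows API returned, which is why AVG, MBAM and HijackThis saw nothing while RootRepeal, reading the structures directly, did. The following is an added example, not code from this thread or from any of the tools named in it. It parses a constructed .reg export whose key paths follow the SKYNETHMPSUOOD entries SAS reported above (the value data, such as Start, ImagePath and module paths, is assumed for illustration and was not taken from the infected machine), compares the services the registry defines against a constructed list of what the Service Control Manager returned, and flags the TDSS-style main\injector and modules subkeys under any service that is missing from the API view.

```python
"""Cross-view check: services in the registry vs. services the API reports.

Added example, not from the thread. A service defined under
HKLM\SYSTEM\CurrentControlSet\Services that the SCM enumeration does not
return is the kind of discrepancy a rootkit detector surfaces.
"""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample export. Key paths follow the SAS findings in the thread;
# all value data is assumed for illustration, not taken from the real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SKYNETHMPSUOOD]
"Type"=dword:00000001
"Start"=dword:00000001
"Group"="file system"
"ImagePath"="\\systemroot\\system32\\drivers\\SKYNETevvuvjap.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SKYNETHMPSUOOD\main]
"aid"="00000000"
"sid"="00000000"
"cmddelay"=dword:00000e10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SKYNETHMPSUOOD\main\injector]
"*"="SKYNETcmd.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SKYNETHMPSUOOD\modules]
"SKYNETrk.sys"="\\systemroot\\system32\\drivers\\SKYNETevvuvjap.sys"
"SKYNETcmd.dll"="\\systemroot\\system32\\SKYNETqkqnsawy.dll"
"SKYNETwsp.dll"="\\systemroot\\system32\\SKYNETwpjnbdiv.dll"
"""

# Constructed API view: what the SCM returned. The rootkit's hook filters
# its own service out, so SKYNETHMPSUOOD is absent.
API_VIEW = ["Beep"]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles only what is needed here: [key] headers, "name"=data lines and
    the default value @=. String data is unquoted with its \\ escapes
    collapsed; dword:/hex: data is kept as the raw token.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def registry_services(keys):
    """Service names are the direct children of the Services key."""
    prefix = SERVICES_ROOT.lower() + "\\"
    return {p[len(prefix):].split("\\", 1)[0]
            for p in keys if p.lower().startswith(prefix)}


def hidden_services(keys, api_view):
    """Services the registry defines but the API enumeration did not return."""
    api = {s.lower() for s in api_view}
    return {s for s in registry_services(keys) if s.lower() not in api}


def tdss_indicators(keys, service):
    """Subkeys under one service matching the layout SAS reported:
    a main\\injector subkey and a modules subkey naming .sys/.dll parts."""
    lower = {k.lower(): v for k, v in keys.items()}
    base = (SERVICES_ROOT + "\\" + service).lower()
    found = []
    if base + "\\main\\injector" in lower:
        found.append("main\\injector subkey (DLL injection targets)")
    comps = [n for n in lower.get(base + "\\modules", {})
             if n.lower().endswith((".sys", ".dll"))]
    if comps:
        found.append("modules subkey lists " + ", ".join(sorted(comps)))
    return found


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for svc in sorted(hidden_services(reg, API_VIEW)):
        print("[!] %s: in registry, not returned by the API" % svc)
        for ind in tdss_indicators(reg, svc):
            print("    - " + ind)
```

The caveat is the one the original poster ran into: on a live infected machine the registry export itself goes through the same hooked API, so the .reg side of the comparison may already be filtered. The comparison is only trustworthy when the registry view comes from something that bypasses the hooks, such as a tool that parses the hive files directly or an export taken after booting from clean media.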
#4 DaChew

Posted 12 July 2009 - 12:38 PM

For future reference, once infected, programs like AVG or TeaTimer cause more harm than good till the infection is removed.

Too many cooks spoil the soup, etc.
Chewy

No. Try not. Do... or do not. There is no try.

#5 quacthulhu (Topic Starter)

Posted 13 July 2009 - 01:58 AM

    For future reference, once infected, programs like AVG or TeaTimer cause more harm than good till the infection is removed.

    Too many cooks spoil the soup, etc.

Yes, I realized this. So I had TeaTimer off the entire time while trying to remove that stuff :thumbsup: AVG is a pain to get to shut down completely once it's already booted up (the watchdog doesn't like to fully stop, and its related processes can't be killed either; it wouldn't even go down through Administrative Tools).

Frankly, getting all this junk out of the computer has only been time-consuming and annoying, because of having to wait for scans, then rebooting each time something was found/quarantined. I've lost most of my free time this weekend because of it (and that's almost all the free time I ever get from work). Thankfully, I keep my Windows system & main program folders on a separate partition, so limiting scans to that isn't as long as it could be (and before someone freaks out, yes, the entire hard drive was scanned, but for urgent care the scans were limited to my root).

I'll be doing the "watch and wait" approach for a while, although for now the system seems clean. If something related pops back up, I'll either amend to this topic or start a new thread with a link to this one. Thanks for the support! Hope for the best!
