
Overclick.cn [Moved]



#1 dgeissler

  • Members
  • 6 posts

Posted 21 July 2009 - 11:04 PM

Hi,

When I search in Google and click a result the link is redirected to the wrong site. Very frustrating. It appears to be the dreaded Overclick.cn malware infestation. I tried to run MalwareBytes and it did not fix the problem... which is surprising because it usually removes most malware issues. Reports I read to fix the problem directed me here and suggested running ComboFix. Per the site policies, I am waiting for some expert assistance before running the software.
System info... running WinXP SP2 with Symantec Endpoint Protection for anti-virus protection.

Thank you in advance for all your help.

Don



#2 Orange Blossom (OBleepin Investigator)

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 21 July 2009 - 11:23 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 dgeissler (Topic Starter)

  • Members
  • 6 posts

Posted 21 July 2009 - 11:39 PM

Sorry Orange Blossom... didn't realize I posted to the wrong forum. My bad.
Thanks
Don

#4 boopme (To Insanity and Beyond)

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 July 2009 - 11:48 PM

Hello Don, I would like to run a few tools.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
****************

Next, please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 dgeissler (Topic Starter)

  • Members
  • 6 posts

Posted 22 July 2009 - 08:53 AM

Hi boopme,

As instructed, I ran the tools. Here are the requested logs. Thanks for checking into this. Don

GooredFix:
--------------
GooredFix by jpshortstuff (12.07.09)
Log created at 08:23 on 22/07/2009 (kboudrea)
Firefox version [Unable to determine]

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{F1D3EBF9-56D4-4F5A-86A0-DA7FA868CEDB} -> Success!
Deleting C:\Documents and Settings\kboudrea\Local Settings\Application Data\{F1D3EBF9-56D4-4F5A-86A0-DA7FA868CEDB} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [16:04 03/06/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [13:34 20/07/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:37 20/07/2009]

-=E.O.F=-



RootRepeal:
--------------
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/22 08:27
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4752000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB8650000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB265B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETtrrqjyou.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETtrrqjyou.sys
Address: 0xB4ADB000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xB25A1000 Size: 8960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETbocidayk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETcvbfpbbx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETevvcqtmn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETwfimrmkt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISDel.exe
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISTMP0.DIR
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISTMP1.DIR
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISTMP2.DIR
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISTMP3.DIR
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_Setup.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_sys1.cab
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_sys1.hdr
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_user1.cab
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_user1.hdr
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\{2EDA9289-CCA7-11D7-8466-00D0B726B56E}
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\~nsu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETajpboyplxh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcoprpidcbg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeyrpmpndre.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkbbqymuifk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmydengirrm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETprxiedspwh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETstrpfhqfpy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETviqbqrfnuj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_inst32i.ex_
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SNDunin.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Software Update for Web Folders (KB907306) (0).log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\srtUnin.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SYMEVENT.LOG
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\T30DebugLogFile.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Temporary Internet Files
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UpdateAgent.bat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UpdateAgent.msi
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WGAErrLog.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WPDNSE
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\xpdplat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfjyjqlleot.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfpgupuuynv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfresxvnikq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfuinlxqnxs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfybhwbiovo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfymyrofamt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETgfdeqmcbhr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETgniebyfjxf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETgqhiucosoi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETgwkipyhcxn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEThkknejgouh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEThqowpsyjft.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETibkywmbvvx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETidoidkllqn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETiecgcjcgtn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETimrqiuonav.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETiovqxusspb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETirjuqaavgm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETixtgvoqowj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjgfqkrfura.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjkapfcylhs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjnwspgopym.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjpcswbfami.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjrrieohtqx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjxayxrljpq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpxuoefvmpb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpyriwwostb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqgodnhlxvn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqhosixrnfv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqpxcciqxar.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqrnpuaebvs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqrxnmebvtp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqswjkesdxr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqwlfsbgeni.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqypsvovbeq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrbqmbcpqmx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrkyxjrsqcn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrnvnstbdic.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETroejwexogm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrrypfqqmnb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrwcvihbgcx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrxtqbwajwk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsecbirqqdj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsingewmxnj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETskbduoskym.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsqvtxvnide.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETstplwvkyub.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETstrdmduhpu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkiysknhtnr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkobbfpmbid.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlatijyqrpt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETldnnpxerqa.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETllopoasrxr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlnkikospwt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmctsenppbs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmdwofthtse.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmijlhuylor.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmjhpjgjbhu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmkgaisenti.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmkwcvbymbf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmotoiewgaq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmpetusibid.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmsdqfmfbkb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmxibfqxeow.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmxlkiqmqal.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmxxegbrgbb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsxelicvxfh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtablyimuij.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtcygexylbd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtiotsixfuf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtiqqycrirb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtoduumftld.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETttpogwujfq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtxjpwtiqys.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETufbdmectce.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETufhloievji.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETujlhssmuty.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETumiqdxnfnv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuouomcvpec.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuxftchhbcn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuyqqaworxt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETalniulhugs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETapxxrhcrit.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbcrsbxegnw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbdoqajdklm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbluenxennl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbmytvvtphe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbomlubdrtc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbosiclcfrs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbvxetrvlnk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbxqfsixvxo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcbjynomsmq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETccqoefpciq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcdxgsjnfya.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETchxytptxju.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcimccdtiks.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnadhpkxegp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETncycbcxtrp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETniikwoimik.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnjwoseqvmc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnngyjupcjy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnnskrmkfjd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToavnforevx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETofsvcgadxp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToitlrovktw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToqklpjuiiu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETorncvbotpe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETouveixwioo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToxcxkvwxip.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToylnqdnvtw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpcswremnwu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpfxdwnuutk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpidxyyarik.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvnsqibvput.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvrxbediqov.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvxylbwrtfd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETweecimueom.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwkluraxiuj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwljtuecjoh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxbmmxrnosw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxfsuapnatb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxisvjwjnmw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxjjqqomkgr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxvxpwdlbks.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxwivttboci.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETydepmlaibc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETykbbofteey.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETytwsecjrlw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETctydsgrxri.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcxayuicqpf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcywlqsixfx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETddfnmcxrxe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdliaqjvagg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdutvxhjrqj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdwfhwhxrpo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdypfyhlidi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETecqfvscpmj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETefdxphnjyx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeljoxmioyv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETenpwtqdpfv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETenymfxigoi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETetmpncwbdx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeuicattbym.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETtrrqjyou.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: winlogon.exe (PID: 1768) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: services.exe (PID: 1816) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: lsass.exe (PID: 1828) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETcvbfpbbx.dll]
Process: svchost.exe (PID: 124) Address: 0x008d0000 Address: 57344

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 124) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 292) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 584) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 816) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 1024) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: WLTRYSVC.EXE (PID: 1660) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: bcmwltry.exe (PID: 1684) Address: 0x00cf0000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: brsvc01a.exe (PID: 968) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: brss01a.exe (PID: 1012) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: spoolsv.exe (PID: 1028) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: SCardSvr.exe (PID: 1132) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 520) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: AsfIpMon.exe (PID: 668) Address: 0x00660000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: cvpnd.exe (PID: 1140) Address: 0x00cf0000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: jqs.exe (PID: 184) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: MDM.EXE (PID: 452) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: ntmulti.exe (PID: 2072) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: nvsvc32.exe (PID: 2276) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: GravitixService.exe (PID: 2292) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 2312) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: PSIService.exe (PID: 2348) Address: 0x00810000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: StacSV.exe (PID: 2528) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: svchost.exe (PID: 2632) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: tcsd_win32.exe (PID: 2768) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: uphclean.exe (PID: 2812) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: dllhost.exe (PID: 2852) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: dllhost.exe (PID: 3276) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: alg.exe (PID: 3776) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: Explorer.EXE (PID: 6056) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: Apoint.exe (PID: 3172) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: rundll32.exe (PID: 4312) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: RUNDLL32.EXE (PID: 4820) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: ApMsgFwd.exe (PID: 880) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: stsystra.exe (PID: 4580) Address: 0x00950000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: docmgr.exe (PID: 2536) Address: 0x00a10000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: HidFind.exe (PID: 276) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: SecureUpgrade.exe (PID: 2452) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: WLTRAY.exe (PID: 2240) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: KADxMain.exe (PID: 4808) Address: 0x00970000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: PDVDDXSrv.exe (PID: 676) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: Apntex.exe (PID: 4640) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: UltraMon.exe (PID: 4176) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: pddm.exe (PID: 2912) Address: 0x003f0000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: realsched.exe (PID: 4896) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: GoogleToolbarNotifier.exe (PID: 3168) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: isyssc.exe (PID: 6076) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: wmiprvse.exe (PID: 2916) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: RootRepeal.exe (PID: 4452) Address: 0x10000000 Address: 32768

Hidden Services
-------------------
Service Name: SKYNETuiyqboet
Image PathC:\WINDOWS\system32\drivers\SKYNETtrrqjyou.sys

==EOF==
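
The RootRepeal report above is long enough that reading it by hand is error-prone, so here is an added example (not from the thread and not RootRepeal's own tooling): a small Python parser for the report format as posted, which extracts what a responder actually wants from it, the drivers and files hidden from the Windows API, the process list the hidden module was injected into, and the hidden service whose image is the hidden driver. The embedded sample is a constructed excerpt of the posted log; section and field names follow the posted format, including the "Image Path" line that appears without a colon.

```python
import ntpath
import os.path
import re
from collections import defaultdict

# Constructed excerpt modelled on the RootRepeal report posted above; the real
# report lists a few hundred more SKYNET*.tmp files and injected processes.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: SKYNETtrrqjyou.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\SKYNETtrrqjyou.sys
Address: 0xB4ADB000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\SKYNETcvbfpbbx.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\Temp\\SKYNETajpboyplxh.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: winlogon.exe (PID: 1768) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETevvcqtmn.dll]
Process: services.exe (PID: 1816) Address: 0x10000000 Address: 32768

Hidden Services
-------------------
Service Name: SKYNETuiyqboet
Image PathC:\\WINDOWS\\system32\\drivers\\SKYNETtrrqjyou.sys

==EOF==
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "Stealth Objects", "Hidden Services"}
# The posted log prints "Image PathC:\..." with no colon, so the colon is optional.
KEY_RE = re.compile(r"^(Name|Image Path|Path|Status|Object|Process|Service Name):?\s*(.*)$")
PROC_RE = re.compile(r"^(?P<image>\S+) \(PID: (?P<pid>\d+)\)")
MODULE_RE = re.compile(r"\[Name: ([^\]]+)\]")


def parse_report(text):
    """Split the report into {section: [record, ...]}, one record per blank-line-separated block."""
    sections, current, record = defaultdict(list), None, {}
    for line in text.splitlines():
        line = line.rstrip()
        if line in SECTIONS:
            current, record = line, {}
        elif current is None or line.startswith("-----"):
            continue                       # header text before the first section, or a rule
        elif not line:
            if record:
                sections[current].append(record)
            record = {}
        elif (m := KEY_RE.match(line)):    # unknown keys (Address/Size/...) are skipped
            record[m.group(1)] = m.group(2).strip()
    if record:
        sections[current].append(record)
    return sections


def summarize(sections):
    """Pull out what is hidden and cross-reference it the way a responder would."""
    drivers = [r["Name"] for r in sections["Drivers"] if "Hidden" in r.get("Status", "")]
    files = [r["Path"] for r in sections["Hidden/Locked Files"]
             if "Invisible" in r.get("Status", "")]          # merely locked files are normal
    injected = defaultdict(list)                            # module -> [(process, pid), ...]
    for r in sections["Stealth Objects"]:
        mod, proc = MODULE_RE.search(r.get("Object", "")), PROC_RE.match(r.get("Process", ""))
        if mod and proc:
            injected[mod.group(1)].append((proc.group("image"), int(proc.group("pid"))))
    services = [(r["Service Name"], r.get("Image Path", "")) for r in sections["Hidden Services"]]
    # A hidden service whose image is itself a hidden driver is the persistence hook.
    backed = [name for name, path in services if ntpath.basename(path) in drivers]
    # The shared filename prefix of everything hidden is the family's naming pattern.
    names = drivers + [ntpath.basename(p) for p in files] + list(injected) + [n for n, _ in services]
    return {
        "hidden_drivers": drivers,
        "invisible_files": files,
        "injected_modules": dict(injected),
        "hidden_services": services,
        "driver_backed_services": backed,
        "name_prefix": os.path.commonprefix(names),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full posted report, the same code yields one hidden driver, a few hundred invisible files, one module present in roughly fifty processes, and one driver-backed hidden service, which is exactly the set boopme asks to wipe in the next post.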

#6 boopme (To Insanity and Beyond)

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 July 2009 - 12:55 PM

Ok, that was good. Now do this and MBAM should run and remove the rest.

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\SKYNETcvbfpbbx.dll
C:\WINDOWS\system32\SKYNETevvcqtmn.dll
C:\WINDOWS\system32\drivers\SKYNETtrrqjyou.sys

Then use your mouse to highlight each one in the Rootrepeal window.
Next, right mouse click on it and select the *wipe file* option only.
Then immediately reboot the computer.

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

How is it running now?

#7 dgeissler (Topic Starter)

  • Members
  • 6 posts

Posted 22 July 2009 - 03:51 PM

Alrighty... performed the steps... and here is the MBAM log.

---
Malwarebytes' Anti-Malware 1.39
Database version: 2481
Windows 5.1.2600 Service Pack 2

7/22/2009 3:28:00 PM
mbam-log-2009-07-22 (15-28-00).txt

Scan type: Quick Scan
Objects scanned: 105026
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 139

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\SKYNETajpboyplxh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETcoprpidcbg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETbocidayk.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETwfimrmkt.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETcvbfpbbx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETevvcqtmn.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETtrrqjyou.sys (Trojan.Agent) -> Quarantined and deleted successfully.

---

The computer seems to be running well... I performed a Google search and clicked on 6 or 7 links without being redirected to bogus sites!! *cheers*
Thanks for all your help in killing this trojan. Is SKYNET the same as or related to Overclick?

Please, let me know if there are any further steps to perform.

Don
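An added example, not from the thread and not a Malwarebytes tool: a small Python triage script for result lines in the format pasted above (`path (DetectionName) -> action`). It runs on a constructed sample rather than the real log, counts hits per detection name and directory, flags driver (.sys) entries as a kernel-mode component, lists anything not yet fully removed, and extracts the filename prefix the dropped files share.

```python
import ntpath
import os
import re
from collections import Counter

# One Malwarebytes result line, e.g.
#   c:\WINDOWS\Temp\SKYNETabcdefghij.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
# Groups: drive-letter path, detection name in parentheses, action after "->".
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

CLEAN_ACTION = "Quarantined and deleted successfully"

# Constructed sample in the same format as the log pasted in the thread
# (hypothetical file names, not the thread's own entries).
SAMPLE_LOG = r"""
Files Infected:
c:\WINDOWS\Temp\SKYNETaaaaaaaaaa.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETbbbbbbbbbb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETcccccccc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETdddddddd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETeeeeeeee.dat (Trojan.Agent) -> Delete on reboot.
"""


def parse_mbam(text):
    """Return one dict (path, name, action) per result line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Triage facts a helper would want from a pasted log."""
    basenames = [ntpath.basename(e["path"]) for e in entries]
    return {
        # Hits per detection name (Trojan.TDSS, Trojan.Agent, ...).
        "by_name": Counter(e["name"] for e in entries),
        # Where the files lived; a system32 hit matters more than one in Temp.
        "by_dir": Counter(ntpath.dirname(e["path"]).lower() for e in entries),
        # A .sys under drivers\ means a kernel-mode component was loaded, so the
        # backdoor advice (reset credentials from a clean machine) applies.
        "kernel_drivers": [e["path"] for e in entries if e["path"].lower().endswith(".sys")],
        # Anything not fully removed still needs the reboot (or a rescan) to confirm.
        "pending": [e["path"] for e in entries if e["action"] != CLEAN_ACTION],
        # Random names sharing one fixed prefix (here SKYNET) point to a single dropper.
        "name_prefix": os.path.commonprefix(basenames) if basenames else "",
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```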

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:06 PM

Posted 22 July 2009 - 08:14 PM

Hello. First, a word about the trojan you have found. A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking, financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.


Please do these so we can see how clear you are.
Run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed, etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please ask any needed questions, post the 2 logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#9 dgeissler

dgeissler
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 23 July 2009 - 03:00 PM

Hi boopme,

Followed the directions... But, I was unable to login to Safe Mode with my domain user account. Instead I logged in as local administrator and ran SuperAntiSpyware scan in Safe Mode.
Super found several ad-aware and cookie items which it removed. After rebooting into normal mode with my domain user account... I ran SuperAntiSpyware to retrieve the logs... but there were none. Not sure where the log went or where to find it. Are the logs associated with the logged-in user?

Anyway... here is the MalwareBytes log.

MBAM log:
-----------------
Malwarebytes' Anti-Malware 1.39
Database version: 2489
Windows 5.1.2600 Service Pack 2

7/23/2009 2:02:09 PM
mbam-log-2009-07-23 (14-02-09).txt

Scan type: Quick Scan
Objects scanned: 111084
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------

The computer seems to be running well now... most importantly... no redirected links as of yet.
Should I remove/uninstall the software... (GooredFix, RootRepeal, ATF_Cleaner, SuperAntiSpyware)?

Thanks,
Don

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:06 PM

Posted 23 July 2009 - 03:34 PM

Hello, sometimes this happens with SAS and it comes back after a shut down and reboot. Also it sometimes shows up in the Admin or other user account. I don't know why.

Yes, you can remove all the tools if there are no more signs of infection. Then...

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#11 dgeissler

dgeissler
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 24 July 2009 - 12:55 PM

Hi boopme!

All done. Thank you so much for all your help and assistance with removing the Trojan. I really appreciate it!!

Cheers!
Don

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:06 PM

Posted 24 July 2009 - 02:36 PM

You're most welcome, Don. Please take a moment to read quietman7's excellent prevention tips in post 17 here:
Click>> Tips to protect yourself against malware and reduce the potential for re-infection