
Rogue Antivirus program


31 replies to this topic

#1 fredp333


Posted 09 August 2009 - 02:29 AM

Hello,

I am running a Dell Inspiron E1705 with Windows XP. I was recently browsing using Mozilla and encountered a nasty virus. I have a blue screen replacing my desktop background with the message "Your system is infected! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommeded (sic) to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed"

I started getting new programs running in the taskbar, all with the red shield-icon (similar to security center) with a white X. The first thing I did was close Mozilla, then run Malwarebytes' Anti-Malware. It would not open. Then I tried to run Spybot-Search and Destroy, it wouldn't run either. Then my cpu was frozen so I had to manually turn it off. When it restarted, I tried Malwarebytes' again, no luck..the hourglass appears but the program doesn't open. Then I tried to restart in safe mode. I was able to get into safe mode once, but when I tried Malwarebytes' again, it didn't run. So I restarted in normal mode and tried searching for solutions online. The next time I tried Safe Mode I got a blue-screen error message and it comes back every time I try safe mode.

I was locked out of the task manager, I used RegEdit and deleted the two registry entries that were removing my access so I can get into Taskmgr now. I also removed the registry entries for "Advanced Antivirus Remover" which is what I thought the name of the virus was, based on searching for the specific verbage in the popup windows and on my desktop background.

I tried restarting without the startup items, but when it restarts the same problem occurs. I have also tried disabling system restore (after unsuccessfully trying to restore to a previous point--it said there were no changes).

I have tried to download new versions of malwarebytes' software and superantispyware. When I open Mozilla, it usually works for a few seconds, then it will freeze up and stop responding. Randomly, two internet explorer windows will open (one for www.newgoldencasino.com/global/etc...... and one for online555casino.com or something like that). I have the Malwarebytes' Anti-malware installer file on my desktop, but when I run it it doesn't ever open the program for me. It will install, get to the "extracting files" stage then take about 10 minutes to finish the installation. The "run Malwarebytes' anti-malware" box is checked but it will not open the program.

I am pretty tech-savvy but am in waaaay over my head here, any help would be greatly appreciated.


#2 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,981 posts, Romania)

Posted 09 August 2009 - 07:27 AM

Hi fredp333, and :thumbsup: to BleepingComputer!

Those rogues are getting pretty creative in preventing you from running any removal tools!

Since you mention you have the MBAM installer on your desktop, please rename it to winlogon.exe and double click on it in order to install MBAM.

Now, instead of launching the program, after it is installed, browse to the folder in which the mbam executable is located (default c:\Program Files\malwarebytes' Anti-Malware\mbam.exe) and rename it to winlogon.exe as well.

Now start the program by double clicking the renamed file. First update it and after that run a full system scan.

If you need more detailed instructions, please let me know.

Please post the results back in your next reply!

Edited by elise025, 09 August 2009 - 07:29 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 fredp333


Posted 09 August 2009 - 10:54 AM

Thank you for the reply, I really appreciate the help.

This morning, when starting up my laptop, I was given the "Windows did not close correctly" screen and given options for startup, I chose "Start Windows Normally."

I am about to try your advice but I want to point out that I already have MBAM installed--I'm hoping this will install a new version that I can modify, because I have tried to rename my existing MBAM program and run it without success.

I re-named the MBAM installer and ran it, it ran fine until the "Extracting Files" phase, where it stayed for several minutes without the bar moving. Then it took forever on the "Finishing Installation" phase. It's still on the Finishing Installation phase, been about 20 minutes. The rogue software keeps opening popups at the bottom of my screen during this, so I know the screen isn't frozen. I'll just wait this out and reply if and when the installer finishes.

#4 fredp333


Posted 09 August 2009 - 10:59 AM

Ok, naturally once I posted that reply the installer finished. So I unclicked the two boxes to update/run the program, got into the program file, renamed my MBAM file winlogon.exe, and tried to open it. The MBAM file I renamed is not listed as an .exe file, it just says MBAM on the top line, then Malwarebytes' Anti-Malware on the second line, then Malwarebytes Corporation on the bottom. No luck so far, when I double click the file the hourglass appears for about 5 seconds but nothing opens. I have tried a couple of times. Any suggestions?

#5 Elise


Posted 09 August 2009 - 11:22 AM

right click on that file, select rename, rename it to winlogon.exe, press enter, and try double clicking it now

If this won't work, try it in safe mode.

regards, Elise



#6 fredp333


Posted 09 August 2009 - 11:36 AM

It wouldn't work, just brought up the hourglass for a few seconds then stopped working.

The problem is I can't get into Safe Mode. I just tried to restart into safe mode and got a blue screen message saying "A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK/F to check for hard drive corruption, and then restart your computer.
Technical information: ***STOP: 0x00000007B (0xF7902524, 0xc000034, 0x00000000, 0x00000000)"

This happened all last night when I tried to get into safe mode using F8 on startup.

#7 Elise


Posted 09 August 2009 - 11:41 AM

I was just editing my last post, but you answered already, so instead I post here :thumbsup:

Try running MBAM using start > run. Browse to the executable and click Run. If it doesn't work, just skip it, we will think of something else.

Also, I think we should do a rootkit scan.

ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

regards, Elise



#8 fredp333


Posted 09 August 2009 - 12:26 PM

OK, using Run and browsing to the file actually opened the program, YAY! The program would not update, each time it did it encountered an error and closed on its own. So I ran a full scan. 64 infected objects, I removed all of them, some were put in the delete on reboot folder. I will post the log in my next reply, as I am using another computer to read this thread. I will restart now.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/9/2009 10:23:58 AM
mbam-log-2009-08-09 (10-23-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196308
Time elapsed: 34 minute(s), 52 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 20
Registry Values Infected: 7
Registry Data Items Infected: 10
Folders Infected: 2
Files Infected: 21

Memory Processes Infected:
C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aec (Rootkit.Bezopi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\aec (Rootkit.Bezopi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec (Rootkit.Bezopi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msupdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Delete on reboot.

Files Infected:
C:\WINDOWS\msupdate.exe (Worm.Emold) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fredo\Local Settings\Temp\rdl1.tmp (Rootkit.Bezopi) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\aec.sys (Rootkit.Bezopi) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Delete on reboot.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Fredo\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fredo\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\rdlA.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
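To read a log like the one above systematically, here is an added Python example (not from the thread and not Malwarebytes' code) that parses the MBAM log layout and groups detections by persistence mechanism, lockout policy and pending-reboot state; the excerpt embedded in it is constructed from entries posted above.

```python
import re
from collections import Counter

# Constructed excerpt of a Malwarebytes' Anti-Malware 1.40 log in the layout
# posted in this thread; the real log above has many more entries.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40

Memory Processes Infected: 2
Registry Data Items Infected: 3

Memory Processes Infected:
C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec (Rootkit.Bezopi) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")       # 'Files Infected:'
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Registry locations that relaunch malware after a reboot (persistence).
PERSISTENCE = {
    "\\winlogon\\userinit": "Userinit hijack: started by winlogon at every logon",
    "\\currentversion\\run\\": "Run-key autostart",
    "\\services\\": "service/driver registration",
    "\\windows\\tasks\\": "scheduled task",
}
# Policies the rogue sets to lock the user out of removal tools and the desktop.
EVASION = {
    "disabletaskmgr": "Task Manager disabled by policy",
    "nochangingwallpaper": "wallpaper locked to the fake warning screen",
}

def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line.rstrip())
        if m:                                   # the count-less header opens a section
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line.rstrip()) if section else None
        if m:
            entries.append({"section": section, **m.groupdict()})
    return entries

def triage(entries):
    """Group detections by what they tell a responder."""
    report = {"persistence": [], "evasion": [], "pending_reboot": [], "families": Counter()}
    for e in entries:
        key = e["item"].lower()
        report["families"][e["family"]] += 1
        for marker, why in PERSISTENCE.items():
            if marker in key:
                report["persistence"].append((e["item"], why))
                break
        for marker, why in EVASION.items():
            if marker in key:
                report["evasion"].append((e["item"], why))
                break
        if "delete on reboot" in e["action"].lower():  # still present until restart
            report["pending_reboot"].append(e["item"])
    return report

def userinit_extras(entries):
    """Programs appended to Winlogon\\Userinit besides userinit.exe; each runs at every logon."""
    extras = []
    for e in entries:
        m = BAD_GOOD_RE.search(e["action"])
        if not e["item"].lower().endswith("\\winlogon\\userinit") or not m:
            continue
        for prog in m.group("bad").split(","):
            prog = prog.strip()
            if prog and not prog.lower().endswith("userinit.exe"):
                extras.append(prog)
    return extras

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    rep = triage(found)
    print(f"{len(found)} detections, {len(rep['pending_reboot'])} pending reboot")
    for item, why in rep["persistence"] + rep["evasion"]:
        print(f"  {why}: {item}")
    print("Extra Userinit programs:", userinit_extras(found))
```

The Userinit check is the one worth running after any cleanup: a program left in that value restarts at the next logon regardless of how many Run keys were removed.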

#9 Elise


Posted 09 August 2009 - 12:31 PM

You can manually download the MBAM latest definitions from here

Double click that file (if necessary, rename it to winlogon.exe) to install the latest definitions.

That's quite some stuff MBAM found. Please run RootRepeal following the steps from my previous post and post the report here.

Edited by elise025, 09 August 2009 - 12:35 PM.

regards, Elise



#10 fredp333


Posted 09 August 2009 - 12:50 PM

Thanks so much! Here's the RootRepeal log

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 10:39
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: arbaifhe.sys
Image Path: C:\WINDOWS\system32\drivers\arbaifhe.sys
Address: 0xF7551000 Size: 61440 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE429000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A09000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA7A8000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETlnepqita.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETlnepqita.sys
Address: 0xEE6B9000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UAChaudqhuelg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETmnatpptq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETorgjufvu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETqjialncl.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETrntdojnp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACkfjwyhkcur.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACkwixnmpvwh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmuhhonoeoi.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACohwmspxaip.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwxyplrqldd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxgejtkdprs.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa94b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbd7e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc53f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc9b3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACcf41.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACuwiilvleoy.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\qbcd77a.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETlnepqita.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Fredo\Local Settings\Temp\UACe109.tmp
Status: Invisible to the Windows API!

SSDT
-------------------
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "<unknown>" at address 0x86d0e4a0

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: winlogon.exe (PID: 860) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: services.exe (PID: 908) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: lsass.exe (PID: 920) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: Ati2evxx.exe (PID: 1120) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETorgjufvu.dll]
Process: svchost.exe (PID: 1144) Address: 0x008f0000 Size: 53248

Object: Hidden Module [Name: UACbd7e.tmptkdprs.dll]
Process: svchost.exe (PID: 1144) Address: 0x00990000 Size: 73728

Object: Hidden Module [Name: UAChaudqhuelg.dll]
Process: svchost.exe (PID: 1144) Address: 0x02f00000 Size: 45056

Object: Hidden Module [Name: UACkfjwyhkcur.dll]
Process: svchost.exe (PID: 1144) Address: 0x02f90000 Size: 49152

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1144) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1264) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1360) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: EvtEng.exe (PID: 1408) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: S24EvMon.exe (PID: 1520) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: WLKeeper.exe (PID: 1608) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: Ati2evxx.exe (PID: 1652) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1836) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: Explorer.EXE (PID: 1844) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1916) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: spoolsv.exe (PID: 312) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 440) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: AppleMobileDeviceService.exe (PID: 548) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: mDNSResponder.exe (PID: 580) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: ehRecvr.exe (PID: 612) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: ehSched.exe (PID: 656) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: NICCONFIGSVC.exe (PID: 732) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: RegSrvc.exe (PID: 1060) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1492) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: ViewpointService.exe (PID: 1792) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1992) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: mcrdsvc.exe (PID: 2096) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: wmiprvse.exe (PID: 2368) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: dllhost.exe (PID: 2616) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: alg.exe (PID: 2888) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: ctfmon.exe (PID: 3576) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: stsystra.exe (PID: 2460) Address: 0x00960000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: iTunesHelper.exe (PID: 2180) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: DLG.exe (PID: 2324) Address: 0x009c0000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: iPodService.exe (PID: 3056) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3864) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 3864) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: wuauclt.exe (PID: 3520) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAChaudqhuelg.dll]
Process: firefox.exe (PID: 124) Address: 0x011a0000 Size: 45056

Object: Hidden Module [Name: UACkfjwyhkcur.dll]
Process: firefox.exe (PID: 124) Address: 0x01890000 Size: 49152

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: firefox.exe (PID: 124) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAChaudqhuelg.dll]
Process: Iexplore.exe (PID: 2176) Address: 0x017a0000 Size: 45056

Object: Hidden Module [Name: UACkfjwyhkcur.dll]
Process: Iexplore.exe (PID: 2176) Address: 0x01850000 Size: 49152

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: Iexplore.exe (PID: 2176) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAChaudqhuelg.dll]
Process: RootRepeal.exe (PID: 4056) Address: 0x01780000 Size: 45056

Object: Hidden Module [Name: UACkfjwyhkcur.dll]
Process: RootRepeal.exe (PID: 4056) Address: 0x01940000 Size: 49152

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: RootRepeal.exe (PID: 4056) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86d09ad0 Size: 1332

Object: Hidden Code [Driver: Mup, IRP_MJ_CREATE]
Process: System Address: 0x86d09ad0 Size: 1332

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86d0c740 Size: 1715

Object: Hidden Code [Driver: RAW, IRP_MJ_CREATE]
Process: System Address: 0x86d09ad0 Size: 1332

Object: Hidden Code [Driver: FltMgr, IRP_MJ_CREATE]
Process: System Address: 0x86d09ad0 Size: 1332

Hidden Services
-------------------
Service Name: SKYNETnvpexmql
Image Path: C:\WINDOWS\system32\drivers\SKYNEThtputhwe.sys

Service Name: SKYNETokwxfira
Image Path: C:\WINDOWS\system32\drivers\SKYNETlnepqita.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACuwiilvleoy.sys

==EOF==
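As an added example (not from the thread and not RootRepeal's own code), the following Python parses this report layout and extracts the indicators behind the rootkit diagnosis given in the next reply: hidden drivers, files invisible to the Windows API, SSDT hooks, one DLL injected into many processes, patched driver dispatch entries, and hidden services whose image file is itself hidden. The excerpt embedded in it is constructed from entries in the log above.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpt in the RootRepeal 1.3.3.0 report layout, using
# entry names from the log posted above; the real report is far longer.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: SKYNETlnepqita.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETlnepqita.sys
Address: 0xEE6B9000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\UACuwiilvleoy.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "<unknown>" at address 0x86d0e4a0

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: winlogon.exe (PID: 860) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETrntdojnp.dll]
Process: svchost.exe (PID: 1144) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86d0c740 Size: 1715

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACuwiilvleoy.sys

==EOF==
"""

KEYS = ["Image Path", "File Visible", "Function Name", "Service Name", "Name",
        "Address", "Size", "Signed", "Status", "Path", "Process", "#"]
KEY_RE = re.compile(r"(?:^|(?<= ))(" + "|".join(map(re.escape, KEYS)) + r"): ")
MODULE_RE = re.compile(r"Hidden Module \[Name: ([^\]]+)\]")
CODE_RE = re.compile(r"Hidden Code \[Driver: ([^,]+), ([^\]]+)\]")
RULE_RE = re.compile(r"-{5,}")

def split_pairs(line):
    """'Address: 0x1 Size: 2' -> {'Address': '0x1', 'Size': '2'}; 'Object:' lines stay whole."""
    if line.startswith("Object: "):             # carries a bracketed 'Name:' of its own
        return {"Object": line[8:]}
    hits = list(KEY_RE.finditer(line))
    ends = [m.start() for m in hits[1:]] + [len(line)]
    return {m.group(1): line[m.end():end].strip() for m, end in zip(hits, ends)}

def parse_rootrepeal(text):
    """Return {section title: [record, ...]}; records are blank-line separated."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, current, record = {}, None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE_RE.fullmatch(lines[i + 1]):
            current = line                      # a title sits above a dashed rule
            sections[current] = []
        elif not line or line.startswith("=="):  # blank line or ==EOF== ends a record
            if record and current:
                sections[current].append(record)
            record = {}
        elif current and not RULE_RE.fullmatch(line):
            record.update(split_pairs(line))
    return sections

def triage(sections):
    """Pull out the indicators the TDSS diagnosis in this thread rests on."""
    out = {
        "hidden_drivers": [r["Name"] for r in sections.get("Drivers", [])
                           if "Hidden" in r.get("Status", "")],
        "invisible_files": [r["Path"] for r in sections.get("Hidden/Locked Files", [])
                            if "Invisible" in r.get("Status", "")],
        "ssdt_hooks": [r["Function Name"] for r in sections.get("SSDT", [])
                       if "Hooked" in r.get("Status", "")],
        "hidden_services": {r["Service Name"]: r["Image Path"]
                            for r in sections.get("Hidden Services", [])},
    }
    injected, patched = defaultdict(set), defaultdict(set)
    for r in sections.get("Stealth Objects", []):
        obj = r.get("Object", "")
        if m := MODULE_RE.search(obj):           # DLL injected into a process
            injected[m.group(1)].add(r["Process"])
        elif m := CODE_RE.search(obj):           # driver dispatch entry redirected
            patched[m.group(1)].add(m.group(2))
    out["injected_modules"] = {k: sorted(v) for k, v in injected.items()}
    out["patched_drivers"] = {k: sorted(v) for k, v in patched.items()}
    # A hidden service whose image file is itself invisible is the rootkit's own loader.
    out["loader_services"] = [s for s, p in out["hidden_services"].items()
                              if p in out["invisible_files"]]
    return out
```

Run `triage(parse_rootrepeal(SAMPLE_REPORT))` to see each indicator class; on the full log above the injected-module map shows the same DLL loaded into nearly every running process, which is what marks this as a system-wide rootkit rather than a single rogue executable.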

#11 Elise


Posted 09 August 2009 - 12:55 PM

Okay, you have a nasty TDSS rootkit infection there.

Please re-run RootRepeal, and go to the Drivers tab, click the Scan button.
After the results are shown, locate this file C:\WINDOWS\system32\drivers\SKYNETlnepqita.sys

Right click on the file and select Wipe

Now go to the Hidden services tab and click scan
Wipe the following two entries
Service Name: SKYNETnvpexmql
Image Path: C:\WINDOWS\system32\drivers\SKYNEThtputhwe.sys

and
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACuwiilvleoy.sys



Now reboot immediately and re-run MBAM, full scan. Please make sure you install the latest definitions (see my previous post). If you have trouble with it, run it just like that.

Please post the MBAM log and a fresh RootRepeal log (make that log after you finish MBAM).

Edited by elise025, 09 August 2009 - 12:57 PM.

regards, Elise



#12 fredp333


Posted 09 August 2009 - 01:01 PM

When I try to wipe the SKYNETnvpexmql Hidden Services file, it brings up an error message saying it cannot find the file on disk. Should I remove the other three and restart/run MBAM again nonetheless?

#13 Elise


Posted 09 August 2009 - 01:02 PM

Yes, as long as it tells you the file is not found you can just move on to the next.

Most likely the two hidden services both will tell you the file is not found, but I have to be sure.


Edit, some tiny explanation: this is a registry entry, not a file; the image path is referring to a file that may or may not be there.

Edited by elise025, 09 August 2009 - 01:04 PM.

regards, Elise



#14 DaChew (Visiting Alien, BC Advisor, 10,317 posts)

Posted 09 August 2009 - 01:05 PM

Is rootrepeal still open?
Chewy

No. Try not. Do... or do not. There is no try.

#15 fredp333


Posted 09 August 2009 - 01:06 PM

Ok got it, I am running a full scan now, it usually takes about 25-30 mins I'll post when it's done. Thanks again



