Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SKYNET and/or Win32/Rootkit.Agent.ODG trojan


  • This topic is locked This topic is locked
17 replies to this topic

#1 phoenixevanidus

phoenixevanidus

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 10 August 2009 - 01:49 PM

Hi!

My computer's defenses started going crazy last night, and after hours of trying to google up possible issues and finding myself continually redirected to ad sites, I did finally find rootrepeal, which revealed SKYNET issues. In addition, I had been using AVG, but deleted it in favor for using ESET's free trial. ESET revealed: Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean.

I don't know if they're they same thing or two separate issues, but I can't get rid of either.

I became aware of my issue when SpyBot alerted me that (something).exe (I don't remember what it was anymore, cme or something like that) was trying to run and SpyBot was trying to stop it, then next thing I know, the little windows shield has gone red and is telling me I'm infected and to "click here", then SOME antivirus-looking program started to run which I was NOT familiar with, so I closed it immediately. Found my desktop background changed to a huge picture warning me I was infected with something (no, really??)

From there, I had issues running both Ad-Aware and SpyBot, so I removed them and downloaded malwarebytes and SUPERAntiSpyware, as well as installed NoScript.

ESET, malewarebytes and SUPERAntiSpyware all found things and fixed them (no more wonky desktop background image), but rootrepeal is still showing SKYNET things in my system32 and system32 drivers folder, 6 things hooked in the SSDT scan, a ton of things in the stealthed scan, and ESET is left looking at the Win32/Rootkit like a sad, helpless panda. I tried wiping and force deleting the SKYNET things rootrepeal reveals, but no luck.

So far, it seems like the worst thing its doing is keeping me from using links brought up by search engines, but I'd love help removing it, since everything seems to be pointing to things like ComboFix, which I have no idea how to use.

erm, OS is: Windows XP Professional

Edited by phoenixevanidus, 10 August 2009 - 02:53 PM.


BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 PM

Posted 10 August 2009 - 01:58 PM

Download Sophos Anti-rootkit & save it to your desktop.
Be sure to read the Sophos Anti-Rookit User Manual. A copy of this manual sarman.pdf can also be found inside the program folder after installation.
  • Double-click sarsfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click "Start scan".
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will be done when you restart your computer. Click "Restart Now".
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Note: If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 phoenixevanidus

phoenixevanidus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 10 August 2009 - 02:34 PM

Well, two of the files were "Removable: No", and the rest were removable "but clean up not recommended for this file". Here is the log:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/10/2009 at 14:07:08 PM
User "The Pixie Slayer" on computer "THEPIXIESLAYER"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETqvmybwrt
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETqvmybwrt
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\SKYNETqequboew.sys
Hidden: file C:\WINDOWS\system32\SKYNETrxdorlup.dll
Hidden: file C:\WINDOWS\system32\SKYNETgwsnumyi.dat
Hidden: file C:\WINDOWS\system32\SKYNETmyxyokpf.dat
Hidden: file C:\WINDOWS\system32\SKYNETcijxjidx.dll
Stopped logging on 8/10/2009 at 14:23:47 PM

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 PM

Posted 10 August 2009 - 05:44 PM

Yes, it will say that for safety and review purposes...

One word... Please understand that yo have been infected by a nasty TDSS Trojan. Please change all on line passwords from a clean computer.

Please rerun Sophos ARK and delete the following files:
  • Hidden: file C:\WINDOWS\system32\drivers\SKYNETqequboew.sys
  • Hidden: file C:\WINDOWS\system32\SKYNETrxdorlup.dll
  • Hidden: file C:\WINDOWS\system32\SKYNETgwsnumyi.dat
  • Hidden: file C:\WINDOWS\system32\SKYNETmyxyokpf.dat
  • Hidden: file C:\WINDOWS\system32\SKYNETcijxjidx.dll
Reboot immediately after removal of these files. Then run this procedure

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#5 phoenixevanidus

phoenixevanidus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 10 August 2009 - 05:50 PM

Before I begin, I already have Malwarebytes Anti-Malware installed and updated (as of very early this morning, at least).

Should I run another update before I begin or junk it all and re-download it for whatever reason?

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 PM

Posted 10 August 2009 - 05:54 PM

Sorry, you do not have to download a new copy, but please update. :thumbsup:

Thanks

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#7 phoenixevanidus

phoenixevanidus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 10 August 2009 - 07:14 PM

This is the Mbam log after full scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 5.1.2600 Service Pack 3

8/10/2009 7:13:16 PM
mbam-log-2009-08-10 (19-13-16).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 136840
Time elapsed: 45 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\SKYNETmyxyokpf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETcijxjidx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETrxdorlup.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#8 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 PM

Posted 10 August 2009 - 07:56 PM

Good... Our next step

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#9 phoenixevanidus

phoenixevanidus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 10 August 2009 - 08:48 PM

It's not letting me boot in safe mode. It pauses and restarts and then I get a black screen saying something along the lines of "We apologize, we fail at life and all things good and humane, and as such we couldn't boot in the mode you wanted us to. Do you know why? It could be this, or that, or this and that. So here are your options! But you should probably save yourself some time and boot normally, k?" Very heavily paraphrasing, but... that was the gist.

It gives me the option for Safe Mode, Safe Mode with Networking, Safe Mode with something else, Last Good Configuration, or Normal. I did not try the other "Safe Mode with <blah>" options because I don't have any idea what they meeeeeean. D:

#10 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 PM

Posted 11 August 2009 - 09:57 PM

Let's try an online alternate to DrWeb and the see if safe mode works...

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Insall ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)[/color]
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn\ them back on after you are finished.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#11 phoenixevanidus

phoenixevanidus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 12 August 2009 - 02:06 AM

Sorry for the delay ><

The directory listed above wasn't where the log went due to me already having ESET free online trial downloaded (it automatically put it with the free trial directory, separate folder instead)... it just took me a little bit to figure that out >.> It also worked fine from IE and Firefox, though there wasn't any active x prompt? Either way, it says "all ok". Though, Rootrepeal's still showing one SKYNET file floating around and a bunch of "hooked" things. D:


ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=c6329f9ce9e3014da35f38b0bb9709f2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-12 06:42:05
# local_time=2009-08-12 01:42:05 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8201 21 100 100 10971406250
# scanned=42723
# found=0
# cleaned=0
# scan_time=692
# nod_component=V3 Build:0x30000000
esets_scanner_update returned -1 esets_gle=53251

Edited by phoenixevanidus, 12 August 2009 - 02:12 AM.


#12 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 PM

Posted 12 August 2009 - 06:35 AM

Post a fresh Rootrepeal log please

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#13 phoenixevanidus

phoenixevanidus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 12 August 2009 - 06:51 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/12 06:47
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB72BF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADE2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB60DD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\The Pixie Slayer\Application Data\Mozilla\Firefox\Profiles\8wpulokm.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a4d5da8]
Process: System Address: 0x89d48790 Size: 1000

Hidden Services
-------------------
Service Name: SKYNETqvmybwrt
Image Path: C:\WINDOWS\system32\drivers\SKYNETqequboew.sys

==EOF==

#14 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 PM

Posted 12 August 2009 - 07:57 AM

The files is hiding from us.

Please rerun Sophos ARK and post the new log. If you find this file: SKYNETqequboew.sys Please delete it and reboot immediately. Please update and rerun Malwarebytes after the reboot and post the fresh log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#15 phoenixevanidus

phoenixevanidus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 12 August 2009 - 04:21 PM

It found nuzzing.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/12/2009 at 15:56:46 PM
User "The Pixie Slayer" on computer "THEPIXIESLAYER"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Stopped logging on 8/12/2009 at 16:19:44 PM




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users