Search redirects & program blocks after MSA killed


16 replies to this topic

#1 cedarsave (Members, 17 posts)

Posted 13 August 2009 - 05:07 AM

Problem: I am still getting websearch redirects and multiple program blocks (in particular I don't seem to be able to run anything out of Control Panel).
Also after a while I get random system hang.

Scenario: Yesterday I quickly realised I had become infected with MS Antivirus, and took steps to kill it. Not knowing exactly what to do, I tried to install Malwarebytes but found the program hung on each install. So instead I bought the full version of Spyware Doctor - ran it, and supposedly killed off MS Antivirus and about a billion other things.
However it appears that only solved half the problem, as while the popup program is no more, there seem to be plenty of other problems still there, as I mentioned.
In particular each time I reboot and run Spyware Doctor it tells me it is blocking a TDSS rootkit (I think that's right) and a few instances of a Trojan called FakeAlert.

Mea culpa: In 26 years of using computers this is the first time I've ever been stupid enough to get really infected. I feel absolutely ridiculous. Thanks to all you fabulous community-minded people on this great website for any help you can provide.

*I am at work right now but should be home at about 1pm GMT/8am EST to work on fixing this madness.*

Edited by cedarsave, 13 August 2009 - 05:24 AM.




#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,766 posts, Virginia, USA)

Posted 13 August 2009 - 08:02 AM

-- Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then right-click on the file and rename it to winlogon.exe.
  • If that still did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method), then perform a Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing and scanning in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 cedarsave (Topic Starter, Members, 17 posts)

Posted 13 August 2009 - 08:44 AM

Thanks for everything. Here I am after succeeding in your tasks!
Spyware Doctor may have removed some of the reoccurring Trojans before I ran this. Hope that doesn't screw things up. It seemed to cite something called Monopod.
Also - while windows loaded ok after the scan, I had a bunch of popups as follows:
"The application or DLL globalroot\systemroot\system32\SKYNETwttsmect.dll is not a valid Windows image. Please check this against your installation diskette". It also had popups similar for UAClppektkrai.dll and UACeupbfxkncf.dll
Quickly afterwards, the computer crashed (hung).
I rebooted - it gave me some popups, not as many, then crashed shortly afterwards (again hung)
I rebooted again - and this time no popups and I live to post!
Here is the Malwarebytes log you asked for.
Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

13/08/2009 14:20:03
mbam-log-2009-08-13 (14-20-03).txt

Scan type: Quick Scan
Objects scanned: 117086
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UAClppektkrai.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UAClppektkrai.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\d.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\f.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\g.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\h.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\i.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\mnsrwcoeax.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\mreoxwsnac.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nxwsrmaeoc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

So... what's next, boss?
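To show how a defender reads a log like this one, here is an added Python script (my example, not part of the thread and not Malwarebytes' code). It parses the excerpt embedded below, copied from this post, checks each section's header count against the items actually listed, collects what was left as "Delete on reboot", and decodes the Broken.OpenCommand entry: the exefile open command that made every .exe launch go through desot.exe, the rogue AV binary, which is the "program blocks" symptom from the first post. The function names and the Bad/Good regex are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the Malwarebytes log posted above (copied from the thread; only
# the lines this example interprets are kept).
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2615
Scan type: Quick Scan

Memory Modules Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UAClppektkrai.dll (Rogue.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+) Infected: (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[A-Za-z0-9.\-]+)\) -> (?P<action>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam(log: str) -> dict:
    """Split an MBAM report into its summary counts and per-section detections."""
    summary: Dict[str, int] = {}
    detections: Dict[str, List[Dict[str, str]]] = {}
    section: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            detections.setdefault(section, [])
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            detections[section].append(m.groupdict())
    return {"summary": summary, "detections": detections}


def verify_counts(parsed: dict) -> Dict[str, Tuple[int, int]]:
    """Sections whose header count disagrees with the items listed: (claimed, found)."""
    mismatches = {}
    for section, claimed in parsed["summary"].items():
        found = len(parsed["detections"].get(section, []))
        if found != claimed:
            mismatches[section] = (claimed, found)
    return mismatches


def pending_on_reboot(parsed: dict) -> List[str]:
    """Items MBAM could not remove while running (in use or hidden), so still live until reboot."""
    return [d["item"] for items in parsed["detections"].values()
            for d in items if d["action"].startswith("Delete on reboot")]


def open_command_hijack(parsed: dict) -> Optional[dict]:
    """Decode a Broken.OpenCommand repair.

    The exefile open command is what Windows runs for every double-clicked .exe.
    The 'Bad' value put desot.exe in front of "%1", so the rogue AV started first
    and decided whether the real program ran; 'Good' is the stock handler.
    """
    for d in parsed["detections"].get("Registry Data Items", []):
        if d["category"] != "Broken.OpenCommand":
            continue
        m = BAD_GOOD_RE.search(d["action"])
        if not m:
            continue
        launcher = m.group("bad").split()[0]
        verdict = next((f["category"] for f in parsed["detections"].get("Files", [])
                        if f["item"].lower() == launcher.lower()), None)
        return {"key": d["item"], "bad": m.group("bad"), "good": m.group("good"),
                "launcher": launcher, "launcher_detected_as": verdict}
    return None
```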

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,766 posts, Virginia, USA)

Posted 13 August 2009 - 09:01 AM

Now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Important: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

IMPORTANT NOTE: One or more of the identified infections (uacinit.dll) was related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Edited by quietman7, 13 August 2009 - 09:02 AM.


#5 cedarsave (Topic Starter, Members, 17 posts)

Posted 13 August 2009 - 10:59 AM

Sounds like I'm in really BIG trouble here. Particularly since the Sophos program didn't find ANYTHING it could recommend for removal. Here's the log:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 13/08/2009 at 16:11:33
User "Owner" on computer "JCFBACH"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETnklawldv
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETnklawldv
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Temp\UAC546f.tmp
Hidden: file C:\WINDOWS\Temp\UAC677a.tmp
Hidden: file C:\WINDOWS\Temp\UAC6901.tmp
Hidden: file C:\WINDOWS\system32\SKYNETwttsmect.dll
Hidden: file C:\WINDOWS\system32\SKYNETbpjdedrc.dat
Hidden: file C:\WINDOWS\system32\SKYNETpvdhciko.dat
Hidden: file C:\WINDOWS\system32\drivers\SKYNETkayuubns.sys
Hidden: file C:\WINDOWS\system32\SKYNETxckmaboe.dll
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temp\UAC902.tmp
Hidden: file C:\WINDOWS\Temp\UAC4fbc.tmp
Hidden: file C:\WINDOWS\system32\drivers\UACmjdvjsntso.sys
Hidden: file C:\WINDOWS\system32\UACugnofdjxyt.dll
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UAClppektkrai.dll
Hidden: file C:\WINDOWS\system32\UACgarhxeaqrp.dat
Hidden: file C:\WINDOWS\system32\UAChxhddwrqok.db
Hidden: file C:\WINDOWS\system32\UACeupbfxkncf.dll
Hidden: file C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\???????????p?????????
Hidden: file C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\???????????p?????????
Stopped logging on 13/08/2009 at 16:54:16

:thumbsup:

#6 cedarsave (Topic Starter, Members, 17 posts)

Posted 13 August 2009 - 11:07 AM

Also - this:

Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

13/08/2009 15:50:12
mbam-log-2009-08-13 (15-50-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193093
Time elapsed: 32 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UAClppektkrai.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UAClppektkrai.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,766 posts, Virginia, USA)

Posted 13 August 2009 - 11:54 AM

Sophos ARK does not recommend removal of files which the scanner does not recognize. However, that does not mean those files are all good and should be left alone. Further investigation is required after the initial scan to analyze and identify malicious files which were detected so they can be manually removed during a subsequent scan.

Please rescan with Sophos AntiRootkit again and select to remove the following entries if still present.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETnklawldv
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETnklawldv
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys
Hidden: file C:\WINDOWS\Temp\UAC546f.tmp
Hidden: file C:\WINDOWS\Temp\UAC677a.tmp
Hidden: file C:\WINDOWS\Temp\UAC6901.tmp
Hidden: file C:\WINDOWS\system32\SKYNETwttsmect.dll
Hidden: file C:\WINDOWS\system32\SKYNETbpjdedrc.dat
Hidden: file C:\WINDOWS\system32\SKYNETpvdhciko.dat
Hidden: file C:\WINDOWS\system32\drivers\SKYNETkayuubns.sys
Hidden: file C:\WINDOWS\system32\SKYNETxckmaboe.dll
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temp\UAC902.tmp
Hidden: file C:\WINDOWS\Temp\UAC4fbc.tmp
Hidden: file C:\WINDOWS\system32\drivers\UACmjdvjsntso.sys
Hidden: file C:\WINDOWS\system32\UACugnofdjxyt.dll
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UAClppektkrai.dll
Hidden: file C:\WINDOWS\system32\UACgarhxeaqrp.dat
Hidden: file C:\WINDOWS\system32\UAChxhddwrqok.db
Hidden: file C:\WINDOWS\system32\UACeupbfxkncf.dll
  • Follow the prompts to remove them and restart your computer.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and exit the program when done.
Then rescan again with Malwarebytes Anti-Malware (Full Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#8 cedarsave (Topic Starter, Members, 17 posts)

Posted 13 August 2009 - 11:58 AM

Do I need to rescan with Sophos? As I have the first scan sat on my desktop right now and could just action it... seeing how I didn't get it to remove anything last time!

Edit: Whoa hang on - Sophos suggests it's not possible to remove all the HKEY entries. It won't let me check-mark them...

Edited by cedarsave, 13 August 2009 - 12:00 PM.


#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,766 posts, Virginia, USA)

Posted 13 August 2009 - 12:05 PM

Then just let Sophos remove what it can.

#10 cedarsave (Topic Starter, Members, 17 posts)

Posted 13 August 2009 - 01:04 PM

Thanks for everything so far quietman.
The latest:

Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

13/08/2009 18:59:17
mbam-log-2009-08-13 (18-59-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177767
Time elapsed: 43 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{285FED33-0518-425F-BCE4-97BAED84E05D}\RP816\A0151822.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{285FED33-0518-425F-BCE4-97BAED84E05D}\RP816\A0151827.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETwttsmect.dll (Trojan.Agent) -> Quarantined and deleted successfully.

EDIT:
But... I remain concerned.
When I ran Sophos it told me it couldn't get rid of SKYNETwttsmect.dll as it was "being used by another programme".


And a quick RootRepeal shows this:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/13 19:13
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: bysfrle.sys
Image Path: bysfrle.sys
Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC342000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA92C5000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba6c9b0c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba6c9af8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba6c9afd

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba6c9b07

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xba6c9b02

Stealth Objects
-------------------
Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CREATE]
Process: System Address: 0xe1ffac30 Size: 976

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CLOSE]
Process: System Address: 0xe1ffac30 Size: 976

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1ffac30 Size: 976

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe181af20 Size: 227

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe181af20 Size: 227

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe181af20 Size: 227

Hidden Services
-------------------
Service Name: SKYNETnklawldv
Image Path: C:\WINDOWS\system32\drivers\SKYNETkayuubns.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmjdvjsntso.sys

==EOF==

Cause for concern? Any ideas sir?

Edited by cedarsave, 13 August 2009 - 01:21 PM.
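An added Python triage of the SSDT and Hidden Services sections above (my example, not part of the thread or of RootRepeal; it also puts the SSDT note from post #4 into practice). It parses the excerpt embedded below, copied from this post, groups hooks whose target addresses lie within a small window of each other, and pairs each hidden service with its driver image. The 0x1000-byte window and the set of process-control calls are assumptions I chose for the example.

```python
import re

# Excerpt of the RootRepeal output posted above (SSDT and Hidden Services
# sections, copied from the thread; blank lines between entries dropped).
ROOTREPEAL_LOG = r"""
SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba6c9b0c
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba6c9af8
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba6c9afd
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba6c9b07
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xba6c9b02

Hidden Services
-------------------
Service Name: SKYNETnklawldv
Image Path: C:\WINDOWS\system32\drivers\SKYNETkayuubns.sys
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmjdvjsntso.sys
==EOF==
"""

SECTION_RULE = "-------------------"
HOOK_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\w+)")
STATUS_RE = re.compile(r'Status:\s*Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')
# Native calls a scanner needs to open, inject into or terminate a process; hooking
# all of them is the usual self-protection pattern (assumed set, not RootRepeal's).
PROCESS_CONTROL_APIS = {"NtOpenProcess", "NtOpenThread", "NtTerminateProcess",
                        "NtCreateThread", "NtWriteVirtualMemory"}


def split_sections(log):
    """Map each title line that is followed by a dashed rule to the lines under it."""
    lines = log.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith(SECTION_RULE):
            current = line.strip()
            sections[current] = []
        elif line.startswith(SECTION_RULE) or line.startswith("==EOF=="):
            continue
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_ssdt(lines):
    """Pair each '#: NNN Function Name:' line with the 'Status:' line after it."""
    hooks, pending = [], None
    for line in lines:
        m = HOOK_RE.search(line)
        if m:
            pending = m.group(2)
            continue
        m = STATUS_RE.search(line)
        if m and pending:
            hooks.append({"function": pending, "hooker": m.group(1), "address": int(m.group(2), 16)})
            pending = None
    return hooks


def parse_hidden_services(lines):
    """Pair 'Service Name:' with the 'Image Path:' that follows it."""
    services, name = [], None
    for line in lines:
        if line.startswith("Service Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Image Path:") and name:
            services.append({"service": name, "image": line.split(":", 1)[1].strip()})
            name = None
    return services


def cluster_hooks(hooks, window=0x1000):
    """Group hooks whose targets lie within `window` bytes: neighbours that close
    almost certainly sit in one small stub of the same unnamed module."""
    clusters = []
    for h in sorted(hooks, key=lambda x: x["address"]):
        if clusters and h["address"] - clusters[-1][-1]["address"] <= window:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def triage(log):
    """What a reader should take from the SSDT and Hidden Services sections."""
    sections = split_sections(log)
    findings = []
    for c in cluster_hooks(parse_ssdt(sections.get("SSDT", []))):
        funcs = sorted(h["function"] for h in c)
        findings.append({"lowest": c[0]["address"], "span": c[-1]["address"] - c[0]["address"],
                         "functions": funcs, "unidentified": all(h["hooker"] == "<unknown>" for h in c),
                         "process_control_hooks": [f for f in funcs if f in PROCESS_CONTROL_APIS]})
    return {"hook_clusters": findings,
            "hidden_services": parse_hidden_services(sections.get("Hidden Services", []))}
```

On this log it reports one cluster of five unidentified hooks spanning 20 bytes, all on calls a scanner needs to open, inject into or terminate a process, plus the two hidden SKYNET/UAC services with their driver files.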


#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,766 posts, Virginia, USA)

Posted 13 August 2009 - 04:09 PM

I can't find any info on bysfrle.sys. Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

Double-click on RootRepeal.exe to launch it.
  • Click the Drivers tab, then click the Scan button.
  • Double check to make sure SKYNETkayuubns.sys and UACmjdvjsntso.sys are not listed.
  • If so, right-click on each and then click the Wipe File option only.
  • Click the Hidden Services tab, then click the Scan button.
  • Right-click on SKYNETnklawldv and then click the Wipe File option.
  • Right-click on UACd.sys and then click the Wipe File option.
  • Exit RootRepeal and immediately restart the computer.


#12 cedarsave (Topic Starter, Members, 17 posts)

Posted 16 August 2009 - 03:58 PM

Hello there. Sorry for the delay, I've been away.

Unfortunately I've not been able to complete either of these tasks.

1st - I can't upload the bysfrle.sys file because I can't work out where on my system it resides. No standard search that I know how to conduct shows up where it can be found.

2nd - in Hidden Services in RootRepeal, trying to "Wipe File" them, returns the answer "Could not find file on disk".

Thanks for your help so far. Any further ideas?

#13 quietman7 (Bleepin' Janitor, Global Moderator, 51,766 posts, Virginia, USA)

Posted 16 August 2009 - 04:49 PM

You can use Windows Search feature > More advanced options to see if the file(s) are still present. To do this, go to Start -> Search and click For Files or Folders... or just press the Windows key + F key on the keyboard.
  • Click All files and folders.
  • Type in the name of the file (bysfrle.sys) under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
Just exit RootRepeal and reboot for now.

#14 cedarsave (Topic Starter, Members, 17 posts)

Posted 18 August 2009 - 09:59 AM

No amount of searching turned that file up. Then I did another RootRepeal scan in desperation - and found that the bysfrle.sys entry had in fact vanished. Mysterious!

At any rate I am still labouring under the skynet and UAC hidden services - not having been able to remove them. And the upshot is my web activities remain extremely slow.

Any further thoughts or have I exasperated you yet? :thumbsup:

#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,766 posts, Virginia, USA)

Posted 18 August 2009 - 10:17 AM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, you will need to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.



