Globalroot Skynet virus


14 replies to this topic

#1 Crede15

  • Members
  • 22 posts

Posted 16 August 2009 - 01:08 PM

So last night my computer went into meltdown. I seem to remember the Java logo coming up out of nowhere while I was just online, and then the computer crashed.

I'm finally able to get back online. I keep getting this message to upgrade this virus protection from trial to permanent, saying that the computer couldn't be fixed without upgrading to permanent and that I needed a credit card. It looked official but seemed like an obvious scam. Anyway, I had let my anti-virus run out, but I finally was able to get the internet working enough to download the free AVG, and after a scan it showed a number of files corrupted with a virus called globalroot/system23/SKYNET.

I looked online, didn't see this at first, and was able to get my computer somewhat back to normal by using something called MSConfig. Then I ran Malwarebytes and removed something like 21 infected files.

From looking at the other Skynet thread I ran RootRepeal and got this:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 07:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF535F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A15000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF05D8000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETlewfgilt.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETlewfgilt.sys
Address: 0xF5587000 Size: 167936 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETabwqqlam.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNEToujwckqf.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETovrdqjdu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETrqvpepxj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxjvenappfh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxmxgokprxe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxobcgfnyyb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxouftkbfni.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxrxtcepowx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxtvxunmcqf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxwbcqvnmsp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxxvcxnlqru.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETyigmtnrxkv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETynxvripjir.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETyovnfvorxi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETyrbqyneewd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETyrbrxrxvnl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\T30DebugLogFile.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Temporary Internet Files
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\wallpaper.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WizInstaller.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_avast4_
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISTMP1.DIR
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETchroienwen.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcqxdcsbdie.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcrnsexjqqo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcvitqsbfns.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcxnqvqtvpy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcxrnvxmdqx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdivrxthrej.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdmcvfvnnxb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdrinccatfi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdtipyscvtt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdwqibabxux.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeexnlqddtt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeiwucrjiej.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeqvoremdri.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETetbvoufjix.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeudylbeyio.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETphpfvcdbdr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpiksvirtft.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETppfjixjuxp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETppokviuxtk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpporjexbnv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpqrnssprxy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETprirbvfiyv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpsqnkbduor.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpsxnkbduor.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpylqypqfvk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqfuxphorxu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqlfkssqlrs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqmbvrnspyp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqrnsspgroi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqspfthxxvr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqvcdgdeofv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEThqjopfquxg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEThxncwosvnp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETidbdvqbuxo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETidipqdkpug.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETimbvtirxwt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETitarpsemkp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETittyljbuxt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETixrdmpuwts.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjqcvnwfwpf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkoixgexoih.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkrutaikwmi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlbetseqooi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlgbpxiqdcd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlqibitqnqr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmdibabdrbr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmfntixgtrx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmitnbqcxri.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmkbftabvfv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmxbdwfhtrd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmxmxqncgpm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtinlqpuksv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtipuoieerc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtixtrqrjkq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtlidfhcmso.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtqbwuxxtiq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtqdrhffueh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtqkxdpyycv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETttuicqoien.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtvsiycbqpx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETubapbdibiv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETucbcqhepxd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETucrnlvtivb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuibirdoxtb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETujohukroys.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuoipornspe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETncibirxvbc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnhdtsexcir.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnidgfuiusy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnkibirxvbc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnkibymbcrj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnkorxvkhsc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnntkwmqipf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnnxrqiomtj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnrionvlxcy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETobqhwnweex.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToibiqjxtuw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToientixrxi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToqgtirxbkm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETouetqfuyqx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETowibapbuyp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETowprprofht.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpbwuclgtim.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpfvnspwtpe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpfwkbyqoms.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETapqvlhjpyy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbdwqykmxca.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbumfoetguq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbuyubrrbqt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbvfuxpxxtn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbvpqxxnorx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbvsuvnupkg.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbvtidutvax.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuyifcoaips.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuyyscbttur.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvcpcimqbww.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvirtcepmpv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvmtooqwecq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvnpshowtxv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvrvjkbyuxf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvrxtccdbdw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwbdrtfjwti.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwfpognylpx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwlosunfthm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwmivytelym.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwofteibpxx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwopsxoriuw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwovgnwrmyy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwsdeqdnucp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxbbhwmqppe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqvsefkgbqm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrchlnxpbum.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrirjqpquor.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrpqriufful.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrpvnfvhivn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrtetwxvkoi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrximcripqk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrxtptqsbco.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrxvbcvpesu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrxvirbvpex.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsaonoibctp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsgewipylpv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETspqqhekhhi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsyeddsitnq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtfpfwbycvn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETthlxfnawtt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETevsipjqomb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETexylqppqdr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfjdqngupvy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfjixthpjux.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfpfvksmixb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfpxxorxtqe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfqpjhboglb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfvipydievm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfvksecqpej.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfvoerppdky.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfwbpsetqsp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfykaxfqxat.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETgarngogoid.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETggjpptbdoe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETgqfuymsbcr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcgvhllxkxc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETeviutwbwwc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEThemqxvjqvr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnbvrxtqpih.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpgrhjpvulb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETqvmqpmosim.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETthqgwhxnec.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETusipfyfquo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxetrbnvsqh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETlewfgilt.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Alwil Software\Avast4\DATA\moved\SKYNETovrdqjdu.dll.2.vir
Status: Invisible to the Windows API!

Path: C:\Program Files\Alwil Software\Avast4\DATA\moved\SKYNETovrdqjdu.dll.vir
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETabwqqlam.dll]
Process: svchost.exe (PID: 868) Address: 0x10000000 Size: 57344

==EOF==

Then I ran Malwarebytes again and there were no infected files.

Malwarebytes' Anti-Malware 1.40
Database version: 2634
Windows 5.1.2600 Service Pack 2

8/16/2009 11:13:41 AM
mbam-log-2009-08-16 (11-13-41).txt

Scan type: Quick Scan
Objects scanned: 119941
Time elapsed: 32 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have also run Avast and Spybot Search and Destroy. My computer seems to be running fine, but I am just wondering if there is anything else I need to do. Thanks.


#2 Crede15

  • Topic Starter
  • Members
  • 22 posts

Posted 16 August 2009 - 02:18 PM

Ran Malwarebytes again and it came up with two infected files this time.

Edit: have run it a few more times since and come up with no infected files.

There's not much I can do about the financial stuff, as I am simply house-sitting for my parents, who are in Europe, and am not able to get in touch with them.

The computer seems to be running fine.

Edited by Crede15, 16 August 2009 - 04:48 PM.


#3 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts

Posted 16 August 2009 - 05:08 PM

Hi again. :thumbsup:
The rootkit is still in place on your system. . . you aren't clean. We'll get you there though.

I looked online, didn't see this at first, and was able to get my computer somewhat back to normal by using something called MSconfig.

What exactly did you do in msconfig? Messing around with that can easily render your system unbootable. In addition, some of the settings you changed may be suppressing the malware which, while it may seem like a great thing, can actually make it more difficult to remove.

***************************************************

Since you've run some scans since posting that RootRepeal log, your situation may have changed. Please generate a new log for me just as you did before, and please don't run anything else until directed to do so. This will make it much easier for me to zero in on the culprit so that I can direct you on how to kill it.

~Blade


In your next reply, please include the following:
list of changes made to msconfig
new RootRepeal log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#4 Crede15

  • Topic Starter
  • Members
  • 22 posts

Posted 16 August 2009 - 05:34 PM

I don't know all of what I did in MSConfig. It was 2:30 in the morning and I was in a bit of a panic; I thought the computer was pretty much broken. I didn't even use MSConfig exactly: my parents' computer is kind of old and I thought for some reason it was Windows 2000, not XP (it is XP), and there is no MSConfig for 2000 according to the site I was looking at, just something similar. I was told to delete what didn't look like it had been there before, but I don't remember exactly what I deleted. A dumb move, I assume now. I just looked at MSConfig on this computer and this is what comes up on the Startup tab of the System Configuration Utility after you hit Run and type msconfig:

dumpprep 0- k
TeaTimer
GoogleToolbarNotifier

This time when I ran RootRepeal it took only about five minutes to scan.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 17:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF513A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A3B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFFB1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==

The only thing that I can think of that I did between the first RootRepeal scan and this one was run Malwarebytes a few times and do an Avast start-up scan.
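The two RootRepeal logs in this thread (the first one in post #1, with the SKYNET-named driver, DLLs and Temp files plus a hidden module inside svchost.exe PID 868; the second one just above, with only the expected hiberfil.sys lock) are easier to read mechanically than by eye. The script below is an added example, not RootRepeal's code and not something anyone in the thread ran. It parses the sections RootRepeal prints, separates entries that are normal on XP (the dump_* drivers, rootrepeal.sys, a locked hiberfil.sys; an allow-list assumed for the example) from names that fit the random-service-name pattern (a heuristic assumed here), reports DLLs mapped into a process while invisible on disk, and diffs two scans. The embedded logs are abridged, constructed copies of the two posted logs.

```python
"""Triage RootRepeal logs: parse the sections, classify hidden entries, diff two scans.
Added example, not RootRepeal's code; the allow-list and name heuristic are assumptions and
the embedded logs are abridged, constructed copies of the two scans posted in this thread."""
import re

# Hidden/locked on a clean XP box (assumption): crash-dump driver copies, RootRepeal's own
# driver, and hiberfil.sys, which stays locked while hibernation is enabled.
EXPECTED_HIDDEN = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys", "hiberfil.sys"}
# Upper-case service prefix + 6-12 random lower-case letters (SKYNETlewfgilt.sys); assumed heuristic.
RANDOM_NAME = re.compile(r"^([A-Z]{4,8})([a-z]{6,12})\.(sys|dll|dat|tmp)$")
# RootRepeal's keys; several may share one line ("Address: ... Size: ... File Visible: ...").
KV = re.compile(r"(Image Path|File Visible|Name|Address|Size|Signed|Status|Path|Object|Process|PID)\s*:\s*")

def parse_rootrepeal(text):
    """One dict per record, tagged with its section and the bare file/module name."""
    entries, section, record, prev = [], None, [], ""

    def flush():
        if section and record:
            rec = {"section": section}
            for line in record:
                parts = KV.split(line)  # ['', key, value, key, value, ...]
                for key, val in zip(parts[1::2], parts[2::2]):
                    rec.setdefault(key, val.strip().strip("[]() "))
            ident = rec.get("Path") or rec.get("Image Path") or rec.get("Name")
            if ident:
                rec["name"] = ident.rsplit("\\", 1)[-1]
                entries.append(rec)
        record.clear()

    for line in text.splitlines():
        if re.fullmatch(r"-{5,}", line.strip()):  # dashed rule under each section header
            flush()
            section = prev.strip()
        elif not line.strip() or line.startswith("==EOF=="):
            flush()
        else:
            record.append(line)
        prev = line
    flush()
    return entries

def triage(text):
    """Counts per class, service prefixes seen, and modules hidden inside running processes."""
    out = {"expected": 0, "rootkit-pattern": 0, "review": 0, "prefixes": set(), "hidden_modules": []}
    for e in parse_rootrepeal(text):
        m = RANDOM_NAME.match(e["name"])
        cls = "expected" if e["name"].lower() in EXPECTED_HIDDEN else "rootkit-pattern" if m else "review"
        out[cls] += 1
        if cls == "rootkit-pattern":
            out["prefixes"].add(m.group(1))
        if e.get("Object", "").startswith("Hidden Module"):  # DLL mapped in a process, unseen on disk
            out["hidden_modules"].append((e["name"], e.get("Process"), e.get("PID")))
    out["prefixes"] = sorted(out["prefixes"])
    return out

def disappeared(before, after):
    """(section, name) pairs present in the first log but absent from the second."""
    key = lambda e: (e["section"], e["name"])
    return sorted({key(e) for e in parse_rootrepeal(before)} - {key(e) for e in parse_rootrepeal(after)})

# Constructed, abridged copy of the first posted log (infected).
SCAN_BEFORE = r"""Drivers
-------------------
Name: SKYNETlewfgilt.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETlewfgilt.sys
Address: 0xF5587000 Size: 167936 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETabwqqlam.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxjvenappfh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\wallpaper.log
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETabwqqlam.dll]
Process: svchost.exe (PID: 868) Address: 0x10000000 Size: 57344

==EOF=="""

# Constructed, abridged copy of the second posted log (clean apart from the hibernation file).
SCAN_AFTER = r"""Drivers
-------------------

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF=="""
```

With these inputs, `triage(SCAN_BEFORE)` reports four rootkit-pattern entries under the single prefix SKYNET plus the module hidden inside svchost.exe PID 868, `triage(SCAN_AFTER)` reports only the hiberfil.sys lock, and `disappeared()` lists the five records that went away between the scans. Treat the "review" class as a prompt to look, not a verdict: in the first posted log, ordinary files such as wallpaper.log under Temp appear as invisible right alongside the SKYNET files, and a name-based heuristic cannot tell you why a file is hidden, only that the Windows API and the raw view disagree.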

#5 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts

Posted 16 August 2009 - 05:35 PM

Hmm. . . well, the rootkit is gone now. . . you wiped the driver the first time through, didn't you?

~Blade



#6 Crede15

  • Topic Starter
  • Members
  • 22 posts

Posted 16 August 2009 - 05:37 PM

I'm not sure; do you mean when I did the MSConfig stuff?

#7 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts

Posted 16 August 2009 - 05:57 PM

Sorry. . . let me rephrase it as a question. When you first ran RootRepeal. . . did you do anything other than generate the log?

~Blade



#8 Crede15

  • Topic Starter
  • Members
  • 22 posts

Posted 16 August 2009 - 06:13 PM

No, I followed the directions you gave the guy on the other thread, the one I first posted in.

Did the same thing both times:

* Extract RootRepeal.exe from the zip archive.
* Open on your desktop.
* At the top of the window, click Settings, then Options.
* Click the Ssdt & Shadow Ssdt Tab.
* Make sure the box next to "Only display hooked functions." is checked.
* Click the "X" in the top right corner of the Settings window to close it.
* Click the tab.
* Click the button.
* Check all seven boxes:
* Push Ok
* Check the box for your main system drive (Usually C:), and press Ok.
* Allow RootRepeal to run a scan of your system. This may take some time.
* Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

#9 DaChew

    Visiting Alien

  • Members
  • 10,317 posts

Posted 16 August 2009 - 06:34 PM

I wonder if AVG and MBAM got the rootkit?

Let's get a good look at what's running on that computer.

Please download and run Process Explorer:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File and Save As, create a log and post it here.

Copy and paste it into a reply.

Chewy


#10 cdlink

  • Members
  • 5 posts

Posted 16 August 2009 - 06:37 PM

Hi, I've joined just to post this (I'll post it inside any other threads so all others with a similar problem can see it).

I had this problem; it started yesterday. After trying multiple AVs and anti-malware solutions, I couldn't get rid of the virus (known as the "skynet virus").

After losing all hope today, I decided to try running an old program I once loved called "Hitman Pro". It used to be a simple macro/script that would download all the latest anti-spyware/malware programs. It would automatically update, run, and tweak them.

Now it seems to be a lone scanner. After running it, several results immediately popped up with positive viruses, all with "skynet" in their name, and all completely invisible to Explorer (rootkit).

Give Hitman Pro a run:
http://www.surfright.nl/en

When installing, it will say you need to purchase to remove the threats. DISREGARD IT! You should see an option underneath to start a 30-day trial. Choose that; it will give you a free 30-day trial and remove the skynet virus on next boot.

Problem solved!
:thumbsup:

#11 Crede15

  • Topic Starter
  • Members
  • 22 posts

Posted 16 August 2009 - 07:52 PM

I wonder if AVG and MBAM got the rootkit?

Let's get a good look at what's running on that computer.

Please download and run Process Explorer:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File and Save As, create a log and post it here.

Copy and paste it into a reply.


Couldn't get the link to work, but I assume I downloaded the right thing on there. Anyway, I ran it and here's the saved file.

I was in the middle of running an AVG scan; I don't know if that matters.

Process PID CPU Description Company Name
System Idle Process 0 40.00
Interrupts n/a 1.54 Hardware Interrupts
DPCs n/a 1.54 Deferred Procedure Calls
System 4 4.62
smss.exe 576 Windows NT Session Manager Microsoft Corporation
csrss.exe 644 Client Server Runtime Process Microsoft Corporation
winlogon.exe 668 Windows NT Logon Application Microsoft Corporation
services.exe 712 1.54 Services and Controller app Microsoft Corporation
svchost.exe 876 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 956 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1048 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 2064 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 1104 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1236 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1548 Spooler SubSystem App Microsoft Corporation
svchost.exe 1904 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 1936 Apple Mobile Device Service Apple Inc.
mDNSResponder.exe 1948 Bonjour Service Apple Inc.
Crypserv.exe 1976 CrypKey License Service CrypKey (Canada) Ltd.
McciCMService.exe 2016 mcci+McciCMService Motive Communications, Inc.
MDM.EXE 232 Machine Debug Manager Microsoft Corporation
HPZipm12.exe 292 PML Driver HP
svchost.exe 388 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 404 Windows User Mode Driver Manager Microsoft Corporation
alg.exe 144 Application Layer Gateway Service Microsoft Corporation
avgwdsvc.exe 3960 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 4016 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
avgcsrvx.exe 128 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.
avgnsx.exe 2568 AVG Network scanner Service AVG Technologies CZ, s.r.o.
avgemc.exe 1224 AVG E-Mail Scanner AVG Technologies CZ, s.r.o.
avgcsrvx.exe 2308 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.
lsass.exe 724 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1500 Windows Explorer Microsoft Corporation
GoogleToolbarNotifier.exe 1736 GoogleToolbarNotifier Google Inc.
firefox.exe 2976 Firefox Mozilla Corporation
hh.exe 2640 Microsoft® HTML Help Executable Microsoft Corporation
procexp.exe 2100 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
avgtray.exe 2272 AVG Tray Monitor AVG Technologies CZ, s.r.o.
avgui.exe 332 AVG User Interface AVG Technologies CZ, s.r.o.
avgcsrvx.exe 2188 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.
avgscanx.exe 3084 AVG Command-line Scanning Utility AVG Technologies CZ, s.r.o.
avgcsrvx.exe 3120 50.77 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.

#12 Crede15

  • Topic Starter
  • Members
  • 22 posts

Posted 16 August 2009 - 07:53 PM

BTW, now when I do an AVG scan I'm just finding tracking cookies, no virus-corrupted files like before.

#13 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts

Posted 16 August 2009 - 08:33 PM

Alright. . . I'm not sure what happened, but the rootkit doesn't appear to be present on your system anymore. Perhaps it is as DaChew said and AVG or MBAM managed to take it out. I'm not going to complain! :thumbsup:

Is everything on your computer running normally now?

~Blade



#14 Crede15

  • Topic Starter
  • Members
  • 22 posts

Posted 16 August 2009 - 08:36 PM

Yes, I have no symptoms/problems at all.

I guess I will just see if anything happens, but the computer is running smoothly.

Thanks a lot for all the help.

#15 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts

Posted 16 August 2009 - 08:38 PM

Let us know if something happens.

Glad we could help :thumbsup:

~Blade





