
Possible SKYNET resurgence?


1 reply to this topic

#1 2hands0feet

  • Members
  • 6 posts

Posted 19 August 2009 - 01:47 PM

Hello all. This is a great site and knowing that I can post stuff here and get some advice and some help makes these malware/spyware flareups less aggravating by half. So thank you.

Here's my situation: I'm using a friend's Lenovo R61i laptop, and I need to give it back to her in a few days. I'd like to give it back clean! I had used MBAM, Spybot S&D, and RootRepeal to eradicate a host of problems shortly after borrowing the computer -- or so I thought.

At the time, MBAM found a variety of malware and quarantined or successfully deleted all of it. RootRepeal found several elements of SKYNET, which I had thought I'd succeeded in wiping. Today, however, a routine MBAM scan took almost twice as long as a typical full scan had been taking last week, yet found nothing. This made me suspicious, so I ran RRepeal again, and it found a buncha stuff. When I attempted to wipe the hidden service "SKYNETksrtlwos" (path: C:\WINDOWS\system32\drivers\SKYNETsrssnkap.sys) the wiper could not find the file on the system. Huh?

Sneaky malware. I was already getting out of my depth, so I know I need help from you all with this one.

Here is the log from this morning's RRepeal scan. I also have logs saved from the previous wipe, both before and after. Help?

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/19 13:56
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9C57E000 Size: 819200 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9AAA6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090814.004\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89b1eb80

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x89b12a98

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89d77df0

Hidden Services
-------------------
Service Name: SKYNETksrtlwos
Image Path: C:\WINDOWS\system32\drivers\SKYNETsrssnkap.sys

==EOF==

Thank you!
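The log above is small enough to read by eye, but RootRepeal logs from a badly infected machine can run to hundreds of entries, and the items that matter for triage (a service the Service Control Manager cannot see, an SSDT entry hooked by a module the scanner cannot name, a loaded driver whose file is not visible on disk) are easy to miss among routine lines. The script below is an added example, not code from the poster or from RootRepeal's authors: it parses the section/key-value layout of the log posted above (embedded as constructed sample input so it runs offline) and prints a ranked list of findings. The "expected invisible" allow-list is my assumption: rootrepeal.sys is the scanner's own driver, and dump_*.sys is the in-memory crash-dump copy of the storage driver that Windows loads without a matching file.

```python
import re
from collections import defaultdict

# Constructed sample input: the RootRepeal log from the post above, verbatim.
SAMPLE_LOG = r"""ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/19 13:56
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9C57E000 Size: 819200 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9AAA6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090814.004\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89b1eb80

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x89b12a98

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89d77df0

Hidden Services
-------------------
Service Name: SKYNETksrtlwos
Image Path: C:\WINDOWS\system32\drivers\SKYNETsrssnkap.sys

==EOF==
"""

# Keys RootRepeal prints; several can share one line ("Address: ... Size: ... File Visible: ...").
KEY_RE = re.compile(
    r"(?:^|\s)(Function Name|Service Name|Image Path|File Visible"
    r"|Name|Address|Size|Signed|Status|Path|#):\s*"
)

# Drivers whose file is normally not visible on disk (assumption, see lead-in).
EXPECTED_INVISIBLE = re.compile(r"^(rootrepeal\.sys|dump_.*\.sys)$", re.IGNORECASE)


def parse_rootrepeal(text):
    """Return {section: [entry, ...]}; each entry is one driver, file, hook or service."""
    sections = defaultdict(list)
    lines = text.splitlines()
    section, entry = None, {}
    for i, line in enumerate(lines):
        stripped = line.strip()
        # A section header is a line immediately followed by a dashed rule.
        if i + 1 < len(lines) and re.fullmatch(r"-{3,}", lines[i + 1].strip()):
            section, entry = stripped, {}
            continue
        if re.fullmatch(r"-{3,}|={3,}|==EOF==", stripped):
            continue
        if not stripped:  # blank line closes the current entry
            if section and entry:
                sections[section].append(entry)
            entry = {}
            continue
        if section is None:  # banner lines (scan time, versions) before the first section
            continue
        parts = KEY_RE.split(stripped)  # [prefix, key, value, key, value, ...]
        for key, value in zip(parts[1::2], parts[2::2]):
            entry[key] = value.strip()
    if section and entry:
        sections[section].append(entry)
    return dict(sections)


def triage(sections):
    """Rank the log entries a responder should look at first."""
    findings = []
    for svc in sections.get("Hidden Services", []):
        findings.append(("high", f"hidden service {svc.get('Service Name')} -> {svc.get('Image Path')}"))
    for hook in sections.get("SSDT", []):
        if "<unknown>" in hook.get("Status", ""):
            findings.append(("high", f"SSDT #{hook.get('#')} {hook.get('Function Name')} hooked by unknown module"))
    for drv in sections.get("Drivers", []):
        name = drv.get("Name", "")
        if drv.get("File Visible") == "No" and not EXPECTED_INVISIBLE.match(name):
            findings.append(("medium", f"driver {name} is loaded but its file is not visible on disk"))
    for f in sections.get("Hidden/Locked Files", []):
        findings.append(("info", f"locked file {f.get('Path')}: {f.get('Status')}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_rootrepeal(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

On the posted log this reports the SKYNET service and the three SSDT hooks as high, the locked Symantec definition file as info, and nothing for the two drivers, which matches what the poster's eye picked out. The "Locked to the Windows API!" line on an antivirus definition file is expected behaviour for the vendor's own eraser driver and is listed only so nothing in the log goes unaccounted for.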

#2 Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 20 August 2009 - 06:43 PM

Run the ROOTREPEAL Files scan and post that log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
