
Police Pro Virus, but I got a log to post


  • This topic is locked
2 replies to this topic

#1 smithbro

Posted 09 September 2009 - 07:11 PM

It took some doing, but I was able to download RootRepeal and run AVG in safe mode on C:.
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/09 18:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys
Address: 0xF625B000 Size: 84352 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6E42000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AE4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF67C2000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETqaqgkvrn.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETqaqgkvrn.sys
Address: 0xF705E000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\SYSTEM32\SKYNETbwnlghon.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\SKYNETfpfvkloo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\SKYNETipgvitud.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\SKYNETirrfuirw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\SKYNETlog.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\SKYNETpetymoto.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACavkhfiurrl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACcmhqkmiteo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UAClidqiqmkto.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACossfodjeuo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACwqvpoamkwb.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC57e7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC57f1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc3ff.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\UACbqwbrnkvdu.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\SKYNETqaqgkvrn.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\etilqs_4r2jro6cqy8fxiipdbfp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\etilqs_uewpagsidwa6exwplwh0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\~df6c77.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\~df6c81.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: winlogon.exe (PID: 604) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: services.exe (PID: 660) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: lsass.exe (PID: 672) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETpetymoto.dll]
Process: svchost.exe (PID: 828) Address: 0x00920000 Size: 57344

Object: Hidden Module [Name: UACc3ff.tmpiqmkto.dll]
Process: svchost.exe (PID: 828) Address: 0x009b0000 Size: 217088

Object: Hidden Module [Name: UACossfodjeuo.dll]
Process: svchost.exe (PID: 828) Address: 0x00c10000 Size: 65536

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: svchost.exe (PID: 828) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: svchost.exe (PID: 940) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: svchost.exe (PID: 1128) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: svchost.exe (PID: 1228) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: svchost.exe (PID: 1324) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UACcmhqkmiteo.dll]
Process: Explorer.EXE (PID: 1472) Address: 0x00ba0000 Size: 49152

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: Explorer.EXE (PID: 1472) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: ctfmon.exe (PID: 1412) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: avgui.exe (PID: 1852) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETbwnlghon.dll]
Process: firefox.exe (PID: 1332) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAClidqiqmkto.dll]
Process: Iexplore.exe (PID: 2132) Address: 0x00d40000 Size: 217088

Object: Hidden Module [Name: UAClidqiqmkto.dll]
Process: Iexplore.exe (PID: 2208) Address: 0x00d40000 Size: 217088

Hidden Services
-------------------
Service Name: SKYNETwruwpuhr
Image Path: C:\WINDOWS\system32\drivers\SKYNETqaqgkvrn.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbqwbrnkvdu.sys

==EOF==

AVG SCAN,
AVG 8.5 Anti-Virus command line scanner
Copyright 1992 - 2009 AVG Technologies
Program version 8.0.401, engine 8.0.408
Virus Database: Version 270.13.82/2351 2009-09-07

\\?\globalroot\systemroot\system32\UAClidqiqmkto.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
C:\WINDOWS\SYSTEM32\svchost.exe (1128) Virus found Win32/Cryptor Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACcmhqkmiteo.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
C:\Program Files\Internet Explorer\iexplore.exe (1372) Virus found Win32/Cryptor Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACcmhqkmiteo.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
C:\Program Files\Internet Explorer\iexplore.exe (1332) Virus found Win32/Cryptor Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UAClidqiqmkto.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
C:\Program Files\Mozilla Firefox\firefox.exe (564) Virus found Win32/Cryptor Object was moved to Virus Vault.
C:\WINDOWS\system32\desote.exe Adware Generic4.LPF Object was moved to Virus Vault.
HKCR\exefile\shell\open\command Found registry key with reference to file C:\WINDOWS\system32\desote.exe Object was healed.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ei2u9tij.default\parent.lock Locked file. Not tested.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ei2u9tij.default\places.sqlite-journal Locked file. Not tested.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{37C083A2-9D6D-11DE-92EC-001CDFA04829}.dat Locked file. Not tested.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{37C083A3-9D6D-11DE-92EC-001CDFA04829}.dat Locked file. Not tested.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_bITnZHdJcn5blfFU2dcV Locked file. Not tested.
C:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Administrator\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll.dmp Locked file. Not tested.
C:\System Volume Information Locked file. Not tested.
C:\WINDOWS\Prefetch\layout.ini Locked file. Not tested.
C:\WINDOWS\svchasts.exe Potentially harmful program Fake_AntiSpyware.DFZ Object was moved to Virus Vault.
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SAM Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\dddesot.dll Trojan horse BHO.JOM Object was moved to Virus Vault.
C:\WINDOWS\SYSTEM32\wscsvc32.exe Virus found Win32/Cryptor Object was moved to Virus Vault.
C:\WINDOWS\Temp\Installer.exe Virus found Win32/Cryptor Object was moved to Virus Vault.

------------------------------------------------------------
Objects scanned : 186349
Found infections : 11
Found PUPs : 2
Healed infections : 11
Healed PUPs : 2
Warnings : 0
------------------------------------------------------------

Thanks, garmanma, for getting me this far...

I also was able to download HijackThis, but it will not open or run.

Merged posts. ~ OB

Edited by Orange Blossom, 09 September 2009 - 07:29 PM.

#2 smithbro

Posted 10 September 2009 - 12:31 PM

I want to kindheartedly thank you for your help so far. But stop further investigations and your time, for I have Blade from SB helping me at this time. Kudos to you!
Thanks,
Rick

#3 Guest_The weatherman_*

Posted 10 September 2009 - 04:36 PM

Thanks for letting us know Rick.