
SKYNET Rootkit, and other stuff ...


  • This topic is locked
3 replies to this topic

#1 AzJazz

  • Members
  • 38 posts

Posted 05 October 2009 - 12:24 AM

I was referred to this group by Blade Zephon. My original posting for my problem was here.

I may have to raise the white flag on this one. Hopefully, you can help!

The infected computer is running WinXP Pro SP2.

Here are the characteristics of this attack (or attacks):

- For the first few days I had the computer, no executables would run on the computer. I always saw a "What application would you like to run an .EXE file with?" standard Microsoft response for an unknown file type. It took a while, but I finally partially fixed it. "Partially", because of this:
- Now, if I do anything on the desktop (like a right-click on an icon), I see the entire desktop disappear except for the wallpaper. I can do a Ctrl-Alt-Del and get the Task Manager to run OK, but little else. Rebooting seems to start OK, but after logging in, I only see the wallpaper. No task bar, Start button, or anything else. Once I get to this point, C:\WINDOWS\explorer.exe has been corrupted. If I try to run explorer.exe directly, I get a "Windows can not access the specified device, path, or file." error message. If I boot Knoppix, I can replace a good "explorer.exe" over the corrupted version. Then, things are "fixed" again temporarily - until I do something on the desktop - which reinfects the computer.
- I can't seem to run many anti-virus/anti-malware/anti-rootkit programs. Most of the repair programs abruptly terminate without warning. If I try to re-run the same repair program again, I get a "Windows can not access the specified device, path, or file." error message. Replacing explorer.exe again temporarily fixes things.
- I submitted a corrupted version of explorer.exe to VirusTotal. Nothing was detected on 40/41 of the virus scanners. The only one that came back with a hit was: McAfee-GW-Edition 6.8.5-Heuristic.LooksLike.Win32.Luder.K
- Running anti-virus programs will occasionally cause the computer to crash to a BSOD (STOP 0x8E).
- I know that one or more other files are corrupted, but I haven't figured out which ones are damaged yet.
- I tried running MGTools, but it always terminated with an error.

I believe I have multiple infections, though I don't know for sure. Blade Zephon had me run Win32kDiag, which pointed me towards SKYNET. I rebooted into Knoppix6, and deleted every file that contained the characters "SKYNET" in the file name. That did not remove all of the infection, however.

My first Win32kDiag results are here:

----------------------------------------------------------------------------------------------

Running from: C:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe.old
[2] 2004-08-03 17:56:50 1032192 C:\WINDOWS\explorer.exe (Microsoft Corporation)
[1] 2005-10-15 01:07:16 1032192 C:\WINDOWS\explorer.exe.old ()
[2] 2004-08-03 17:56:50 1032192 C:\WINDOWS\explorer_.exe (Microsoft Corporation)
[2] 2005-10-15 01:07:16 1032192 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\Managed
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-03 15:56:50 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)
[1] 2004-08-03 15:56:50 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-03 15:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

Finished!

----------------------------------------------------------------------------------------------

After I tried deleting all the SKYNET files from Knoppix, I re-ran Win32kDiag. Here are the results of the second run:

********************************************************************

Running from: C:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\Managed
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-03 15:56:50 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)
[1] 2004-08-03 15:56:50 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-03 15:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

Finished!

********************************************************************

So, I fixed a little bit, but not much. Some of the explorer.exe stuff got a little better.

When I tried running GMER with a random file name, it terminated abruptly, and could not be accessed afterward.

Sigh.

Any help would be appreciated!

AzJazz

Edited by AzJazz, 05 October 2009 - 12:25 AM.
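An added example, not part of AzJazz's post and not code from Win32kDiag, that parses the log format shown above and applies the two checks a responder would otherwise do by eye: mount points (reparse points) whose target is not a normal `\??\` path, which is how the `\Device\__max++>\^` entries stand out, and files Win32kDiag could not open whose size or version/company field differs from the `dllcache` copy listed next to them (the blank `()` on `explorer.exe.old` and `eventlog.dll`, and the 61952 vs 55808 byte size). The sample log is constructed: its first mount point and both "Cannot access" groups are copied from the first log above, and the second mount point is a made-up benign junction for contrast. The `\??\` rule and the "directory name repeats its parent" heuristic are assumptions drawn from the pattern in this log, not documented Win32kDiag behaviour.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the Win32kDiag log format. The \Device\__max++>\^ mount
# point and both "Cannot access" groups come from the log posted above; the
# C:\Data\Shared junction is made up to show a benign reparse point.
SAMPLE_LOG = r"""Running from: C:\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\Data\Shared
Mount point destination : \??\C:\Documents and Settings\All Users\Documents
Cannot access: C:\WINDOWS\explorer.exe.old
[2] 2004-08-03 17:56:50 1032192 C:\WINDOWS\explorer.exe (Microsoft Corporation)
[1] 2005-10-15 01:07:16 1032192 C:\WINDOWS\explorer.exe.old ()
[2] 2005-10-15 01:07:16 1032192 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-03 15:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

Finished!
"""

MOUNT_PREFIX = "Found mount point : "
DEST_PREFIX = "Mount point destination : "
NOACCESS_PREFIX = "Cannot access: "
# [n] timestamp size path (company)  -- company is empty when no version info was read
FILE_RE = re.compile(
    r"^\[(\d+)\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(.+?)\s+\((.*)\)$"
)


@dataclass
class FileEntry:
    tag: str        # the [n] column as printed; its meaning is not documented here
    timestamp: str
    size: int
    path: str
    company: str    # text inside the trailing parentheses


@dataclass
class AccessGroup:
    path: str       # the file Win32kDiag could not open
    entries: list   # the copies/variants it listed under that file


def parse_win32kdiag(text):
    """Return (mount_points, access_groups) from Win32kDiag log text."""
    mounts, groups, current = [], [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(MOUNT_PREFIX):
            dest = ""
            if i + 1 < len(lines) and lines[i + 1].startswith(DEST_PREFIX):
                dest = lines[i + 1][len(DEST_PREFIX):]
            mounts.append((line[len(MOUNT_PREFIX):], dest))
            current = None
        elif line.startswith(NOACCESS_PREFIX):
            current = AccessGroup(line[len(NOACCESS_PREFIX):], [])
            groups.append(current)
        elif current is not None:
            m = FILE_RE.match(line)
            if m:
                tag, ts, size, path, company = m.groups()
                current.entries.append(FileEntry(tag, ts, int(size), path, company))
            else:
                current = None  # a blank line or other text ends the group
    return mounts, groups


def suspicious_mount_points(mounts):
    """Flag reparse points that do not look like ordinary junctions or volume mounts."""
    findings = []
    for path, dest in mounts:
        reasons = []
        # Assumption: legitimate junctions and volume mount points resolve to a
        # \??\ path; a bare \Device\... target, as in the log above, does not.
        if not dest.startswith("\\??\\"):
            reasons.append("target %r is not a \\??\\ path" % dest)
        # Assumption from the log's pattern: every flagged entry is a directory
        # named exactly like its parent (addins\addins, Config\Config, ...).
        parent = ntpath.basename(ntpath.dirname(path))
        if parent and ntpath.basename(path).lower() == parent.lower():
            reasons.append("directory name repeats its parent")
        if reasons:
            findings.append((path, dest, reasons))
    return findings


def tampered_files(groups):
    """Compare each inaccessible file with the dllcache copy listed beside it."""
    findings = []
    for g in groups:
        ref = next((e for e in g.entries if "\\dllcache\\" in e.path.lower()), None)
        for e in g.entries:
            if e is ref:
                continue
            reasons = []
            if not e.company:
                reasons.append("no version/company info")
            if ref is not None and e.size != ref.size:
                reasons.append("size %d differs from dllcache copy (%d)" % (e.size, ref.size))
            if reasons:
                findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    mounts, groups = parse_win32kdiag(SAMPLE_LOG)
    for path, dest, reasons in suspicious_mount_points(mounts):
        print("MOUNT  %s -> %s: %s" % (path, dest, "; ".join(reasons)))
    for path, reasons in tampered_files(groups):
        print("FILE   %s: %s" % (path, "; ".join(reasons)))
```

Two caveats for anyone using this on a live box rather than on a saved log: the "WARNING: Could not get backup privileges!" line in both logs means Win32kDiag ran without SeBackupPrivilege, so some files may have been skipped rather than reported, and a kernel-mode rootkit that is still loaded can feed a user-mode scanner false file data. That is why the size/version comparison is most trustworthy when the files are read from an offline boot, as was done here from Knoppix, and why a system file that reads as corrupted on the live system should be replaced from the `dllcache` copy or installation media rather than trusted.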




#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 22 October 2009 - 01:07 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic. If you still need help, please let me know in your next reply what issues you are still having.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 AzJazz
  • Topic Starter

  • Members
  • 38 posts

Posted 23 October 2009 - 08:12 AM

Hi, Syler -

Thanks for getting back to me. I can understand why you guys are jammed!

I had to return the PC back to the owners. They live a few hundred miles away, and they had a friend stop by to pick it up a couple of days ago.

The good news is that I think I may have removed the multiple infections, but I wasn't 100% sure when I sent it back. ComboFix removed most of the SKYNET infection, and I manually removed the rest through Linux and RegEdit modifications.

Win32kDiag did come back clean when I ran it last. Hopefully, their PC is all right now.

You guys pointed me in the right direction when I searched through these forums. You provide a fantastic service. Keep up the great work!

Cheers!

AzJazz

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 October 2009 - 09:42 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
