Skynet virus has infected my PC

[pjap]

I have a laptop with XP SP3 on it. I use IE8.

On the 4th of January I was surfing the net when my virus checker (F-Prot Antivirus) issued a warning that a virus had been detected. The pop up said that it had transferred the virus to qurantine. It also allowed me to disinfect it, which I clicked 'yes'. I quickly closed IE. I tried to open Task Manager but it stated 'the file is infected' and refused to open.

Natually I ran F-Prot, it found a worm. Win32 something. I could not find the log with the correct name. It was not Skynet at this stage.

I restarted to enable a pre boot scan. I missed the timing for pressing F8 and the computer started loading properly. A Windows message appeared stating that the computer had been infected with a Worm called Skynet and suggested I run a full virus scan. When the computer had loaded a fake virus checker opened up and a white x in a red circle appeared in the task tray stating 'Update virus checker now'. It also opened up IE8 and tried to go to two websites. (one was www.porno.org but I forget the other). As my laptop connects to my modem by Wifi I turned off my WiFi by the switch. This did not allow the websites to load.

I recognised this as a virus and so ran my virus checker again and once in safe mode. It could not find a skynet virus.

I then logged onto the other house computer and found this website to get help. I found your post 'I'm infected - What do I do now?'

I downloaded Malwarebytes' Anti-Malware and transferred it to my laptop. I opened it and it searched for an update. This message appeared:

"An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team - Error code 732 (12029,0)"

The reason I did not report this on the 4th was because after clicking ok the file still opened and was able to run. I assumed it was slightly out of date but it was working.

The quick scan worked and found files that it deleted. When I re booted the Skynet message did not appear and I believed it had worked. I have then re run Malwarebytes' Anti-Malware program again, and in safe mode. As per the post on this website, if the program appears to have fixed the problem I could finish at that point and not do the other downloads and checks listed.

Instead over the next couple of days I ran in normal & safe mode the following:

F-Prot antivirus

Avast antivirus (I am aware you should have only one, but I will try anything to fix this)

Windows scan disk

Disk defragment program

All appeared ok.

I opened up a baseball sim game (played on the laptop, not connected to internet) and while I was playing, the game lagged very badly.

I then tried to get on the internet. My Wifi connection said it was connected, however, no websites could open up. I could not see anything else could be effecting the connection.

I re read the main topic and decided to continue from where I left off and then post the logs etc as requested. So here I am.

There was a problem when I ran the GMER Rootkit Scanner. A Microsoft window appeared stating that "67xj6trv.exe had encounted a problem and was closing."

No log file appeared or could be saved. I am therefore unable to attach a "ark.txt" log file.

This is the DDS log below.

DDS (Ver_09-12-01.01) - FAT32x86

Run by Peter at 12:43:58.10 on Fri 08/01/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.385 [GMT 11:00]

AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\system32\spoolsv.exe

SVCHOST.EXE

C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe

c:\WINDOWS\system32\IFXSPMGT.exe

c:\WINDOWS\system32\IFXTCS.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ATK0100\HControl.exe

c:\Program Files\Infineon\Security Platform Software\PSDrt.exe

c:\Program Files\Infineon\Security Platform Software\SpTna.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe

C:\Program Files\ASUS\ASUS Live Update\ALU.exe

C:\Program Files\ASUS\Splendid\ACMON.exe

C:\Program Files\Wireless Console 2\wcourier.exe

C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe

C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\ACEngSvr.exe

C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Documents and Settings\Peter\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.premierleague.com/page/Home/0,,12306,00.html

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: ASUS Security Protect Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [HControl] c:\windows\atk0100\HControl.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [sMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe

mRun: [PowerForPhone] c:\program files\asus\powerforphone\PowerForPhone.exe

mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe

mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModule

mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe

mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe

mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe

mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multif~1.lnk - c:\program files\asus\asus multiframe\MultiFrame.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/insaniquarium/sis/popcaploader_v10.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: IfxWlxEN - IfxWlxEN.dll

Notify: OneCard - c:\program files\asus security center\asus security protect manager\bin\ASWLNPkg.dll

AppInit_DLLs: c:\windows\system32\kbdsock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Notification Packages = scecli ASWLNPkg

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2007-11-4 682840]

R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\itsdisk.sys [2006-5-16 17840]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]

R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-20 14336]

R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2009-8-27 75424]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-10-12 36352]

S0 ybzglqll;ybzglqll;c:\windows\system32\drivers\ybzglqll.sys [2010-1-3 0]

S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2006-10-12 34944]

S3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2006-10-12 1116544]

S3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\synscan.sys --> c:\windows\system32\drivers\SynScan.sys [?]

=============== Created Last 30 ================

2010-01-08 01:39:50 0 ----a-w- c:\documents and settings\peter\defogger_reenable

2010-01-08 01:32:50 0 d-----w- c:\windows\E58B329BFB28487490DE0D7CB2709267.TMP

2010-01-04 09:44:02 0 d-----w- c:\docume~1\peter\applic~1\Malwarebytes

2010-01-04 09:43:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-04 09:43:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-04 09:43:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-04 09:43:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-03 07:28:01 0 ----a-w- c:\windows\system32\24464.exe

2010-01-03 07:08:01 0 ----a-w- c:\windows\system32\26962.exe

2010-01-03 06:48:01 0 ----a-w- c:\windows\system32\29358.exe

2010-01-03 06:28:01 0 ----a-w- c:\windows\system32\11478.exe

2010-01-03 06:07:57 0 ----a-w- c:\windows\system32\15724.exe

2010-01-03 05:47:57 0 ----a-w- c:\windows\system32\19169.exe

2010-01-03 05:27:57 0 ----a-w- c:\windows\system32\26500.exe

2010-01-03 03:54:28 0 ----a-w- c:\windows\system32\6334.exe

2010-01-03 03:34:25 0 ----a-w- c:\windows\system32\18467.exe

2010-01-03 03:06:54 0 ----a-w- c:\windows\system32\drivers\ybzglqll.sys

2010-01-03 03:04:53 1 ----a-w- C:\s

2010-01-03 03:04:46 25088 ----a-w- C:\umgwljsb.exe

2009-12-31 06:02:56 0 d-----w- C:\Sports Mogul

2009-12-29 04:53:36 0 d-----w- c:\program files\EV Nova

==================== Find3M ====================

2009-12-01 09:32:40 98304 ----a-w- c:\windows\W2BNEUnin.exe

2009-12-01 09:32:40 2829 ----a-w- c:\windows\W2BNEUnin.pif

2009-12-01 09:32:40 19886 ----a-w- c:\windows\W2BNEUnin.dat

2009-10-28 14:40:48 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll

2009-10-12 13:38:20 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:20 149504 ------w- c:\windows\system32\dllcache\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll

2009-10-10 17:17:28 411368 ----a-w- c:\windows\system32\deploytk.dll

2008-10-16 03:27:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 12:44:35.54 ===============

I have attached three Malwarebytes' Anti-Malware logs (Two on the 4th Jan and the last one today)

as well as the zipped attach.txt file

Thank you in advance for any help you can provide.

mbam_log_2010_01_04__20_58_50_.txt

mbam_log_2010_01_04__21_15_28_.txt

mbam_log_2010_01_04__20_58_50_.txt

Attach.zip

[kahdah]

Hello pjap

Welcome to Malwarebytes.

=====================

Download the following GMER Rootkit Scanner from Here

• Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  
• Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  
• It may take a minute to load and become available.
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  

  
  

• Sections
  
  
• IAT/EAT
  
  
• Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  
  
• Show All (don't miss this one)

  
  

• Then click the Scan button & wait for it to finish.
  
• Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop
  
• **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  
• Click OK and quit the GMER program.
  
• Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  
• Post that log in your next reply.
  

[pjap]

Thank you for your assistance. This time the file worked. Please find ark.txt zipped attached to this post.

ark.zip

[kahdah]

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

[pjap]

Kahdah,

Thank you for your comments. I think I will do a full wipe.

I want to copy some files to a flash drive to keep so I can use after the fresh install. Are there any normal program files (ie saved computer game files) that I should not keep because they are infected?

I have the install disks for MS XP & Office so I have no problem there.

A website I found regarding reformating a ASUS laptop suggested I can just do the following:

Step 1 Enter your Windows OS installation CD into your ASUS laptop's CD-ROM, then restart your computer.

Step 2 When your computer restarts, instead of booting up normally you will now see a Windows "Welcome" screen. Press "Enter" to continue. At the next screen, press "F8" to accept the Windows licensing agreement.

Step 3 The next screen that appears will show a list of all of your hardware partitions. Tab down to the hard drive you would like to format and press "D" to delete it.

Step 4 Once you have deleted your hard drive partitions, you will now see a drive labeled "Unpartitioned Space." Press "Enter" to begin installing Windows on your ASUS laptop.

Step 5 There will now be several options for Windows installation. Select the option labeled "Format the partition using the NTFS file system." NTFS is the type of file system used by Windows, meaning that Windows requires files to be structured a certain way to be used.

Step 6 You will now see a Windows installation screen. Follow the instructions and enter your product key. Windows will now begin automatic installation. Wait until the process completes and your computer restarts. You have now successfully formatted and reinstalled Windows on your hard drive.

Sorry for the newbie question, but will this process work or is there a better procedure?

Thanks for your help. Its a pity my computer is past the point of no return

[kahdah]

Yes you can backup pretty much anything you want but for the C:\Windows folder.

You won't need anything in there anyway.

Yes the above procedure will work.

Here is a tutorial on how to do it.

http://www.geekstogo.com/forum/Reformat-In...ws-t173729.html

Your computer can be repaired but I needed to alert you to the capabilities that this infection has.

We can clean it no problem but cannot guarantee that it will be 100% secure afterwards.

[pjap]

Kahdah,

Sorry for the long delay in replying. I was away from home for a while this week and I had wanted to set aside several hours to do the wipe of my laptop.

I have just done it. I am using my laptop to write this reply. I have downloaded all of Microsoft's updates. I have my antivirus updated and running. All is great.

This reply is just to thank you for your help.

pjap.

[kahdah]

You are welcome glad it is fixed.