Active Won't run programs, some kind of virus!

Discussion in 'Malware and Virus Removal Archive' started by DareDevil, 2009/07/31.

  1. 2009/08/05
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Ok did the Panda scan, doing the other. Here is Panda log:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-08-05 17:33:23
    PROTECTIONS: 1
    MALWARE: 22
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Kaspersky Anti-Virus 8.0.0.506 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@trafficmp[1].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@casalemedia[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@doubleclick[4].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@doubleclick[3].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@doubleclick[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@doubleclick[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@atdmt[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@atdmt[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@atdmt[3].txt
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@247realmedia[2].txt
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@247realmedia[1].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@fastclick[2].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@tribalfusion[3].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@tribalfusion[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@tribalfusion[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[2].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@statcounter[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@ad.yieldmanager[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@ad.yieldmanager[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@apmebf[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@burstnet[1].txt
    00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.burstbeacon[1].txt
    00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@adtech[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@advertising[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@realmedia[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@questionmarket[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@zedo[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@zedo[2].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@zedo[3].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[1].txt
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@target[1].txt
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@target[2].txt
    00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.addynamix[1].txt
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{05E7CD20-FF79-4087-8F3D-36A84E01EAED}\RP2\A0000317.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETjkdbfhcj.sys.vir
    03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETtlmscyxl.dll.vir
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location q
    ;===================================================================================================================================================================================
    No C:\Documents and Settings\owner\Desktop\ComboFix.exe q
    No C:\System Volume Information\_restore{05E7CD20-FF79-4087-8F3D-36A84E01EAED}\RP2\A0000154.exe q
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description q
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  2. 2009/08/05
    DareDevil

    DareDevil Inactive Thread Starter

    Joined:
    2009/07/31
    Messages:
    14
    Likes Received:
    0
    Ok and here is the other:

    GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-08-05 19:53:45
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB15551DA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xB15557AE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xB15571EA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xB1556B9C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xB1554950]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB1558B7C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xB15555AE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xB1554D92]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xB1554F92]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xB1556EAC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xB1559084]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xB15550A8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xB1555110]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xB1556D5E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xB1558620]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xB15569F8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xB1554AB2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xB15553B2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xB1558BA6]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xB15552FE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xB1555178]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xB1554E7C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xB1554C5A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xB1558888]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xB15545D2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xB1557A74]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xB1554734]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xB1558F56]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xB15543D0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xB155708C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xB15556AC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xB155871A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xB1558BD0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xB1554B08]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xB1558CB4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xB1558DE0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xB155854C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xB155547E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xB15554F0]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk@start 1
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk@imagepath \systemroot\system32\drivers\SKYNETjkdbfhcj.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main@aid 10038
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main@sid 0
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main\injector@* SKYNETwsp.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETjkdbfhcj.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\modules@SKYNETcmd.dll \systemroot\system32\SKYNETavtpxmmq.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\modules@SKYNETlog.dat \systemroot\system32\SKYNETltoiqwjx.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\modules@SKYNETwsp.dll \systemroot\system32\SKYNETtlmscyxl.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToyrdlmlk\modules@SKYNET.dat \systemroot\system32\SKYNETupxfbnsk.dat

    ---- EOF - GMER 1.0.15 ----
     

  4. 2009/08/06
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    That is a clean scan from GMER.

    The CurrentControlSet is the only one we need to be concerned about and that is clean.

    ControlSet001 is there as your "Last Known Good Configuration" and needs to be left alone. It will change on its own. (It doesn't mean those files are active or present on your system.)

    There is nothing there that is active, I think we have finally killed it.



    But, just to check I want to do this:

    Locate the ComboFix icon on your desktop > right click and select delete.

    We'll get an updated copy.


    Download Combofix© by sUBs from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.
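    Added example, not part of this thread or of any tool named in it: a PowerShell check that reads HKLM\SYSTEM\Select to show which ControlSet is the live CurrentControlSet and which is LastKnownGood, then reports whether a given service key (defaulting to the SKYNET name from the GMER log above) exists in each set. It assumes an elevated PowerShell session on the machine being examined; the service name is just a parameter and can be swapped for any name a scan log reports.

```powershell
# Added example (not from the thread). Resolves the live ControlSet and
# reports whether a service key is present in each ControlSet, so a
# "(not active ControlSet)" line in a rootkit scan can be cross-checked.
param(
    # Service name as listed in the GMER log in this thread; hypothetical
    # default, replace with whatever name your own scan reports.
    [string]$ServiceName = 'SKYNEToyrdlmlk'
)

# HKLM\SYSTEM\Select holds the numbers of the control sets Windows uses.
$select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = 'ControlSet{0:D3}' -f $select.Current
$lkg     = 'ControlSet{0:D3}' -f $select.LastKnownGood

Write-Host "CurrentControlSet points to : $current"
Write-Host "LastKnownGood points to     : $lkg"
Write-Host ''

# Walk every ControlSetNNN key and look for the service under it.
Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    ForEach-Object {
        $setName = $_.PSChildName
        $state   = if ($setName -eq $current) { 'ACTIVE' } else { 'not active' }
        $svcKey  = Join-Path -Path $_.PSPath -ChildPath "Services\$ServiceName"

        if (Test-Path -Path $svcKey) {
            # ImagePath tells you which driver file the entry would load;
            # check the file actually exists on disk before worrying.
            $image = (Get-ItemProperty -Path $svcKey).ImagePath
            Write-Host ("{0,-14} {1,-11} present, ImagePath = {2}" -f $setName, $state, $image)
        }
        else {
            Write-Host ("{0,-14} {1,-11} absent" -f $setName, $state)
        }
    }
```

    An entry that is present only in a set marked "not active" is a stale copy, which matches what the GMER output above flags; an entry in the ACTIVE set is the one to investigate.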
     
