TechSpot

Packed.rolex Skynet Virus

By robbobbob
Jun 18, 2009
Topic Status:
Not open for further replies.
  1. I recently downloaded an application and then virus scanned it first with AVG (up-to-date), which reported no infection. However on executing the install, I suddenly had many real-time alerts from AVG about a virus (without Windows Firewall alerts). I exited the install but the alerts continued, reporting multiple instances of a “Skynet” and “packed.rolex” virus in my Windows\System32 directory. I seem to get ~15 reports when I start Windows (Vista Home Deluxe) and then at least 3 more every time I start a programme. A full AVG scan and Windows Defender scan found nothing.

    I followed your very helpful "8 Step Guide to Virus & Malware Removal" which seemed to find one trojan (see attached logs), however the problem still exists.

    Of note, Malwarebytes' Anti-Malware caused the system to become unresponsive in both normal and safe mode whilst scanning, stopping on a file on my recovery drive (as set up by Dell), “D:\windows\system32\config\security”. I then scanned the C: drive separately (log attached) and went through the “D:\windows\system32\config\” folder scanning files individually with Malwarebytes', where it again became unresponsive on the following two files: “D:\windows\system32\config\software.file” and “D:\windows\system32\config\system.file”. I am unsure as to the significance of this, but thought I would err on the side of caution and let you know.

    Sorry for the long post but I wanted to be comprehensive, many thanks for reading it all!

  2. mflynn

    mflynn TS Rookie Posts: 2,793

    Run HJT, select and Fix the below!
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe

    Update MBAM and SAS, but do not run them yet!

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Next.....

    Download the below in full mode to be run in Safe Mode

    Download Dr.Web CureIt from here http://www.snapfiles.com/get/cureit.html

    Now do the below before booting to Safe Mode with Networking

    Left-drag the mouse and copy all the text in the box below for pasting.
    Make sure the scroll bar goes to the bottom, from the @ to the end of the second exit.
    Then paste it into the black screen of an open command prompt.
    Code:
    @echo off
    
    rem clear the hidden, system and read-only attributes on every SKYNET* file under C:\ (/s recurses into subfolders)
    attrib -h -s -r /s c:\SKYNET*.*
    rem force-delete those files, again recursing into subfolders
    del /f /q /s c:\SKYNET*.*
    
    exit
    exit
    Once in Safe Mode with Networking, do the copy/paste operation above again! Then run an MBAM Quick Scan and post the log if not clean. If not clean, run MBAM again until clean.

    Then same with SAS!

    Finally run Cureit.

    If a reboot is required do not go back to normal but back to Safe Mode until Cureit is finished!

    Mike
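A PowerShell version of the same find-and-delete step, added here as a worked example and not part of mflynn's instructions: it walks a root (C:\ by default, the same root the batch file above uses) for files whose names start with SKYNET, including hidden and system ones, prints path, attributes and SHA-256 for each so you have a record before anything is destroyed, and removes them only when -Remove is passed. The script name, the $Root and $Remove parameters and the Get-Sha256 helper are my own assumptions; hashing goes through .NET so it also runs on the PowerShell 2.0 that shipped with Vista.

```powershell
# Find-Skynet.ps1 (added example, not from the thread)
# List, and optionally delete, every file named SKYNET* under $Root, hidden/system files included.
param(
    [string]$Root = 'C:\',   # assumption: same root the thread's batch file targets
    [switch]$Remove          # assumption: without this switch the script only reports
)

function Get-Sha256([string]$Path) {
    # .NET hashing rather than Get-FileHash, which only exists from PowerShell 4.0 onward
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

# -Force is what makes hidden and system files appear in the listing;
# SilentlyContinue keeps access-denied folders from aborting the walk.
$hits = Get-ChildItem -Path $Root -Filter 'SKYNET*' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }

foreach ($f in $hits) {
    # Record what was found before touching it
    $rec = New-Object PSObject -Property @{
        Path       = $f.FullName
        Attributes = $f.Attributes.ToString()
        SizeBytes  = $f.Length
        SHA256     = Get-Sha256 $f.FullName
    }
    $rec | Format-List Path, Attributes, SizeBytes, SHA256 | Out-String | Write-Host

    if ($Remove) {
        # Same effect as "attrib -h -s -r": clear the bits so the delete is allowed
        $f.Attributes = 'Normal'
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue
    }
}

if (-not $hits) { Write-Host "No SKYNET* files found under $Root" }
```

Run it once without -Remove and read the list: it matches on the name prefix only, so anything legitimately named SKYNET* would go too, and the listing is the check before you commit. A file that a running process still holds open will fail to delete, which is why the thread does this from Safe Mode; and if AVG keeps alerting while the listing comes back empty, treat that as a sign that something active is filtering directory listings, and fall back to Safe Mode or an offline boot as the later posts advise. If the script refuses to run, start it with powershell -ExecutionPolicy Bypass -File .\Find-Skynet.ps1.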
  3. robbobbob

    robbobbob TS Rookie Topic Starter

    Thanks for your quick reply mflynn :)

    That seems to have worked! Thank you so much!
  4. mflynn

    mflynn TS Rookie Posts: 2,793

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by the Firewall. Approve in Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

    If prompted to Reboot click, Yes.
    OTCleanIt will delete itself when finished. If not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run it twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean. You may have this from the 8 Steps.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    -------------------------------------------------------------------------------------
    The issues can be, and are likely to be, found in System Restore, so do the below

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point, but it does one other thing, clearing something that can contain infected files and take a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------
    ERUNT
    Add a redundant Registry backup: get and install ERUNT, let it add itself to startup, and do a backup on install, checking all boxes.

    ERUNT http://www.larshederer.homepage.t-online.de/erunt/
    Yes! Even if you use system restore and other backups Registry and Images.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled so as not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    When it queries you with a prompt, to help you decide whether to approve or not, you can Google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run Spybot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download, install and run it, allow it to disable the DNS Client, then select all hosts files and Update and install them all.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
  5. liljenstar

    liljenstar TS Rookie

    Help, I can't even get online on my laptop. It says I have the same virus as above, but what can I do? Please help. I'm using a friend's at the moment and not having much luck in removing the virus.
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    Well on the other computer you will have to go here:
    TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Download these programs and copy them to a flash drive or burn them to CD, take them to the affected computer, and install and run them. After they are installed and run, the computer should connect; then attach the logs and follow the steps above.

    Mike
  7. liljenstar

    liljenstar TS Rookie

    OK, thanks, I'll get back to you later once I've got something to download it on to, if I have any problems. I'm awful at things like this. x
  8. liljenstar

    liljenstar TS Rookie

    Having trouble downloading the program you said and then saving it to disk. I'm not very good with computers and am going insane with the virus on mine. AVG keeps telling me they are there, then I get a blue screen crash dump and am unable to keep the computer on. It will load in Safe Mode though, so what is the best way to do this and get it sorted, in simple terms please?
  9. Xaoban

    Xaoban TS Rookie

    Hi, I too have this problem; however, the explanations above don't mean anything to me. For example, what is HJT? What are MBAM and SAS?

    AVG won't shut up, telling me I have an infected C:\Windows\system32\SKYNETxdihlamj.dll file, which is hidden so it won't delete.

    Any help would be appreciated.
  10. mflynn

    mflynn TS Rookie Posts: 2,793

    Well, do this and you will know that HJT is HijackThis, MBAM is MalwareBytes AntiSpyware and SAS is SuperAntiSpyware.

    TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Read this entire thread for insight

    So git-er-done!

    Attach the logs

    Mike
  12. Xaoban

    Xaoban TS Rookie

    Hey, just as an update: as part of the SKYNET alerts I'm also getting one from the system32\drivers folder that AVG identifies as a "Win32/Cryptor" virus. I don't know the difference or how to get rid of them, but I'm getting a lot of alerts of these.

    Any more help is eternally appreciated >.<

    cheers, Xao
  13. Xaoban

    Xaoban TS Rookie

    Bump, if I may? >.< I'm very close to reinstalling Windows; AVG can't delete the rootkits and the online database on Norton hasn't heard of it.

    I can do more scans and repost logs if need be.
  14. tystanwick

    tystanwick TS Rookie Posts: 29

    First thing you need to do is shut off System Restore. If you are running Windows XP: right-click "My Computer," select Properties, click on the System Restore tab, put a check next to "Turn off System Restore on all drives," and restart your computer.

    Next, go into Safe Mode with Networking by pressing F8 while your computer is rebooting. Once in Safe Mode, download Malwarebytes Anti-Malware here:

    *EDIT* You'll have to get the links for MBAM and Combofix from the post above. Techspot won't let me post links because I haven't posted enough.

    Then download ComboFix here:

    If you CAN'T get online, you will need another computer with a functional internet connection. Save the installers to a flash drive or CD, then copy them to the infected PC.

    Install and update Malwarebytes (MBAM).
    Run a Quick Scan and remove everything it finds. Reboot if prompted. Save the log file to your desktop.

    Once the reboot is done, run ComboFix. Do NOT click, type, or move ANYTHING while ComboFix is running. ComboFix is finicky while it's doing its thing. Agree with everything ComboFix asks you. Once it's complete, save the log file to your desktop.

    Run MBAM again. If it comes back clean, you're done. If not, post your log files here.

    Another alternative, if you have a Linux boot CD (like Knoppix/Xubuntu) or an ERD-type CD (I like Winternals ERD Commander 05), is to boot off of those (make sure you DON'T load the Windows registry info if using ERD), go straight to Windows\System32 and Windows\System32\Drivers, and delete the virus files manually. Of course, I'd only recommend this for someone who is comfortable with the inner workings of their OS.
  15. dennishalsey

    dennishalsey TS Rookie

    The correct way to remove skynet

    Download ComboFix from another PC to a flash drive (make sure you have the latest version of ComboFix, because if it has expired it will not kill this virus! This is essential!)
    Unplug the internet connection on the infected PC
    Boot it in Safe Mode
    Log in as Administrator
    Install ComboFix from the flash drive
    Run the program and
    everything is back to normal!
    That's it!