The detections in your previous post point to a security threat called a rootkit. Rootkits are software designed to hide and protect files, programs, registry entries, network connections, or any other object in the computer system. They load at the core "root" of your system ahead of much of your software in order to act as a man-in-the-middle to intercept normal computer activity.
There are tools out there that can be used to detect and possibly remove these threats, but as this is a cat-and-mouse game, detection and repair are not guaranteed. You can try "RootRepeal" to scan and possibly remove the bad files.
- Download RootRepeal
- Extract the file to your Desktop and Rename the file to something random like "abcd1234"
- Run the program by double-clicking on it.
- Click on the REPORT TAB at the bottom of the program. [DO NOT SKIP THIS STEP]
- Click on the SCAN Button. Check each option EXCEPT "Files". Click OK.
- After a few moments, the scan should be done and show a Report text file. Please reply with the information in this file.
This report file will contain the information about some hidden drivers and hooks in your system. Once we can determine the bad files, you should be able to right click on the entries in each tab and have an option to delete or wipe the file out.
Because of how these threats load, RootRepeal may fail. If it cannot detect and remove the threat, the best way to detect and remove them is by using an "Out of Box" clean up method. This means using another Clean Operating System to scan your computer. I have created a BootCD for emergency use that can be used to clean up your computer.
Thanks a lot for your reply and for spending your precious time. As you said, "Because of how these threats load, RootRepeal may fail", I am really worried about my system.
I have done what you said and the report is below:
ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/11/22 22:59
Program Version: Version 220.127.116.11
Windows Version: Windows Vista SP2
Image Path: C:\Windows\system32\drivers\acdb321.sys
Address: 0x9D5D7000 Size: 49152 File Visible: No Signed: -
Image Path: C:\Windows\System32\drivers\svcl.sys
Address: 0x805B5000 Size: 54016 File Visible: No Signed: -
PID: 4 Status: Locked to the Windows API!
PID: 1284 Status: Locked to the Windows API!
#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0x8ee980b0
Service Name: SKYNETgwpusywq
Image Path: C:\Windows\system32\drivers\SKYNETmjxtrnvv.sys
Now what is the next step? Is it possible to completely remove all these infections? As I am a novice at these things, I kindly request you to guide me step by step in completely removing these infections.
Any help or advice will be greatly appreciated.
Your RootRepeal log shows 1 definite bad entry and 1 questionable one. It also shows that the file names are changing (randomly) possibly because the files are getting removed or redownloaded/reinstalled. To start, I would go to the Services tab in RootRepeal, do the scan, then find the SKYNET file, right click and choose Delete, Force Delete, or Wipe. Start with Delete and if it fails, move to the next option. After this, you need to start your computer in SAFE MODE and run McAfee VirusScan.
If the above method fails...
A BootCD I created can also remove this but generally takes the most time (download, burn, CD boot, and Scan/Clean).
Note: I have no idea what "C:\Windows\System32\drivers\svcl.sys" is... It might be a part of the virus or something else legit. I couldn't find anything on a quick Google search, and most legit programs are not hidden files, so this could be bad too. However, since I can't tell, I did not include instructions to remove it since it *might* be required for some software or hardware you use on your computer.
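To show how the triage above can be made repeatable, here is an added Python example (not part of this thread and not RootRepeal's own code) that reads a report in the layout quoted above and applies the same three checks the reply uses: drivers reported with "File Visible: No", SSDT hooks from modules outside an analyst-supplied allowlist, and services whose driver file name shares a prefix with the service name but differs from it (the "file names are changing" pattern). The report layout is reconstructed from the lines quoted in the thread and may not match every section of a real report; the allowlist and the sample report are constructed for the example.

```python
"""Triage a RootRepeal-style report: flag hidden drivers, unexpected kernel
hooks, and services whose driver file name does not match the service name.
Added example for this thread; not RootRepeal's own code. The line layout is
reconstructed from the quoted report and is an assumption."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample using the lines quoted in the thread (not a complete report).
SAMPLE_REPORT = r"""
Image Path: C:\Windows\system32\drivers\acdb321.sys
Address: 0x9D5D7000 Size: 49152 File Visible: No Signed: -
Image Path: C:\Windows\System32\drivers\svcl.sys
Address: 0x805B5000 Size: 54016 File Visible: No Signed: -
PID: 4 Status: Locked to the Windows API!
PID: 1284 Status: Locked to the Windows API!
#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0x8ee980b0
Service Name: SKYNETgwpusywq
Image Path: C:\Windows\system32\drivers\SKYNETmjxtrnvv.sys
"""

# Analyst-supplied allowlist (assumption): kernel modules of security software
# the user knowingly installed. Hooks from any other module are marked for review.
KNOWN_HOOK_MODULES = {"saskutil.sys"}

RE_IMAGE = re.compile(r"^Image Path:\s*(.+?)\s*$")
RE_ADDR = re.compile(r"^Address:\s*(\S+)\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)")
RE_PID = re.compile(r"^PID:\s*(\d+)\s+Status:\s*(.+)$")
RE_FUNC = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
RE_HOOK = re.compile(r'^Status:\s*Hooked by\s*"([^"]+)"\s+at address\s+(\S+)')
RE_SVC = re.compile(r"^Service Name:\s*(\S+)")


@dataclass
class Finding:
    severity: str  # "high", "review" or "info"
    kind: str
    detail: str


def _basename_stem(path: str) -> str:
    """File name without directory or extension, for Windows-style paths."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(name)[0]


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    pending_image = None    # driver path waiting for its Address line
    pending_service = None  # service name waiting for its Image Path line
    pending_func = None     # SSDT function waiting for its Status line

    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RE_SVC.match(line):
            pending_service = m.group(1)
        elif m := RE_IMAGE.match(line):
            if pending_service:
                svc, path = pending_service, m.group(1)
                stem = _basename_stem(path)
                # Service and driver share a prefix but differ: the randomised
                # naming the reply describes as "file names are changing".
                prefix = os.path.commonprefix([svc.lower(), stem.lower()])
                if svc.lower() != stem.lower() and len(prefix) >= 4:
                    findings.append(Finding("high", "service-name-mismatch",
                                            f"service {svc} -> {path} (shared prefix {prefix!r})"))
                pending_service = None
            else:
                pending_image = m.group(1)
        elif m := RE_ADDR.match(line):
            if pending_image:
                addr, size, visible, signed = m.groups()
                if visible.lower() == "no":
                    findings.append(Finding("high", "hidden-driver",
                                            f"{pending_image} at {addr} ({size} bytes, signed={signed})"))
                pending_image = None
        elif m := RE_PID.match(line):
            # Informational only: the reply does not treat these as proof on their own.
            findings.append(Finding("info", "locked-process", f"PID {m.group(1)}: {m.group(2)}"))
        elif m := RE_FUNC.match(line):
            pending_func = m.group(2)
        elif m := RE_HOOK.match(line):
            module, addr = m.groups()
            module_name = module.replace("\\", "/").rsplit("/", 1)[-1].lower()
            sev = "info" if module_name in KNOWN_HOOK_MODULES else "review"
            findings.append(Finding(sev, "ssdt-hook",
                                    f"{pending_func or '?'} hooked by {module} at {addr}"))
            pending_func = None
    return findings


def high_severity(report: str) -> list[str]:
    """Entries an analyst should look at first."""
    return [f.detail for f in triage(report) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

On the sample above the script marks both hidden drivers and the SKYNET service as high, leaves the SASKUTIL.sys hook as informational because it is on the allowlist, and lists the locked processes without judging them; which of the hidden drivers is actually malicious still needs the manual check the reply describes.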