global root

Hello, I have something that keeps popping up on my screen; it's globalroot/systemroot/system32/skynetcmtcirsf.dll. In the files of viruses Norton got rid of this if there but it windows instead of global root. Please help me resolve this problem if you can, thank you :)


Re: global root

Please download and run both RootRepeal and GMER as per the instructions below. We are only looking for the log files right now so do not do anything else in GMER.

1. Download to your Desktop "RootRepeal.exe" from http://homepages.slingshot.co.nz/~crutches/RootRepel

Start it, Click on the "Report" Tab

Select (tick) in the box that appears "Drivers", "Stealth Objects" and "Hidden Services" and click OK

After it scans click "Save Report" and save the txt file; use notepad to copy the info if needed.



2. Download GMER from http://www.gmer.net and then run the program, click "Scan" and then "Save" the log.


Post the logs in multiple posts on the Norton User Forum here. Someone will be with you shortly after that this evening. Thank you.
Win10 x64; Proud graduate of GeeksToGo

Re: global root

I tried to download the 2 things you posted for me and I can't; I think the virus is stopping me. The 2nd download does say there is a virus, but in the middle of the scan it stops.

Re: global root

Hi. Could you please be a bit more specific? What are you referring to?
"All that we are is the result of what we have thought"

Re: global root

OK, I'm sorry. I have something called globalroot/systemroot/system32/skynetcmtcirsf.dll. I tried to run both programs, RootRepeal and GMER, but they freeze up and the computer screen goes blue on me.

Re: global root

aha

Where did you download these from?

"All that we are is the result of what we have thought"

Re: global root

OK, I got these from the website http://homepages.slingshot.co.nz/~crutches/RootRepel and, um, http://www.gmer.net. It won't let me finish them :/ Can you help me out? I don't want to get a new computer.


Re: global root

Cherrybomb:

Just hang in there for a short while until Quads gets online. He may have some other suggestions for getting those programs to run. I will send him a message that you need assistance.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: global root

Just to confirm, you were not running them at the same time were you?
Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: global root

No, I wasn't, but I have to go to work. I'll bbl and try again :)

Re: global root

Try Running GMER while you are in Safe Mode

Quads 


Re: global root

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 07:44:56
Windows 6.0.6000


---- System - GMER 1.0.15 ----

Code     83C82818                                                                                  ZwEnumerateKey
Code     83C97E80                                                                                  ZwFlushInstructionCache
Code     83C9A245                                                                                  IofCallDriver
Code     83C9C7DE                                                                                  IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text    ntkrnlpa.exe!IofCallDriver                                                                81C27F37 5 Bytes  JMP 83C9A24A
.text    ntkrnlpa.exe!IofCompleteRequest                                                           81C27FA4 5 Bytes  JMP 83C9C7E3
PAGE     ntkrnlpa.exe!ZwEnumerateKey                                                               81D37F06 5 Bytes  JMP 83C8281C
PAGE     ntkrnlpa.exe!ZwFlushInstructionCache                                                      81DE849F 5 Bytes  JMP 83C97E84

---- User code sections - GMER 1.0.15 ----

.text    C:\Users\Administrator\Downloads\bld0i08u.exe[336] ntdll.dll!LdrLoadDll                   77B4EB00 5 Bytes  JMP 003A000A
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!DialogBoxIndirectParamW  767414EA 5 Bytes  JMP 72B1178F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxExA            7675570D 5 Bytes  JMP 72B116D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!DialogBoxParamA          767565BF 5 Bytes  JMP 72B11754 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxIndirectW      7675F1B3 5 Bytes  JMP 729A16B6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!DialogBoxIndirectParamA  767829C9 5 Bytes  JMP 72B117CA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxIndirectA      7678FACF 5 Bytes  JMP 72B11710 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxExW            7678FBC9 5 Bytes  JMP 72B1169C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service  C:\Windows\system32\drivers\SKYNETnmjngjyn.sys (*** hidden *** )                          [SYSTEM] SKYNETundfqdqh                                                                                    <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh                                    
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh@start                               1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh@type                                1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh@group                               file system
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh@imagepath                           \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main@aid                            10096
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main@sid                            0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main@cmddelay                       7200
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main\delete                        
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main\injector                      
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main\injector@*                     SKYNETwsp.dll
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\main\tasks                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\modules                            
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\modules@SKYNETrk.sys                \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\modules@SKYNETcmd.dll               \systemroot\system32\SKYNETfoeoowpn.dll
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\modules@SKYNETlog.dat               \systemroot\system32\SKYNETxhmlpygl.dat
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\modules@SKYNETwsp.dll               \systemroot\system32\SKYNETcmtcirsf.dll
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh\modules@SKYNET.dat                  \systemroot\system32\SKYNETihmurbyu.dat
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh                                        
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh@start                                   1
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh@type                                    1
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh@group                                   file system
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh@imagepath                               \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main                                   
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main@aid                                10096
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main@sid                                0
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main@cmddelay                           7200
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main\delete                            
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main\injector                          
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main\injector@*                         SKYNETwsp.dll
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\main\tasks                             
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\modules                                
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\modules@SKYNETrk.sys                    \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\modules@SKYNETcmd.dll                   \systemroot\system32\SKYNETfoeoowpn.dll
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\modules@SKYNETlog.dat                   \systemroot\system32\SKYNETxhmlpygl.dat
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\modules@SKYNETwsp.dll                   \systemroot\system32\SKYNETcmtcirsf.dll
Reg      HKLM\SYSTEM\ControlSet002\Services\SKYNETundfqdqh\modules@SKYNET.dat                      \systemroot\system32\SKYNETihmurbyu.dat
 


Re: global root

Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh@start                                   1
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh@type                                    1
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh@group                                   file system
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh@imagepath                               \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main                                   
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main@aid                                10096
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main@sid                                0
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main@cmddelay                           7200
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main\delete                            
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main\injector                          
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main\injector@*                         SKYNETwsp.dll
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\main\tasks                             
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\modules                                
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\modules@SKYNETrk.sys                    \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\modules@SKYNETcmd.dll                   \systemroot\system32\SKYNETfoeoowpn.dll
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\modules@SKYNETlog.dat                   \systemroot\system32\SKYNETxhmlpygl.dat
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\modules@SKYNETwsp.dll                   \systemroot\system32\SKYNETcmtcirsf.dll
Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNETundfqdqh\modules@SKYNET.dat                      \systemroot\system32\SKYNETihmurbyu.dat
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh                                        
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh@start                                   1
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh@type                                    1
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh@group                                   file system
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh@imagepath                               \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main                                   
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main@aid                                10096
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main@sid                                0
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main@cmddelay                           7200
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main\delete                            
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main\injector                          
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main\injector@*                         SKYNETwsp.dll
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\main\tasks                             
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\modules                                
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\modules@SKYNETrk.sys                    \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\modules@SKYNETcmd.dll                   \systemroot\system32\SKYNETfoeoowpn.dll
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\modules@SKYNETlog.dat                   \systemroot\system32\SKYNETxhmlpygl.dat
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\modules@SKYNETwsp.dll                   \systemroot\system32\SKYNETcmtcirsf.dll
Reg      HKLM\SYSTEM\ControlSet004\Services\SKYNETundfqdqh\modules@SKYNET.dat                      \systemroot\system32\SKYNETihmurbyu.dat
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh                                        
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh@start                                   1
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh@type                                    1
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh@group                                   file system
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh@imagepath                               \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main                                   
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main@aid                                10096
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main@sid                                0
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main@cmddelay                           7200
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main\delete                            
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main\injector                          
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main\injector@*                         SKYNETwsp.dll
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\main\tasks                             
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\modules                                
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\modules@SKYNETrk.sys                    \systemroot\system32\drivers\SKYNETnmjngjyn.sys
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\modules@SKYNETcmd.dll                   \systemroot\system32\SKYNETfoeoowpn.dll
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\modules@SKYNETlog.dat                   \systemroot\system32\SKYNETxhmlpygl.dat
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\modules@SKYNETwsp.dll                   \systemroot\system32\SKYNETcmtcirsf.dll
Reg      HKLM\SYSTEM\ControlSet005\Services\SKYNETundfqdqh\modules@SKYNET.dat                      \systemroot\system32\SKYNETihmurbyu.dat

---- EOF - GMER 1.0.15 ----

OK, here's the rest. Ty so much :)

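An added example, not part of any post in this thread: a small Python parser run over lines copied from the GMER log above. It separates inline hooks whose JMP target GMER resolved into a named module (the IEFRAME.dll entries) from those left as a bare address, and ties the hidden service to its registry imagepath. The function and pattern names are this example's own.

```python
import re

# Lines copied from the GMER 1.0.15 log posted above (column padding shortened).
SAMPLE_LOG = r"""
.text    ntkrnlpa.exe!IofCallDriver    81C27F37 5 Bytes  JMP 83C9A24A
PAGE     ntkrnlpa.exe!ZwEnumerateKey    81D37F06 5 Bytes  JMP 83C8281C
.text    C:\Users\Administrator\Downloads\bld0i08u.exe[336] ntdll.dll!LdrLoadDll    77B4EB00 5 Bytes  JMP 003A000A
.text    C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxExA    7675570D 5 Bytes  JMP 72B116D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
Service  C:\Windows\system32\drivers\SKYNETnmjngjyn.sys (*** hidden *** )    [SYSTEM] SKYNETundfqdqh    <-- ROOTKIT !!!
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNETundfqdqh@imagepath    \systemroot\system32\drivers\SKYNETnmjngjyn.sys
"""

# Inline hook line: section, hooked function, address, patch size, JMP target,
# then (optionally) the module GMER resolved the target into.
HOOK = re.compile(
    r"^(?:\.text|PAGE)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-F]{8})\s+\d+ Bytes\s+"
    r"JMP (?P<target>[0-9A-F]{8})(?:\s+(?P<owner>\S.*))?$")
# Service line flagged as hidden: driver path, start group, service name.
SERVICE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# Registry line giving a service's imagepath in any control set.
REG_IMAGEPATH = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\\w+\\Services\\(?P<svc>[^\\@\s]+)@imagepath\s+"
    r"(?P<path>\S+)$")


def triage(log_text):
    """Sort GMER findings into hidden services and inline hooks."""
    out = {"hidden_services": [], "unattributed_hooks": [],
           "attributed_hooks": [], "imagepaths": {}}
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := HOOK.match(line):
            # A hook with no owning module after the target is the one to review first.
            key = "attributed_hooks" if m["owner"] else "unattributed_hooks"
            out[key].append((m["where"], m["target"]))
        elif m := SERVICE.match(line):
            out["hidden_services"].append((m["name"], m["path"]))
        elif m := REG_IMAGEPATH.match(line):
            out["imagepaths"].setdefault(m["svc"], set()).add(m["path"])
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, path in report["hidden_services"]:
        print("hidden service:", name, path, report["imagepaths"].get(name))
    for where, target in report["unattributed_hooks"]:
        print("unattributed hook:", where, "->", target)
```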

Re: global root

Thanks very much Cherrybomb.  Quads will be along later due to time zone differences.  In the meantime, please resist any temptation you may have to try and fix it yourself.  Other people have tried and got themselves into problems.  We don't like to see that happen, and once the damage is done, it is beyond Quads' ability to fix long distance.
Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: global root

Hi

Now (Script been sent)

1. Download Combofix to your Desktop: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Don't use yet.

2. I have Personal Messaged you the script between the lines; look for the yellow envelope at the upper right hand side. Copy the Script.

3. Open Notepad and paste it into Notepad with the first line being killall::

4. Save the script as "CFScript.txt". CFScript.txt is what you see on your desktop after saving.

5. Disable Norton's Auto-Protect and Firewall.

6. Drag and drop CFScript.txt on top of Combofix.exe, like when you drop files into the recycle bin.

7. Combofix will start. When it is scanning don't move the mouse cursor inside the box; it can cause freezing.

Quads 


Re: global root

Ty ty sooo much :D No more pop-ups so far. Thanks very much, Quads :)


Re: global root

Hi Cherrybomb1099:

Please scan again with Malwarebytes to make sure all the left-overs are cleaned up.  Quarantine and delete anything found.  Maintain regular scans with Norton and MBAM for the next couple of weeks to be sure nothing sneaks back in.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: global root

Moved to own thread for better exposure.