Browser Hijacked

Thanks for the logs Joenati. Quads will be along after he has had some time to go over it and get set up to remove it. Disable your system restore in case anything is hidden in there.

I looked at some other Skynet issues discussed on this forum, but I'm not sure what to do next. Can anyone explain what the Skynet rootkit is and what it does to a computer?

joenati -

What to do next is wait for Quads to finish compiling a script that will remove the rest of this malware.  Right now the best bet on SKYNET is that it is trying to see if it can get in and not be removed at all.  We are working on trying to stop that at present.  Most of the time this RootKit will bring along at least one other with it to try and make the removal / cleanup that much harder.

From what we have seen so far, SKYNET gets more destructive as unsuccessful removals are made by users trying to run ineffective software to remove the malware.  Quads has been successful in removing SKYNET but it has to be done correctly the first time.  Patience is key here.

Hi Joenati:

Quads was working to build a list of files that have to be carefully compiled from the logs that you provided. That takes some time, as you can imagine by looking at your log. Once that is checked for accuracy and ready to be used, he will provide you with links and instructions to get the job done. There are two of you with SKYNET at the moment and Quads is the only forum member who is able to do this sort of work.

The thing of most importance at the moment is the protection of your system.  SKYNET can't be removed the way UAC and gxvxc can.  It is a riskier process, but usually successful.  Patience is crucial.  

Hi

Now

1. Download Combofix to your Desktop, http://www.combofix.org/

Don't use yet.

2. I have Personal Messaged you the script between the lines, look for the yellow envelope at the upper right hand side.   Copy the Script.

3. Open Notepad and paste it into Notepad with the first line being killall::

4. Save the script as "CFScript.txt". CFScript.txt is what you see on your desktop after saving.

5. Disable Norton's Auto-Protect, Firewall and Spyware Doctor

6. Drag and drop CFScript.txt on top of Combofix.exe, like when you drop files into the recycle bin.

7. Combofix will start. When it is scanning, don't move the mouse cursor inside the box; it can cause freezing.

Quads 

Quads,

Thanks for the script! I think it worked. NIS 2009 ran a full scan for the first time since I noticed this issue.

I am having one problem. The fix now button is red - when I click it Auto-Protect shows up in the item list, but the status shows up Not Fixed after processing. Any ideas?

Thanks again!

Also, I attached the ComboFix log.

Hi Joenati:

Does Norton show anything in the unresolved threats section of history? If so we will be able to clear that. Have you done a full scan using Malwarebytes?

Also, if I'm not mistaken, part of the instructions were to disable auto-protect and tamper protection. Have you re-enabled those settings? Norton shows as disabled in the Combofix log.

If not, please run it for us and attach as always. There are usually a few remnants to clear up after the removal. Also, if Norton was installed when the rootkit was already there, it could cause problems. So, nearly done, just some clean up.

Message Edited by delphinium on 07-03-2009 06:26 AM

Hi

Have you tried updated full scans with Malwarebytes and SuperAntispyware?

Quads 

Hello,

I have completed scans with Malwarebytes, SAS and GMER. I attached the logs.

Thanks

The file Malwarebytes finds is in the System Restore. So turn off System Restore.

I will do an Avenger script to remove the last registry entries.

Quads 

Now (read carefully): if you have Spybot S&D, uninstall it.

1. Download Avenger to your desktop,

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with zipped version to unzip to desktop

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

3. In the "Input script here:" box, copy and paste the script between the lines:

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SKYNETtakmkkjy

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETtakmkkjy

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNETtakmkkjy

Here is a screenshot (script updated since shot)

Avenger.jpg

Make sure the "Automatically disable any rootkits found" option is NOT selected.

4. Click "Execute"

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could and could not remove.

The others Avenger won't remove due to being in the HKCU.

I will have to think if there is still a problem.

Quads 
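
As an added example (not code from the thread, from Quads, or from the Avenger tool), here is a read-only PowerShell check a defender can run before the Avenger step, or afterwards to confirm the result: it lists every service key across all ControlSet00N hives whose name matches the rootkit's SKYNET* naming, with its start type and whether the driver file is still on disk. Only the SKYNET* name comes from the thread; the script's parameter, helper function and property handling are assumptions.

```powershell
# Added example, not part of the thread: a READ-ONLY inventory of service keys whose
# name matches a pattern in every ControlSet00N hive (CurrentControlSet is only a link
# to one of them), so the keys an Avenger "Registry keys to delete:" script would touch
# can be reviewed first. Only the 'SKYNET*' pattern is from the thread; the rest is assumed.
param(
    [string]$NamePattern = 'SKYNET*'
)

function Resolve-DriverPath([string]$ImagePath) {
    # Driver ImagePath values come in several shapes: '\??\C:\...', '\SystemRoot\...',
    # '%SystemRoot%\...', or a path relative to the Windows directory. Normalise them.
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$hits = foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }) {
    $services = "$($cs.PSPath)\Services"
    foreach ($svc in Get-ChildItem $services -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSChildName -like $NamePattern }) {
        $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        $file  = Resolve-DriverPath $props.ImagePath
        [pscustomobject]@{
            Key        = $svc.Name
            Start      = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Type       = $props.Type    # 1 kernel driver, 2 file-system driver, 16/32 Win32 service
            ImagePath  = $props.ImagePath
            FileOnDisk = if ($file) { Test-Path -LiteralPath $file } else { $false }
        }
    }
}

if (-not $hits) {
    Write-Host "No service keys matching '$NamePattern' in any ControlSet."
} else {
    $hits | Format-Table -AutoSize
}
```

A rootkit that hooks the registry API can hide its own key from this script while the system is running, which is why the thread removes the keys with Avenger at boot; no hits here is not proof the key is gone, and a hit whose driver file is missing still warrants removal of the key.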

Hello,

It appears as if everything is working now. I've attached my latest logs.

Thanks