07.3.2009

Can’t get rid of the SKYNET trojan?

This is a particularly difficult rootkit trojan to get rid of; I have found it on a couple of systems. Both were infected even though they were running Trend. Trend would detect and quarantine it, but never get rid of it, and it kept recurring. I also ran Spybot Search & Destroy, which found multiple instances that it could not get rid of.

In the end I pulled the drive from the customer's computer, slaved it up to one of our office systems running Sophos and did a scan and clean. I also reset the permissions to allow admin access to the c:\System Volume Information folder, as there were infections in there, and then manually wiped the restore folders. I also manually deleted SKYNET files I found under the c:\windows\system32 folder.

Once I plugged it back into the customer's computer Trend was not picking up anything, but Spybot was still picking up registry infections in

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET xyvibneo

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNET

and a doubleclick tracking cookie.

I poked into the registry and found the SKYNET entry, but could not initially delete it until I had reset the permissions on it. Then I could also see the entries in this key which were not visible before.

SKYNET trojan registry entry

I also had to use the Advanced button under permissions to reset the permissions on child objects in the registry key in order to delete the whole entry.

After I had deleted this the trojan entries were clear. However, I did find Windows Update was not working. I then cleared the c:\program files\windows update folder and also cleared the Internet Explorer cache files, and then Windows Update worked after reinstalling itself from windowsupdate.microsoft.com.


The Search & Destroy website said to remove these registry entries, which may also exist:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

  • Delete the registry key “gaopdx\disallowed” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “gaopdxserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\”.
  • Delete the registry key “gaopdxserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\”.
  • Delete the registry key “gaopdxserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\”.
  • Delete the registry key “gxvxc\disallowed” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “gxvxcserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\”.
  • Delete the registry key “gxvxcserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\”.
  • Delete the registry key “gxvxcserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxvxcserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsth<$ENV(TDSSregovfsth)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET<$ENV(TDSSregSKYNET)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsth<$ENV(TDSSregovfsth)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNET<$ENV(TDSSregSKYNET)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\uacd.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsth<$ENV(TDSSregovfsth)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET<$ENV(TDSSregSKYNET)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uacd.sys\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry key “modules” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys\”.
  • Delete the registry key “MSIVX\disallowed” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “MSIVXserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\”.
  • Delete the registry key “MSIVXserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\”.
  • Delete the registry key “MSIVXserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\”.
  • Delete the registry key “MSIVXserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\”.
  • Delete the registry key “msqpdx\disallowed” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “msqpdxserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\”.
  • Delete the registry key “msqpdxserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\”.
  • Delete the registry key “msqpdxserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\”.
  • Delete the registry key “TDSS\connections” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “TDSS\disallowed” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “TDSS\injector” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “TDSS\versions” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “TDSSserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\”.
  • Delete the registry key “TDSSserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\”.
  • Delete the registry key “TDSSserv.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\”.
  • Delete the registry key “UAC\disallowed” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “UAC\injector” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “UAC\mask” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “UAC\versions” at “HKEY_LOCAL_MACHINE\SOFTWARE\”.
  • Delete the registry key “uacd.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\”.
  • Delete the registry key “uacd.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\”.
  • Delete the registry key “uacd.sys” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxvxcserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsth<$ENV(TDSSregovfsth)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET<$ENV(TDSSregSKYNET)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsth<$ENV(TDSSregovfsth)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNET<$ENV(TDSSregSKYNET)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\uacd.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsth<$ENV(TDSSregovfsth)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET<$ENV(TDSSregSKYNET)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uacd.sys\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\kungsf<$ENV(TDSSregkungsf)>\”.
  • Delete the registry value “imagepath” at “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys\”.

From http://forums.spybot.info/showthread.php?s=ca8bb40718bc2ca8b348090194b44502&p=320403#post320403
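The list above is long because the same service keys can appear under every ControlSet, and the post's real obstacle was a key whose permissions had been stripped so that even an administrator could not open or delete it. The following read-only audit script is an added example, not part of the original post or of Spybot's tooling: it walks every ControlSet, reports any service key matching the names in that list, and flags the ones the current administrator cannot open. The fixed names and the SKYNET/kungsf/ovfsth prefixes (which carry a random suffix, shown as `<$ENV(...)>` in the list) are taken from the list; it deletes nothing.

```powershell
# Added example (not the post's own procedure): audit HKLM\SYSTEM\ControlSet*\Services
# for the TDSS/SKYNET service keys named in the Spybot list and flag keys that an
# administrator cannot open. Run from an elevated PowerShell prompt; read-only.

$SuspectNames    = @('TDSSserv.sys', 'gaopdxserv.sys', 'gxvxcserv.sys',
                     'MSIVXserv.sys', 'msqpdxserv.sys', 'uacd.sys')
$SuspectPrefixes = @('SKYNET', 'kungsf', 'ovfsth')   # families with a random suffix

function Test-SuspectServiceName([string]$Name) {
    if ($SuspectNames -contains $Name) { return $true }
    foreach ($p in $SuspectPrefixes) { if ($Name -like "$p*") { return $true } }
    return $false
}

function Get-TdssServiceKeys {
    $hits = @()
    $system = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM')
    # Walk ControlSet001, ControlSet002, ... rather than only CurrentControlSet,
    # because the post found the same entry duplicated across control sets.
    foreach ($cs in ($system.GetSubKeyNames() | Where-Object { $_ -like 'ControlSet*' })) {
        $services = $system.OpenSubKey("$cs\Services")
        if ($null -eq $services) { continue }
        # GetSubKeyNames enumerates through the parent handle, so a child whose
        # ACL was stripped still shows up here even though opening it will fail.
        foreach ($name in $services.GetSubKeyNames()) {
            if (-not (Test-SuspectServiceName $name)) { continue }
            $canOpen = $true; $imagePath = '<access denied>'
            try {
                # Opening the key throws (typically SecurityException) when the
                # rootkit has removed admin access; that is the state the post
                # had to fix by resetting permissions before deleting the key.
                $key = $services.OpenSubKey($name)
                $imagePath = [string]$key.GetValue('ImagePath')
                $key.Close()
            } catch { $canOpen = $false }
            $hits += [pscustomobject]@{
                Key          = "HKLM\SYSTEM\$cs\Services\$name"
                AdminCanOpen = $canOpen
                ImagePath    = $imagePath
            }
        }
        $services.Close()
    }
    $system.Close()
    return $hits
}

Get-TdssServiceKeys | Format-Table -AutoSize
```

A hit with AdminCanOpen set to False is the case the post describes: take ownership and reset the key's permissions (including child objects, via the Advanced button) before the key can be inspected or removed.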

3 Comments »

  1. That’s the hard way to attack this rootkit

    http://www.malwarebytes.org/forums/index.php?showtopic=12709

    Comment by DaChew — 04/07/2009 @ 12:42 am

  2. Sophos was able to get rid of the .sys infections OK, but nothing could remove the registry entries until I manually reset the permissions. Will Malwarebytes reset the permissions, or do the same thing as Search & Destroy and say it has cleaned the registry without actually doing it? My method was not that hard but did require being able to run AV on the drive from a separate bootable system to stop the loads.

    Comment by Brendan King — 04/07/2009 @ 8:12 am

  3. Killing the core active files, not cleaning orphaned registry entries, is the method used by MBAM.

    http://www.mvps.org/winhelp2002/unwanted.htm

    Spybot is not a good example

    Comment by DaChew — 04/07/2009 @ 2:22 pm
