No, the global A.I. network of man-killing machines from the Terminator movie is not on your computer; it’s just a browser redirection rootkit.

Figure 1 – The Skynet Rootkit
I went over to Tom’s house last night on the report that he couldn’t run a quick scan with SuperAntiSpyware (his box blue-screened with a bad pool error). When I got there he said he couldn’t load some websites when he searched for them on Google because of a “syntax error”. That “syntax error” turned out to be a malvertised search engine that wasn’t working. Tom’s queries were being redirected. I thought it was a little unusual because Tom had a fully updated and enabled copy of Avira AntiVir 9 Free along with Malwarebytes and SAS (free versions). It turns out this rootkit went right through Avira.
ComboFix laid waste to this rootkit along with about 24 other pieces of adware. I advised Tom to pick up a copy of Kaspersky Internet Security.
You can remove the Skynet rootkit with ComboFix, RootRepeal or a bootable AV disc with updated signatures.

OMG, my friend had this exact rootkit a few months ago. Couldn’t run any scans. SAS did detect it, but when it rebooted it came back. We tried everything; nothing could remove it. He ended up reformatting his box.
do you know how he got infected?
I had 57 of these a few months back, actually; they are so annoying. This rootkit redirects you on every link you press on Google. I removed it by downloading AVG Anti-Rootkit.
There is no AV that provides 100% protection. We all know that. That’s why it is necessary to use a sandbox or HIPS product as well.
@927 – Na, they never know.
@Vasilis – Sandboxie works great for those non x64 guys.
Great movie malware, haha. Anyway, Matt, do you know if there are any sandboxes for 64-bit?
I’m using Geswall and now that they just released version 2.9, it works great on Vista and Windows 7. Nothing has ever gotten past Geswall, even when I’ve tried.
Dieselman and I just helped somebody clean up a computer that had that rootkit on it.
The truth is – if you’re using Vista x64 or Win 7 x64 you won’t get rootkits. The architecture won’t allow it. So it’s pretty straightforward to remove infections. Whenever we see an infection on Vista x64, it’s usually just a regular program that autostarts at boot. You can kill its process, delete the startup entry, and delete the files/folders and – voilà! – no more infection. A quick scan with an antimalware like Malwarebytes or Kaspersky to clean up behind you and you’re done.
@medeis – not enough to deal with douchebags like you…
@rescuenerds – just like the good ol’ days of removing malware
It still blows me away that malware coders haven’t found a way to patch the OS to allow rootkits on x64.
Matt,
Is there any HIPS software that works well on a 64-bit OS?
Thanks in advance.
What do you think would have happened if Tom had had DefenseWall? Would he have been infected then? Just want to know, since I’m using DefenseWall and Avira together.
Why don’t rootkits work on x64 systems? Any sources you could cite to help me understand?
Read this for why you do not need a sandbox on 64-bit systems.
http://www.sandboxie.com/index.php?WindowsVista64
Haha dude, I’ve had this piece of crap .dll forever
and I haven’t thought of running ComboFix xD
Thanks
FYI
The session, titled “Vista: How Secure Are We?,” was presented by David Tan, co-founder and chief technology officer at CHIPS Computer Consulting.
By Moore’s side were equally prestigious hackers Joanna Rutkowska—security researcher at COSEINC—and Jon “Johnny Cache” Ellch, author of “Hacking Exposed Wireless.”
“Not all bugs are being detected by Vista,” pointed out famed hacker H.D. Moore. “Look at how a hacker gets access to the driver: Right now I’m working on Microsoft’s automated process to get Metasploit-certified. It [only] costs $500.”
Moore is the founder of the Metasploit Project and a core developer of the Metasploit Framework—the leading open-source exploit development platform—and is also director of security research at BreakingPoint Systems. The irony of his statement lies in the idea that Vista trusts Microsoft-certified programs—programs that can include a hacker exploit platform that walks through the front door for a mere $500 and a conveyor-belt approval process.
For her part, Rutkowska granted that yes, one way to own a Vista system is by getting a rootkit certified, but if you want a compromised system, you don’t even have to waste your time and money with certification—”It can be a graphics card with a stupid bug,” she said. “You can’t do anything about it. You can’t sue the vendor for introducing a bug. You can’t prove it was done intentionally.”
Until Microsoft or some security vendor concocts a black list for buggy drivers, Rutkowska said, Vista is potential toast. Of course, bugs can always be detected in memory, right? Except—oops!—Rutkowska