About tomdkat
So, I'm helping a friend get a laptop running Windows Vista Basic cleaned up. It was infected with several vermin, including Rootkit.agent/Gen. I couldn't get Spybot, SUPERAntiSpyware, or Malwarebytes to install and run on the system, so I took the hard drive out and connected it to a known clean system using an external USB hard drive enclosure. I scanned the hard drive with SUPERAntiSpyware, Malwarebytes, and AntiVir and got several files quarantined. When I put the hard drive back into the laptop, I WAS able to scan with Spybot, SUPERAntiSpyware, Malwarebytes, and AntiVir to remove whatever was left and to deal with the registry.

At this point, the system is running pretty well and I've got the latest program versions AND database updates of Spybot, SUPERAntiSpyware, Malwarebytes, and AntiVir installed and running. I've been running scans until the system scans clean and at this point, there is only ONE detection that persists. It's a registry detection of Rootkit.agent/Gen by SUPERAntiSpyware in a registry key that refers to uacd.sys. Here is a sample log:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/27/2009 at 12:44 PM

Application Version : 4.26.1004

Core Rules Database Version : 3912
Trace Rules Database Version: 1856

Scan type : Complete Scan
Total Scan Time : 01:03:09

Memory items scanned : 627
Memory threats detected : 0
Registry items scanned : 7658
Registry threats detected : 5
File items scanned : 26347
File threats detected : 0

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#group

That scan was done with the system booted normally in the sole administrator account.

When I boot in safe mode, using the administrator account, SUPERAntiSpyware detects nothing:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/26/2009 at 11:07 PM

Application Version : 4.26.1002

Core Rules Database Version : 3909
Trace Rules Database Version: 1853

Scan type : Complete Scan
Total Scan Time : 00:47:20

Memory items scanned : 269
Memory threats detected : 0
Registry items scanned : 7677
Registry threats detected : 0
File items scanned : 26344
File threats detected : 0

Each time SUPERAntiSpyware detects the threat, it acts like it removes it and prompts me to reboot. I reboot, scan again, and it detects the same threat again. Any ideas? Should I just delete that registry entry manually? At this point, Spybot, Malwarebytes, and AntiVir detect nothing.

Thanks!

Peace...
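The following read-only PowerShell script is an added example, not code from the original post or from any of the tools mentioned; it inspects the flagged service key from the scan log, decodes its Start and Type values, checks whether the driver file the ImagePath points to actually exists on disk, and reports whether the current boot is safe mode so the output can be compared between the two boots described above. The service name, path-resolution rules and value-name tables are assumptions based on standard Windows driver service conventions.

```powershell
# Added example (not from the original post): inspect the service key that
# SUPERAntiSpyware keeps flagging. Read-only; it changes nothing.
# Run from an elevated PowerShell prompt on the affected machine.

$serviceName = 'uacd.sys'   # key name taken from the scan log
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# Standard meanings of the Start and Type DWORDs for service/driver entries
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'Kernel driver'; 2 = 'File system driver'; 16 = 'Win32 own process'; 32 = 'Win32 shared process' }

function Describe-Value($value, [hashtable]$names) {
    if ($null -eq $value) { return '(value missing)' }
    $label = $names[[int]$value]
    if (-not $label) { $label = 'unknown' }
    return "$value ($label)"
}

function Resolve-ImagePath([string]$imagePath) {
    # Driver ImagePath values often use NT-style prefixes instead of drive letters.
    $p = $imagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return [Environment]::ExpandEnvironmentVariables($p)
}

# Report the boot mode first, since the post shows different results per boot.
$safeBoot = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' -ErrorAction SilentlyContinue
Write-Output ("Boot mode : " + $(if ($safeBoot) { "Safe mode (OptionValue $($safeBoot.OptionValue))" } else { 'Normal' }))

if (-not (Test-Path $key)) {
    Write-Output "Key not present: $key"
    return
}

$v = Get-ItemProperty -Path $key
Write-Output "Key       : $key"
Write-Output "Start     : $(Describe-Value $v.Start $startNames)"
Write-Output "Type      : $(Describe-Value $v.Type  $typeNames)"
Write-Output "Group     : $($v.Group)"
Write-Output "ImagePath : $($v.ImagePath)"

if ($v.ImagePath) {
    $file = Resolve-ImagePath $v.ImagePath
    if (Test-Path $file) {
        $item = Get-Item $file -Force   # -Force shows hidden/system files too
        Write-Output "Driver file present: $file ($($item.Length) bytes, modified $($item.LastWriteTime))"
    } else {
        Write-Output "Driver file NOT found on disk: $file (orphaned service entry)"
    }
}
```

Running this once in a normal boot and once in safe mode and comparing the two outputs shows whether the key itself differs between boots or only the scanner's view of it does.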