tomdkat

Question about Rootkit.agent/Gen detection

So, I'm helping a friend get a laptop running Windows Vista Basic cleaned up. It was infected with several vermin, including Rootkit.agent/Gen. I couldn't get Spybot, SUPERAntiSpyware, or Malwarebytes to install and run on the system, so I took the hard drive out and connected it to a known clean system using an external USB hard drive enclosure.

I scanned the hard drive with SUPERAntiSpyware, Malwarebytes, and AntiVir and got several files quarantined. When I put the hard drive back into the laptop, I WAS able to scan with Spybot, SUPERAntiSpyware, Malwarebytes, and AntiVir to remove whatever was left and to deal with the registry.

At this point, the system is running pretty well and I've got the latest program versions AND database updates of Spybot, SUPERAntiSpyware, Malwarebytes, and AntiVir installed and running. I've been running scans until the system scans clean and at this point, there is only ONE detection that persists. It's a registry detection of Rootkit.agent/Gen by SUPERAntiSpyware in a registry key that refers to uacd.sys.

Here is a sample log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com
Generated 05/27/2009 at 12:44 PM
Application Version : 4.26.1004

Core Rules Database Version : 3912
Trace Rules Database Version: 1856

Scan type       : Complete Scan
Total Scan Time : 01:03:09
Memory items scanned      : 627
Memory threats detected   : 0
Registry items scanned    : 7658
Registry threats detected : 5

File items scanned        : 26347
File threats detected     : 0

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#group

That scan was done with the system booted normally in the sole administrator account. When I boot in safe mode, using the administrator account, SUPERAntiSpyware detects nothing:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com
Generated 05/26/2009 at 11:07 PM

Application Version : 4.26.1002

Core Rules Database Version : 3909
Trace Rules Database Version: 1853

Scan type       : Complete Scan
Total Scan Time : 00:47:20

Memory items scanned      : 269
Memory threats detected   : 0
Registry items scanned    : 7677
Registry threats detected : 0
File items scanned        : 26344
File threats detected     : 0

Each time SUPERAntiSpyware detects the threat, it acts like it removes it and prompts me to reboot. I reboot, scan again, and it detects the same threat again.

Any ideas? Should I just delete that registry entry manually? At this point, Spybot, Malwarebytes, and AntiVir detect nothing.

Thanks!

Peace...
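An added inspection script, not part of the original post: it reads the four values the scanner flagged under the uacd.sys service key (Start, Type, ImagePath, Group), checks whether the referenced driver file actually exists on disk, and cross-checks the key against what the Service Control Manager reports, so the normal-boot and safe-mode views can be compared before deciding whether to remove the key by hand. It assumes an elevated PowerShell prompt on the affected machine and a PowerShell 2.0-era feature set; the service name comes from the scan log above.

```powershell
# Added example (not from the original post). Inspect the flagged service key
# and compare it with the Service Control Manager's view of the same driver.
function Get-SuspectDriverInfo {
    param([string]$ServiceName = 'uacd.sys')   # name taken from the scan log

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $result  = @{ Service = $ServiceName; KeyPresent = $false }

    if (Test-Path $keyPath) {
        $result.KeyPresent = $true
        $props = Get-ItemProperty -Path $keyPath
        # The four values SUPERAntiSpyware reported, as stored in the registry.
        $result.Start     = $props.Start      # 0=boot 1=system 2=auto 3=manual 4=disabled
        $result.Type      = $props.Type       # 1=kernel driver, 2=file system driver
        $result.ImagePath = $props.ImagePath
        $result.Group     = $props.Group

        # ImagePath is often relative to the Windows directory or carries a
        # \SystemRoot\ or \??\ prefix; normalise it before testing the file.
        if ($props.ImagePath) {
            $path = $props.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                                     -replace '^\\\?\?\\', ''
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            $result.ResolvedPath = $path
            $result.FileOnDisk   = Test-Path -LiteralPath $path
            if ($result.FileOnDisk) {
                # -Force so a hidden or system-attributed file is still reported.
                $result.FileSize = (Get-Item -LiteralPath $path -Force).Length
            }
        }
    }

    # Cross-check: does the Service Control Manager know a driver by this name?
    # A key visible in the registry but absent from the SCM view (or the other
    # way round) is the discrepancy worth recording when a detection keeps
    # returning after every reboot.
    $scm = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$ServiceName'" `
                         -ErrorAction SilentlyContinue
    $result.KnownToSCM = [bool]$scm
    if ($scm) {
        $result.SCMState     = $scm.State
        $result.SCMStartMode = $scm.StartMode
    }

    New-Object PSObject -Property $result
}

# Run once in a normal boot and once in safe mode, then compare the two outputs.
Get-SuspectDriverInfo | Format-List
```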
