daveh

Can't remove rootkit.agent

Recommended Posts

I've used both SAS and Malwarebytes, changing the names so that they would run, trying to get rid of trojan.agent and rootkit.agent/gen. I'm using the latest updates and have tried in both safe and complete modes. After reboot, a scan shows they are still there. The latest scan is below.

(I tried to submit this as a customer ticket but it wouldn't complete the process)

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 08/07/2009 at 02:56 PM

Application Version : 4.27.1000

Core Rules Database Version : 4044

Trace Rules Database Version: 1984

Scan type : Complete Scan

Total Scan Time : 00:42:22

Memory items scanned : 591

Memory threats detected : 0

Registry items scanned : 6973

Registry threats detected : 5

File items scanned : 25926

File threats detected : 1

Adware.Tracking Cookie

C:\Users\Mackenzie\AppData\Roaming\Microsoft\Windows\Cookies\mackenzie@atdmt[2].txt

Rootkit.Agent/Gen

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#start

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#type

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#imagepath

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#group


Rootkits are very difficult to remove and most AV programs can't do it. I had the same one, UAC, and an additional one, a variant of TDSS, and it took several steps to remove them.

Have you tried the Malwarebytes' forum, since you have that program? http://www.malwarebytes.org/forums/inde ... topic=9573

Also, you can try the Bleeping Computer forums (scroll down to Security: Am I infected? What do I do?) http://www.bleepingcomputer.com/forums/

What do you mean by "good"?

That reply is from a spammer or spambot; see the link in the signature ...

There are several here now, I reported one of them which has 7 posts. I hope staff sees them and deals with the issue.

Having the forum populated by spambots is not a good thing. Their nonsense posts are not needed. Users can easily spot them by their links and nonsense posts.


Thanks for the info, Jormungandr. I've noticed people getting chewed out for asking for help from more than one forum at a time, so I want to see if SAS can help before I go somewhere else. Malwarebytes now comes up clean, but SAS still shows the same as the log I posted. I hope someone from SAS can help - maybe the problem is gone but some traces are left?

thanks

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#start

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#type

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#imagepath

HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#group

These are all in the system registry. SAS is probably being blocked by Windows from removing them because SAS does not have the proper "permissions" to remove the registry key "uacd.sys" and its subkeys. If you are familiar with how to use Regedit for modifying the system registry, below is a procedure that you can follow to change permissions and manually remove uacd.sys. Be sure that you are signed on under a user account that has full administrative privileges.

WARNING: If you are not confident in using Regedit, DO NOT perform the procedure below. Instead, submit a CSR to SAS and let the SAS gurus assist you.

https://www.superantispyware.com/precreateticket.html

The procedure below will change the Permissions for the folder named uacd.sys to your user account and give you full control of that folder. You should then be able to delete it.

Remove Registry Key named "uacd.sys" located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uacd.sys

1. Open Regedit

2. Expand HKEY_LOCAL_MACHINE by clicking on the + sign next to HKEY_LOCAL_MACHINE

3. Scroll down the registry key folders until you find the folder named SYSTEM.

4. Expand folder SYSTEM by clicking on the + sign next to SYSTEM.

4a. Under SYSTEM, scroll down until you find the folder named CurrentControlSet

4b. Expand folder CurrentControlSet by clicking on the + sign next to CurrentControlSet

4c. Under CurrentControlSet, scroll down until you find the folder named Services

4d. Expand folder Services by clicking on the + sign next to Services

5. Scroll down the registry key folders until you find the folder named uacd.sys

6. Right click on the folder named uacd.sys and select Permissions from the right-click menu

7. Click on Advanced

8. Select the Owner tab

9. In the "Change owner to" window, highlight the one that is your personal user account.

10. Checkmark "Replace owner on subcontainers and objects"

11. Click on Apply. Your personal user account should now be in the Current Owner box.

12. Click on OK. You should now be back to the Security tab.

13. Click on OK

14. Again, right click on the folder named uacd.sys and select Permissions from the menu

15. In the Group or user names: window, highlight the one that is your personal user account.

16. In the Permissions for (your user name), the Full Control and Read boxes should be checked under Allow. IF NOT, skip to step 20.

17. Click on OK to close the Permissions window.

18. Right click on the folder named uacd.sys and select Delete. Confirm the Delete. The folder named uacd.sys should disappear.

19. Close Regedit. The folder should now be gone and you are done with that deletion. REBOOT YOUR COMPUTER.

20. If your user account does not have Full Control, click on Advanced

21. In the Permissions entries window, highlight the entry with your user account name.

22. Checkmark the box "Include inheritable permissions from this object's parent."

23. Click on Edit

24. In the Permissions window, check mark all the boxes under Allow

25. Check mark the box "Apply these permissions to objects and/or containers within this container only."

26. In the Apply to: window, it should be "This key and subkeys"

27. Click on OK.

28. Click on Apply and OK.

29. Click on Apply and OK.

30. Right click on the folder named uacd.sys and select Delete. Confirm the Delete. The folder named uacd.sys should disappear.

31. Close Regedit. The folder should now be gone. REBOOT YOUR COMPUTER.

32. Rescan with SAS. The registry keys should no longer be detected.

NOTE: If there are subkeys within folder uacd.sys, you may have to remove each one of them first before you can remove uacd.sys itself. Use the above procedure on each one of the subkeys to change their permissions and delete each one.

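The Regedit walkthrough above (take ownership, grant Full Control, handle each subkey, delete, reboot) can be scripted. The following is an added example written for this thread; it is not code from the thread or from SUPERAntiSpyware. It assumes an elevated (Run as administrator) PowerShell prompt on the same account, and the key name defaults to the uacd.sys entry from the scan log. Regedit quietly enables SeTakeOwnershipPrivilege for itself, which is why the Owner tab works even when the key's permissions deny everything; PowerShell does not, so the script enables that privilege first, then does the owner and permission changes with the .NET registry classes.

```powershell
# Added example, not from the thread or from SUPERAntiSpyware. Takes ownership
# of a stale service key, grants the current account Full Control (repeated on
# each subkey, since subkeys carry their own ACLs), prints the values for the
# record and deletes the key: the same steps as the Regedit walkthrough.
# Assumes an elevated PowerShell prompt; -DryRun fixes ACLs but deletes nothing.
param(
    [string]$ServiceKeyName = 'uacd.sys',   # key name from the scan log
    [switch]$DryRun
)

# Regedit enables SeTakeOwnershipPrivilege for itself; PowerShell does not,
# so enable it in this process before asking for WRITE_OWNER on the key.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPrivilege {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TokPriv1Luid newState, int len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string privilege) {
        IntPtr token;
        // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out token)) return false;
        TokPriv1Luid tp = new TokPriv1Luid { Count = 1, Luid = 0, Attr = 2 }; // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        // Last error 1300 (not all assigned) means the token never held it.
        return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
            && Marshal.GetLastWin32Error() == 0;
    }
}
'@
if (-not [TokenPrivilege]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'Could not enable SeTakeOwnershipPrivilege; run this from an elevated prompt.'
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$path = "SYSTEM\CurrentControlSet\Services\$ServiceKeyName"

function Repair-KeyAcl {
    param([string]$SubKeyPath)
    # Owner tab (steps 6-13): open with only the TakeOwnership right, which the
    # enabled privilege grants even when the DACL denies everything, then write
    # our own account in as owner. A fresh RegistrySecurity persists just the
    # owner section, so nothing else on the key is touched here.
    $k = $hklm.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $k) { throw "Key not found: HKLM\$SubKeyPath" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($me)
    $k.SetAccessControl($sec)
    $k.Close()
    # Permissions dialog (steps 14-29): the owner always holds READ_CONTROL and
    # WRITE_DAC regardless of the DACL, so reopen with just those rights and
    # add an Allow Full Control entry for this key and its subkeys.
    $k = $hklm.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    $sec = $k.GetAccessControl()
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $k.SetAccessControl($sec)
    $k.Close()
    # Subkeys keep their own ACLs (the NOTE at the end of the walkthrough).
    $k = $hklm.OpenSubKey($SubKeyPath)
    foreach ($child in $k.GetSubKeyNames()) { Repair-KeyAcl "$SubKeyPath\$child" }
    $k.Close()
}

Repair-KeyAcl $path

# Record what the entry pointed at before it goes (ImagePath is the driver
# file the service loaded, or used to load).
$k = $hklm.OpenSubKey($path)
foreach ($name in $k.GetValueNames()) { '{0,-10} = {1}' -f $name, $k.GetValue($name) }
$k.Close()

if ($DryRun) { "DryRun: would delete HKLM\$path"; return }
$services = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services', $true)
$services.DeleteSubKeyTree($ServiceKeyName)   # steps 18/30: delete key and subkeys
$services.Close()
"Deleted HKLM\$path. Reboot, then rescan."
```

Run it once with -DryRun first: if the owner change succeeds but the script still cannot read the key, an active driver rather than a leftover entry is the more likely explanation, and that is the case for the forum helpers and ComboFix rather than Regedit. The Full Control entry is added to the key's existing DACL rather than replacing it, so -DryRun leaves a usable key behind.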

Thanks siliconman01,

I get right to step 11, but if I check "replace owner on subcontainers and objects", I get "unable to set new owner on UACd.sys access is denied". With the box unchecked, it puts my account name in the current owner box. I am unable to set permissions following your steps. Rather than attempting it myself (guessing at what to do), I stopped.

I am not able to submit a customer ticket. I've tried many times with IE 7, then IE 8 and Firefox. When I get to the step that submits it for scan, I get an HTTP 406 error with IE, and Firefox just doesn't go there. The instructions that come up don't mention Vista. I do click on the install ActiveX box in IE, but that's when the next page says it can't connect.

Are these registry traces just leftovers that don't cause harm? Malwarebytes scans come up clean.


They do look like traces left over. HOWEVER, they should be removed from your system. Try this:

1. Go to the link below and download Combofix.exe.

- Save it onto your Desktop.

- At the time you are saving it, change its name to Combo-fix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Temporarily disable all your other security programs EXCEPT your software firewall.

3. Close down other running programs (icons in the Notification Tray next to the clock.)

4. Double click on Combo-Fix.exe & follow the prompts.

- Vista users: Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

- When the scan completes it will open a text window. Note that Combo-fix.exe will probably reboot your computer during this.

5. Post the contents of that log in your next reply.

6. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

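The question of whether the uacd.sys entries are harmless leftovers comes down to whether the driver file the service key points at is still on disk. The following added example (not from the thread or from SUPERAntiSpyware) is a read-only check that walks every key under HKLM\SYSTEM\CurrentControlSet\Services and reports entries whose ImagePath no longer resolves to a file, plus entries whose key cannot be read at all, which is exactly how a rootkit's service key looks while its permissions are still locked down. The Start, Type and ImagePath values it prints are the same ones the scan log flagged. It assumes an elevated PowerShell prompt and changes nothing.

```powershell
# Added example, not from the thread or from SUPERAntiSpyware. Lists service
# and driver keys whose ImagePath points at a missing file, or whose key
# cannot be opened at all. Read-only. Assumes an elevated PowerShell prompt.

function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    # Drivers store NT-namespace paths; map them back to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Service entries may carry arguments; keep only the executable part.
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }
    elseif ($p -match '^(.*?\.(sys|exe|dll))(\s|$)') { $p = $Matches[1] }
    # A bare "system32\drivers\x.sys" is relative to the Windows directory.
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Enumerate with .NET rather than Get-ChildItem so that a key we are denied
# access to is reported instead of silently skipped.
$parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
$findings = foreach ($name in $parent.GetSubKeyNames()) {
    try { $k = $parent.OpenSubKey($name) } catch { $k = $null }
    if (-not $k) {
        [pscustomobject]@{ Service = $name; Type = $null; Start = $null
                           ImagePath = $null; Status = 'key unreadable (permissions)' }
        continue
    }
    $image = $k.GetValue('ImagePath')          # REG_EXPAND_SZ is expanded for us
    $file  = Resolve-ImagePath $image
    if ($file -and -not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{ Service = $name; Type = $k.GetValue('Type'); Start = $k.GetValue('Start')
                           ImagePath = $image; Status = 'image file missing' }
    }
    $k.Close()
}
$parent.Close()
$findings | Sort-Object Status, Service | Format-Table -AutoSize
```

A hit is a lead, not a verdict: some legitimate products leave service keys behind on uninstall. An entry with Type 1 (kernel driver), Start 0 or 1 (boot/system start) and an unreadable key or a missing .sys file is the pattern worth taking to the forum helpers, with the key name and ImagePath from this output.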

As I said, I was able to get my account name into the current owner's box, but not able to change permissions. Well, I ran SAS again and this time it seems to have deleted the registry traces. Scans come up clean now, both in safe and normal mode. Thanks for the help!


I suspect that the owner change took effect, allowing SAS the ability to gain access to these registry keys and remove them. Good job! Glad you are cleaned up. :wink:
