Posted

Hi guys, first post here, wondering if you can help me!

I was infected with the Rogue antivirus last year, and got it cleaned up, purdy, and since then, no viruses (although Avira has quarantined a couple of things from when I've been on Photobucket). However, I scanned with MBAM, Avira, Kaspersky online and SuperAntiSpyware. MBAM, Kaspersky and Avira all came back clean, but SAS came back with:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 01/12/2009 at 09:59 AM

 

Application Version : 4.21.1004

 

Core Rules Database Version : 3700

Trace Rules Database Version: 1676

 

Scan type : Complete Scan

Total Scan Time : 00:40:01

 

Memory items scanned : 635

Memory threats detected : 0

Registry items scanned : 6182

Registry threats detected : 24

File items scanned : 16111

File threats detected : 224

 

Adware.Tracking Cookie

<deleted due to the amount XD>

 

Browser Hijacker.Deskbar

HKCR\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}

HKCR\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}\ProxyStubClsid

HKCR\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}\ProxyStubClsid32

HKCR\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}\TypeLib

HKCR\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}\TypeLib#Version

HKCR\Interface\{A0881AA1-68BE-41AC-9C0D-4C8A69C6C72C}

HKCR\Interface\{A0881AA1-68BE-41AC-9C0D-4C8A69C6C72C}\ProxyStubClsid

HKCR\Interface\{A0881AA1-68BE-41AC-9C0D-4C8A69C6C72C}\ProxyStubClsid32

HKCR\Interface\{A0881AA1-68BE-41AC-9C0D-4C8A69C6C72C}\TypeLib

HKCR\Interface\{A0881AA1-68BE-41AC-9C0D-4C8A69C6C72C}\TypeLib#Version

HKCR\Interface\{E827FFD9-95D1-4B49-BEB3-5D49E688C108}

HKCR\Interface\{E827FFD9-95D1-4B49-BEB3-5D49E688C108}\ProxyStubClsid

HKCR\Interface\{E827FFD9-95D1-4B49-BEB3-5D49E688C108}\ProxyStubClsid32

HKCR\Interface\{E827FFD9-95D1-4B49-BEB3-5D49E688C108}\TypeLib

HKCR\Interface\{E827FFD9-95D1-4B49-BEB3-5D49E688C108}\TypeLib#Version

 

Rootkit.Component/Trace

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000#DeviceDesc

 

 

SAS says they've been deleted and asks me to reboot, but they're still there, any advice? Thank you :)


Posted

Hello cerenia

 

Have you run through our full antimalware procedure?

 

If not, please follow this:

 

Your computer could be infected with Malware.

 

  • Malware is software designed to infiltrate or damage a computer system without the owner's informed consent.
    It is a combination of the words malicious and software.
    The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

 

  • Required Cleanup Steps
    1. Disable the Spybot Search & Destroy TEA TIMER if you use it and if it is enabled
    2. Run a Temporary file and cache cleaner (ATF)
    3. Run 2 Anti-Malware scanners (Listed Below)
    4. Run an Online Anti-Virus / Anti-Malware Scanner (Listed Below)
    5. Clear out old System Restore points
    6. If continued Malware type activity is present you may be asked to post a TrendMicro™ HijackThis™ Log file, do not do so unless requested.

     

The reason to run multiple scanners is to ensure that no single scanner is missing something.

The time it takes will vary depending on your system and your internet connection speed.

Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 to 90 minutes.

The ESET online scan should take between 1 to 3 hours.

In most cases, these scans will suffice to clean and disinfect your computer.

Heavily infected systems or slower PCs can take much longer to scan and clean.

 

For best results print the following instructions and bookmark this Web page

To keep this guide printer-friendly, use your cursor to highlight the contents below.

From your browser select File - Print and in the printer dialog box under "Print range" click the Selection choice to print out these instructions for removal of malware.

 

 

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/printer-selection.gif

 

____________________________________________

STEP 1

  • Disable Spybot Search & Destroy's TEA TIMER: (if installed, if not go to Step 2)

    1. Run Spybot-S&D in Advanced Mode.

    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"

    3. On the left hand side, Click on Tools

    4. Then click on the Resident Icon in the List

    5. Uncheck "Resident TeaTimer" and OK any prompts.

    6. Restart your computer.

     

__________________________________________________

STEP 2

  • Follow these instructions carefully.

  • Download ATF-Cleaner from
    to remove un-needed temporary files from your computer that may contain malware.

  • When you run ATF-Cleaner, check the items as shown below for Main.

  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox

  • NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored

  • Then click on "Empty Selected".

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner01.gif

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner02.gif

__________________________________________________

STEP 3

  • Install and run the free version (not the Professional version) of SUPERAntiSpyware from

    • Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files.

    • You do not have to send them your e-mail address, just click next.

    • You can leave the automated check for updates on.

    • You can uncheck "Send a diagnostic report to research center" if you don't want to send the information.

    • DO NOT allow SUPERAntiSpyware to protect your Home Page settings.

    • On the Top Left select the Scan your computer button.

    • Make sure there is a CHECK MARK on all Fixed Drives.

    • Click "Perform a Complete Scan". Click "Next" to Repair issues found and reboot the computer when prompted to do so.

     

__________________________________________________

STEP 4

  • Install and run Malwarebytes' Anti-Malware from

    • Accept all defaults for the installer

    • Allow the program to update the definitions

    • Click on the Quick Scan and click Next.

    • If any items are found allow it to clean them and then Reboot your computer.

     

__________________________________________________

STEP 5

  • Run an online scan with ESET from

    • You must use Internet Explorer for this online scan. FireFox, Opera, etc. will not work for this scan.

    • If your computer is running Windows Vista, then you must first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.

     

    • Accept the terms and click "Start".

    • Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".

    • Click "Start" to begin the scan.

    • When completed, restart your computer.

     

__________________________________________________

Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating.

At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted.


We are all members helping other members.

Please return here where you may be able to help someone else.

After all, no one knows everything and you may have the answer that someone needs.

Posted
The PC's running as it was before - fine, except I have those rootkit/trace left. MBAM clear, ESET clear, Kaspersky online clear, Avira clear, ran ATF cleaner, cleared all files. I have found the registry keys, shall I just try deleting them? It's only SAS finding them.
Posted
I would leave well enough alone Cerenia. They are probably just left over entries in the registry that can do no harm. Since your computer is working well you wouldn't want to do any harm.

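A read-only way to check what the question above asks, added here as an example and not posted by anyone in this thread: it tests whether the logged registry entries are still present and whether the LEGACY_VBAGZ entry still has a service registration behind it. It assumes that "Key#Name" in the SUPERAntiSpyware log means the value Name under Key, that the legacy key is named after its service, and PowerShell 3 or later.

```powershell
# Entries copied from the scan log in this thread (a subset, for illustration).
$entries = @(
    'HKCR\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}',
    'HKCR\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}\TypeLib#Version',
    'HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ',
    'HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ\0000#Service'
)

function Test-LogEntry {
    param([string]$Entry)
    # Assumption: "Key#Name" in the log names a value under a key.
    $key, $name = $Entry -split '#', 2
    $key  = $key -replace '^HKCR\\', 'HKEY_CLASSES_ROOT\'
    $key  = $key -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\'
    $path = "Registry::$key"
    # -LiteralPath keeps the braces in the GUIDs from being read as wildcards.
    $present = Test-Path -LiteralPath $path
    if ($present -and $name) {
        $item = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
        $present = $null -ne $item
    }
    [pscustomobject]@{ Entry = $Entry; Present = $present }
}

$entries | ForEach-Object { Test-LogEntry $_ } | Format-Table -AutoSize

# Does the legacy entry still point at a registered service?
$cs     = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet'
$legacy = "$cs\Enum\Root\LEGACY_VBAGZ\0000"
$svc = (Get-ItemProperty -LiteralPath $legacy -Name Service -ErrorAction SilentlyContinue).Service
if (-not $svc) { $svc = 'VBAGZ' }   # assumption: key name is LEGACY_<service name>

$svcKey = "$cs\Services\$svc"
if (Test-Path -LiteralPath $svcKey) {
    $image = (Get-ItemProperty -LiteralPath $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    "Services key for $svc exists (ImagePath: $image). Check whether that file is on disk."
} else {
    "No Services key for $svc. The Enum\Root entry has no service registration behind it."
}
```

The script only reads the registry; it deletes and changes nothing.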

Posted
If one of the programs has quarantined some of the files - then SAS is probably just picking up the remnants from inside the quarantined file as Randy mentioned


Posted

Well, talking to a PC literate friend of mine last night advised I research the infected file (at work, so don't have links), and it's confirmed these are remnants of the MS Rogue antivirus that goes around. The only thing that happens is occasionally, my PC flickers or lags a little, but that happened on my old laptop, think it's just an overused laptop syndrome, nothing to fret over.

I do scan very frequently as when I was 15, I got infected with Parite-B, and that was a demon to remove XD Just paranoid about data being stolen and passed over to someone, but I check my bank statements frequently, just to be safe. Did try deleting the registry keys, it let me delete the sub folder 000, but that's all.

 

 

Thanks guys, as long as I can rest easy, that's cool!! :)

Posted
I would look into the flickering and freezing issue - this can be anything from the Monitor about to break or the MOBO being shot - just make sure you have a back up of what you need - just to make sure


Posted
I would look into the flickering and freezing issue - this can be anything from the Monitor about to break or the MOBO being shot - just make sure you have a back up of what you need - just to make sure

 

Uh-oh, I just assumed it's normal now and again with laptops, it's still rather new (4monthish), and I just thought I had too much stuff on there (have a 15gb archive folder of everything I've done on PCs in the 7 years I've had one, aiming to get down to 5gb and external hard drive it). All backed up on 2 other PCs in the house anyway, one with no internet access.

Posted

Laptops should not flicker just because you have a lot of stuff on its hard drive although it is usually a good idea to keep them "lean" so long as you have sufficient and reliable external backup.

 

Of course we may all have our own ideas of what constitutes a flicker and how often "now and again" may be.

"Familiarity breeds contempt - and children."

Mark Twain

 

 

Posted

My bad, I got a lecture last night - it's fine after turning my PC off and leaving it a few moments before rebooting, I managed to nab someone to check it :D

Thank you very much all! :D

Posted
Glad it's all ok
