daf501 Posted June 28, 2009

Hi, can anyone help? I think I may be infected with a rootkit. I have installed a couple of different recommended anti-spyware programs (Ad-Aware and Spybot) but they refuse to run. I ran SUPERAntiSpyware in safe mode and keep finding "Rootkit.Agent/Gen-UACFake". It says it is being removed, but if I run another scan, it's still there! I also get music and voices starting up in the background, even if I'm doing nothing; I don't know if it's related. Thanks for any help that is given.
RandyL Posted June 29, 2009

Rootkits can be the hardest form of malware to remove. They can also be the most dangerous. If you want to attempt to remove it we'll surely try to help you. Be advised, though, that when it comes to rootkits we can't guarantee you'll remain trouble free unless you reinstall Windows. Also, after removal you should change any saved passwords etc. for online sites such as banking or forums. If you have any personal financial information stored on your computer, now would be a good time to consider it hacked as well.

Please follow our guide carefully. I notice you have already run SUPERAntiSpyware. Follow our guide to the letter anyway and run ALL the steps, including SAS, in the order provided. Make sure you update the programs first. When you are done there is a good chance we may want you to run one or more additional programs.

Your computer is infected with malware. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

It is in your best interest to note the following:
- Please disable your resident security applications (such as AVG, Spybot, WinPatrol, etc.) before performing the procedure below so that they do not interfere with the process.
- Perform all the steps in the order listed to avoid any conflicts. If unsure, please stop and voice your doubts.
- You might be required to go offline during the disinfection process. Therefore, it is recommended to print off the instructions below for ease of reference.

If you stick to the above guidelines, all should go smoothly.

================================================
STEP 1

Download ATF-Cleaner by Atribune. Save the file to your Desktop. Double-click on the file to run the program.
- On the Main tab, check the Select All button.
- Next, click on the Firefox tab (if applicable) and check the Select All button. Note: If you would like to preserve your saved passwords in Firefox, then click No at the corresponding prompt.
- Now, click on the Opera tab (if applicable) and check the Select All button. Note: If you would like to preserve your saved passwords in Opera, then click No at the corresponding prompt.
- Press the Empty Selected button and click OK to acknowledge the corresponding prompt.
- Click on the Exit button to quit the program.

================================================
STEP 2

Please click here to download Malwarebytes' Anti-Malware. Save the file to your Desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, make sure a check mark is placed next to:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
- Click Finish.
- The program will download and update itself if it finds the necessity to do so. Please allow this.
- Once the program has loaded, select Perform full scan, then click Scan. Note: Depending on your computer specifications, the scan may take some time to complete. Please wait patiently and do not interrupt the process.
- When the scan is complete, click OK, and then Show Results to view the results.
- Make sure that every entry is selected, and click Remove Selected.
- Restart your computer.

================================================
STEP 3

Please click here to download SUPERAntiSpyware (Free Version). Save the file to your Desktop.
- Double-click SUPERAntiSpyware.exe and follow the prompts to install the program.
- Open SUPERAntiSpyware. Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab. Under Scanner Options make sure the following fields are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining
- Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software, click Scan your computer.
- On the left, make sure you check mark All the Fixed Drives.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
- Make sure every entry has a check mark next to it and click Next.
- A notification will appear that Quarantine and Removal is Complete. Click OK and then Finish to return to the main menu.
- Restart your computer.

================================================
STEP 4

Please visit the ESET Online Scanner, using Internet Explorer to initiate the scan. Note: If you are running Windows Vista, then you will need administrative privileges to complete the latter part of the procedure. To do so, right-click on the Internet Explorer icon in the Start Menu and select the Run As Administrator option in the shell context menu.
- Check mark the YES, I accept the Terms of Use box.
- Click the Start button.
- Click the Install button on the following screen.
- Click Start. This will initialize and update the scanner engine.
- Check mark the box beside Remove found threats.
- Click the Scan button. This will start the scan. Please be patient while it is in progress.
- Restart your computer.

================================================
STEP 5

Click on Start > Programs > Accessories > System Tools and select System Restore. Choose the radio button marked Create a Restore Point on the first screen and click Next. Give the restore point a name, then click Create. The new point will be stamped with the current date and time. Keep a note of this so you can find it easily should you need to use System Restore.

Next, click on Start > Run, type Cleanmgr and click on OK. Click on the More Options tab. Click the Clean Up button in the System Restore section to remove all previous restore points except the most recent one. This will remove any infected files that have been backed up by Windows. The files in "System Restore" are protected to prevent any programs changing those files. This is the only foolproof way to ensure the deletion of those files.

Note: Do not clear restore points on a regular basis, as doing so will clear all previous restore points, even those that you may need. System Restore is a useful tool to revert your computer back to a working condition if something goes wrong.

Re-enable all your security applications and please return here and tell us how the computer seems to be operating.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. Get help with computer problems. Join Free PC Help here. Donations are welcome. Read Here
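STEP 5 above is a GUI walk-through for Windows XP. As an added example (not part of the original post or of the forum's guide), the same procedure scripted in PowerShell for Windows 7 and later, run from an elevated prompt: take one fresh restore point, then delete every older shadow copy, which is where Vista-and-later Windows stores earlier restore points. It assumes the system drive is C: (the $drive variable is the only thing to change) and uses only built-in tools, Checkpoint-Computer for the new point and vssadmin for removing the old ones.

```powershell
# Added example, not from the original thread: script the Step 5 procedure
# (new restore point, then drop all older ones) on Windows 7 and later.
# Assumption: the system drive is C: and this runs in an elevated shell.
#Requires -RunAsAdministrator

$drive = 'C:'   # assumption: system drive letter

# 1. Make sure System Restore is on for the drive and take a fresh point so
#    there is a known-good state to roll back to after the cleanup.
#    Caveat: Windows 8 and later refuse a second checkpoint within 24 hours
#    unless SystemRestorePointCreationFrequency (under
#    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore) is 0.
Enable-ComputerRestore -Drive "$drive\"
Checkpoint-Computer -Description 'Clean point after malware removal' `
                    -RestorePointType MODIFY_SETTINGS

# 2. Count the shadow copies for the drive; each restore point lives in one.
function Get-ShadowCount {
    (vssadmin list shadows /for=$drive | Select-String 'Shadow Copy ID').Count
}

# 3. vssadmin only removes one "oldest" copy per call, so loop until a single
#    copy (the point just created) remains. This is what Cleanmgr's
#    "More Options > System Restore > Clean Up" does through the GUI.
while ((Get-ShadowCount) -gt 1) {
    vssadmin delete shadows /for=$drive /oldest /quiet | Out-Null
}

# 4. List what survived so the user can note the description and date,
#    as the guide asks, and confirm only the new point is left.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

Get-ComputerRestorePoint and Checkpoint-Computer are Windows PowerShell cmdlets (not available in PowerShell 7), so run this in the built-in Windows PowerShell. As with the GUI steps, do this only after the scans in Steps 2 to 4 have come back clean: a restore point taken while the rootkit is still active just preserves the infection.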
rodi Posted June 29, 2009

Hi, there's a useful tool called RootkitRevealer. You can download it from the Microsoft website: RootkitRevealer
daf501 Posted July 7, 2009 (Author)

Rootkit update. Hi, thanks for trying to help. I tried to download the two programs (MBAM and SAS) but they will not open for me, not even in safe mode. The ESET program did run and scan, but it would need to run after the others, as per your instructions. Any ideas why they would not load for me?
RandyL Posted July 7, 2009

They won't install or they won't run? If Malwarebytes won't install, then download and save the file mbam-setup.exe, rename the file to m.exe and try to install it. If it won't run, look at this post: http://extremetechsupport.com/forum/malware-removal-av-firewalls-etc/6647-windows-firewall-3.html#post48178

SAS won't install in safe mode but will run in safe mode. What did ESET find?
danzil Posted July 7, 2009

Additionally, rename the file to .com or .bat, then retry the install. You will have to untick "Hide extensions for known file types" in Folder Options; you can get to this by opening My Documents, then Tools > Folder Options.

Do you know the exact name of the rootkit? I have seen many false positives on rootkit scanners and antivirus scanners. Please post back.

Regards, danzil :)
RandyL Posted July 8, 2009

Hi danzil. Good to have you helping out. You bring up a good point that may well be needed. Here is the name: Rootkit.Agent/Gen-UACFake