I know of a few cases where issues come up, you run MBAM/SAS and it detects and cleans, but they cannot look at the registry and decide if the things it might find are legitimate changes or made by the malware, so it just leaves them. I can appreciate that. No tool seems to know about everything, so those are my favorite starting points.
Subsequent scans may be clean (you are no longer "infected"), but the problem in the registry is still there. It may not jump out at you either as it looks like so many other legit entries.
Or the malware uses a different method to create bogus entries with random names so if it was ever detected once, it will not be detected again. Pretty sneaky. Some of those I know how to fix, but I do not have a method for this situation.
There may be some other AV tools to run, but you still may end up having to do some things by hand, and I don't like guessing. I am not sure about this koobface thing.
What your last post shows is a Class ID (CLSID) which I do not have here; I can't use a tool to find it or find it in a Google search to know who it belongs to. My stuff in that area of the registry does not show any empty entries like yours, and are they really identical (lines 1, 2, 3)? Did you type them, or copy/paste?
Look at some of the many other CLSID entries - there is other "good" stuff in them, are these just some empty placeholders or is there really stuff under them? They are browser related.
I can't get to your other posts on the other forum with your Hijackthis log to see if they are in there. That is not a virus scanner, but you could delete them from that if they show up. I will try again later.
You can backup your registry with this: http://www.larshederer.homepage.t-online.de/erunt/
And then export out that part of the registry (I would do both).
You could find the 3 entries that Spyware Doctor found and remove them yourself from the registry. They really don't make sense to me the way they are, but maybe SD only prints part of the info. If things get worse, put them back.
I also read that for your koobface infection these keys should be located and deleted if they exist (they don't exist for me).
The above might be an example where the scans deleted the mbsvalid1&2 files, but left the junk in the registry.
So, I am guessing, and I think if it was me, I would backup the reg, look for those mbsvalid things, whack them, export those CLSIDs, reboot, test if they are found. Then whack those CLSIDs, reboot and test. You can always put them back. I would not change two things at a time. If the mbsvalids are there, do them, test - then do the CLSID things which you know are there for sure.
You need to be sure you can undo things if you make changes and things get worse.
Or, hang out for some other ideas from somebody else.
Or put up a Hijackthis log and get moved again. Maybe I can look at your old log later - something is going on with BC right now I think.
Edited by joseibarra, 07 October 2009 - 08:14 AM.
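The "export the CLSID, remove it, put it back if things get worse" step from the post above, as an added PowerShell example (not from the poster or from any tool named in the thread). It assumes reg.exe is available and uses a placeholder CLSID; the real value would be the one the scanner reported.

```powershell
# Added example, not part of the original post: back up a suspicious CLSID key
# to a .reg file, list what is under it, and only then remove it. The backup
# can be restored with 'reg import' if the system behaves worse afterwards.
# The CLSID below is a PLACEHOLDER, not a real finding; substitute the scanner's value.
param(
    [string]$Clsid     = '{00000000-0000-0000-0000-000000000000}',
    [string]$BackupDir = "$env:USERPROFILE\reg-backup"
)

$key  = "HKEY_CLASSES_ROOT\CLSID\$Clsid"
$path = "Registry::$key"

# Nothing to do if the key is not actually present on this machine.
if (-not (Test-Path $path)) {
    Write-Host "Key $key not present - nothing to do."
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "CLSID-$($Clsid.Trim('{}'))-$stamp.reg"

# 1. Export the key and all of its subkeys so the change can be undone.
reg export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Export of $key failed; aborting without changing the registry."
}
Write-Host "Exported $key to $backup"

# 2. Show the subkeys and values, so an empty placeholder entry stands out
#    from a genuine COM registration (InprocServer32, ProgID, etc.).
Get-ChildItem $path -Recurse | ForEach-Object { $_.Name }
Get-ItemProperty $path | Format-List

# 3. Remove the key only after the backup is confirmed on disk.
Remove-Item $path -Recurse -Force
Write-Host "Removed $key."
Write-Host "To undo, run: reg import `"$backup`""
```

Run it from an elevated PowerShell session; deleting one key at a time and rebooting between changes keeps the rollback path simple.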