
Removal of Win32:Rootkit-gen [Rtk]. Thanks to help

  1. #1
    Junior Member, registered 22.02.2010, 17 posts, reputation weight 25

    Removal of Win32:Rootkit-gen [Rtk]. Thanks to help

    Hello,

    For several days I have been trying to get rid of a rootkit trojan that all antivirus (etc.) software detects, but none is able to suppress it.

    The names given by the software I used are:
    Win32:Rootkit-gen [Rtk]
    Trojan:WinNT/Bubnix.gen!A
    Trojan Agent/Gen-Virut
    Trojan.NtRootkit.5823
    Trojan.Siggen.586
    Tool.Prockill

    The file that comes up most often is:
    C:\Windows\System32\drivers\zoxausba.sys

    This file seems impossible to remove, even with unlockers, reboots, etc.

    (It constantly changes its "modified date" to the current time.)
    I also searched the registry, but the records referencing this file are locked.

    The Kaspersky-generated report is attached here and the HijackThis report is below.

    THANK YOU VERY MUCH IN ADVANCE FOR YOUR HELP !

    np2c / Paul
    Brussels

    moderated::: the logs have to be attached, not posted
    Attachments
    Last edited by Rene-gad; 22.02.2010 at 10:09.

  2. #2
    Senior Member, registered 03.04.2006, 21,108 posts, reputation weight 2996
    Switch off/Disable:
    - Antivirus and, if you have one, Firewall.
    - System Restore

    - Execute the following script in Manual disinfection
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    ClearQuarantine;
     QuarantineFile('wscsvc.sys','');
     StopService('PEVSystemStart');
     DeleteService('PEVSystemStart');
     QuarantineFile('C:\zz\PEV.cfxxe','');
     QuarantineFile('C:\Windows\System32\Drivers\zoxausba.sys','');
     QuarantineFile('C:\Windows\system32\drivers\bvdy.sys','');
     DeleteFile('C:\Windows\system32\drivers\bvdy.sys');
     DeleteFile('C:\Windows\System32\Drivers\zoxausba.sys');
     DeleteFileMask('C:\zz\','*.*',true);
     DeleteDirectory('C:\zz\');
     DeleteService('Bonjour Service');
     BC_DeleteSvc('Bonjour Service');
     DeleteFileMask('%programfiles%\Bonjour\','*.*',true);
     DeleteDirectory('%programfiles%\Bonjour\');
     DelCLSID('{9999A076-A9E2-4C99-8A2B-632FC9429223}');
     RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service');
     ExecuteRepair(14);
    ExecuteWizard('TSW', 2, 2, true);
    ExecuteWizard('SCU', 2, 2, true);
    BC_ImportAll;
    ExecuteSysClean;
    BC_DeleteSvc('PEVSystemStart');
    BC_Activate;
    ExecuteRepair(1);
    ExecuteRepair(6);
    ExecuteRepair(8);
    ExecuteRepair(9);
    ExecuteRepair(11);
    ExecuteRepair(16);
    ExecuteRepair(17);
    SetAVZPMStatus(True);
    RebootWindows(true);
    end.
    After the reboot, execute the following script in Manual disinfection
    Code:
    begin
    CreateQurantineArchive('C:\quarantine.zip');
    end.
    and upload C:\quarantine.zip via the link Upload quarantined files at the top of this page.


    - Repeat a log file of AVPTool.
    - Make a log file with HijackThis (Analysis, p.3 for further information).
    - Attach the log to your new post.

  3. #3
    Junior Member
    Dear Rene-Gad,
    Much thanks for your quick answer!
    I am presently working at my office, but will surely try your scripts tonight, as soon as I'm back home.
    I'll cross my fingers and will let you know more soon.
    THANK YOU!
    Paul (np2c)

  4. #4
    Junior Member
    Dear Rene-Gad,
    I tried your script as you said (no sys restore, no firewall...) without succeeding in removing the virus...
    I also tried the same in safe mode, but with the same (no) result.
    The log files are uploaded here.
    I hope you can suggest something else to me: you are my only hope...!!!
    Kindest regards,
    Paul
    Attachments
    Last edited by Rene-gad; 23.02.2010 at 10:13. Reason: quarantine removed

  5. #5
    Senior Member
    Where have I written: And now try to remove a virus by yourself?
    But I wrote: Repeat a log file of AVPTool.
    And I'm missing it.
    Last edited by Rene-gad; 23.02.2010 at 15:29. Reason: grammar

  6. #6
    Junior Member
    Hi Rene-Gad,
    No, you indeed haven't written "try to remove virus", but I was hoping for such a miracle...!

    Re. "Repeat a log file of AVPTool", you are right, I totally forgot this, SORRY !!!
    I'll do it tonight, when back home. Thank you for your patience.

    However, to be sure not to lose any more of your precious time, please correct me if I am wrong: by "Repeat a log file of AVPTool", you do mean that I should go to AVPTool (= Kaspersky Virus Removal Tool) manual disinfection, click "step 1" and send you the avptool_sysinfo.zip file, right?

    Thank you again !!!
    Paul / np2c

  7. #7
    Junior Member
    Hi Rene-Gad,
    Here, then, are the requested AVPTool logs.
    Cheers & Thank you.
    Paul
    Images
    Attachments
    Last edited by Rene-gad; 24.02.2010 at 10:49. Reason: unrequested attachment removed

  8. #8
    Senior Member
    Switch off/Disable:
    - Antivirus and, if you have one, Firewall.
    - System Restore

    - Execute the following script in Manual disinfection
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    ClearQuarantine;
     QuarantineFile('C:\Windows\System32\Drivers\zoxausba.sys','');
     DeleteFile('C:\Windows\System32\Drivers\zoxausba.sys');
     DeleteService('zoxausba');
     RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\zoxausba');
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    SetAVZPMStatus(True);
    RebootWindows(true);
    end.
    After the reboot, execute the following script in Manual disinfection
    Code:
    begin
    CreateQurantineArchive('C:\quarantine.zip');
    end.
    and upload C:\quarantine.zip via the link Upload quarantined files at the top of this page.

    - Repeat a log file of AVPTool.
    - Make a GMER-Log
    - Attach both logs to your new post. Pls. don't attach anything else!

  9. #9
    Junior Member
    Dear Rene-gad,
    I followed, as much as possible, your instructions, and the resulting files are attached here.
    Note that, before sending my S.O.S. to you, I already tried to suppress that zoxausba.sys file, even with specialized reboot tools, but without success. It always gives errors like: "Cannot read from the source file or disk" or "A device attached to the system is not functioning."
    Thanks again and have a good night / day.
    Paul
    Attachments
    • File type: log GMER.log (11.0 KB, 4 views)
    Last edited by Rene-gad; 25.02.2010 at 10:17. Reason: non-requested log removed

  10. #10
    Senior Member
    Run GMER, press the tab >>>>>, go to the tab CMD.
    Copy/paste the following code in the upper window
    Code:
    wGbm1e7rv8or.exe -del service zoxausba  
    wGbm1e7rv8or.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\zoxausba"
    wGbm1e7rv8or.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\zoxausba"
    wGbm1e7rv8or.exe -reboot
    Press the button RUN.
    After reboot repeat log of GMER and CORRECT LOG of AVPTool.

  11. #11
    Junior Member
    Hello Rene-gad,

    Thank you for the new script. I'll do this later today and let you know results.

    However, I'm sorry (both my English and my computer knowledge are rather basic) but I'm still very confused about AVPTool and CORRECT LOG of AVPTool, sorry.
    As far as I understand, AVPTool is another name for Kaspersky Virus Removal Tool, which is also called setup_9.0.0.722_23.02.2010_12-08.exe. This should be right.

    But, once I am into that 3-equivalent-names-program, how do I save the CORRECT LOG ?
    • Manual tab + Save Report = quarantine.zip, which doesn't seem to be the LOG you want, because you ask for it separately?

    • If I go to Report, it opens a window where I can see logs, that I've then copied to you, but you say it is not the CORRECT LOG...

    So, I do not know exactly what I should do, sorry.
    Paul

  12. #12
    Senior Member
    Quote (np2c):
    how do I save the CORRECT LOG ?
    Do just the same as in your post #7.

  13. #13
    Junior Member
    Dear Rene-gad,
    I just tried your Gmer script, but it didn't have a chance to do anything:
    (Error) DeleteService: Access is denied
    (Error) DeleteKey: Access is denied
    I tried also in Safe Mode, but there it says:
    (Error) DeleteService or DeleteKey: The specified module could not be found.

    Notes:
    - when pasting your script in the Gmer window, I left everything as it is, ie CMD.EXE checked, and REGEDIT.EXE not checked.
    - some days ago, I tried myself to search the Registry for references to that crazily unbreakable zoxausba.sys file, but also noticed that the keys referencing that file were impossible to delete or even edit.

    By the way, is there perhaps a way to export the Registry, edit it elsewhere when not protected (when not in use?), and then reimport it back?

    Although it is probably useless, I'll now do the same once more, plus the scans, and will send you the logs.
    Thank you for your help.
    Paul
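    The symptoms Paul describes here (DeleteService/DeleteKey "Access is denied", registry keys that cannot be edited, a driver file that cannot be read and whose modified date keeps jumping to "now") are the classic self-protection tricks of a kernel-mode rootkit driver. The audit below is an added example for readers triaging the same situation from the defender's side; it is not part of this thread and not a tool used in it. It assumes an elevated PowerShell 5.1+ session on Windows; the 5-minute timestamp threshold and the identity list are arbitrary choices of this example.

```powershell
# Added example (not from the thread): enumerate kernel-driver services and flag
# the self-protection symptoms discussed above. Run elevated; PowerShell 5.1+.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot = $env:SystemRoot

function Test-DriverServiceHealth {
    param([string]$KeyPath)
    $name = Split-Path $KeyPath -Leaf
    $findings = @()
    try {
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    } catch {
        # A service key whose values cannot even be read by an admin is itself a finding.
        return [pscustomobject]@{ Service = $name; Image = $null; Findings = "registry read denied: $($_.Exception.Message)" }
    }
    # Type 1 = kernel driver, 2 = file-system driver; user-mode services are skipped.
    if ($props.Type -notin 1, 2) { return $null }
    $image = $props.ImagePath
    if (-not $image) { return $null }
    # Normalise NT-style and relative ImagePath forms (\SystemRoot\..., \??\C:\..., system32\...) to a Win32 path.
    $image = $image -replace '^\\SystemRoot\\', "$sysRoot\" -replace '^\\\?\?\\', ''
    $image = $image -replace '^system32\\', "$sysRoot\system32\"
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $sysRoot $image }
    # Symptom 1: explicit Deny ACEs on the service key (why DeleteKey fails for an administrator).
    try {
        $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
        $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -match 'Administrators|Everyone|SYSTEM' }
        if ($deny) { $findings += 'explicit Deny ACE on service key' }
    } catch { $findings += "cannot read key ACL: $($_.Exception.Message)" }
    if (Test-Path -LiteralPath $image) {
        # Symptom 2: the driver file is present but cannot be opened for reading.
        try { [IO.File]::OpenRead($image).Dispose() } catch { $findings += "driver file unreadable: $($_.Exception.Message)" }
        $item = Get-Item -LiteralPath $image -Force
        # Symptom 3: LastWriteTime is being bumped to the current time (threshold is arbitrary).
        if (((Get-Date) - $item.LastWriteTime).TotalMinutes -lt 5) { $findings += 'LastWriteTime within the last 5 minutes' }
        # Hint only: unsigned legitimate drivers exist, so a non-Valid status is corroboration, not proof.
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') { $findings += "Authenticode status $($sig.Status)" }
    } else {
        # A registered driver whose image is not visible to the file API may be hidden by the rootkit itself.
        $findings += 'ImagePath not visible on disk'
    }
    if ($findings.Count -eq 0) { return $null }
    [pscustomobject]@{ Service = $name; Image = $image; Findings = ($findings -join '; ') }
}

Get-ChildItem -Path $servicesKey |
    ForEach-Object { Test-DriverServiceHealth -KeyPath $_.PSPath } |
    Format-Table -AutoSize -Wrap
```

A driver that trips several of these checks at once is a candidate for offline remediation (boot-time or rescue-media tooling, as the helper's scripts do), since the live system's own API view of the file and key is what the rootkit controls.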

  14. #14
    Senior Member
    Did you disable antivirus and firewall before executing gmer? If not, do it and try once more.
    In each case repeat log of GMER and log of AVPTool.

  15. #15
    Junior Member
    Yes, all disabled.
    Gmer Log attached here, AVPTool coming through above general red link.
    Paul
    Attachments
    • File type: log Gmer.log (11.0 KB, 2 views)

  16. #16
    Senior Member
    Quote (np2c):
    AVPTool coming through above general red link.
    Do you really understand the difference between LOG and QUARANTINE???
    LOGs should be attached to the post, QUARANTINE should be uploaded over red link.

    - Execute the following script in Manual disinfection
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    DeleteService('zoxausba');
    RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\zoxausba');
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    SetAVZPMStatus(True);
    RebootWindows(true);
    end.
    - Repeat a log file of AVPTool.
    Last edited by Rene-gad; 25.02.2010 at 17:43. Reason: Added

  17. #17
    Junior Member

    Log or quarantine...?
    This virus starts to drive me crazy too, sorry!
    (Note that you have nice pages on, for example, how to obtain the Gmer log. But I've not seen explanations for novices like me for the AVPT log.)

    OK, I ran your last script and the log is attached here, correctly I hope.
    Paul
    Attachments

  18. #18
    Senior Member
    - Execute the following script in Manual disinfection
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     DeleteFile('C:\Windows\System32\Drivers\zoxausba.sys');
     DeleteService('zoxausba',true);
     RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\zoxausba');
    BC_ImportAll;
    ExecuteSysClean;
     BC_DeleteSvc('zoxausba');
    BC_Activate;
    SetAVZPMStatus(True);
    RebootWindows(true);
    end.
    - Repeat a log file of AVPTool.
    - Make a GMER-Log

  19. #19
    Junior Member
    Here it is.
    Thanks.
    Paul
    Attachments

  20. #20
    Senior Member
    Remove Superantispyware - it's a bullsh... and possibly blocks gmer.

    Run GMER, press the tab >>>>>, go to the tab CMD.
    Copy/paste the following code in the upper window
    Code:
    gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\zoxausba"
    gmer.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\zoxausba"
    gmer.exe -del file "C:\Windows\System32\Drivers\zoxausba.sys"
    gmer.exe -del service zoxausba  
    gmer.exe -reboot
    Press the button RUN.
    After reboot repeat logs of GMER and of AVPTool.
