Removal of Win32:Rootkit-gen [Rtk]. Thanks to help

Hello,

Since several days, I'm trying to get rid of a rootkit trojan that all antivirus (etc...) softwares detects, but none is able to suppress it.

The names given by the software I used are:
Win32:Rootkit-gen [Rtk]
Trojan:WinNT/Bubnix.gen!A
Trojan Agent/Gen-Virut
Trojan.NtRootkit.5823
Trojan.Siggen.586
Tool.Prockill

The file that comes the more often is:
C:\Windows\System32\drivers\zoxausba.sys

This file seems impossible to remove, even with unlockers reboots, etc.

(It constantly change its "modified date" to the current time).
I also searched into the registry, but the records referencing this file are locked

The Kaspersky generated report is attached here and the Hijack report is here under.

THANK YOU VERY MUCH IN ADVANCE FOR YOUR HELP !

np2c / Paul
Brussels
[COLOR="Red"][B]
moderated::: the logs have to been attached, not posted[/B][/COLOR]

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual disinfection
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('wscsvc.sys','');
StopService('PEVSystemStart');
DeleteService('PEVSystemStart');
QuarantineFile('C:\zz\PEV.cfxxe','');
QuarantineFile('C:\Windows\System32\Drivers\zoxausba.sys','');
QuarantineFile('C:\Windows\system32\drivers\bvdy.sys','');
DeleteFile('C:\Windows\system32\drivers\bvdy.sys');
DeleteFile('C:\Windows\System32\Drivers\zoxausba.sys');
DeleteFileMask('C:\zz\','*.*',true);
DeleteDirectory('C:\zz\');
DeleteService('Bonjour Service');
BC_DeleteSvc('Bonjour Service');
DeleteFileMask('%programfiles%\Bonjour\','*.*',true);
DeleteDirectory('%programfiles%\Bonjour\');
DelCLSID('{9999A076-A9E2-4C99-8A2B-632FC9429223}');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service');
ExecuteRepair(14);
ExecuteWizard('TSW', 2, 2, true);
ExecuteWizard('SCU', 2, 2, true);
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('PEVSystemStart');
BC_Activate;
ExecuteRepair(1);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(11);
ExecuteRepair(16);
ExecuteRepair(17);
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]

After reboot [URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL] in Manual disinfection
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]and upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.


- Repeat a log file of AVPTool.
- Make a log file with Hijackthis ([URL="http://virusinfo.info/showthread.php?t=9184"] Analysis, p.3 [/URL] for further informations).
- Attach a log to your new post..

Dear Rene-Gad,
Much thanks for your quick answer!
I am presently working at my office, but will surely try your scripts tonight, as soon as I'm back home.
I'll cross my fingers and will let you know more soon.
THANK YOU!
Paul (np2c)

Dear Rene-Gad,
I tried your script as you said (no sys restore, no firewall...) without succeeding to remove the virus...
I also tried the same in safe mode, but with the same (no) result.
The log files are uploaded here.
I hope you can suggest me something else: you are my only hope...!!!
Kindest regards,
Paul

Where have I written: [I]And now try to remove a virus by yourself?[/I]
But I wrote: [B]Repeat a log file of AVPTool. [/B]
And I'm missing it.

Hi Rene-Gad,
No, you've indeed not written "try to remove virus", but I was hoping such a miracle...!
;)
Re. "Repeat a log file of AVPTool", you are right, I totally forgot this, SORRY !!!
I'll do it tonight, when back home. Thank you for your patience.

However, to be sure not to loose any more of your precious time, please correct me if I am wrong: by "Repeat a log file of AVPTool", you well mean that I should go to AVPTool (=Kaspersky Virus Removal Tool) manual disinfection, click "step 1" and send you the avptool_sysinfo.zip file, right ?

Thank you again !!!
Paul / np2c

Hi Rene-Gad,
Here are thus the requested AVPTool logs.
Cheers & Thank you.
Paul

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual disinfection
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('C:\Windows\System32\Drivers\zoxausba.sys','');
DeleteFile('C:\Windows\System32\Drivers\zoxausba.sys');
DeleteService('zoxausba');
RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\zoxausba');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]

After reboot [URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL] in Manual disinfection
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]and upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.

- Repeat a log file of AVPTool.
- Make a [URL="http://virusinfo.info/showthread.php?t=51878"]GMER-Log[/URL]
- Attach both logs to your new post. [COLOR="Red"]Pls. don't attach anything else![/COLOR]

Dear Rene-gad,
I followed, as much as possible, your instructions, and the resulting files are attached here.
Note that, before sending my S.O.S.-help to you, I already tried to suppress that zoxausba.sys file, even with specialized reboot tools, but without success. It always give errors like: "Cannot read from the source file or disk" or "A device attached to the system is not functioning."
Thanks again and have a good night / day.
Paul

Run GMER, press the tab >>>>>, go to the tab CMD.
Copy/paste the follow code in the upper window
[CODE]wGbm1e7rv8or.exe -del service zoxausba
wGbm1e7rv8or.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\zoxausba"
wGbm1e7rv8or.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\zoxausba"
wGbm1e7rv8or.exe -reboot[/CODE]
Press th button RUN.
After reboot repeat log of GMER and [U][COLOR="Red"]CORRECT LOG[/COLOR][/U] of AVPTool.

Hello Rene-gad,

Thank you for the new script. [I]I'll do this later today and let you know results[/I].

However, I'm sorry (both my English and my computer knowledges are rather basic) but I'm still very confused about AVPTool and [COLOR="Red"][U]CORRECT LOG[/U][/COLOR] of AVPTool, sorry.
As far as I understand, AVPTool is an other name for Kaspersky Virus Removal Tool, which is also called setup_9.0.0.722_23.02.2010_12-08.exe. This should be right.

But, once I am into that 3-equivalent-names-program, how do I save the CORRECT LOG ?
[LIST]Manual tab + Save Report = quarantine.zip, which doesn't seems to be the LOG you want, because you ask for it separately?[/LIST]
[LIST]If I go to Report, it opens a window where I can see logs, that I've then copied to you, but you say it is not the CORRECT LOG...[/LIST]
So, I do not know exactly how I should do, sorry.
Paul

[QUOTE=np2c;593448]how do I save the CORRECT LOG ?[/QUOTE]Do just the same as in your post #7.

Dear Rene-gad,
I just tried your Gmer script, but it didn't have a chance to do anything:
[INDENT](Error) DeleteService: Access is denied
(Error) DeleteKey: Access is denied[/INDENT]I tried also in Safe Mode, but there it says:
[INDENT](Error) DeleteService or DeleteKey: The specified module could not be found.[/INDENT]

Notes:
- when pasting your script in the Gmer window, I left everything as it is, ie CMD.EXE checked, and REGEDIT.EXE not checked.
- some days ago, I tried myself to search Registry for reference to that crazily unbreakable zoxausba.sys file, but also remarked that the keys referencing that file where impossible to delete or even edit.

By the way, is there perhaps a way to export the Registry, edit it elsewhere when not protected (when not in use?), and then reimport it back?

Despite it is probably useless, I'll now do the same once more, plus the scans, and will send you the logs.
Thank you for your help.
Paul

Did you disable antivirus and firewall before executing of gmer? If not - do it and try once more.
In each case repeat log of GMER and log of AVPTool.

Yes, all disabled.
Gmer Log attached here, AVPTool coming through above general red link.
Paul
:?

[QUOTE=np2c;593655]
AVPTool coming through above general red link.
[/QUOTE]Do you really understand the difference between LOG and QUARANTINE??? :rtfm:
LOGs should be attached to the post, QUARANTINE should be uploaded over red link.

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual disinfection
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteService('zoxausba');
RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\zoxausba');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]
- Repeat a log file of AVPTool.

:O
Log or quanrantine...?
This virus starts to drive me crazy too, sorry! :>
(Note that you have nice pages for, by example, how to obtain the Gmer log. But I've not seen explanations for novices like me for AVPT log)

OK, I ran your last script and the log is attached here, correctly I hope.
Paul

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual disinfection
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\Windows\System32\Drivers\zoxausba.sys');
DeleteService('zoxausba',true);
RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\zoxausba');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('zoxausba');
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]

- Repeat a log file of AVPTool.
- Make a [URL="http://virusinfo.info/showthread.php?t=51878"]GMER-Log[/URL]

Here it is.
Thanks.
Paul

Remove Superantispyware - it's a bullsh... and possibly blocks gmer.

Run GMER, press the tab >>>>>, go to the tab CMD.
Copy/paste the follow code in the upper window
[CODE]
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\zoxausba"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\zoxausba"
gmer.exe -del file "C:\Windows\System32\Drivers\zoxausba.sys"
gmer.exe -del service zoxausba
gmer.exe -reboot[/CODE]
Press the button RUN.
After reboot repeat logs of GMER and of AVPTool.