I am unable to delete a file that is infected with "rootkit.win32.pakes.zo removal".
I have attached the log files.
Please help
[COLOR="Red"][B]Download the latest version of AVPTool: [url]http://ftp.kaspersky.com/devbuilds/AVPTool/[/url].[/B][/COLOR]
Close/unload all programs except AVZ and Internet Explorer.
Switch off:
- Antivirus and, if you have one, Firewall.
- System Restore
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual Healing
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('Passthru');
StopService('MyWebSearchService');
StopService('cblyefry');
StopService('buoiajryeeyina');
RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','Startup');
RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','or4VRheh1aqLTOEeQEbGuXcOEf');
RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','MyWebSearch Email Plugin');
RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','MSWUpdate');
RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Corp');
RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','jasuru');
RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','jasuru');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','WinSVC');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','svchost32');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','SuIaOfBkW1FndOp');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','MyWebSearch Email Plugin');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','My Web Search Bar Search Scope Monitor');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','MSWUpdate');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Windows Network');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Corp');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','jykuzif');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','jasuru');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','Microsoft Corp');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg','DLLName');
QuarantineFile('C:\WINDOWS\WinSVC.exe','');
QuarantineFile('C:\WINDOWS\system32\wono.exe','');
QuarantineFile('C:\WINDOWS\system32\vydoha.exe','');
QuarantineFile('C:\WINDOWS\system32\rupywer.exe','');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\ndisvvan.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\cblyefry.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\cblyefry.sys','');
QuarantineFile('C:\WINDOWS\raidhost.exe','');
QuarantineFile('C:\WINDOWS\Egezib.exe','');
QuarantineFile('C:\SYSTEMFILES\x-f-324553-12314-3344-1\ise32.exe','');
QuarantineFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe','');
QuarantineFile('C:\Documents and Settings\LocalService\Application Data\Microsoft\wono.exe','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\svchosts.exe','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\svchost32.exe','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\Microsoft\svchost.exe','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\lsass.exe','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\IvDUA.exe','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\Driver.exe','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\bywsf.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Documents\Settings\cbss.dll','');
DeleteService('Passthru');
DeleteService('MyWebSearchService');
DeleteService('cblyefry');
DeleteService('buoiajryeeyina');
DeleteFile('C:\WINDOWS\WinSVC.exe');
DeleteFile('C:\windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job');
DeleteFile('C:\WINDOWS\system32\wono.exe');
DeleteFile('C:\WINDOWS\system32\vydoha.exe');
DeleteFile('C:\WINDOWS\system32\rupywer.exe');
DeleteFile('C:\WINDOWS\system32\DRIVERS\ndisvvan.sys');
DeleteFile('C:\WINDOWS\system32\Drivers\cblyefry.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\cblyefry.sys');
DeleteFile('C:\WINDOWS\raidhost.exe');
DeleteFile('C:\WINDOWS\Egezib.exe');
DeleteFile('C:\SYSTEMFILES\x-f-324553-12314-3344-1\ise32.exe');
DeleteFile('C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe');
DeleteFile('C:\Documents and Settings\LocalService\Application Data\Microsoft\wono.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\svchosts.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\svchost32.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\Microsoft\svchost.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\lsass.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\IvDUA.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\Driver.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\bywsf.exe');
DeleteFile('C:\Documents and Settings\All Users\Documents\Settings\cbss.dll');
DelBHO('{00A6FAF6-072E-44cf-8957-5838F569A31D}');
BC_DeleteSvc('Passthru');
BC_DeleteSvc('MyWebSearchService');
BC_DeleteSvc('cblyefry');
BC_DeleteSvc('buoiajryeeyina');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual Healing
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/CODE]
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=79825[/url]
- Make a new log file.
- Attach a new log to your new post.
The link to [url]http://ftp.kaspersky.com/devbuilds/AVPTool/[/url] does not appear to be working at the moment. I will try again later. In the meantime I did a scan with the current version of the AVP tool that I have and I have attached the log file.
This link is OK: [url]http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/[/url]
It makes no sense to try to heal a system with such an obsolete tool.
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual Healing
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('fej8221');
StopService('cgld4b3');
StopService('cblyefry');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Drivers');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg','DLLName');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}');
DeleteService('fej8221');
DeleteService('cgld4b3');
DeleteService('cblyefry');
DeleteFile('Drivers.exe');
DeleteFile('cblyefry.sys');
DeleteFile('C:\WINDOWS\System32\drivers\fej8221.sys');
DeleteFile('C:\WINDOWS\System32\drivers\cgld4b3.sys');
DeleteFile('C:\SYSTEMFILES\x-f-324553-12314-3344-1\ise32.exe');
DeleteFileMask('C:\Program Files\MyWebSearch\','*.*',true);
DeleteDirectory('C:\Program Files\MyWebSearch\');
DeleteFile('C:\Documents and Settings\David1\Application Data\bywsf.exe');
DeleteFile('C:\Documents and Settings\All Users\Documents\Settings\cbss.dll');
DelCLSID('{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}');
BC_DeleteSvc('fej8221');
BC_DeleteSvc('cgld4b3');
BC_DeleteSvc('cblyefry');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- Make a new log file.
- Attach a new log to your new post.
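The two scripts above touch the same kinds of persistence points (services and their drivers, Run values, a Winlogon Notify DLL, a BHO/CLSID, a scheduled-task .job, and executables named after Windows system binaries but dropped under Application Data). Below is an added example, not code from the posts or from AVZ, that parses an AVZ Manual Healing script into a checklist of everything it touched so the same locations can be re-verified after the reboot. The input is a constructed, trimmed copy of the first script, with one hypothetical DeleteFile whose argument is a hijacked Winlogon Shell value ("Explorer.exe <path>") rather than a path; the parser reports such arguments (and bare file names like Drivers.exe) separately because AVZ cannot resolve them to a file. The list of system-binary names and the "padded name" rule (svchost32, svchosts) are this example's own heuristic.

```python
"""Turn an AVZ 'Manual Healing' script into a post-reboot verification list.

Added example for this thread (not code from the posts or from AVZ). It parses
the Pascal-style calls (StopService, RegKeyParamDel, QuarantineFile, DeleteFile,
DelBHO, ...) and groups every artifact the script touched, and flags
executables that borrow a Windows system binary's name but live outside the
Windows directory. The masquerade rule is this example's own heuristic.
"""
import re

# Constructed input: trimmed copy of the first script posted above, plus one
# hypothetical DeleteFile whose argument is a hijacked Winlogon Shell value
# ("Explorer.exe <path>") instead of a path, which AVZ can never resolve.
SAMPLE_SCRIPT = r"""
begin
StopService('Passthru');
StopService('cblyefry');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','svchost32');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg','DLLName');
QuarantineFile('C:\WINDOWS\system32\Drivers\cblyefry.sys','');
QuarantineFile('C:\Documents and Settings\David1\Application Data\lsass.exe','');
DeleteFile('Explorer.exe C:\Documents and Settings\David1\Application Data\lsass.exe');
DeleteFile('C:\WINDOWS\WinSVC.exe');
DeleteFile('C:\windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job');
DeleteFile('C:\WINDOWS\System32\Drivers\cblyefry.sys');
DeleteFile('C:\Documents and Settings\David1\Application Data\svchost32.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\Microsoft\svchost.exe');
DeleteFile('C:\Documents and Settings\David1\Application Data\lsass.exe');
DelBHO('{00A6FAF6-072E-44cf-8957-5838F569A31D}');
BC_DeleteSvc('Passthru');
BC_DeleteSvc('cblyefry');
BC_ImportAll;
RebootWindows(true);
end.
"""

CALL_RE = re.compile(r"^\s*(\w+)\((.*)\);\s*$")   # Name(args);  one call per line
ARG_RE = re.compile(r"'([^']*)'")                  # AVZ string literals
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM_BINARIES = {"svchost", "lsass", "explorer", "services", "csrss",
                   "winlogon", "smss", "spoolsv"}   # heuristic list (assumption)
WINDOWS_DIR = "c:\\windows\\"


def lookalike_of(path):
    """System binary a file name imitates, exactly or padded with digits/'s'
    (svchost32.exe, svchosts.exe), or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if not name.endswith(".exe"):
        return None
    stem = name[:-4]
    for sysname in SYSTEM_BINARIES:
        if stem == sysname or (stem.startswith(sysname)
                               and re.fullmatch(r"[0-9s]+", stem[len(sysname):])):
            return sysname
    return None


def is_masquerading(path):
    """Padded names are suspicious anywhere; exact names only outside Windows."""
    sysname = lookalike_of(path)
    if sysname is None:
        return False
    exact = path.rsplit("\\", 1)[-1].lower() == sysname + ".exe"
    return not (exact and path.lower().startswith(WINDOWS_DIR))


def parse_avz_script(text):
    """Group touched artifacts by type (paths deduplicated case-insensitively).

    Keys: services, registry, files, tasks, bho_clsids, masquerading, and
    bad_file_args for file arguments that are not drive-letter paths.
    """
    out, seen = {}, set()

    def add(key, item):
        if (key, item.lower()) not in seen:
            seen.add((key, item.lower()))
            out.setdefault(key, []).append(item)

    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue                       # begin/end and argument-less calls
        func, args = m.group(1), ARG_RE.findall(m.group(2))
        if func in ("StopService", "DeleteService", "BC_DeleteSvc"):
            add("services", args[0])
        elif func in ("RegKeyParamDel", "RegKeyDel"):
            entry = "\\".join(args[:2]) + (f" -> {args[2]}" if len(args) > 2 else "")
            add("registry", entry)
        elif func in ("QuarantineFile", "DeleteFile"):
            path = args[0]
            if not DRIVE_PATH_RE.match(path):
                add("bad_file_args", path)  # Shell value or bare file name
            elif path.lower().endswith(".job"):
                add("tasks", path)
            else:
                add("files", path)
                if is_masquerading(path):
                    add("masquerading", path)
        elif func in ("DelBHO", "DelCLSID"):
            add("bho_clsids", args[0].strip())
    return out


if __name__ == "__main__":
    for key, items in parse_avz_script(SAMPLE_SCRIPT).items():
        print(f"[{key}]")
        for item in items:
            print("  ", item)
```

Run it after the reboot and walk the `files`, `services`, `registry` and `tasks` lists against the new AVZ log; anything still present means the script did not take, and anything in `bad_file_args` was never going to be deleted by that line in the first place.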
Statistics of the treatment performed:
[LIST][*]Quarantines received: [B]1[/B]
[*]Files processed: [B]55[/B]
[*]Malicious programs detected during treatment:
[LIST=1]
[*] c:\documents and settings\all users\documents\settings\cbss.dll - [B]Trojan-Downloader.Win32.Piker.cju[/B] ( DrWEB: Trojan.Packed.20343, BitDefender: Backdoor.Generic.369467, AVAST4: Win32:Rootkit-gen [Rtk] )
[*] c:\documents and settings\david1\application data\bywsf.exe - [B]Trojan.Win32.Gibi.ay[/B] ( DrWEB: Win32.HLLW.Lime.18, BitDefender: Backdoor.Generic.349144, AVAST4: Win32:Malware-gen )
[*] c:\documents and settings\david1\application data\driver.exe - [B]HEUR:Trojan.Win32.Generic[/B] ( DrWEB: Trojan.Packed.20353 )
[*] c:\documents and settings\david1\application data\microsoft\svchost.exe - [B]Worm.Win32.VBNA.b[/B] ( BitDefender: Gen:Variant.Palevo.2 )
[*] c:\documents and settings\david1\application data\svchosts.exe - [B]Trojan.Win32.Scar.cfxl[/B] ( AVAST4: Win32:VB-OXI [Drp] )
[*] c:\documents and settings\david1\application data\svchost32.exe - [B]Worm.Win32.VBNA.b[/B] ( BitDefender: Worm.Generic.239541, AVAST4: Win32:Trojan-gen )
[*] c:\documents and settings\localservice\application data\microsoft\wono.exe - [B]Trojan-Dropper.Win32.Vidro.aoz[/B] ( DrWEB: Trojan.WinSpy.711, BitDefender: Gen:Variant.Zbot.7, AVAST4: Win32:Bamital-T [Drp] )
[*] c:\systemfiles\x-f-324553-12314-3344-1\ise32.exe - [B]Worm.Win32.VBNA.b[/B] ( BitDefender: Worm.Generic.239541, AVAST4: Win32:Trojan-gen )
[*] c:\windows\egezib.exe - [B]Trojan-Downloader.Win32.FraudLoad.gsb[/B] ( DrWEB: Trojan.DownLoad1.55745, BitDefender: Trojan.FakeAlert.CBH, AVAST4: Win32:MalOb-AP [Cryp] )
[*] c:\windows\system32\vydoha.exe - [B]Trojan-Dropper.Win32.Vidro.aoy[/B] ( DrWEB: Trojan.WinSpy.818, BitDefender: Gen:Variant.Zbot.7, AVAST4: Win32:Bamital-T [Drp] )
[*] c:\windows\system32\wono.exe - [B]Trojan-Dropper.Win32.Vidro.aoy[/B] ( DrWEB: Trojan.WinSpy.818, BitDefender: Gen:Variant.Zbot.7, AVAST4: Win32:Bamital-T [Drp] )
[*] c:\windows\winsvc.exe - [B]Worm.Win32.VBNA.b[/B] ( DrWEB: Trojan.Packed.20346 )
[/LIST][/LIST]