
Removal of Win32:Rootkit-gen [Rtk]. Thanks to help

  1. #21
    Junior Member. Registered: 22.02.2010. Posts: 17. Reputation weight: 52.
    OK, thank you, I'll do this tomorrow, when back in my office, where I left the infected computer, as I have much other work tonight.

    By the way, it could indeed be that Superantispyware is bullsh...; in fact, I tried everything (!!!) I could find to get rid of that infection, before finally coming to you.

    And, if it is not too much to ask you, once it is settled, I was indeed going to ask you if you perhaps had a link to a page with some good advice on how to be better protected in the future: recommended software, possibly a UTM (Unified threat management) unit at the incoming adsl line, a remover for USB autorun.inf and... what else...???

    Thank you again for helping me fight that incredibly resistant virus.
    Good night / day,
    Paul

  2. #22
    Junior Member. Registered: 22.02.2010. Posts: 17. Reputation weight: 52.
    Good morning Rene-gad,
    Sorry I couldn't answer faster: I was in meetings with customers.
    Here it is:
    - I uninstalled Superantispyware and all similar programs, except for your AVPTool.
    - I ran GMER with your latest script, but still with the same errors:
    (Error) DeleteService: Access is denied
    (Error) DeleteKey: Access is denied
    and a new one:
    (Error) An error 0x0000001F occured during the deletion of file: "C:\Wind ... \zoxausba.sys": Access denied

    The logs are attached here.
    Thanks again for your time and courage!
    Paul

  3. #23
    Senior Member. Registered: 03.04.2006. Posts: 21,100. Reputation weight: 3023.
    Did you run GMER AS ADMINISTRATOR?

  4. #24
    Junior Member. Registered: 22.02.2010. Posts: 17. Reputation weight: 52.
    YES
    I am the only user of the computer, log in as administrator and, additionally, as a precaution, use the "run as admin" option when clicking on the pgm...

    Added 1 minute later

    PS: in case you would answer immediately, pls, just note that I'm leaving now for +/- 2 hours, for a customer visit.
    THANK YOU
    Paul
    Last edited by np2c; 26.02.2010 at 14:59. Reason: Added

  5. #25
    Senior Member. Registered: 03.04.2006. Posts: 21,100. Reputation weight: 3023.
    Quote from np2c:
    I am the only user of the computer, log in as administrator and, additionally, as a precaution
    it's not relevant
    do the "run as admin" option when clicking on the pgm...
    It's correct.

    Download and extract this program: http://forum.sysinternals.com/upload...ku37300509.rar
    Disable Antivirus.
    Run the file rku37300509.exe as administrator, search in the SSDT tab for the string with
    zoxausba with the file C:\Windows\System32\Drivers\zoxausba.sys,
    choose it and in the context menu choose Unhook selected and Wipe File.
    Probably you'll be asked to reboot the system to remove the file.

    Reboot, repeat the log
    Last edited by Rene-gad; 26.02.2010 at 19:14.
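A defender-side check related to the driver step above, added here as an example that is not part of the thread: this PowerShell snippet lists kernel driver services whose image file is missing, unsigned, or outside the usual drivers directory, which is what an unexpected entry such as a driver in System32\Drivers with no valid signature would look like. It assumes Windows PowerShell 3 or later run from an elevated prompt; the function and variable names are my own.

```powershell
# Added example, not from the thread: list kernel driver services whose image is
# missing, unsigned, or outside the normal drivers directory. Run as administrator.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be \SystemRoot\..., \??\C:\..., or a relative
    # system32\drivers\x.sys path; turn all of them into an absolute Win32 path.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    $sig = 'NoFile'                      # a hidden or already-wiped image shows up here
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    [pscustomobject]@{
        Service     = $_.Name
        State       = $_.State
        StartMode   = $_.StartMode
        Path        = $path
        Signature   = $sig
        InDriverDir = [bool]($path -and $path.StartsWith($driverDir, 'OrdinalIgnoreCase'))
    }
} | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InDriverDir } |
    Sort-Object Service | Format-Table -AutoSize
```

Anything flagged is a lead, not a verdict: unsigned third-party drivers are common on older systems, and a kernel-mode rootkit can hide its service and file from user-mode enumeration, so a clean listing taken from inside the infected system does not contradict the advice later in the thread to reformat.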

  6. #26
    Junior Member. Registered: 22.02.2010. Posts: 17. Reputation weight: 52.
    Dear Rene-gad,
    Sorry for my long silence: I was away for work (without my infected computer, of course...!)
    OK, now I just tried your latest instructions and ran rku37300509.exe as administrator.
    However, it immediately gives an "Error loading driver, NTSTATUS code: C0000001" and nothing else: no windows of any kind.
    I searched "rku + ntstatus" on Google but could not find helpful advice, sorry.
    What would you suggest now ?
    THANK YOU.
    Paul

  7. #27
    Junior Member. Registered: 22.02.2010. Posts: 17. Reputation weight: 52.
    Dear Rene-gad,
    Would you have a new suggestion for fighting that nasty rootkit ?
    It would be a shame to let him definitely win against us...
    With hope and thanks,
    Cordially yours,
    Paul

  8. #28
    Senior Member. Registered: 03.04.2006. Posts: 21,100. Reputation weight: 3023.
    Quote from np2c:
    It would be a shame to let him definitely win against us...
    It's the wrong position: for your security it would be better, right from the very beginning, to do a format c:\. Pls. read here: http://technet.microsoft.com/de-de/l...8en-us%29.aspx

  9. #29
    Junior Member. Registered: 22.02.2010. Posts: 17. Reputation weight: 52.
    Dear Rene-gad,
    OK, if there is no other choice than reformatting and re-installing everything, that's what I'll do...
    However, as you are a specialist, would you perhaps have some recommendations (or links to recommended web pages or sites) for:
    - being sure not to have the virus hidden in the special partition with the original Windows install, nor in my file backups?
    - how to be better protected in the future, ideally with freeware programs (anti-virus, anti-rootkit, firewall, anti-USB-autoruns, etc ?)
    - do you think that a UTM (Unified threat management) unit at the incoming adsl line would be recommended and efficient ? (Like the Netgear Prosecure UTM 5, etc)
    Thank you,
    Paul

  10. #30
    Senior Member. Registered: 03.04.2006. Posts: 21,100. Reputation weight: 3023.
    Quote from np2c:
    - being sure not to have the virus hidden in the special partition with the original Windows install, nor in my file backups?
    We have to make a distinction between file infectors, which can be hidden in a file array, and rootkits, which have to be installed and integrated into the active system. After removing/creating the system partition, formatting it and installing the OS and all current service packs, the rootkit has no chance to be installed. A file infector will remain dangerous if you call the infected file.
    - how to be better protected in the future, ideally with freeware programs (anti-virus, anti-rootkit, firewall, anti-USB-autoruns, etc ?)
    The best solution was, is and will be BRAIN.exe - always think before acting. One antivirus program is recommended.
    Quote from np2c:
    - do you think that a UTM (Unified threat management) unit at the incoming adsl line would be recommended and efficient ?
    It would be nice if you test it and write a small report here; I've no idea if this thing is really effective and good.

  11. #31
    Cybernetic Helper. Registered: 29.12.2008. Posts: 48,233. Reputation weight: 977.

    Treatment summary

    Statistics of the treatment performed:
    • Quarantines received: 3
    • Files processed: 13
    • No malicious programs were found in the quarantines during treatment

