Infected by virtool.win32/obfuscator.XZ on Windows 7

knuBBe

Hi All,

My last MSE scan was in October of 2012, did a scan last night and found that I'm infected with virtool.win32/obfuscator.XZ.

I tried to do some research before posting and found these two threads that are relatively recent:
1. Solved: Please help removing virtool:win32/obfuscator.XZ - Tech Support Guy Forums
2. http://www.sevenforums.com/system-security/208452-infected-virtool-win32-obfuscator-xz-2.html

This is what I did so far:

1. Deleted infected files that MSE was latching on to, but was unable to remove because of file size.
2. Ran AdwCleaner and restarted my system.
3. Ran ComboFix and restarted my system.
4. Currently running ESET Online Scanner.

I'm wondering if I'm taking the appropriate steps to remove this virus from my computer? Also am wondering if someone can kindly take a look at my log files to see if I have removed the threat because according to this thread (http://www.sevenforums.com/system-security/267795-unable-get-rid-virtool-win32-obfuscator-xz-2.html) the problem was not solved because of a "rootkit" and a system wipe was necessary.

Thanks for any help in advance!
 

My Computer My Computer

At a glance

Windows 7 Home Premium 64bit
OS
Windows 7 Home Premium 64bit
Anytime you have a rootkit, the best option is to do a clean install. A rootkit generally creates a hidden partition on your HD & boots from that. So it's up & running even before Windows is running.

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FObfuscator.XZ

There are tools you can try to clean out the system with, however in many cases, the damage is done & some of the Windows files are corrupted, to the point that they cannot be repaired (depending on the rootkit). The best option would be to try to get your PC as clean as possible, save your personal files & do a clean install.

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

TDSSKiller is an anti-rootkit utility that may/may not be able to remove the infection.

Windows Defender Offline can also help to clean up your system. Be aware that this AV needs to be made on a clean PC, otherwise there is a risk the scanning engine will be compromised.

In the future you may wish to make a system image so if something like this hits again, you can restore your PC to the state it was in when you made the system image. Keep 2 or 3 on an external HD in case you accidentally make an image that contains a virus.

http://www.sevenforums.com/tutorials/663-backup-complete-computer-create-image-backup.html
 

My Computer My Computer

At a glance

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1,...Intel Core 2 Duo 2.93GHzNot much with my ADHDATI Radeon HD 4350
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
Thanks for the quick reply Borg.

Is there any way to confirm whether or not I have a rootkit from this? Or is it pretty much certain?
 

Generally TDSSKiller is good at spotting them. And as I mentioned, may be able to clean the infection.

Windows Defender Offline will spot them too, but sometimes has trouble cleaning them out.

The other way you can check is to d/l & run GParted, a free bootable partition editor. You'll need to make a boot disk, then run it & look for a hidden partition. If you find one, usually at the end of the drive, between 1 - 10 MB, then it's highly likely you have a rootkit.

GParted -- About
 

Okay thanks, will work with your suggestions and if worst comes to worst, will do a fresh install.

Thanks again! Happy new year
 

Thank you, a Happy New year to you also:)
 

After backing up my files and running GParted as you suggested, I see that I do have an unallocated partition that is 1.87 MB in size. Does this mean that I most likely have a rootkit?

I have attached a picture I took of my partitions. Can someone look to see if things look normal?
 

Attachment: IMG_4301.jpg (1,007.4 KB)

Unallocated means there's nothing there. If TDSSKiller did find a rootkit on your previous scans, then this is probably the remnant. Otherwise, everything looks normal.

Most rootkits will show up as a partition 1 - 10 MB in size, and it will be listed as hidden & as a boot partition.

Hopefully everything is running well, assuming it is, keep a close watch on your system for strange behavior.

It would still be a good idea to run WDO if you haven't already, as this is a boot scanner & might find some things. Never hurts to be double sure when it comes to PC viruses.:)
 

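A way to check for the pattern the replies above describe (a tiny hidden or bootable partition near the end of the drive, as opposed to plain unallocated space) without booting GParted is to parse the MBR partition table directly. The script below is an added example, not from the thread or from any of the tools mentioned; the hidden-type list and the 10 MB threshold are heuristics taken from the reply, the MBR is a constructed sample rather than a real infected disk, and it applies to MBR-partitioned disks only, not GPT.

```python
import struct

SECTOR = 512
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}  # hidden FAT/NTFS/WinRE type ids
MAX_SUSPECT_BYTES = 10 * 1024 * 1024  # "1 - 10 MB" heuristic from the reply above

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        flag, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "boot": flag == 0x80, "type": ptype,
                          "start": start, "sectors": size})
    return parts

def suspicious_partitions(parts):
    """Indices of entries matching the rootkit pattern: tiny AND (boot flag or hidden type)."""
    return [p["index"] for p in parts
            if p["sectors"] * SECTOR <= MAX_SUSPECT_BYTES
            and (p["boot"] or p["type"] in HIDDEN_TYPES)]

def unallocated_gaps(parts, disk_sectors):
    """(start, length) of free space; informational only, since a gap is not a partition."""
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = p["start"] + p["sectors"]
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def build_entry(boot, ptype, start, sectors):
    return struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, start, sectors)

# Constructed sample disk (not a real image): 100 MiB System Reserved, a big C:,
# then a 3 MiB hidden bootable partition, followed by 2 MiB of unallocated space.
DISK_SECTORS = 976773120
SAMPLE_MBR = (b"\x00" * 446
              + build_entry(True, 0x07, 2048, 204800)
              + build_entry(False, 0x07, 206848, 976556032)
              + build_entry(True, 0x17, 976762880, 6144)
              + b"\x00" * 16 + b"\x55\xAA")

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    print("suspicious entries:", suspicious_partitions(parts))  # [2]
    print("unallocated gaps (start, sectors):", unallocated_gaps(parts, DISK_SECTORS))
```

On a live Windows 7 box the first sector can be read into `SAMPLE_MBR`'s place from `\\.\PhysicalDrive0` with an elevated prompt; the trailing gap in the sample corresponds to the unallocated space the thread discusses and is reported but not flagged.
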
That's great news!

I think WDO is the last thing that I have to run, so I'll be sure to do that today.

Thanks for your quick and clear responses!
 

Glad I could help. Please keep a close eye on your system for any suspicious behavior.

It would be a good idea to change your passwords on any websites you visited, from a clean PC (don't use yours, wait a couple weeks to see if anything suspicious happens).

Some VirTool:Win32/Obfuscator.XZ infections contain trojans and keyloggers which can be used to steal sensitive data like passwords, credit card, bank account information etc.
Edit: I would also like to add that the only way you can be 100% sure everything is gone is to do a clean install. Judging by what MS wrote about the virus, you may never know if you got it all. Once it looks like everything is clean & running well, you may wish to consider saving all your personal files & then re-installing when it's convenient.

VirTool:Win32/Obfuscator are detections for programs that have had their purpose obfuscated to hinder analysis or detection by anti-virus scanners. They commonly employ a combination of methods including encryption, compression, anti-debugging and anti-emulation techniques.

These obfuscation techniques are used on various kinds of malware. The malware that lies "underneath" may have virtually any purpose. Hence, there are no obvious symptoms that indicate the presence of this malware on an affected machine.
 