Remove Obfuscator.xz Virus Tool


  1. Posts : 5
    Windows 7 Ultimate 64 Bit
       #1

    Remove Obfuscator.xz Virus Tool


    Hi to all,

    I scanned with MSE and it found virtool.win32/obfuscator.XZ but when I tried to clean the system it failed.

    So after some research in the forum I found that some users recommend following that guide:

    How to Remove VirTool:Win32/obfuscator.XZ Completely and Effectively (Step-by-step Removal) - Tee Support Blog

    So I decided to follow the manual removal, but I'm not really sure of what I'm doing, so I would really appreciate some help...

    OK, so... now I'm finding the registry entries that I have to remove, like the manual said, but I find some registry entries with different values. Let me take an example:

    I have found

    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS " CERTIFICATEREVOCATION" = '1'

    instead of

    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS " CERTIFICATEREVOCATION" = '0'

    Do I have to remove that key anyway???


    Edit

    While I was waiting for some responses, I have scanned my PC (in safe mode) using Microsoft Safety Scanner, ESET online, Hitman Pro and Malwarebytes but now nothing has been detected.
    Does this mean that I'm safe again???
    Last edited by italicus3000; 09 Nov 2012 at 18:21.


  2. Posts : 28
    Windows 7 Ultimate x64
       #2

    italicus3000 said:
    Hi to all,

    I scanned with MSE and it found virtool.win32/obfuscator.XZ but when I tried to clean the system it failed.

    So after some research in the forum I found that some users recommend following that guide:

    How to Remove VirTool:Win32/obfuscator.XZ Completely and Effectively (Step-by-step Removal) - Tee Support Blog

    So I decided to follow the manual removal, but I'm not really sure of what I'm doing, so I would really appreciate some help...

    OK, so... now I'm finding the registry entries that I have to remove, like the manual said, but I find some registry entries with different values. Let me take an example:

    I have found

    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS " CERTIFICATEREVOCATION" = '1'

    instead of

    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS " CERTIFICATEREVOCATION" = '0'

    Do I have to remove that key anyway???


    Edit

    While I was waiting for some responses, I have scanned my PC (in safe mode) using Microsoft Safety Scanner, ESET online, Hitman Pro and Malwarebytes but now nothing has been detected.
    Does this mean that I'm safe again???

    I'd remove it because on my computer, the keys don't exist.


  3. Posts : 2,663
    Windows 8.1 Pro x64
       #3

    programmer40 said:
    I'd remove it because on my computer, the keys don't exist.

    Yes it does :) They're not keys by the way, they're values.

    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\System32>reg query "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"
    
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
        IE5_UA_Backup_Flag    REG_SZ    5.0
        User Agent    REG_SZ    Mozilla/4.0 (compatible; MSIE 8.0; Win32)
        EmailName    REG_SZ    User@
        PrivDiscUiShown    REG_DWORD    0x1
        EnableHttp1_1    REG_DWORD    0x1
        WarnOnIntranet    REG_DWORD    0x1
        MimeExclusionListForCache    REG_SZ    multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
        AutoConfigProxy    REG_SZ    wininet.dll
        UseSchannelDirectly    REG_BINARY    01000000
        WarnOnPost    REG_BINARY    01000000
        UrlEncoding    REG_DWORD    0x0
        SecureProtocols    REG_DWORD    0xa0
        PrivacyAdvanced    REG_DWORD    0x0
        ZonesSecurityUpgrade    REG_BINARY    CB69B4C6195DCD01
        DisableCachingOfSSLPages    REG_DWORD    0x0
        WarnonZoneCrossing    REG_DWORD    0x0
        CertificateRevocation    REG_DWORD    0x1
        EnableNegotiate    REG_DWORD    0x1
        MigrateProxy    REG_DWORD    0x1
        ProxyEnable    REG_DWORD    0x0
        ProxyOverride    REG_SZ    *.local
        GlobalUserOffline    REG_DWORD    0x0
    
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Connections
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Http Filters
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Lockdown_Zones
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\P3P
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Passport
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Protocols
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\TemplatePolicies
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Wpad
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZoneMap
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Zones
    
    C:\Windows\System32>
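The values-versus-keys distinction from post #3 and the 0-versus-1 comparison from post #1, as an added Python example that is not part of the thread: it parses `reg query` output, rejoins lines the console wrapped, and checks whether a named value carries the data a removal guide lists. The sample text is constructed from the listing above, and the function names are illustrative.

```python
import re

# Constructed sample: a trimmed copy of the `reg query` listing above,
# keeping the 80-column console wrapping seen in the post.
SAMPLE = r"""HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    MimeExclusionListForCache    REG_SZ    multipart/mixed multipart/x-mixed-rep
lace multipart/x-byteranges
    CertificateRevocation    REG_DWORD    0x1
    ProxyEnable    REG_DWORD    0x0

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Zo
neMap
"""

# A value line is indented four spaces: name, type and data, four spaces apart.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def unwrap(text):
    """Rejoin wrapped lines: a wrapped tail has no indent and no HKEY_ prefix."""
    lines = []
    for raw in text.splitlines():
        if raw and lines and lines[-1] and not raw.startswith(("    ", "HKEY_")):
            lines[-1] += raw
        else:
            lines.append(raw)
    return lines

def parse_reg_query(text):
    """Return (values, subkeys) for the queried key; values maps name -> (type, data)."""
    values, keys = {}, []
    for line in unwrap(text):
        m = VALUE_RE.match(line)
        if m:
            # Registry value names are case-insensitive, so index them lowercased.
            values[m["name"].lower()] = (m["type"], m["data"])
        elif line.startswith("HKEY_"):
            keys.append(line)
    return values, keys[1:]  # keys[0] is the queried key itself

def matches_indicator(values, name, expected):
    """True only if the value exists as a REG_DWORD and equals the listed data."""
    entry = values.get(name.lower())
    if entry is None or entry[0] != "REG_DWORD":
        return False
    return int(entry[1], 16) == expected

if __name__ == "__main__":
    values, subkeys = parse_reg_query(SAMPLE)
    print("values:", sorted(values), "subkeys:", subkeys)
    print("matches guide's '0':", matches_indicator(values, "CERTIFICATEREVOCATION", 0))
```
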


 
