Windows 7 Forums
Windows 7: Infected by virtool.win32/obfuscator.XZ on Windows 7


01 Jan 2013   #1

Windows 7 Home Premium 64bit

Hi All,

My last MSE scan was in October 2012. I did a scan last night and found that I'm infected with virtool.win32/obfuscator.XZ.

I tried to do some research before posting and found these two threads that are relatively recent:
1. Solved: Please help removing virtool:win32/obfuscator.XZ - Tech Support Guy Forums
2. Infected by virtool.win32/obfuscator.XZ

This is what I did so far:

1. Deleted the infected files that MSE was latching on to but was unable to remove because of file size.
2. Ran AdwCleaner and restarted my system.
3. Ran ComboFix and restarted my system.
4. Currently running ESET Online Scanner.

I'm wondering if I'm taking the appropriate steps to remove this virus from my computer. Also, I'm wondering if someone can kindly take a look at my log files to see if I have removed the threat, because according to this thread (Unable to get rid of virtool.win32/obfuscator.XZ) the problem was not solved because of a "rootkit" and a system wipe was necessary.

Thanks for any help in advance!



01 Jan 2013   #2

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro

Anytime you have a rootkit, the best option is to do a clean install. A rootkit generally creates a hidden partition on your HD & boots from that. So it's up & running even before Windows is running.

https://www.microsoft.com/security/p...FObfuscator.XZ

There are tools you can try to clean out the system with, however in many cases, the damage is done & some of the Windows files are corrupted, to the point that they cannot be repaired (depending on the rootkit). The best option would be to try to get your PC as clean as possible, save your personal files & do a clean install.

Clean Install Windows 7

TDSSKiller is an anti-rootkit utility that may or may not be able to remove the infection.

Windows Defender Offline can also help to clean up your system. Be aware that this AV needs to be made on a clean PC, otherwise there is a risk the scanning engine will be compromised.

In the future you may wish to make a system image so that if something like this hits again, you can restore your PC to the state it was in when you made the system image. Keep 2 or 3 on an external HD in case you accidentally make an image that contains a virus.

Backup Complete Computer - Create an Image Backup
01 Jan 2013   #3

Windows 7 Home Premium 64bit

Thanks for the quick reply, Borg.

Is there any way to confirm whether or not I have a rootkit from this? Or is it pretty much certain?


01 Jan 2013   #4

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro

Generally TDSSKiller is good at spotting them. And as I mentioned, may be able to clean the infection.

Windows Defender Offline will spot them too, but sometimes has trouble cleaning them out.

The other way you can check is to d/l & run GParted, a free bootable partition editor. You'll need to make a boot disk, then run it & look for a hidden partition. If you find one, usually at the end of the drive, between 1 - 10 MB, then it's highly likely you have a rootkit.

GParted -- About
01 Jan 2013   #5

Windows 7 Home Premium 64bit

Okay thanks, will work with your suggestions and if worst comes to worst, will do a fresh install.

Thanks again! Happy New Year
02 Jan 2013   #6

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro

Thank you, a Happy New Year to you also
05 Jan 2013   #7

Windows 7 Home Premium 64bit

After backing up my files and running GParted as you suggested, I see that I do have an unallocated partition that is 1.87 MB in size. Does this mean that I most likely have a rootkit?

I have attached a picture I took of my partitions. Can someone look to see if things look normal?

Attached thumbnail: img_4301.jpg
05 Jan 2013   #8

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro

Unallocated means there's nothing there. If TDSSKiller did find a rootkit on your previous scans, then this is probably the remnant. Otherwise, everything looks normal.

Most rootkits will show up as a partition 1 - 10 MB in size, and it will be listed as hidden & as a boot partition.

Hopefully everything is running well, assuming it is, keep a close watch on your system for strange behavior.

It would still be a good idea to run WDO if you haven't already, as this is a boot scanner & might find some things. Never hurts to be double sure when it comes to PC viruses.
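One way to automate the check Borg describes in posts #4 and #8 (a small hidden or bootable partition sitting at the very end of the drive), as an added example that is not from this thread: a Python parser for a raw MBR partition table, run over a constructed sample layout. It assumes an MBR-partitioned disk; on a real machine you would feed it the first 512 bytes of the physical drive, read from a clean boot environment such as a live CD, not from the possibly infected Windows.

```python
import struct

SECTOR_BYTES = 512
MB = 1024 * 1024
# MBR type IDs that mark a partition as "hidden" (FAT12/16/32 and NTFS variants).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:  # unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "lba_start": start,
                      "sectors": count, "size_mb": count * SECTOR_BYTES / MB})
    return parts

def suspicious_partitions(parts: list, disk_sectors: int) -> list:
    """Flag entries that are 1-10 MB, end within 1 MB of the last sector of the
    disk, and are marked bootable or use a hidden partition type."""
    flagged = []
    for p in parts:
        small = 1 * MB <= p["sectors"] * SECTOR_BYTES <= 10 * MB
        at_end = disk_sectors - (p["lba_start"] + p["sectors"]) < 2048
        if small and at_end and (p["bootable"] or p["hidden"]):
            flagged.append(p)
    return flagged

def build_mbr(entries) -> bytes:
    """Constructed helper: assemble an MBR from (status, type, lba_start, sectors) tuples."""
    mbr = bytearray(512)
    for i, entry in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, *entry)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed sample: a 500 GB disk with the usual Windows 7 "System Reserved"
# partition (100 MB, active), the C: volume, and a rogue 4 MB hidden-NTFS-type
# partition at the very end of the disk that is also flagged active.
DISK_SECTORS = 976_773_168
SAMPLE_MBR = build_mbr([
    (0x80, 0x07, 2048, 204_800),
    (0x00, 0x07, 206_848, DISK_SECTORS - 8192 - 206_848),
    (0x80, 0x17, DISK_SECTORS - 8192, 8192),
])
```

The 100 MB System Reserved partition is active too, but it is neither small enough nor at the end of the disk, so only the trailing 4 MB entry is reported; a plain unallocated gap like the 1.87 MB one in post #7 has no table entry at all and is never flagged.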
05 Jan 2013   #9

Windows 7 Home Premium 64bit

That's great news!

I think WDO is the last thing that I have to run, so I'll be sure to do that today.

Thanks for your quick and clear responses!
05 Jan 2013   #10

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro

Glad I could help. Please keep a close eye on your system for any suspicious behavior.

It would be a good idea to change your passwords on any websites you visited, from a clean PC (don't use yours, wait a couple weeks to see if anything suspicious happens).

Quote:
Some VirTool:Win32/Obfuscator.XZ infections contain trojan and keyloggers which can be used to steal sensitive data like passwords, credit card, bank account information etc.
Edit: I would also like to add that the only way you can be 100% sure everything is gone is to do a clean install. Judging by what MS wrote about the virus, you may never know if you got it all. Once it looks like everything is clean & running well, you may wish to consider saving all your personal files & then re-installing when it's convenient.

Quote:
VirTool:Win32/Obfuscator are detections for programs that have had their purpose obfuscated to hinder analysis or detection by anti-virus scanners. They commonly employ a combination of methods including encryption, compression, anti-debugging and anti-emulation techniques.

These obfuscation techniques are used on various kinds of malware. The malware that lies "underneath" may have virtually any purpose. Hence, there are no obvious symptoms that indicate the presence of this malware on an affected machine.