Well, I actually managed to remove the plague on my own.
Steps I did:
- Boot the system with F-secure rescue CD (available for free here http://www.f-secure.com/en/web/labs_global/removal/rescue-cd)
- Let the scan and clean run. It cleans some files, but it skips/does nothing with the services.exe infection, which is responsable for reinfecting the machine. After it did its job, I pressed Alt + F4 (a hidden feature that drops you at a linux prompt)
- Entered windows directory (mine was at /mnt/scan/sda1/windows)
- Figured out the windows\winsxs has a backup of main system files, with more then one version on some cases!
- Found the backups of service.exe there, entering /mnt/scan/sda1/windows/winsxs and hitting ls -l *servicecontroller*
- Found three directories with service controller:
x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036
x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a
x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56
- Renamed the existing services.exe to services.virus
mv /mnt/scan/sda1/windows/system32/services.exe services.virus
- Copied the services.exe from the winsxs 6.0.6002 folder to windows/system32
cp /mnt/scan/sda1/windows/winsxs/x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56/services.exe /mnt/scan/sda1/windows/system32/services.exe
- Checked to see if all files and directories that MSE found to be with a virus were already cleaned by the rescue CD. The files weren't there, but the folders where. I deleted the folders (with rm -f )
- I then ejected the CD and rebooted the system in safe mode. Opened regedit (run, regedit.exe). Searched for the keys mentioned here (http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/)
More specifically
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
and
HKCU\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}
(BTW, HKCR is HKEY_CLASSES_ROOT, and HKCU is HKEY_CURRENT_USER)
The first was with the correct value already, and the second one didn't exist! Don't know if the rescue CD already fixed it or I got a different variant, but allright (if they existed, I'd restore the first and delete the second). I also searched for the GUID that was on the directories found, and didn't find them, so I concluded the registry was clean.
- Final step: I found out that winsxs directory is actually the real container of the services.exe file (http://www.winvistaclub.com/f16.html). The one in windows/system32 is supposed to be only a hard link. So I restored the hard link, by doing:
cd\windows\system32
move services.exe services.goodbutjustasimplecopy (have to rename it or windows won't let you ovewrite it)
cd\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56
fsutil hardlink create c:\windows\system32\services.exe services.exe
And then I rebooted the system. Bingo.
Took the time to write this here so it might help someone that was in the same trouble as me, and happen to catch quads in a bad day...
